The cyber threat landscape is as diverse as it is sophisticated. Staying abreast of these threats, understanding actors’ motivations and knowing their tactics, techniques and procedures (TTPs) is paramount.
While most media reports focus on threats from nation-states such as Russia, China and North Korea, a broader global set of countries is involved in campaigns to gain access to valuable intelligence or are designed to influence, disrupt and compromise the political or economic stability of other nations. Here is an overview of six of the most important nation-state groups and examples of recent operations that underscore their objectives, typical targets and initial access tactics.
The United States
The U.S. is home to some of the most advanced and sophisticated nation-state actors in the world. The Office of Tailored Access Operations (TAO) is a cyber-warfare intelligence-gathering unit of the U.S. National Security Agency (NSA). TAO identifies, monitors, infiltrates and gathers intelligence on computer systems used by enemies and friendly foreign entities. The Equation Group is one of the most notorious and highly sophisticated threat actors suspected of being tied to the TAO unit.
On the other hand, the U.S. Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the U.S. Department of Defense (DoD). While initially created for defensive purposes, it is increasingly viewed as an offensive force of which the primary objectives consist of espionage, targeting of critical infrastructure and political interference. In June 2019, the New York Times reported that hackers from USCYBERCOM planted malware capable of disrupting the Russian electrical grid. Russia acknowledged the United States potentially attacked its electrical grid.
Stuxnet vs. Iran
While government filings are thin, there is a high level of confidence that the Equation Group, a unit of threat actors suspected to be part of the NSA’s TAO, was responsible for some of the most infamous hacks, including Stuxnet and Flame.
Stuxnet is a computer worm discovered in 2010 that targeted the Supervisor Control and Data Acquisition (SCADA) systems of Iran’s nuclear program. Stuxnet was designed to target programmable logic controllers (PLC), which are automation devices used to control machinery and industrial processes. Once deployed, the malware targeted Microsoft operating systems and networks to search for a specific piece of software made by Siemens. The malware compromised the Iranian nuclear centrifuges’ PLC through the Siemens controller software, causing them to spin out of control, ultimately destroying themselves.
This attack is considered by many to be the first-time nation-state threat actors maliciously acted to destroy industrial systems. The malware was spread indiscriminately in the wild but only targeted Siemens Step-7 software for SCADA systems in embargoed equipment smuggled into Iran. One of the interesting caveats from the Stuxnet event was the collaboration between nation-state hackers in the United States and Israel.
United Kingdom
The Government Communications Headquarters, commonly known as the GCHQ, is Her Majesty’s intelligence and security organization responsible for providing signals intelligence and information assurance to the government and the U. K’s armed forces. GCHQ was established after the First World War and is responsible for breaking the German Enigma codes during the Second World War. The GCHQ consists of two branches: the Composite Signals Organization (CSO), responsible for gathering information, and the National Cyber Security Centre (NCSC), responsible for securing the U.K.’s communications.
In November 2020, the U.K. announced a new information warfare network known as @HutEighteen CITATION Def20 \l 1033 [4], in partnership with the Defense Academy of the United Kingdom, part of the Ministry of Defense. As a community of interest, @HutEighteen brings together practitioners, policymakers and thinkers within the Ministry of Defense and other government departments, academia, industry and the international community. @HutEighteen aims to uncover new and innovative ways of conducting hybrid and information warfare by harnessing diverse talent and aptitude.
GCHQ vs. Belgacom: Operation Socialist
In 2013, former NSA contractor Edward Snowden published documents that revealed “Operation Socialist,” the code name given by the GCHQ to an operation active between 2010 and 2013. They successfully breached the infrastructure of the Belgian telecom organization Belgacom on the instruction of U.K. ministers.
British spies targeted Belgacom employees working in security and maintenance by redirecting them with fake LinkedIn messages to websites that implanted backdoor malware on their systems, a highly developed attack technology referred to as a “Quantum Insert.” The attacks focused on employees connected to the International Carrier Services unit, which handles phone and data traffic in Africa and the Middle East. They also sought to target communications made between roaming smartphones.
The interception would have provided access to communications at NATO headquarters in Brussels and important European institutions, including the European Commission, European Parliament and the European Council.
This operation was the first documented example of a European Union member state covertly hacking into another member state’s critical infrastructure.
China
The People’s Republic of China (PRC) has some of the most infamous and advanced nation-state threat actors in the threat landscape. These threat groups represent divisions either inside the People’s Liberation Army (PLA) or the Ministry of State Security (MSS). Their main objectives consist of state-sponsored espionage campaigns targeting foreign government agencies and organizations in multiple industries across the globe. Some of their operators were engaged in financially motivated crimes for personal gain while conducting operations for the state.
The United States of America vs. Li Xiaoyu and Dong Jiazhi
In July 2020, the U.S. Department of Justice (DOJ) indicted two Chinese attackers, Li Xiaoyu (aka “Oro0lxy”) and Dong Jiazhi. They were charged with conducting campaigns that targeted intellectual property and confidential business information, including COVID-19 research.
Li and Dong were former college classmates who used their technical training for malicious activities. Their motivations, however, were not limited to personal profit. They were also stealing information of interest for the PRC’s MSS. The two often worked with and were assisted by an MSS officer during sanctioned operations.
While working with the PRC, Li and Dong conducted reconnaissance operations to gather information and resources about potential victims and the information they might possess, such as intellectual property and educational research. Typically, the two gained access to their victims’ networks by exploiting publicly known vulnerabilities in web server software and web applications or wrong default configurations in popular applications. After gaining access to the target networks, they dropped malicious web shells such as China Chopper and uploaded programs designed to steal credentials from the victim’s network for privilege escalation. To evade detection and exfiltrate stolen data, the two repackaged the victim’s data in RAR archives, changed the archive’s file extension and staged the files in the victim’s recycling bin.
Li and Dong also sold their victims’ data for personal profit and extorted the breached organizations for cryptocurrency, threatening to leak stolen data if the victims didn’t pay.
Iran
Iranian nation-state actors are often mistakenly perceived as unsophisticated threat actors. Skilled Iranian threat actors work either directly or as contractors for the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS) or the Islamic Revolutionary Guard Corps (IRGC). Their main objectives consist of state-sponsored espionage targeting organizations in multiple industries across the world and directly targeting dissidents and those tagged enemies of Iran.
The United States vs. Hooman Heidarian and Mehdi Farhadi
In September 2020, the U.S. DOJ indicted two Iranian threat actors, Hooman Heidarian and Mehdi Farhadi, on charges of conducting cybertheft and defacement campaigns against systems in the U.S., Europe and the Middle East.
Heidarian and Farhadi are prolific hackers who engage in politically motivated campaigns that are destructive and disruptive. Some attacks were conducted at the request of the Iranian government. Heidarian is reported to have extensive experience in social engineering, data interception, hacking web applications, managing botnets and conducting denial-of-service (DoS) attacks. Farhadi regularly partnered with and often directed Heidarian to target specific victims. Their goal was to steal intellectual property and other data to sell the data to black-market customers — including the government of Iran — to accumulate personal wealth. They are also known for degrading and defacing websites to intimidate perceived enemies of Iran.
When operating, the two conducted online research and reconnaissance to select their victims. Once a target was set, they gathered data and intelligence about the victim’s network to prepare and develop tools. This process typically includes scanning a victim’s network to discover IP ranges, hosts, routers and DNS records, known as network mapping. Heidarian and Farhadi typically gained initial access to a victim’s network using common tools and methods such as session hijacking and SQL injections while maintaining unauthorized access by dropping key loggers and RATs. During campaigns, the two developed and maintained botnets to facilitate the spread of malware, launch DoS attacks and spam networks.
From 2010 to 2017, Heidarian and Farhadi were able to steal hundreds of terabytes of data and deface websites with political ideology. Using the handle “Sejeal,” they regularly posted information and even notified media outlets about the stolen data they were selling on the black market to gain recognition in the hacking community.
North Korea
North Korean state actors representing the Democratic People’s Republic of Korea (DPRK) are some of the most ruthless. These highly skilled threat actors typically work for Bureau 121, the DPRKs cyberwarfare unit, a division of the Reconnaissance General Bureau (RGB) of the DPRK’s military. Their goal mainly consists of state-sponsored espionage, targeting government agencies and organizations in multiple verticals across the world, destructive and disruptive campaigns, as well as a broad range of financially motivated attacks.
The United States of America. a vs. Park Jin Hyok
In September 2018, the U.S. DOJ indicted Park Jin Hyok, a North Korean nation-state threat actor, charging him with conspiracy to conduct multiple cyberattacks and intrusion.
Hyok is accused of being a member of the Lazarus Group, a unit reportedly under the control of the Reconnaissance General Bureau (RGB) that is responsible for the 2017 global WannaCry 2.0 ransomware attack, the destructive attacks on Sony Pictures in 2014 and the $81 million-dollar SWIFT hack that targeted the Central Bank in Bangladesh in 2016. These campaigns resulted in massive amounts of damage to computers, including extensive loss of data, money and resources. Hyok has also worked for more than a decade for a North Korean front company used by the DPRK to support their malicious activity, the Korea Expo Joint Ventures (KEJV).
Hyok is a highly skilled programmer but was also known to global contract actors for his malicious activity. While Hyok’s tactics may seem simple, they are highly effective. In advance of attacks, he researches vulnerabilities, exploits, techniques and an organization’s employees and their social media accounts. Using this information, Hyok launches successful social engineering attacks leveraging spear-phishing messages to access the targeted networks. Hyok has been known to drop rapidly spreading, destructive malware designed to wipe machines and exfiltrate information of interest, build botnets and steal money for the DPRK.
Russia
When it comes to cyberwarfare capability, the Russian Federation tops most nations’ risk charts. Russia is renowned for targeting critical infrastructure, DoS attacks, dissemination of disinformation and propaganda aiming for political interference and participation of state-sponsored teams in political blogs. It’s also known for internet surveillance using its version of lawful interception interfaces known as SORM (Система оперативно-разыскных мероприятий or System for Operative Investigative Activities), persecution of cyber-dissidents and corporate espionage. Some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB (the Federal Security Service of the Russian Federation) and formerly a part of the KGB. The military performed other activities under the Main Directorate of the General Staff of the Armed Forces (GRU) of Russia.
An analysis by the U.S. Defense Intelligence Agency in 2017 outlines Russia’s view of “Information Countermeasures” or IPb (informatsionnoye protivoborstvo) as “strategically decisive and critically important to control its domestic populace and influence adversary states,” dividing “Information Countermeasures” into two categories of “Informational-Technical” and “Informational-Psychological” groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to attempts to change people’s behavior or beliefs in favor of Russian governmental objectives.
The United States of America vs. Andrienko, Detistov, Frolov, Kovalev, Ochichenko, and Pliskin
In October, the U.S. DOJ charged six Russian GRU officers connected with a worldwide deployment of destructive malware and other disruptive actions. These actions included disrupting the 2017 French elections, as well as the 2018 Winter Olympics and causing nearly $1 billion in damages to Heritage Valley Health System, TNT Express B.V. and a U.S. pharmaceutical manufacturer.
These men are accused of being part of the GRU Military Unit, 74455, also known as Sandworm. This unit is also known within the GRU as the Main Center for Special Technologies (GTsST). They deployed destructive malware and launched disruptive attacks for the strategic benefit of Russia. In December 2015 and 2016, they launched a destructive malware campaign against Ukraine’s electric power grid, Ukraine’s Ministry of Finance and the State Treasury Service, leveraging BlackEnergy, KillDisk and Industroyer.
In April and May 2017, the group targeted local government entities and political parties during the French elections. In June 2017, they targeted hundreds of victims worldwide, causing nearly $1 billion in damage to just three victims with the malware attack, NotPetya. In December 2017, they targeted the 2018 Winter Olympic partners, athletes, government agencies and the International Olympic Committee (IOC) with a spear-phishing campaign that resulted in the deployment of a malware called Olympic Destroyer, which ultimately disturbed the opening ceremonies. The malware came riddled with false flags designed to mimic the code of Lazarus, the DPRK’s nation-state actor group, in an attempt to cause misattribution when discovered.
More recently, in January 2018, the group targeted Georgian media outlets with a spear-phishing campaign and an attack in October 2019 resulted in the defacement and degradation of nearly 15,000 websites.
This highly advanced unit relies on simple yet effective tactics to cause massive impacts on targeted networks. In their reconnaissance phase, they work together,
Summary
One of the primary reasons nation-state actors are so notorious in their field is the impact and scale of their attacks, which are notable and typically newsworthy as they influence change in a region, create chaos or leave citizens in panic. Interestingly, whether you perceive them as white hat or black hat actors is often based upon your location, political outlook, cultural background as well as your nation’s economic and trade agreements.
About the author: Pascal Geenens is the Director, Threat Intelligence for Radware, and helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, performed extensive research on Hajime and closely follows new developments of threats in the IoT space and the applications of AI in cyber security and hacking.
