MY TAKE: These 7 nation-state backed hacks have put us on the brink of a global cyber war

By Byron V. Acohido

Nation-state backed hacking collectives have been around at least as long as the Internet.

However, evidence that the ‘golden age’ of cyber espionage is upon us continues to accumulate as the first half of 2018 comes to a close.


What’s changed is that cyber spies are no longer content with digital intelligence gathering. Military operatives and intelligence units today routinely hack to knock down critical infrastructure, interfere with elections, and even to exact revenge on Hollywood studios.

Recently, one of the most powerful and notorious cyber spies on the planet, North Korean General Kim Yong Chol, stepped from obscurity into global celebrity status.

Last month President Trump invited the heretofore obscure General Kim into the White House for an impromptu Oval Office meeting. For about two hours, Trump exchanged pleasantries with the man believed to have orchestrated North Korea’s devastating hack of Sony Pictures in 2014, the aforementioned revenge caper. The tête-à-tête unfolded as Trump prepared for his summit in Singapore with General Kim’s boss, North Korean despot Kim Jong-un.

Rise of North Korea

It’s notable that, since the Sony Pictures hack, General Kim has steadily gotten more powerful and adept at the cyber spy game. Today he commands a cyber army, some 7,000 hackers and support staff strong, that has emerged as a potent and disruptive force. The Wall Street Journal recently reported that North Korea is cultivating elite hackers much like other countries train Olympic athletes.

Meanwhile, Iran-sponsored cyber operatives are making hay, as well. Trump’s decision to pull out of the Iran nuclear deal has ignited a flurry of activity by Iran-backed threat actors. Some experts anticipate that Iran will escalate cyber attacks against U.S. plants and factories, specifically to gain control of industrial control systems, the equipment at the heart of what is broadly called operational technology, or OT.

“As we’ve already seen with Russian threat actors, the goal is to establish footholds in OT networks that could later be used for more destructive attacks,” says Phil Neray, vice-president of industrial cybersecurity at a Boston-based startup called CyberX, which supplies OT monitoring and security systems.

Quite clearly, nation-state backed cyber espionage and cyber attacks are rapidly escalating. What comes next is difficult to foresee. We are in uncharted waters. For historical context, here are a few milestone hacks – each thought to be nation-state backed – that have brought us to this juncture:

Russia meddles in US elections. In the run-up to the 2016 U.S. presidential election, Russian operatives probed, and in some cases breached, voter databases and election software systems in as many as 39 states; Russian-directed bot networks gamed informal online polls to show Trump besting Hillary Clinton; and those same botnets blasted out misleading and manipulative social media posts.

Meanwhile, an audit prior to the election found some 39 percent of Trump’s Twitter followers were fake accounts. And a Twitter audit conducted in January 2017, just after Trump was sworn in, showed him with 22.7 million Twitter followers – 16.6 million real, and 6.1 million fabricated.

Iran hacks Saudi plants. Since 2012, oil and petrochemical facilities located in Saudi Arabia have been repeatedly disrupted by hackers. The latest attack, in August 2017, sought not just to take control of a plant’s industrial controls but to disable its safety instrumented systems, the last line of defense against an explosion.

Each of the Saudi plant hacks required considerable skill and resources to pull off, suggesting government backing, with Iran widely suspected.  The attacks may have been attempts to throw a monkey wrench into Crown Prince Mohammed bin Salman’s plans to encourage investment and diversify the Saudi economy. The worry now is that there is little stopping copycat hackers from targeting factories and power plants in other nations that rely on widely used industrial controls rife with software vulnerabilities.

North Korea deploys NSA cyber weapons. In the spring and early summer of 2017, WannaCry and NotPetya wreaked havoc. These self-spreading worms made use of an exploit for Windows file sharing (SMB) stolen from the NSA and made publicly available by a hacking group calling itself the Shadow Brokers. (NotPetya, for its part, was later attributed by the U.S. and U.K. governments to Russia’s military intelligence service rather than to North Korea.)

WannaCry encrypted data on unpatched Windows computers and demanded ransom payment in Bitcoin. The initial attack spread to 200,000 computers across 150 countries, with total damages estimated at anywhere from hundreds of millions to billions of dollars. A series of copycat and derivative attacks followed.

In December 2017, the Trump White House publicly blamed North Korea for unleashing WannaCry and crippling hospitals, banks and other companies across the globe in the process. However, Trump officials said a public shaming was the only consequence the U.S. intended to impose on North Korea.

China hacks Uncle Sam. In 2014, hackers carried out two separate, deep intrusions into the U.S. Office of Personnel Management, exfiltrating personal records for 21.5 million current and former federal employees, contractors and clearance applicants. OPM wasn’t very timely about discovering and dealing with the breaches; it disclosed the hacks in June 2015, leading to the resignations of OPM Director Katherine Archuleta and Chief Information Officer Donna Seymour.

The pilfered data include the extensive background-check files (the SF-86 questionnaires) used to issue security clearances, along with 5.6 million sets of fingerprints; so, now and forever, sensitive information collected on anyone who was ever issued a government security clearance is in the possession of the hackers. This includes information collected about family members, work colleagues and close acquaintances.

The FBI subsequently arrested a Chinese man as he tried to enter the U.S., purportedly to attend a conference. He was charged with conspiring to supply a strain of malware that was also used in the OPM hack. President Obama came close to publicly blaming China on this one. China’s presumed motive: to bolster its ability to identify intelligence officers and monitor political dissidents. However, the potential long-run collateral damage to U.S. national security is incalculable.

Russia muscles Ukraine. In December 2015 and again in December 2016, Sandworm, a Russia-backed hacking ring, caused power outages in Ukraine, first across the Ivano-Frankivsk region and then in part of Kiev. Subsequently, Symantec issued a report describing another Russian campaign, dubbed Dragonfly 2.0, that targeted some 20 energy companies in the U.S. and Europe; in a few instances, Symantec reported, the attackers secured deep enough access inside OT networks to reach the operator interfaces used to switch off circuit breakers.

Russia and Iran aren’t the only nation-states targeting critical infrastructure. About a month after Symantec’s Dragonfly disclosures, NBC News broke a story linking North Korea to spear phishing attempts targeting the control networks of U.S. electric power companies.

North Korea’s revenge on Sony. In 2014, Sony Pictures was about to release The Interview, a black comedy starring Seth Rogen and James Franco, mocking North Korea’s supreme leader Kim Jong-un. A hacking ring, going by the handle Guardians of Peace, wiped thousands of Sony computers and began releasing copies of unreleased Sony films.

Sony carried through with the movie release. So the hackers posted even more stolen digital records: contracts, phone lists, financial details, as well as cryptographic keys and digital certificates used to encrypt business records and authenticate Sony’s web properties.

President Obama subsequently imposed economic sanctions on a number of North Korean government agencies and senior officials, as punishment for the theft and leaking of Sony’s intellectual property and business records.

U.S. teams with Israel. In 2010, a self-spreading computer worm, dubbed Stuxnet, was discovered after it spread far beyond its target, causing infected computers inside and outside Iran to crash and reboot repeatedly. Stuxnet wasn’t supposed to work like that. It was designed to spread quietly and give U.S. and Israeli cyber spies silent control over the industrial controllers running centrifuges at a specific Iranian nuclear facility, the uranium enrichment plant at Natanz.

The U.S. and Israel intended Stuxnet to be a big innovation in covert cyber operations, giving their respective intelligence and military branches an ace in the hole. Instead, Stuxnet backfired. It disclosed the operation, which was bad enough; it also demonstrated how tenuous and raw cutting-edge hacks by a couple of superpowers can be.

Stuxnet also highlighted just how vulnerable industrial controls are. Since then, OT vulnerabilities and OT hacks have become a staple of hacking teams sponsored by Russia, Iran, China and North Korea. The U.S. and Israel presumably have remained active, as well.


(Editor’s note: Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.)
