5 2015 SU s p er tock/AP/SIPA

State-sponsored hackers: hybrid armies? by Patryk Pawlak and Gergana Petkova

Cyber-attacks are rarely disconnected from politi- 2010, the collision of a Chinese fishing boat with cal realities. CyberBerkut – a pro-Russian group a Japanese coast guard vessel and the subsequent of ‘patriot’ hackers – has, for example, hacked detainment of its Chinese captain and crew caused German government websites in retaliation for a flurry of malicious cyber activity. Attacks in lat- the political support offered to Kiev by Berlin. er years were triggered by the 80th anniversary The Syrian Electronic Army – a hacker collective of the 1931 Manchuria incident or the ongoing thought to be linked to Syrian President Bassar controversy over the Senkaku/Diaoyu islands. al-Assad – regularly targets Western media out- lets, most recently Le Monde. Non-state cyber armies have also been employed in ongoing conflicts. CyberBerkut is but the Due to this blurring of the virtual and most recent example: the group not only man- physical worlds, governments, which aged to hack governmental websites in Germany, are familiar with stateless actors such as Ukraine and Poland, but also successfully took al-Qaeda or the Islamic State of Iraq and the down three NATO websites, including that of the Levant (ISIL), may now have to learn to deal Cooperative Cyber Defence Centre of Excellence with equally hostile, amorphous and often in Tallinn. state-sponsored ‘hacktors’. Other Russian political movements, which are or- ganised and partially sponsored by the state, also Using the past but shaping the present have an important role in non-state cyber offensive capabilities. For instance, a group called ‘Nashi’ While maritime disputes between China and claimed responsibility for the Distributed-Denial- its neighbours often grab the headlines in the of-Service attack in Estonia in 2007. The group ­Asia-Pacific, cyber-attacks are comparatively un- is also active domestically, targeting the Russian derreported. Each year, for instance, the com- opposition and those critical of the government, memoration of the Sino-Japanese conflict which including newspapers such as Kommersant. began on 18 September 1931 (and resulted in Japan’s occupation of three provinces in northeast Smaller and militarily less advanced countries ap- China) witnesses a virtual offensive on Japanese pear to readily embrace the actions of such ‘pa- websites. triotic’ hackers as they benefit from the tactical asymmetry – a sort of virtual guerrilla warfare – The ‘9/18’ cyber-attacks in recent years have that the cyberspace offers. The Syrian Electronic been fuelled by a host of diplomatic disputes. In Army, active since the outbreak of protests in Syria

European Union Institute for Security Studies January 2015 1 in 2011, claims to be driven by patriotism and Looking into the future denies any official affiliation with the government. The group is behind some of the more audacious In addition to governmental or political targets, cyber-attacks, including the defacement and hack- state-linked hackers have also damaged private ing of numerous media websites and Twitter ac- businesses. In 2014, the US-based security compa- counts (e.g. the BBC, The Guardian, The New York ny Crowdstrike blamed a Chinese PLA-associated Times, Human Rights Watch, and Forbes), opposi- group ‘Putter Panda’ for a series of cyber-espionage tion Facebook pages, chat messengers like Skype actions directed at high-profile aerospace, satellite and Viber, as well as foreign government institu- and communications targets. More recently, an- tions (e.g. Saudi Arabia’s Ministry of Defence). other group called ‘Guardians of Peace’ – suppos- edly linked to North Korea – claimed responsibil- ity for an attack on Sony Entertainment Pictures which resulted in the loss of personal information Examples of malware and state-linked of employees and their families and the exposure cyber-attacks of executive-level salaries and company email ex- changes. Flame: Malware described as ‘the most so- phisticated cyber weapon yet unleashed’. Available data suggest that cyber-espionage by Detected in the Middle East, it shares many state-affiliated groups is on the rise. The 2014 Data characteristics with Duqu and Stuxnet. Flame Breach Investigations Report by Verizon, a US tel- begins by sniffing the network traffic, taking ecommunications company, shows that 87% of all screenshots, recording audio conversations, such incidents in 2013 (511) were performed by and intercepting keyboard presses. state-linked groups originating from either East Asia (49%) or eastern Europe (21%). Red October: Malware used for a cyber-espi- onage campaign that has affected hundreds With state and non-state actors ever more inter- of bodies around the world – including dip- ested in developing both offensive and defensive lomatic and government agencies, research cyber capabilities, designing the rules of the game institutions, energy and nuclear groups, and will be complicated. Authoritarian regimes enjoy trade and aerospace organisations. significant freedom to set and adapt rules as they please. Their opponents have, alas, more limited MiniDuke: Malware designed to steal data options. In democratic states, governments are from government agencies and research in- bound by the rule of law and operate under strict stitutions. Kaspersky Labs uncovered 59 public scrutiny. Legal cooperation among like- high-profile victim organisations in 23 coun- minded countries is moving forward, but at a very tries, including Belgium, the Czech Republic, slow pace. Hungary, Ireland, Portugal, Romania, Ukraine, and the US. Little can be done if certain actors choose not to play by the rules. The US indictment of five GhostNet: Malware allegedly originating in Chinese military officers for cyber-espionage in China which infiltrated targets in about 103 2014 was, for example, practically ignored by countries, including the systems of NATO Beijing. And the use of sanctions – as was the case SHAPE headquarters, various embassies and against North Korea following the attacks on Sony foreign ministries, and the office of the Dalai – may just aggravate the delicate situation on the Lama. peninsula further.

Moonlight Maze – Suspected state-sponsored Accordingly, a preventive cyber-attack on – or attacks by Russian hackers targeting the quick retaliation against – the computer networks Pentagon, the US Department of Energy, of other countries suspected of providing support NASA and several universities and research to hackers may appear the only response capable labs. of deterring future incidents.Such actions, howev- er, may undermine the international system in the Titan Rain – Suspected state-sponsored at- long run – and further muddy the already difficult tacks by Chinese hackers targeting the com- international debate surrounding cyber norms. puter networks of US defence contractors in search of military secrets. The networks of the Patryk Pawlak is a Senior Analyst and British and German governments appear to Gergana Petkova is a Junior Analyst at the have been targeted at the same time. EUISS.

European Union Institute for Security Studies January 2015 2

© eU Institute for Security Studies, 2015. | QN-AL-15-005-2A-N | ISBN 978-92-9198-300-1 | ISSN 2315-1129 | DOI 10.2815/341983