Cyber Lawyers Bootcamp Offensive Cyber Activities Reading Materials

Session 2: Cyber Attack Tools and Approaches: Understanding the Technology | January 12, 2021 Michael Ehrlich, Chief Technology Officer, IronNet Cybersecurity; NSI Visiting Fellow & Kelly Moan, Division Chief, IT Operations, U.S. Department of Homeland Security; NSI Visiting Fellow

Dep’t of Homeland Sec., Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar (2019) ...... 2

Blake Johnson et al., Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure, FireEye (Dec. 14, 2017) ...... 36

‘War Dialing’ Tool Exposes Zoom’s Password Problems, Krebs on Security (Apr. 2, 2020) .. 46

Kenneth Geers et al., World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks, FireEye (Sept. 30, 2013) ...... 50 Commodification of Cyber Capabilities: A Grand Cyber Arms Bazaar Table of Contents Page

Executive Summary ...... 1

Cyber Threat Landscape: More Actors, Capabilities, and Connectivity ...... 2

Common Approaches to Acquiring Cyber Capability: Buy, Build, Bridge ...... 5

Grand Cyber Arms Bazaar: A Framework for Categorizing Sophistication ...... 7 Strolling the Grand Bazaar...... 8 Organizational Maturity ...... 9 Operational Intent ...... 12

Applying the Framework: Case Studies ...... 14 Case Study #1: North Korea ...... 14 Case Study #2: Vietnam...... 17 Case Study #3: Artem Radchenko and Oleksander Ieremenko ...... 19

Policy Challenges: Deterrence, Redlines, and Escalation ...... 19 Dearth of Effective Approaches to Deterrence ...... 20 Lack of Redlines ...... 21 Escalation and Unintended Consequences...... 22

A Few Futures to Consider ...... 23 Scenario A: Rapid Escalation ...... 23 Scenario B: Inflection Point ...... 24

Conclusion and Recommendations ...... 25

Appendix 1: Comparison of Concerns and Analytical Challenges Across Industries ...... 28

Appendix 2: India-Pakistan Case Study ...... 29

Acknowledgements ...... 30

Commodification of Cyber Capabilities Team Members ...... 32

i Executive Summary

A proliferation and commodification of cyber offensive capabilities is reshaping the cyber balance of power, enabling an expanded array of actors to use cyber for geopolitical impact or economic gain. From the use of offensive cyberattack by nation-states directly against another or by co-opting cyber criminals, this trend has blurred the line between spies and non-state malicious hackers.

An expanding array of new entrants—both nation-states and non-state actors—with significant capabilities is reshaping the cyber threat landscape. The tools at their disposal allow for unprecedented espionage and surveillance capabilities, which often are the precursors for criminal financial gain, destruction, and disruption operations. Just as the vulnerability surface for cyber is marked by being mostly civilian infrastructure, so increasingly are we seeing non-state actors, including commercial entities, building capabilities that years ago were solely held by a handful of state actors.

The proliferation of cyber tools, which are hard to control and contain, is lowering the barriers to entry. The ability to buy capabilities off the shelf, to bridge gaps in capabilities, or to build tailored tools organically ensures the complex dynamics of the current cyber threat landscape will continue to challenge national security, the commercial sector, and civilians, particularly, vulnerable populations.

The increasing ability to buy cyber tools on a commercial basis allows both nation-state and non- state actors to leapfrog by crossing the line from emerging threat to an established threat quickly; thus leapfrogging is seen as a key driver in the cyber threat landscape. When combined with the challenges of definitive and timely attribution, a threat actor that emerges quickly could inject a high level of geopolitical instability into a conflict that would be more difficult to anticipate than traditional military changes in the balance of power, such as acquisitions of new weapons.

One challenge that government and private sector executives will face in the current environment is how to posture their organization to minimize surprise around the emergence of new cyber actors and effects. In this paper, we present a framework for understanding the sophistication of threat actors in a threat landscape that is characterized by a “grand cyber arms bazaar” in which sophisticated cyber capabilities are widely available from commercial, criminal and open sources.

Our framework includes three distinct categories of sophistication: 1. Established actors—those with the most advanced, accurate, and agile tools.

2. Emerging actors—which include nation-states, criminal organizations, and those with defined processes. 3. Opportunistic actors—generally those associated with cybercriminal activity. An important differentiator in the three categories of this framework of sophistication is motivation.

Whether it is financial gain, collection and surveillance, or offensive attack, cyber actors at each level of sophistication are able to carry out impactful cyber campaigns. Through three case studies, we apply the framework to determine the level of cyber sophistication of nation-state actors.

Because of its geopolitical position in the world and its considerable and vulnerable attack surface, the West faces particular challenges in addressing the cyber threat and several issues exacerbate an already problematic environment including an inconsistent ability to hold actors responsible. Among the key issues that may need to be addressed are the lack of clear redlines that set expectations and implications for the use of cyber weapons by state and non-state actors. Another consideration is the evolving understanding of how escalation and unintended consequences can and should be managed in a cyberattack. Overall, as would be expected from a relatively new area of warfare, the rules of engagement are still emerging and unclear.

This paper explores two potential types of futures. The first are situations of rapid escalation— which might emerge when the geopolitical environment is lacking consensus or broadly held norms for acceptable behavior, just as cyberattack capabilities are becoming more powerful and not well understood. A second future scenario we see as likely is the foundation of an inflection point. In this scenario, enough actors share a perception that an inflection point has been reached, and begin to take steps to control or manage the evolution or revolution in this sphere.

Cyber Threat Landscape: More Actors, Capabilities, and Connectivity

The modern cyber threat landscape is distinguished by an expanding array of state and non-state actors with access to various cyber tools or weapons, which may be combined to conduct advanced operations aimed at collection, criminal financial gain, or digital surveillance. Nation-states view cyber espionage as a tool for countering internal dissent or acquiring diplomatic or competitive advantage. Some governments use cyber asymmetry to challenge established powers with significant diplomatic sway or military power or to target private sector entities—a tactic which can be difficult to address with diplomatic or military means. Others have latched onto financially motivated cybercrime as a means of evading sanctions.

 Non-state actors, such as cyber criminals, exploit an increasingly interconnected environment to mount sophisticated cyber operations that can yield vast sums from targeted financial institutions or from large scale ransomware campaigns against smaller targets. These actors may also sell their malware and skills “as a service” in online forums, including on the dark web.

2  In some cases, state actors may sponsor or co-opt indigenous cyber criminals, hacktivists, or semi-professional criminal hackers to either launch cyber operations with a veneer of deniability or quickly draw upon foreign technical expertise.

The cyber environment is also characterized by a low entry barrier for new actors, as cyber tools are hard to contain and control. Code is nearly impossible to regulate and cyber actors are selling or sharing their capabilities and techniques without restraint. Absent regulation, automation and proliferation of sophisticated and “usable” cyber tools abound. As a result, malicious actors can now embark on opportunistic attacks that are also sophisticated.

 A recent dynamic is the diffusion of expertise as former government, intelligence, or military cyber experts offer their expertise for hire to nation-states seeking to jump-start cyber programs. The government of the United Arab Emirates (UAE) hired former US government intelligence personnel working for Dark Matter to build an advanced capability to compromise challenging technical targets and boost the government’s cyber abilities. The contractors, Dark Matter, may have operated at a level close to top-tier national security agencies, thus boosting the UAE’s cyber abilities significantly and quickly to achieve previously hard-to-obtain goals in cyberspace.

In other cases, commercial firms have offered sophisticated cyber capabilities for sale to foreign governments, or customers with close ties to an unstable military regime that may use it against an adversary or its own citizens.1 For example, FinFisher, a private company based in Germany, developed a capability that has been widely used and exported. According to Citizen Lab, there have been “33 likely government users of FinFisher in 32 countries.”2,3

Below (Table 1) are examples of similar operations with wide-ranging impact:

1 In addition to DarkMatter, NSO Group and FinFisher, this research revealed several other firms competing in this space: Verint, Interionet, Gamma Group, Intellexa, Black Cube, CyberPoint International, Senpai Technologies, Al- Thuraya Consultancy & Research, Omniscope Limited, Q Cyber Technologies, and SecureTech. 2 Marczak, Bill, John-Scott Railton, Adam Senft, Brene Poetranto, Sarah McKune (2015, October 15). Citizen Labs. Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation. Retrieved from https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation/#2 3 Mazzetti, Mark, Adam Goldman, Ronen Bergman and Nicole Perlroth (2019, March 21). New York Times. A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments. Retrieved from https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html

3 Table 1: Cyber Operations and Impact

Operation Severity Scale Duration Specific

Global. Affected organizations in Europe, the US and Asia (Maersk, Merck, Short-term, with Rosneft, Beiersdorf, High: data recovery spanning NotPetya DHL and others) but No destruction , over months to a also a concentration in year. Ukraine (banking, nuclear power plants, airports, metro services).

Global, but primarily in Russia, Ukraine, India Short-term, with High: data and Taiwan. Operation recovery spanning WannaCry No destruction affected multinationals, over months to a critical infrastructure year. and government. Focused on Sony Pictures Entertainment Short-term, with High: data (<7,600 employees), a Destover recovery in Yes destruction subsidiary of Sony months. Corporation (131,700 employees in 2015). Focused on Iran’s High: destruction Stuxnet nuclear weapon <1 year Yes of centrifuges development program. Various Varied: some offensive cyber data destruction operations Focused on Islamic but also denial Unknown Yes against ISIS by State. and manipulation US, Australia, effects UK

4 A major contributor to the dynamic global threat landscape is the pace of technological evolution, which is marked by growing interconnectivity. This interconnectivity not only provides a larger attack surface in general, but also expands the reach to a growing set of cyber threat actors. Internet of Things (IoT) devices are an instrumental example. Actors can compromise these devices all over the world, directing them to carry out an attack that is both large in scale and difficult to attribute given how dispersed the actors are. As with much of new technology, the regulatory environment that constructs a framework for safe and effective use often lags behind, leaving otherwise innocuous devices susceptible to exploitation.

In some cases, threat actors looking to take advantage of technological innovations to expand or improve operations may not fully understand how their activity will have a geopolitical impact. These threat actors may be ignorant of potential consequences or the “domino effect” inherent in such an interconnected environment. Many organizations do not own all of their infrastructure, but use subcontractors and shared service providers instead. Actors may not realize, or not care, if malicious code meant for one target spreads to others, or if a similarly financially motivated attack disrupts a nation’s critical infrastructure sector.

The ability of organizations and individuals to patch their systems has failed to keep pace with fast-increasing numbers of devices and connectivity, new applications of technology, and the speed with which threat actors can find and exploit vulnerabilities. Many of the experts interviewed for this project shared similar concerns about the software architectural design process being fundamentally flawed and therefore more difficult to defend.

The combination of more cyber actors with access to similar tools and fast-evolving technology likely will make it increasingly difficult to distinguish threat actors from each other and from legitimate network activity. Actor motivations are blurrier and their tactics, techniques, and procedures (TTPs) are not always indicative of their targets. For example, as a defense contractor one may assume that the target of a cyberattack would be access to the US Department of Defense’s secure systems; however, nefarious actors may be just as interested in acquiring employees’ personally identifiable information (PII) for fraudulent activities. It is also possible that cyber experts, including former government or military personnel, may not understand the intent of nation-state actors who hire them or they may choose to turn a blind eye until they have become embroiled in an ethically questionable cyber campaign.

Common Approaches to Acquiring Cyber Capability: Buy, Build, Bridge

Based on interviews with experts in academia, industry, and government, we identified three approaches used by threat actors to acquire cyber capabilities: create an indigenous capability, buy a capability from external sources, or use partnerships and purchase as a “bridge” to eventually developing custom capabilities. These strategies likely will remain viable over the long term, continuing a trend of access to capability by an increasing number and range of threat actors. In particular, the ability to buy or bridge capabilities will continue to offer actors with limited skills

5 opportunities to achieve asymmetric advantage. We also assess that sophisticated actors will find value in an expansion of the cyber marketplace and diffusion of cyber tools and capabilities.

Buy: A key evolutionary driver of this diverse landscape is the ability for actors, nation-states and otherwise, to purchase their capabilities, enabling “leapfrogging.” Theoretically, leapfrogging allows an actor who is initially categorized as an emerging threat to become an established threat, assuming the actors also are able to acquire the products, processes, and people to accompany those tools. For actors that purchase their tools, there are tools with high barriers and those with low barriers:

 Some purchased tools may offer a low barrier for the expertise and tradecraft required to employ them. Such tools are often inexpensive, easily customizable, and readily available on the open market. These “off the shelf” tools are easily commoditized and sold in marketplaces.

 Other tools may require significant financial and personnel resources and operational tradecraft to employ. They may be designed to achieve a specific and reliable effect against a specific target in a way that advances an actor’s geopolitical aims.

 While on the surface, tools with high barriers to entry appear to be the most significant threat, experts in the field warn of the dangers associated with low barrier tools. One expert explicitly noted that it is easy for any actor to use a low barrier tool to cast an unspecific effect at any point in time if their goal is not precision, and there are little to no concerns for collateral damage.

The increasing availability of anonymous marketplaces and information exchanges enables efficient collaboration and rapid exchange of information around new tools and exploits. These forums will not dissipate- even after several attempts by law enforcement to curb underground fora and marketplaces, notably, the takedowns of AlphaBay and Hansa in 2017. Despite law enforcement’s best efforts, criminals continue to purchase tools and capabilities for conducting cyberattacks.4 Proliferation of capabilities by way of transaction is the new normal. In addition to established marketplaces for trading cyber tools and tradecraft, the rise of secure channels such as Telegram and Discord further establishes this culture of commoditizing cyber capabilities, facilitating private transactions or exchanges of stolen data, malicious code, or hacking for hire.

Bridge: Aside from purchasing “ready to go” tools or capabilities, actors can also accelerate the acquisition of cyber capabilities and bridge cyber gaps by leveraging the tools and resources of another organization through a partnership. When trying to achieve geopolitical outcomes, for

4 Van Wirdum, Aaron (2019, January 31). Bitcoin Magazine. Chainalysis: Darknet Market Activity Nearly Doubled Throughout 2018. Retrieved from https://bitcoinmagazine.com/articles/chainalysis-darknet-market- activity-nearly-doubled-throughout-2018

6 example, experts identify two types of partnerships that can be drivers for proliferation of capabilities: partnerships with other nation-states and with criminal or private organizations. A partnership between nation-states can expedite the development of capabilities in the lower-tier partner. One expert in the field emphasized that we particularly see this happening surrounding the development of spheres of influence.

Partnerships with criminal or commercial firms (e.g., Dark Matter and NSO Group) provide an avenue for individuals, companies, or nation-states to purchase a broad range of capabilities. Reuters journalists uncovered a partnership between Dark Matter and the UAE government that also utilized American cyber mercenaries and whose mission was to spy on human rights activists, journalists and political rivals.5

Build: While some nation-states elect to purchase their tools and capabilities, those that choose to build their own defensive and offensive capabilities are more likely to be categorized in a higher tier given the sophistication and precision needed to create and use these tools effectively. One academic expert opined that nations seeking to incorporate cyberattack into their military capabilities would eventually seek to develop indigenous capabilities, rather than rely on external sources. Several factors shape the level of indigenous capability that a nation may achieve. Indigenous technical talent is a key factor.

Other Factors: The ability to create organizations and processes that blend operators, developers, analysts, strategists, and even a legal department to conduct operations and manage risk is paramount in developing a robust and sustainable capability. Even a strong network and operational infrastructure from which to operate is key. Infrastructure is important not only for the development of capabilities from which to build and launch attacks, but also, for the defense against external threats. Additionally, a nation-state’s political, economic, social and legal environment are key components to their propensity to develop an organic cyber capability. In addition, leadership buy-in can shape whether cyber emerges as a well-resourced capability that is embraced by military or intelligence organizations as a means of achieving geopolitical aims.

Grand Cyber Arms Bazaar: A Framework for Categorizing Sophistication

One challenge that government and private sector executives will face with the evolving cyber threat landscape is how to posture their organization to minimize surprise around the emergence of new cyber actors and effects. A growing number of nefarious actors are acquiring capabilities from commercial sources, cyber criminals, and open sources. Some are hiring former intelligence and military officers who have cyber expertise. Others are establishing professional cadres to develop, maintain, and use indigenous capabilities. This expanding array of actors increasingly

5 Bing, Christopher and Joel Schectman (2019, January 30). Reuters. Project Raven: Inside the UAE’s Secret Hacking Team of American Mercenaries. Retrieved from: https://www.reuters.com/investigates/special-report/usa- spying-raven/

7 recognize cyber as an asymmetric capability that can be employed below the threshold of armed conflict to signal displeasure with established powers or otherwise deter them.

 This section presents a framework, a “grand cyber arms bazaar,” to help distinguish among a growing range of actors, all having access to advanced capabilities, based on their organizational maturity (advanced, emerging, or opportunistic) and operational intent (collection, profit, or disruption).

 We begin by orienting the reader to the framework at a high level. We then delve into greater detail on two distinguishing factors among threat actors: organizational maturity and operational intent. The next section offers three examples of applying the framework.

Strolling the Grand Bazaar

Our framework is presented in Figure 1 below. The idea of a “grand bazaar” is motivated by the range of cyber tools that are available to the full range of state and non-state threat actors. Nonetheless, these actors likely will achieve varying degrees of success in the cyber realm, despite having access to comparable capabilities. One influencing factor is their ability to “professionalize” cyber capabilities in mature organizations that integrate a mix of technical, operational, and other skills and develop repeatable processes for conducting cyber operations. Another factor is operational intent, which spans a range from simple “smash and grab” collection (theft), to complex operations calibrated to achieve precise and reliable disruptive effects.

 We identify three categories of actors based on increasing levels of organizational maturity: opportunistic, emerging, and established. A few factors can enable actors to quickly “leapfrog” between categories. For example, actors may buy capabilities and talent or develop partnerships that allow them to tap into external capabilities. Leadership emphasis can also drive rapid maturation by directing resources and talent to cyber over other priorities.

 Intent can range from profit to collection to attack. In some cases, it may be possible to draw complexity distinctions among these motives. For example, conducting a cyberattack that achieves reliable and repeatable impact on a critical infrastructure or other target may require an understanding of how that target operates and countering defenders’ efforts to reconstitute. Nonetheless, we acknowledge that mature organizational processes provide a foundation for actors to mount highly sophisticated operations aimed at profit or theft.

8 Figure 1: The Grand Cyber Arms Bazaar Framework

Organizational Maturity

Established Actors: Those with the most advanced, accurate, and agile tools are considered “established” actors. In-house developed tools with wide availability and customization are developed to gain and maintain access to their targets, including those that are well defended. Established actors have extensive resources, including time and money to achieve persistence, and are capable of achieving global reach using advanced tradecraft. They have products, process, and people aligned to them, as well as robust risk management programs to consider and mitigate the effects of exposure. Nation-states who fall in this category have the ability to leverage sophisticated tools to target other nation-states with the intent of driving geopolitical outcomes. Established actors leverage tools like malware, such as Zebocry, to target diplomats, defense officials, and ministry of foreign affairs staff with the aim of stealing login credentials, keystrokes, communications, and sensitive files.6 When these tools are deployed in coordination with military efforts, the scale of impact is markedly wider.7

6 GReAT (2019, August 1). APT trends report Q2 2019. Retrieved from: https://securelist.com/apt-trends-report- q2-2019/91897/ 7 For example, the Russian-backed group Sandworm used a destructive piece of malware called NotPetya to attack Ukraine and through a widely used tax software. Although targeting was regional, NotPetya inadvertently spread on

9 Emerging Actors: Emerging actors include nation-states, criminal organizations, and others who have defined processes, capabilities, and a history of targeted operations. However, there is a clear hallmark of emergent actors: their attempts are not consistently successful to the extent of established actors. They are able to expend resources to strike a target but have no immediate restrike capabilities. While attacks are occasionally successful, impacts are inconsistent. Further, while these actors have some tradecraft, it is limited. These groups have the beginning of organizational maturity, and are on the cusp of developing the products, processes, and people necessary to contend with the “established” actors. Some of these actors are less technology-capable than the established actors, but look to global powers such as China and Russia for ideas. These ideas and resources provided by established powers could lead a low-level actor to become an emerging threat.8 Regardless of whether these nations are buying, building, or bridging their capabilities, they remain a threat to be tracked, especially as their geopolitical interests incentivize the use of cyber weapons.

Opportunistic Actors: Generally, opportunistic actors are associated with low-level cybercriminal activity. The markets in which they operate are dispersed, diverse, and segmented; they are constantly innovating to keep pace with current trends and avoid law enforcement intervention.9 Further, they typically have a small bench size, do not utilize large-scale processes, and are acting for financial gain or to achieve notoriety. These are actors whose methods are not repeatable and tend to be in the “right place at the right time” which is what leads to their success. Although often leveraging open source tools or existing code, some cybercriminals are now reported to be using tools that are more sophisticated and techniques developed and leaked by other actors.10 In the opportunistic category, there are a vast number of entities, organizations, and nation-states with these capabilities, especially as compared with emerging and established actors.

Another method to distinguish emerging and established actors, particularly, is the level of offensive cyber capability. One academic interviewed made a further distinction in offensive cyber capabilities by distinguishing between levels of attack precision, with high precision attacks typically associated with nation-states attempting to achieve a specific effect against a specific target with minimal to no collateral damage. Low precision attacks, which are less complicated and less costly, are normally associated with no specific target or time frame and unconstrained by a global scale, crippling international corporations such as Maersk and Merck as well as shipping, construction, and agriculture industries. 8 Sherman, Justin (2019, July 25). Digital authoritarianism and the threat to global democracy. Retrieved from: https://thebulletin.org/2019/07/digital-authoritarianism-and-the-threat-to-global-democracy/ 9 United States. Cong. House. Committee on Financial Services, Subcommittee on Terrorism and Illicit Finance. Hearing on Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data. Mar. 15, 2018. Washington: GPO, 2018. (statement of Lillian Ablon, the RAND Corporation). 10 Department of Defense, Defense Science Board. 2013. Task Force Report: Resilient Military Systems and the Advanced Cyber Threat. Washington, DC: The Office of the Under Secretary of Defense for Acquisition, Technology and Logistics. Retrieved from: https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber- 081.pdf

10 collateral damage. Another researcher differentiated offensive cyber capabilities by three components:

 People: operators, developers, system administrators, front office personnel, strategic and legal experts, etc.

 Exploits and tools: their origination and usage

 Infrastructure: degree of outsourcing of cyber infrastructure

Figure 2: Example of the Grand Cyber Arms Bazaar Framework

Figure 3: SilverTerrier and Iran

Silver Terrier

Silver Terrier is a Nigerian cybercriminal group known for their business email compromise schemes. One expert considered Nigeria could be the “next” country to rise through the ranks of dangerous or threatening cyber actors. However, examining not only the tools but the motive of their activity, it is clear that Silver Terrier’s current plans do not include driving any geopolitical outcomes (see Figure 2).

Iran

In the early 2000s, many considered Iran to be a lower-tier actor; however, the nation has made drastic improvements in their capabilities, to the surprise of many US military leaders. Iran

11 views cyber weapons as party of the asymmetric military capabilities it can use against countries like the United States, which feeds its intent to continue to rise as an “established” actor.

Operational Intent

One of the most important differentiators among these actors is their motivation. Intentions widely vary for cyber operations but can nevertheless elevate their status between tiers. Examples of intent include financial gain, power or the advancement of political agendas, or geopolitical outcomes (see the “emerging” and “established” categories in Figure 1). Many experts emphasized that it is futile to observe what capabilities actors possess in a vacuum. One of the most important factors in a nation-state’s propensity to be a threat is their intent, and subsequently their willingness to deploy their capabilities.

Financial Gain: Nation-state cyber campaigns tend to be carried out in pursuit of surveillance, espionage, and targeting of adversary critical infrastructure. However, there is another motivator that impacts governments, corporations and individuals alike: profit. Many governments and institutions, particularly financial institutions, have extensive stores of sensitive information which can be easily liquidated for financial gain if a cyber actor is successful. Adversaries leverage crimeware, known vulnerabilities, phishing, spear-phishing, and smash-and-grab techniques to attain financial gain at the expense of their target.11 Actors within this category range from ad-hoc cyber criminals to nation-states whose motivations and hostilities are exacerbated by income loss and international effects of economic sanctions.12

Collection & Surveillance: Beyond using cyber weapons to conduct profit-driven outcomes, threat actors conduct operations with the intent of data collection, surveillance, and espionage. They employ information without the consent or knowledge of their intended target. Actors use these tools to target individuals, groups, industries, or even other nation-states. Collection techniques are also prevalent in regional conflicts, for example, the United Arab Emirates (UAE) has used collection tools such as Karma for a campaign that monitored targets including the Emir of Qatar, Turkish national leadership, and a human-rights activist in Yemen.13

11 United States. Cong. House. Committee on Financial Services, Subcommittee on Terrorism and Illicit Finance. Hearing on Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data. Mar. 15, 2018. Washington: GPO, 2018. (statement of Lillian Ablon, the RAND Corporation). 12 Halpern, Sue (2019, July 18). New Yorker. How Cyber Weapons Are Changing the Landscape of Modern Warfare. Retrieved from: https://newyorker.com/tech/annals-of-technology/how-cyber-weapons-are-changing-the- landscape-of-modern-warfare 13 Schectman, Joel and Christopher Bing (2019, January 30th). Reuters. Exclusive: UAE Used Cyber Super- Weapon To Spy on iPhones Of Foes. Retrieved from: https://www.reuters.com/article/us-usa-spying-karma- exclusive/exclusive-uae-used-cyber-super-weapon-to-spy-on-iphones-of-foes-idUSKCN1PO1AN

12 Activity associated with the Dark Caracal group highlights how cyber capabilities can offer global reach to new cyber actors. Development of collection-driven tools, uncovered by cybersecurity firm Lookout Mobile in partnership with the Electronic Frontier Foundation (EFF), has been linked to the Lebanese government, specifically to the Beirut headquarters of the Lebanese General Directorate of General Security. As described in a report from Lookout Mobile and the EFF, this activity has targeted governments, militaries, various industries, financial institutions, and defense contractors. Data uncovered by Lookout Mobile showed documents, call records, audio recordings, secure messaging content, contact information, text messages, photos and account data that had been collected by the Dark Caracal actors.14

Many, including United Nations Special Rapporteur David Kaye, have raised concerns over the availability of these collection-based tools. Various technologies can be purchased and leveraged by nation-states and used in human rights violations that lead to detention, tortures, and extrajudicial killings.15 The reality of collection efforts spans far beyond simply the monitoring of a person or group’s private information and location—it manifests itself in grievous human rights violations and, in many cases, loss of life.

Offensive Attack: Cyberattacks can occur for a variety of reasons, but their overall motive is generally to inflict damage to their targets. Actors deploy malicious methods to invade, manipulate and execute missions on the intended target. One such prevalent method is the distributed Denial- of-Service (DDoS) attack. Adversaries typically conduct DDoS attacks for political purposes and to support other malicious activities such as distraction, hacktivism, and extortion. Since March of 2019, DDoS attacks have targeted computer systems controlling the power supply in Los Angeles and Salt Lake City; the Central Bank; Ministry of Foreign Affairs; and the Presidential Office of Ecuador, as well as the messaging application Telegram, which China used to investigate demonstrations in Hong Kong.

Nation-states often use offensive attacks to hack and attack the networks of other nation-states and adversaries. For example, the Russian military in June 2017 launched the NotPetya cyberattack against Ukrainian networks. This software, “which quickly spread worldwide, causes billions of dollars in damage across Europe, Asia, and the Americas” and was part of a Russian effort to destabilize Ukraine, according to a White House statement in February 2018. Attacks can have a variety of targets, from governments to private companies. For example, Iranian cyber actors in February 2014 targeted Sands Las Vegas Corporation, according to public statements in early 2015 by then US Director of National Intelligence James Clapper. The attack may have been motivated

14 Lookout. 2012. Dark Caracal, Cyber-espionage at a Global Scale. USA: Electronic Frontier Foundation. Retrieved from: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark- Caracal_srr_20180118_us_v.1.0.pdf 15 Anstis, Siena, Ron Deibert, Miles Kenyon, and John Scott-Railton. Citizen Lab. The Dangerous Effects of Unregulated Commercial Spyware. Retrieved from The Citizen Lab: https://citizenlab.ca/2019/06/the-dangerous- effects-of-unregulated-commercial-spyware/

13 by public comments by the casino’s owner, which may have drawn the ire of Iranian officials. Cyberattacks such as NotPetya and the Sands incident currently are being performed at the hands of advanced and established cyber actors, however, experts fear the ability of emerging or even opportunistic actors to buy, build, and bridge these capabilities.

Applying the Framework: Case Studies

Case Study #1: North Korea

We identify North Korea as an “emerging” actor overall, but they could fall in the “established” category for cyber crime. During the past decade, the North Korean government has sponsored cyber operations of increasing sophistication aimed at financial gain for the regime and intelligence collection. They have also used cyberattack as a means of signaling displeasure for perceived slights to the regime. Across this range of motives, the North Koreans have shown a higher risk tolerance for aggressive cyber activity compared to other emerging actors.

Financially Motivated Activities

The North Korean regime has used cyber means to acquire funds to avoid international sanctions since at least 2015. The vast sums stolen in multiple operations spanning years suggests this country may fall in the “established” category in our framework, at least in the area of cyber crime. Their success likely stems in part from adroit exploitation of technological trends by North Korean cyber actors who have taken advantage of security weaknesses in financial institutions, the difficulty of tracing cryptocurrencies, and global money laundering networks.

 North Korea has used cyber operations to steal as much as $2 billion to generate income and sidestep United Nations (UN)-imposed sanctions, according to press reports in early August 2019 that detailed a still-unpublished UN report.16 The UN experts reportedly were investigating , “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges, and mining activity designed to ear foreign currency” in some 17 countries, according to the same press report.

 A criminal complaint lodged in June 2018 by the US Department of Justice (DOJ) against North Korean actor Park Jin Hyok describes a “wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators” working on behalf of North Korea.17 The complaint implicates these conspirators in the fraudulent

16 BBC. North Korea stole $2bn for weapons via cyber-attacks (2019, August 7). Retrieved from: https://www.bbc.com/news/world-asia-49259302 17 United States District Court for the Central District of California (2018, June 8). Criminal Complaint: United States of America v. Park Jin Hyok, Defendant. Retrieved from: https://www.justice.ggov/opa/press- release/file/1092091/download

14 transfer in February 2016 of $81 million from the Bangladesh Bank and in computer intrusions and cyber heists having attempted losses of over $1 billion from 2015 to 2018.

 A South Korean intelligence agency in early 2018 reportedly informed South Korea’s National Assembly of North Korean involvement in the heist in January 2018 of $526 million from Japanese cryptocurrency exchange Coincheck.18 South Korean intelligence further alleged that North Korean actors had stolen on the order of tens of millions of dollars from South Korean cryptocurrency exchange providers.

Despite North Korea’s success with cyber-enabled theft, the global Wannacry malware outbreak in May 2017 highlights the potential dangers of unintended consequences from cyber operations employing virulent software exploits. This outbreak, attributed to North Korea in late 2017 by then Homeland Security Advisor Tom Bossert, impacted hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries, according to a White House press statement.19

One driver for the malware’s rapid spread was its use of the EternalBlue, an exploit attributed to NSA which an unidentified group known as the Shadow Brokers publicized in April 2017.20 The North Korean actors may have underestimated their ability to control this virulent exploit, despite incorporating a “kill switch” in the Wannacry code.

Collection-Driven Activities

However, beyond simply profit-driven motives, North Korea has been active in the “collection” arena as well. For example, Lazarus Group, a threat group attributed to the North Korean government, deployed Operation Troy in 2009. Operation Troy was a campaign that aimed to spy on and disrupt South Korea’s military and government activities. Lazarus Group carried out their operations using multiple types of malware, which allowed remote access to the targets’ environments.21

18 Nikkei Asian Review (2018, February 6). North Korea Suspected in Coincheck. Retrieved from: https://asia.nikkei.com/Spotlight/Bitcoin-evolution/North-Korea-suspected-in-Coincheck 19 Brady, James S. (2017, December 19). White House Press Briefing. Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea. Retrieved from: https://www.whitehouse.gov/briefings- statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917 20 McNeil, Adam (2018, February 8). MalwareBytes Labs. How Did the WannaCry Ransomworm Spread? Retrieved from: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread 21 Sherstobitoff, Ryan and Itai Liba, James Walter (2018). McAfee. Dissecting Operation Troy: Cyber Espionage in South Korea. Santa Clara, CA: McAfee. Retrieved from: https://www.mcafee.com/enterprise/en- us/assets/white-papers/wp-dissecting-operation-troy.pdf

15 Attack-Driven Activities

Many remember the 2014 Lazarus-led Operation Blockbuster, better known as the Sony Pictures Entertainment Attack. Acting under the name “Guardians of Peace,” North Korean government actors targeted Sony Pictures Entertainment (SPE) networks, employees and their families, as well as proprietary corporate information. Once inside SPE’s network, the actors stole (and leaked) movies and other confidential information and effectively rendered thousands of computers inoperable, according to a DOJ indictment.22 Along with this attack, the group threatened the company against the release of a film that they considered slanderous to the North Korean regime.

The SPE attack illustrates the potential for a regional power to exploit today’s interconnected environment to cause effects within US borders that would not have been possibly previously. The incident also shows the potential for other actors to adopt similar tactics to signal displeasure for US actions, including by the private sector, using means considered short of war.

North Korea’s ability to achieve a finite aim demonstrates an “emerging” level of cyberattack capability. However, it does not show the ability to repeatedly and reliably use cyberattack to achieve clear geopolitical aims, which would be characteristic of an “established” actor in the attack realm.

Drivers

Experts claim that North Korea currently lacks some of the definitional characteristics of an established cyber power; however, several drivers could propel them to the level of an established power over time. North Korea leverages China for elevating its capability through training, and even draws lessons from Chinese military doctrine.23 Aside from political and economic ties to China, North Korea has been reported to train their most promising hackers in Shenyang, a one-hour train ride from the North Korean border.24 As discussed, North Korea is rife with cyber intent from avoiding sanctions to making a geopolitical impact on their enemies. Additional drivers include their “bridging” of capabilities through utilization of advanced cyber criminal networks worldwide.

22 United States District Court for the Central District of California (2018, June 8). Criminal Complaint: United States of America v. Park Jin Hyok, Defendant. Retrieved from: https://www.justice.ggov/opa/press- release/file/1092091/download 23 Kong, Ji Young, Jong In Lim, Kyoung Gon Kim (2019). 2019 International Conference on Cyber Conflict: Silent Battle. The All-Purpose Sword: North Korea’s Cyber Operations and Strategies. Retrieved from: https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf 24 Tribune News Service (2018, February 1). How did barely connected North Korea become a hacking superpower? Retrieved from: https://www.scmp.com/print/news/world/article/2131470/north-korea-barely-wired- so-how-did-it-become-global-hacking-power

16 Case Study #2: Vietnam

Since at least 2012, threat actors allegedly linked to the Vietnamese government have conducted increasingly sophisticated and persistent campaigns targeting various sectors. The activity of Vietnamese-sponsored threat actors, combined with their government signaling increasing investment in cyber capabilities, indicates that Vietnam is an emerging player in cyberspace. Although they are not in the established tier, Vietnam exhibits key drivers, including monetary and personnel investment, as well as leveraging off-the-shelf tools and informal partnerships that will allow the country to rapidly push its cyber power forward across the board.

Collection-Driven Activities

The most prominent actor for Vietnam-based cyber activity is the OceanLotus Group, also known as APT32. This activity was first detected in 2012, when it was observed targeting intellectual property and confidential business information from organizations in China, Vietnam, and the Philippines.25 The group has persisted since it came onto the scene, also targeting human rights organizations, research institutes, and journalists.26 Additionally, OceanLotus has deployed numerous custom-built tools in its operations and at times has persisted on networks for more than a year, highlighting there is likely sizeable investment in the group.27 APT32 represents the most notable example of a threat actor not sponsored by China, Iran, Russia, or North Korea conducting significant activity in support of, and likely sponsored by, a foreign government.28

 This activity provides a canonical example of an emerging collection actor. As more actors gain access to increasingly sophisticated capabilities through various means, it is likely that similar patterns of cyber activity sponsored by other governments will be detected.

Attack-Driven Activities

In early 2018, Vietnam announced the creation of the “Cyberspace Operations Command,” elevating cyber to a top-tier priority.29 The stated intent of the 10,000-strong unit is to “counter

25 Hay Newman, Lily (2017, May 24). Wired. An Up-Close View of the Notorious APT32 Hacking Group in Action. Retrieved from: https://www.wired.com/2017/05/close-look-notorious-apt32-hacking-group-action/ 26 CFR. Cyber Operations Tracker: Ocean Lotus. Retrieved from: https://www.cfr.org/interactive/cyber- operations/ocean-lotus 27 Dahan, Assaf (2017, May 24). Cybereason. Operation Cobalt Kitty: A Large-Scale Apt In Asia Carried Out By The Oceanlotus Group. Retrieved from: https://www.cybereason.com/blog/operation-cobalt-kitty-apt 28 Carr, Nich (2017, May 14). FireEye. Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved from: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html 29 Parameswaran, Prashanth (2018, January 12). The Diplomat. What’s Behind Vietnam’s New Military Cyber Command? Retrieved from: https://thediplomat.com/2018/01/whats-behind-vietnams-new-military-cyber- command/

17 ‘wrong’ views on the Internet.” This development, combined with Vietnam’s strong collection capabilities, could lay an organizational and technical foundation for creating a cyberattack capability should future regional dynamics in South East Asia warrant.30

 Press reports from mid-2017 linking APT32 to the public disclosure of sensitive Philippine government documents, including the transcript of a call between Philippine President Rodrigo Duterte and the US President, suggest that Vietnam may have begun to apply its cyber collection capabilities to hack-and-leak operations aimed at embarrassing a regional regime.31 This tactic may arise in the future as a first foray by other emerging cyber actors into offensive cyber operations that seek effects beyond collection and surveillance.

Financially-Motivated Activities

Another factor in the mix is the rise of Vietnamese cybercriminal actors, reportedly an intended target of the country’s controversial cyber law.32 While there are not any reported occurrences of Vietnam coopting cybercriminals within its borders to achieve the goals of the state, this trend has been a common way for other nation-states to enhance capabilities and expand its attack surface. A recently shuttered Vietnamese hacking website had a membership of more than 14,000 before it was shut down, highlighting the growing cyber talent within the country whose threat actors are also allegedly involved in globally well-known underground forums.33

Drivers

Vietnam is committed to aggressive economic growth and enhancing the competitiveness of its domestic industries; the operation of APT32 to date point to the government’s willingness to engage in cyber operations to achieve those goals. Vietnamese officials have echoed the idea that cyberspace is critical for the security and development of the country.34

30 Nguyen, Mi (2017, December 26). Reuters. Vietnam unveils 10,000-strong cyber unit to combat 'wrong views' Retrieved from: https://www.reuters.com/article/us-vietnam-security-cyber/vietnam-unveils-10000-strong-cyber- unit-to-combat-wrong-views-idUSKBN1EK0XN 31 Bing, Chris (2017, May 31). CyberScoop. A Stolen Trump-Dutere Transcript Appears to be just One Part of a Larger Hacking Story. Retrieved from: https://www.cyberscoop.com/apt-32/trump-duterte-hacking-xi-jinping- vietnam 32 Lindsey, Nicole (2019, January 14). CPO Magazine. Vietnam’s Controversial New Cyber Law Could Entangle Google and Facebook in a Battle Over Freedom of Speech. Retrieved from: https://www.cpomagazine.com/cyber- security/vietnams-controversial-new-cyber-law-could-entangle-google-and-facebook-in-a-battle-over-freedom-of- speech/ 33 Vijayan, Jay (2019, June 5). Dark Reading. Vietnam Rises as Cyberthreat. Retrieved from: https://www.darkreading.com/attacks-breaches/vietnam-rises-as-cyberthreat-/d/d-id/1334890 34 Parameswaran, Prashanth (2018, January 12). The Diplomat. What’s Behind Vietnam’s New Military Cyber Command? Retrieved from: https://thediplomat.com/2018/01/whats-behind-vietnams-new-military-cyber- command/

18 Case Study #3: Artem Radchenko and Oleksander Ieremenko

A 16-count indictment unsealed in January 2019 charged Ukrainian nationals Artem Radchenko and Oleksander Ieremenko with securities fraud conspiracy, wire fraud, and computer fraud, according to a public release from the US DOJ.35 The indictment alleges that these individuals hacked into the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system operated by the US Securities and Exchange Commission in order to steal thousands of files including annual and quarterly earnings reports containing confidential, non-public, financial information, which publicly traded companies disclose to the SEC. This activity allegedly occurred from February 2016 through March 2017. Radchenko and Ieremenko allegedly used a series of targeted cyberattacks, including directory traversal, phishing, and infecting computers with malware. The indictment further alleges that Radchenko recruited to scheme traders who were provided with stolen test filings, which often contain information similar to corporations’ final filings, so they could profit by trading on the information before the investment went public.

 This activity fits the profile of an emerging, profit-driven non-state cyber actor. Radchenko and Ieremenko identified and used cyber means to target a high-profile SEC database containing sensitive corporate earnings information. They successfully exfiltrated data over an extended time period and worked with recruited traders to use the stolen information for profit. However, these actors prior to their indictment did not demonstrate an ability to scale their operation to illicitly obtain vast sums comparable to other cyber crime actors, such as those tied to the North Korean government.

Policy Challenges: Deterrence, Redlines, and Escalation

The lack of rules and consequences within the cyber realm has resulted in several policy challenges, namely, a de facto tolerance of cyber operations that fall below a clear threshold of war. This tacit acceptance creates inertia for moving towards a consensus - and is driven by immature approaches to deterring cyber activity and a lack of international consensus on norms to guide nation-state behavior in cyberspace, including clear redlines for when cyber effects become an act of war. The current climate is one in which cyber activity that crosses an unclear threshold or causes unintended consequences could escalate into armed conflict. Furthermore, an absence of established norms to guide nation-state and non-state actors’ behavior exacerbates confusion over the status of private sector companies, and how commercial entities that offer cyber services and capabilities should operate. This section addresses the challenges of deterrence, norms and redlines, and escalation.

35 United States. Department of Justice, Office of Public Affairs (2018, January 15). Two Ukrainian Nationals Indicted in Computer Hacking and Securities Fraud Scheme Targeting U.S. Securities and Exchange Commission. Retrieved from: https://www.justice.gov/opa/pr/two-ukrainian-nationals-indicted-computer-hacking-and-securities- fraud-scheme-targeting-us

19 Dearth of Effective Approaches to Deterrence

While it can be argued that Western deterrence and policies in a traditional sense have led to a state of relative peace since 1945, this same policy-driven leadership has not been present when it comes to the use and regulation of cyber capabilities. Western governments have not been consistent in their response to hold actors accountable for cyber incidents.36 This is in part due to the diverse set of actors in cyberspace, the creation of policy reactively, and the difficulty of attribution when it comes to cyberattacks.

Non-state actors represent a unique challenge to deterrence because they are often not susceptible to diplomatic or military suasion in the same manner as nation-states. Several government officials advised that the problem with holding non-state actors accountable is that retaliatory actions and policy standards such as sanctions and treaties are not applicable, because they are not government entities and typically do not have the same concern about the opinions of the international community. These groups also often lack clear territory or physical locations that can be targeted by military means, or they may reside in countries that tolerate such activity where the use of military force would not be feasible for other reasons.

In the past, the US (DoD in particular) has acknowledged there is an issue with cybersecurity policy and has outlined strategies going forward. However, there remains a lack of effective policy development, response to incidences, and metrics to determine progress.37 Further, US decision- making and policy has been reactive rather than proactive, and driven by specific events such as distributed denial of service (DDoS) attacks against the US financial sector between late 2011 and mid-2013, which led to the indictment in early 2016 of seven Iranian actors employed by two firms that had performed work on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps.38 Those attacks caused hundreds of thousands of customers to be unable to access their accounts and resulted in companies losing tens of millions of dollars in remediation costs. Incidences such as these have led the United States to indict and publicly attribute the activity of nation-state actors as part of attempts to dissuade these actions.39,40,41 The efficacy of this kind of

36 Department of Defense, Defense Science Board. 2013 . Task Force Report: Resilient Military Systems and the Advanced Cyber Threat. Washington, DC: The Office of the Under Secretary of Defense for Acquisition, Technology and Logistics. Retrieved from: https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber- 081.pdf 37 ibid. 38 United States. Department of Justice, Office of Public Affairs (2016, March 24). Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector. Retrieved from: https://www.justice.gov/opa/pr/seven-iranians-working- islamic-revolutionary-guard-corps-affiliated-entities-charged 39 ibid. 40 United States District Court for the District of Columbia (2018, February 16). Indictment. United States of America v. Internet Research Agency LLC A/K/A Mediasintex LLC, etc., Defendants. Retrieved from: https://www.justice.gov/opa/press-release/file/1035562/download 41 ibid.

20 policy is debatable, and its creation does not place the US at the forefront of developing international cyber policy that will shape the future; rather, it creates policy that correlates to historical incidents.42 There is also hesitation with enacting effective policy and response because of the difficulty in attributing or possibly misattributing cyber activity. The United States’ history of reactive cyber policies and failure to enact clear and consistent responses has helped facilitate a de facto norm for acceptance of certain types of offensive cyber activity by foreign threat actors.

Lack of Redlines

The lack of clear international norms regarding the use of cyber capabilities has led to the creation of unwritten rules among cyber actors on how to operate.43 The default “red line” that has been drawn among nation-states is defined by the use of cyber capabilities with consequences that lead to war, and anything below that line being acceptable. The problem with this redline is that there is no consistency on what the range of cyber behavior should be below this threshold. Several experts mentioned that countries such as China, Russia, Iran, and North Korea all seem to be more tolerant of operational and diplomatic risk than the West. The imprecision of the redline becomes more of an issue when considering non-state actors who have little regard for law that is clearly written.

 One aspect of this environment is the lack of clear norms related to cyber operations against private sector companies.44 Some foreign actors pursue this tactic as a means of applying pressure on the US short of war to change its policies or to drive an ideological agenda.

 The emergence of private sector firms and criminal groups that are willing to sell cyber capabilities has made this environment more tenuous,45,46 as there are also no agreed upon international regulations guiding what types of capabilities are acceptable to create and sell.

42 Pomerleau, Mark (2019, February 21). Fifth Domain. New Report Questions Effectiveness of Cyber Indictments. Retrieved from: https://www.fifthdomain.com/industry/2019/02/21/new-report-questions-effectiveness-of-cyber- indictments/ 43 Ranger, Steve (2018, December 4). ZDNet. What is cyberwar? Everything you need to know about the frightening future of digital conflict. Retrieved from: https://www.zdnet.com/article/cyberwar-a-guide-to-the- frightening-future-of-online-conflict/ 44 Ranger, Steve (2014, April 24). TechRepublic. Inside the Secret Digital Arms Race: Facing the Threat of a Global Cyber War. Retrieved from: https://www.techrepublic.com/article/inside-the-secret-digital-arms-race/ 45 Stockton, Paul and Michele Golabek-Goldman (2013). Yale Law & Policy Review, Volume 32, Issue 1, Article 11. Curbing the Market for Cyber Weapons. Retrieved from: https://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1660&context=ylpr 46 Zilber, Neri (2018, August 31). The Rise of Cyber Mercinaries. Retrieved from: https://foreignpolicy.com/2018/08/31/the-rise-of-the-cyber-mercenaries-israel-nso/

21 Although there has been dialogue about creating rules for cyber conflict and operations, such as the Tallinn Manual, Tallinn Manual 2.0,47 and Digital Geneva Convention proposed by Microsoft,48 there is still no agreement across the international community. An academic noted that the redline has been continually moving towards more destructive behavior,49 with incidents such as Stuxnet, WannaCry, and NotPetya, which leads to the potential for escalation and unintended consequences.

Escalation and Unintended Consequences

As cyber effects move increasingly closer to what are universally viewed as acts of war, there is the increasing potential to cross a redline that elicits kinetic or military response. The lack of agreed-upon redlines in this area introduces a risk of miscalculation among nations, particularly in crisis situations. Governments may operate under differing perceptions that may or may not be evident to their rivals. A cyberattack occurring during a period of inflamed tensions could unintentionally place a government in a situation in which it would have to respond to assuage popular anger or maintain credibility in other diplomatic or military arenas. The possibility of a cyber operation causing unintended consequences adds further risk.

 One academic noted that in some cases cyberattack may be perceived as a non-escalatory tactic that could be used when kinetic means may not be desirable, but cautioned that cyber has not yet been escalatory. In this vein, the academic offered the example of the US drone shot down in June 2019 by Iran’s Islamic Revolutionary Guard Corps. The expert explained that this incident likely involved some calculus by the government of Iran; shooting down the drone would send a message without the provocative impact of causing US casualties. The expert, noting press reports of an alleged US cyber response, suggested that this tactic offered an “escalation-controlled” response because no Iranians would die. However, the expert cautioned that the alleged cyber response could risk unintended consequences or a “tit-for-tat” cyber dynamic, both of which could have escalatory consequences.

 An actor not governed by rules could underestimate the potential destruction a cyber capability has, overestimate their ability to maintain control of a capability, or simply act

47 NATO Cooperative Cyber Defence. Tallinn Manual 2.0. Retrieved from: https://ccdcoe.org/research/tallinn- manual/ 48 Guay, Joseph and Lisa Rudnick (2017, June 25). UNHCR Innovation Service. What the Digital Geneva Convention Means for the Future of Humanitarian Action. Retrieved from: https://www.unhcr.org/innovation/digital-geneva-convention-mean-future-humanitarian-action/ 49 Gertz, Bill (2017, November 16). Free Beacon. NSA: Cyber Attacks Are Becoming More Sophisticated, Aggressive, and Disruptive. Retrieved from: https://freebeacon.com/national-security/nsa-cyber-attacks-becoming- sophisticated-aggressive-disruptive/

22 recklessly. This was observed in NotPetya and Stuxnet, where these capabilities propagated beyond their initial intended victims.

A Few Futures to Consider

We describe two alternative futures that represent potential boundary cases for geopolitical impacts resulting from the global diffusion of cyber capabilities in what amounts to a “grand cyber arms bazaar.” In one extreme, the complexity and volatility of this dynamic, as described in previous sections, results in a rapid escalation of tensions between actors that has the potential of crossing the threshold of armed conflict. In the other scenario, the global community reaches a diplomatic, technological, or other inflection point that changes the current dynamic of rapid diffusion of capabilities applied by an increasing number of actors without clear norms or restraints.

Scenario A: Rapid Escalation

This scenario walks through how a combination of factors, both cyber and non-cyber, could collectively lead to an escalation of tensions between two nations, potentially leading to kinetic action. We assume the current trends of wide availability of cyber tools, an increasing number of actors, and lack of norms or other restraints continue unabated. In this environment, foreign actors take increasingly risky actions with little regard for repercussions, or their cyber capabilities cause unintended collateral effects. Technology also continues its rapid advance, with increasingly interconnected technologies being incorporated into critical infrastructures and virtually every aspect of everyday life. This increases the chances of a cyber event causing physical harm that crosses a kinetic response threshold. Attribution of cyber activity also remains challenging and some governments employ non-state actors to “jump start” their capabilities or operate with plausible deniability.

In the West, interaction between the government and private sectors has not evolved to meet the threat. Without public-private partnerships that evolve with cyber developments and threats, the ability to mitigate tensions becomes more difficult. Without well-established effective partnerships, governments are slower to respond and keep up with cybersecurity developments or work with the private sector to bring about appropriate regulations and unified information sharing practices. Without the support or mandate from the public sector to set effective cyber policy, companies in the private sector may not be equipped or incentivized to allocate enough of their budget to cybersecurity.

It is not difficult to visualize a situation where in an already fragile environment, one miscalculated attack can spark a series of responses that could include steps nearing a physical attack. In this instance, a state actor known as Country X has temporarily employed the cyber capabilities of a domestic criminal organization. This criminal organization has been testing out adversarial artificial intelligence (AI) on vehicles and successfully altered some of the vehicle’s systems.

23 Country X is developing its own capabilities but uses non-state actors as it builds its own arsenal and tests out new tactics under the guise of the criminal organization. While it hopes to develop skills to launch sophisticated, targeted attacks on power-grids or financial systems should the need and opportunity arise, Country X first assesses and learns from the capabilities of the criminal organization. It directs the criminal organization to continue conducting progressively more sophisticated attacks on its behalf. While some attacks are discovered, none result in significant responses.

A controversial global event could motivate the criminal organization to set off a series of simultaneous cyberattacks using their adversarial AI that result in significant financial losses, sensitive data leaks, and/or the fear of possible destruction of life and property. Whether these effects were intended and whether the criminals were acting at the behest of Country X remain unclear. To make it worse, the criminals access and release massive volumes of personally identifiable information (PII) and a host of sensitive documents from more than 20 countries. The effects of this incident are particularly severe in Country Y, which is a regional rival of Country X.

While not taking a toll on human life, the overly aggressive cyberattack was unexpected in its range of impact. Suspicions immediately arise regarding Country X’s culpability. However, there are no defined parameters or norms to determine how to respond to an unattributed or potentially misattributed attack. The criteria under which a cyberattack crosses a threshold for kinetic response have not been universally agreed upon, although attacks on financial systems and institutions, nuclear systems, and disruption of defense activities are likely agreed upon actions that prompt war.50

As noted, Country Y, a regional rival of Country X, was significantly impacted by the incident. Tensions have been simmering for some time over a disputed territory. There have recently been armed clashes, and a Country X-linked insurgent group in the past month conducted a suicide attack in Country Y’s capital. The cyber incident further inflames Country Y’s population. Protests erupt demanding a response, and Country Y’s government is finding it difficult to back down.

Scenario B: Inflection Point

At some point, the trends identified in the previous section reach an inflection point that drives collective action to contain the cyber drivers of geopolitical instability. This might come in the aftermath of an incident that clearly demonstrates the dangers of global cyber diffusion without norms or restraints. Perhaps a cyber event takes an entire nation offline and paralyzes it with no

50 McDavid, Saundra (2017, July 31). When Does a Cyber Attack Become an Act of War? Retrieved from: https://incyberdefense.com/news/cyber-attack-become-act-war/

24 choice but to seek de-escalation.51 Such an incident might arise as a cyber analog to the Cuban Missile Crisis of 1962, but likely would not have the same stakes for human existence. The emergence of a new technology could also act as a restraining factor. For example, the integration of AI capabilities could lead to a fundamental shift in the balance between cyber offense and defense that favors the latter.

However it arises, this inflection point has led to cyber norms and the creation of communication channels between governments and the private sector that are designed for use in fast-breaking cyber incidents. Intelligence sharing protocols, to determine attribution for example, are created amongst cooperating organizations. While cyber consultants and advisors have dominated the market for best cybersecurity practices and deterrence services, global institutions begin looking at the macro level legal, privacy, and security implications of cyber advancements and threats.

In this environment, Country X would carefully consider its relationship with the cyber criminal organization. If discovered, the relationship would result in diplomatic or economic consequences designed to outweigh the benefits of having an offensive cyber capability. In addition, this post- inflection environment offers several inducements for Country X to refrain from acquiring destabilizing cyber capabilities.

During a period of tension between Country X and Country Y, the criminal organization based in Country X unleashes a cyber incident with effects comparable to the previous section. As before, this comes in the context of rising tensions with Country Y over disputed territory and a Country X-linked suicide attack in Country Y’s capital.

Country Y’s government now taps into pre-established communication channels with allied governments as well as Country X. They gain the benefit of timely attribution insights from more technologically advanced countries, which clear the government of Country X. It is determined that the criminal organization’s malware went further than intended. Country Y’s government wishes to avoid war, and it uses the legitimacy of the international findings as a pathway to de-escalate cyber-driven tensions with Country X.

Conclusion and Recommendations

Over the past decade, we have witnessed the emergence of a “grand cyber arms bazaar.” This phenomenon allows a range of nation-states and non-state actors to access tools for financial gain, collection and surveillance, or cyberattack, which will in turn exert an increasing influence on geopolitical, economic, and military balances as an increasing number of actors move from

51 Morgus, Robert and Justin Sherman (2019, May 17). Just Security. When To Use the ‘Nuclear Option?’ Why Knocking Russia Offline Is a Bad Idea. Retrieved from: https://www.justsecurity.org/64094/when-to-use-the- nuclear-option-why-knocking-russia-offline-is-a-bad-idea/

25 opportunistic to emerging and established cyber powers. This trend brings a host of implications for executives in the private and public sectors and for the relationship between the public and private sectors in the West.

 Executives in both sectors must posture their organizations for a growing risk of surprise in cyberspace. This trend will be driven by the emergence of new threat actors, the availability of advanced tools, and new vulnerabilities that emerge as technology and interconnectivity advance faster than our ability to control risk and mitigate vulnerability.

 As more actors use cyber effects to advance geopolitical aims, organizations increasingly will need to integrate world events into their network defense processes. Threat intelligence will need to evolve from incorporating indicators of compromise gleaned from detected cyber activity. It will become increasingly important to use geopolitical cues to prioritize finite cyber defense resources, particularly as private sector firms increasingly become front-line targets for foreign actors seeking to shape Western policy short of war. Most firms probably lack mature procedures for doing this.

 Grappling with an increasing risk of surprise will require proactive efforts to increase the operational and technical resilience of organizations. This could include “grease pencil” procedures based on voice and paper communications for operating in the face of sustained degradation to computing and network environments. Technical resilience measures may extend to increased attention to unseen risks in supply chains and third- party vendors and designing computers and networks that incorporate architectural features designed to slow down and contain attackers. Most firms probably have not invested significant effort in these endeavors.

 Government entities, researchers, and think tanks can likely assist public and private sector organizations in posturing for this new environment by developing standards and template processes for using geopolitical analysis to drive cyber defense and maintaining operational resiliency in an increasingly hostile cyber environment.

 Senior executives can prepare their workforces for this environment by developing a consistent and multi-dimensional communications strategy used at all management levels that conveys a sense of urgency in preparing for the new risk environment and identifies high-level priorities and milestones. Senior executives can hold themselves, the management team, and workforce accountable for security and resilience and recognize best practices through bonuses or other rewards. One important undertaking is a deliberate conversation about the appropriate investment in resilience to mitigate a perceived level of future risk.

26  New approaches for government and private sector collaboration must be created to ensure national security as private sector firms increasingly become “front line” targets for foreign actors seeking to shape Western policy. Restrictions against the government providing competitive advantage to private firms may need to be updated to reflect this new environment, while still preserving the original intent. Repeatable collaboration processes should define roles and responsibilities of private firms and the various government entities that have a role in protecting national security and conducting law enforcement. These processes must reflect private sector concerns about how information sharing impacts their relationship with regulators. Finally, the clear thresholds should be articulated that help the public and private sectors know when they must come together in the national interest. Most cyber activity will not rise to such threshold.

27 Appendix 1: Comparison of Concerns and Analytical Challenges Across Industries

Industry Concern Analytical Challenge It is almost certain that hackers are trying to infiltrate financial institutions to steal and sell data. The Manipulation or hacking of a critical response a state has to that situation institution (whether an actual exchange versus a bad actor that wants to use a or a large financial institution) could Financial cyberattack to take down, manipulate, have lasting and significant global or disrupt the financial system will impacts that could set a state in motion likely be more severe. Fully towards a dual cyber and kinetic war. understanding the drivers and motivators in this instance is imperative. The role of AI and IoT is increasing, particularly in the transportation Vulnerabilities are becoming more industry as mentioned in the scenario numerous as a result of more Transportation above. These technological sophisticated software that is lacking advancements increase the opportunity equally sophisticated defense for attack and can have physically mechanisms to protect it. damaging consequences. The risk of an APT is heightened which makes understanding the A disruption to the supply chain could sophistication of a state and its cyber have global impacts. Industrial capabilities important to defend All espionage and intellectual property against and also determine disputes can increase tension between attribution. Third parties must meet states and contribute to the risk of war. security standards, otherwise the whole supply chain or significant portions of it are at heightened risk. The risk of losing personnel can be Programmed/unmanned military reduced if a machine, drone, or equipment utilized in physical unmanned weapon can be programmed warfare could have a significant to conduct an attack. A misjudged effect on how a state thinks about cyberattack could have major war, the rules surrounding war, and Military consequences and/or collateral damage. the consequences of going to physical A lack of defense to protect military war. For less-transparent states or resources could also be a game-changer non-states, this will likely increase on both sides (the attacker and the the risk of miscalculated attacks with attacked). greater collateral damage.

28 Appendix 2: India-Pakistan Case Study

There is substantially less awareness in open-source information regarding the capabilities of India and Pakistan in the offensive cyber dimension, yet some glimpses of what may be underway, combined with educated analysis of potential capabilities, suggests that groups aligned with both are slowly developing a range of more sophisticated capabilities. In 2018, news reports noted that in response to an escalation by Pakistani hackers against India’s telecom and national research institutes, the Indian government was establishing a joint agency for cyber warfare.52 Whether these entities and groups engaged in carrying cyber operations would spill over outside the regional conflict would be one concern – another is the history of proliferation of other military capabilities and whether that may become an issue. A recent example suggests that collateral effects are taking place.

One glimpse behind the curtain came in 2018, when researchers at Lookout Security Intelligence uncovered a campaign targeting government officials, including diplomats and military in Pakistan, Afghanistan, India, Iraq and the UAE.53 The targets included activists, and some collateral collection also took place involving US, Australian and German government officials. Lookout attributed the campaign to the Pakistani military – and observed that it relied on compromising mobile devices with Android and iOS operating systems. Much of the observed activities involved intelligence collection from the targets.

Lookout also noted that they observed spyware tools offered for commercial sale sharing some similarities with the tools used by the Stealth Mango and Tangelo groups—which is another example of the easy transfer of knowledge and technology between nation-state groups and commercial hackers.54 A side benefit of the commonality in the types of tools used—as the Lookout researchers noted—is that the compromise of these tools does not carry the cost that is often required to exploit an unknown vulnerability, a so-called zero day. This likely makes the threat actors far more willing to deploy the tools more aggressively.55

52 The Economic Times (2018, July 14). India Is Quietly Preparing A Cyber Warfare Unit To Fight A New Kind Of Enemy. Retrieved from: https://economictimes.indiatimes.com/news/defence/india-is-quietly-preparing-a-new- warfare-unit-to-fight-a-new-kind-of-enemy/articleshow/61141277.cms?from=mdr 53 Blaich, Andrew and Michael Flossman (2018, May 15). Lookout. Stealth Mango And Tangelo: Nation State Mobile Surveillanceware Stealing Data From Military & Government Officials. Retrieved from: https://blog/lookout.com/stealth-mango 54 ibid. 55 Curits, Franklin (2018, July 26). DarkReading. Stealth Mango Proves Malware Success Doesn't Require Advanced Tech. Retrieved from: https://www.darkreading.com/endpoint/privacy/stealth-mango-proves-malware- success-doesn’t-require-advanced-tech/d/d-id/1332408

29 Acknowledgements

When we began this project, the grand scope of the question challenged us to narrow, define, and refine—without forgoing this unique opportunity—to bring a fresh perspective on an emerging trend.

This team would like to thank the Analytic Exchange Program organizers, specifically, Tammy Padilla and her team, for their stewardship in tackling this broad, complex topic. We appreciate the support of the Department of Homeland Security and the Office of Director of National Intelligence - AEP is a leading exemplar of public-private partnership and innovation in intelligence.

Any errors or analytical shortcomings are our own, and do not represent our respective organizations. We are grateful to the individuals and organizations listed below for their contributions, whether insight, comments, or contacts. We spoke and interacted with over 50 experts across sectors, and for privacy and security reasons, not all of them are named here.

We hope that this partial list reflects the diversity of the contributors to this product, while also acting as a reminder that many of those who provide service don’t ask for credit.

Andrea Limbago James Mulvenon Robert K. Knake Chief Social Scientist SOS International Northeastern University Virtru Jason Healey Senior Research Scholar Steve Brown Catherine Lotrionte Columbia University’s School National Crime Agency, United Georgetown University of International and Public Kingdom Affairs Jeff Fields Tim Maurer Chris Hurst Supervisory Special Agent Cyber Policy Initiative Stabilitas Federal Bureau of Investigation Carnegie Endowment for (FBI) International Peace Troels Oerting David Forscey John Fant Chairman of the Advisory Board Aspen Institute Peraton of the Centre for Cybersecurity World Economic Forum David Gioe Kevin Allison Army Cyber Institute, A Large Financial Institution Eurasia Group West Point

30 Duncan Hollis Temple University Laura Galante A US geopolitical risk advisory School of Law Galante Strategies firm Carnegie Endowment for International Peace Erica Borghard Nicole Eshenbaugh Federal Bureau of Investigation Army Cyber Institute, Kroll Cyber Risk (FBI) West Point Nina Kollars Galina Antova Associate Professor Naval War Large Global Investment Bank Claroty College Harvey Rishikof Omar Khawaja Senior Counselor Simon Everett, Ltd. HM Health Solutions, Inc. ABA SCOLANS Pablo Breuer James Bosworth Sofwerx The National Cyber-Forensics Founder Donovan Group, US Special and Training Alliance (NCFTA) Hxagon, LLC. Operations Command University of Pittsburgh Institute for Cyber Law, Policy, and Security.

31 Commodification of Cyber Capabilities Team Members

Munish P. US Government Megan Foster FS-ISAC Kyle H. US Government Dana M. US Government Suzel S. US Government Guillermo Christensen Ice Miller LLP Pipps Nash Tony Porter FON Advisors Aaron Henry FireEye Clare Boyle US Government

32 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc

 

Threat Research Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

December 14, 2017 | by Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer

MALWARE ICS SECURITY

Introduction

Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

Malware Main Modules Description Family

Main executable trilog.exe leveraging libraries.zip

TRITON Custom communication library.zip library for interaction with Triconex controllers.

Table 1: Description of TRITON Malware

Incident Summary

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message.

We assess with moderate confidence that the attacker inadvertently shutdown operations while developing the ability to cause physical damage for the following reasons:

Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences. TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check. The failure occurred during the time period when TRITON was used. It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.      Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 1/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc Attribution   FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state. The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well- resourced nation state actor. Specifically, the following facts support this assessment:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented suggesting the adversary independently reverse engineered this protocol.

The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.

Background on Process Control and Safety Instrumented Systems

     Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 2/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc

 

Figure 1: ICS Reference Architecture

Modern industrial process control and automation systems rely on a variety of sophisticated control systems and safety functions. These systems and functions are often referred to as Industrial Control Systems (ICS) or Operational Technology (OT).

A Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control an industrial process. It is a computerized control system consisting of computers, software applications and controllers. An Engineering Workstation is a computer used for configuration, maintenance and diagnostics of the control system applications and other control system equipment.

A SIS is an autonomous control system that independently monitors the status of the process under control. If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.

Asset owners employ varied approaches to interface their plant's DCS with the SIS. The traditional approach relies on the principles of segregation for both communication infrastructures and control strategies. For at least the past decade, there has been a trend towards integrating DCS and SIS designs for various reasons including lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS. We believe TRITON acutely demonstrates the risk associated with integrated designs that allow bi-directional comm unication between DCS and SIS network hosts. Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 3/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc Safety Instrumented Systems Threat Model and Attack Scenarios  

Figure 2: Temporal Relationship Between Cyber Security and Safety

The attack lifecycle for disruptive attacks against ICS is similar to other types of cyber attacks, with a few key distinctions. First, the attacker’s mission is to disrupt an operational process rather than steal data. Second, the attacker must have performed OT reconnaissance and have sufficient specialized engineering knowledge to understand the industrial process being controlled and successfully manipulate it.

Figure 2 represents the relationship between cyber security and safety controls in a process control environment. Even if cyber security measures fail, safety controls are designed to prevent physical damage. To maximize physical impact, a cyber attacker would also need to bypass safety controls.

The SIS threat model below highlights some of the options available to an attacker who has successfully compromised an SIS.

Attack Option 1: Use the SIS to shutdown the process

The attacker can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Implication: Financial losses due to process downtime and complex plant start up procedure after the shutdown.

Attack Option 2: Reprogram the SIS to allow an unsafe state

The attacker can reprogram the SIS logic to allow unsafe conditions to persist. Implication: Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety) due to a loss of SIS functionality.

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard

The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately. Implication: Impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.

Analysis of Attacker Intent    Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 4/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc We assess with moderate confidence that the attacker’s long-term objective was to develop the capability to cause a physical consequence. We base this on the fact that the attacker initially obtained a reliable foothold on the DCS and  could have developed the capability to manipulate the process or shutdown the plant, but instead proceeded to compromise the SIS system. Compromising both the DCS and SIS system would enable the attacker to develop and carry out an attack that causes the maximum amount of damage allowed by the physical and mechanical safeguards in place.

Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due one of the attack scripts’ conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.

Of note, on several occasions, we have observed evidence of long term intrusions into ICS which were not ultimately used to disrupt or disable operations. For instance, Russian operators, such as Sandworm Team, have compromised Western ICS over a multi-year period without causing a disruption.

Summary of Malware Capabilities

The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).

The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.

Recommendations

Asset owners who wish to defend against the capabilities demonstrated in the incident, should consider the following controls:

Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network. Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events. Implement change management procedures for changes to key position. Audit current key state regularly. Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS. Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP. Monitor ICS network traffic for unexpected communication flows and other anomalous activity.

     Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 5/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc

 

Figure 3: Triconex Key Switch (source)

Appendix: Technical Analysis

Figure 4: TRITON Architecture and Attack Scenario

TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite. The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.

Trilog.exe took one option from the command line, which was a single IP address of the target Triconex device. It did not leverage the underlying TRITON library’s capability for Triconex device discovery, instead an instance of trilog.exe had to be invoked separately for each target controller in the environment. Once invoked, trilog.exe checked the status of the controller, then read the configuration information exposed by the TriStation protocol. If the controller was in a running      Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 6/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc state, trilog.exe encoded the two payload files inject.bin and imain.bin and passed them to the communication libraries to be appended to the controller’s program memory and execution table. 

After payload files were inserted into memory on the Triconex controller, the script initiated a countdown, periodically checking the status of the controller. If an error was detected, the communication library’s method SafeAppendProgramMod attempted to reset the controller to the previous state using a TriStation protocol command. If this failed, trilog.exe attempted to write a small ‘dummy’ program to memory. We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller.

Working with the asset owner, Mandiant ran trilog.exe in a lab environment with a valid Triconex controller and discovered a conditional check in the malware that prevented the payload binary from persisting in the environment. Mandiant confirmed that, after correcting patching the attack script to remove this check, the payload binary would persist in controller memory, and the controller would continue to run.

TRITON implements the TriStation protocol, which is the protocol used by the legitimate TriStation application, to configure controllers.

TsHi is the high-level interface created by the malware’s authors that allows the threat actor’s operators to implement attack scripts using the TRITON framework. It exposes functions for both reconnaissance and attack. The functions generally accept binary data from the user, and handle the code ‘signing’ and check sums prior to passing the data to lower level libraries for serialization on to the network.

TsBase, another attacker-written module, contains the functions called by TsHi, which translate the attacker’s intended action to the appropriate TriStation protocol function code. For certain functions, it also packs and pads the data in to the appropriate format.

TsLow is an additional attacker module that implements the TriStation UDP wire protocol. The TsBase library primarily depends on the ts_exec method. This method takes the function code and expected response code, and serializes the commands payload over UDP. It checks the response from the controller against the expected value and returns a result data structure indicating success or a False object representing failure.

TsLow also exposes the connect method used to check connectivity to the target controller. If invoked with no targets, it runs the device discovery function detect_ip. This leverages a "ping" message over the TriStation protocol using IP broadcast to find controllers that are reachable via a router from where the script is invoked.

Indicators

Filename Hash

MD5: 6c39c3f4a08d3d78f2eb973a94bd7718 trilog.exe SHA-256: e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230

MD5: 437f135ba179959a580412e564d3107f imain.bin SHA-256: 08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949

MD5: 0544d425c7555dc4e9d76b571f31f500 inject.bin SHA-256: 5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14

MD5: 0face841f7b2953e7c29c064d6886523 library.zip SHA-256: bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59

TS_cnames.pyc MD5: e98f4f3505f05bf90e17554fbc97bba9 SHA-256:  2c1d3d0a9c6f76726 994b88589219cb8d9c39d d9924bc8d2d02bf41d95 5fe326  Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 7/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc

 MD5: 288166952f934146be172f6353e9a1f5  TsBase.pyc SHA-256: 1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42

MD5: 27c69aa39024d21ea109cc9c9d944a04 TsHi.pyc SHA-256: 758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272

MD5: f6b3a73c8c87506acda430671360ce15 TsLow.pyc SHA-256: 5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32

MD5: 8b675db417cc8b23f4c43f3de5c83438 sh.pyc SHA-256: c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1

Detection

rule TRITON_ICS_FRAMEWORK { meta: author = "nicholas.carr @itsreallynick" md5 = "0face841f7b2953e7c29c064d6886523" description = "TRITON framework recovered during Mandiant ICS incident response" strings: $python_compiled = ".pyc" nocase ascii wide $python_module_01 = "__module__" nocase ascii wide $python_module_02 = "" nocase ascii wide $python_script_01 = "import Ts" nocase ascii wide $python_script_02 = "def ts_" nocase ascii wide

$py_cnames_01 = "TS_cnames.py" nocase ascii wide $py_cnames_02 = "TRICON" nocase ascii wide $py_cnames_03 = "TriStation " nocase ascii wide $py_cnames_04 = " chassis " nocase ascii wide

$py_tslibs_01 = "GetCpStatus" nocase ascii wide $py_tslibs_02 = "ts_" ascii wide $py_tslibs_03 = " sequence" nocase ascii wide $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide $py_tslibs_05 = /module\s?version/ nocase ascii wide $py_tslibs_06 = "bad " nocase ascii wide $py_tslibs_07 = "prog_cnt" nocase ascii wide

$py_tsbase_01 = "TsBase.py" nocase ascii wide $py_tsbase_02 = ".TsBase(" nocase ascii wide

$py_tshi_01 = "TsHi.py" nocase ascii wide $py_tshi_02 = "keystate" nocase ascii wide $py_tshi_03 = "GetProjectInfo" nocase ascii wide $py_tshi_04 = "GetProgramTable" nocase ascii wide $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide $py_tshi_06 = ".TsHi(" ascii nocase wide

     Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 8/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc $py_tslow_01 = "TsLow.py" nocase ascii wide  $py_tslow_02 = "print_last_error" ascii nocase wide  $py_tslow_03 = ".TsLow(" ascii nocase wide $py_tslow_04 = "tcm_" ascii wide $py_tslow_05 = " TCM found" nocase ascii wide

$py_crc_01 = "crc.pyc" nocase ascii wide $py_crc_02 = "CRC16_MODBUS" ascii wide $py_crc_03 = "Kotov Alaxander" nocase ascii wide $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide $py_crc_05 = "crc16ret" ascii wide $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide

$py_sh_01 = "sh.pyc" nocase ascii wide

$py_keyword_01 = " FAILURE" ascii wide $py_keyword_02 = "symbol table" nocase ascii wide

$py_TRIDENT_01 = "inject.bin" ascii nocase wide $py_TRIDENT_02 = "imain.bin" ascii nocase wide

condition: 2 of ($python_*) and 7 of ($py_*) and filesize < 3MB }

 PREVIOUS POST NEXT POST 

Company FireEye Blogs Why FireEye? Threat Research Customer Stories FireEye Stories Careers Industry Perspectives Certifications and Compliance Investor Relations Threat Map Supplier Documents View the Latest Threats

News and Events Contact Us Newsroom +1 877-347-3393

Press Releases Webinars Stay Connected Events      Awards and Honors Email Preferences

Technical Support Incident? Report Security Issue Contact Support      CustomePro Pmotriotnal Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 9/10 10/9/2020 Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | FireEye Inc Communities Documentation Portal 

Copyright © 2020 FireEye, Inc. All rights reserved. Site Language Privacy & Cookies Policy | Privacy Shield | Legal Documentation English 

     Promotion Subscribe Share Recent RSS https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html 10/10 10/9/2020 ‘War Dialing’ Tool Exposes Zoom’s Password Problems — Krebs on Security

Advertisement Subscribe to RSS Follow me on Twitter Join me on Facebook

Krebs on Security

In-depth security news and investigation

About the Author Advertising/Speaking

02 Apr 20 ‘War Dialing’ Tool Exposes Zoom’s Password Problems

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/ 1/12 10/9/2020 ‘War Dialing’ Tool Exposes Zoom’s Password Problems — Krebs on Security

zWarDial, an automated tool for finding non-password protected Zoom meetings. According to its makers, zWarDial can find on average 110 meetings per hour, and has a success rate of around 14 percent.

Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.

Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting.

Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate if a meeting ID was valid or invalid.

Nevertheless, the incidence of Zoombombing has skyrocketed over the past few weeks, even prompting an alert by the FBI on how to secure meetings against eavesdroppers and mischief-makers. This suggests that many Zoom users have disabled passwords by default and/or that Zoom’s new security feature simply isn’t working as intended for all users.

New data and acknowledgments by Zoom itself suggest the latter may be more likely.

Earlier this week, KrebsOnSecurity heard from Trent Lo, a security professional and co-founder of SecKC, Kansas City’s longest-running monthly security meetup. Lo and fellow SecKC members recently created zWarDial, which borrows part of its name from the old phone-based war dialing programs that called random or sequential numbers in a given telephone number prefix to search for computer modems.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.

“Zoom recently said they fixed this but I’m using a totally different URL and passing a cookie along with that URL,” Lo said, describing part of how the tool works on the back end. “This gives me the [Zoom meeting] room information without having to log in.”

Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day. Each instance, he said, has a success rate of approximately 14 percent, meaning for each random meeting number it tries, the program has a 14 percent chance of finding an open meeting.

Only meetings that are protected by a password are undetectable by zWarDial, Lo said.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/ 2/12 10/9/2020 ‘War Dialing’ Tool Exposes Zoom’s Password Problems — Krebs on Security Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

The results were staggering, and revealed details about Zoom meetings scheduled by some of the world’s largest companies, including major banks, international consulting firms, ride-hailing services, government contractors, and investment ratings firms.

KrebsOnSecurity is not naming the companies involved, but was able to verify dozens of them by matching the name of the meeting organizer with corporate profiles on LinkedIn.

By far the largest group of companies exposing their Zoom meetings are in the technology sector, and include a number of security and cloud technology vendors. These include at least one tech company that’s taken to social media warning people about the need to password protect Zoom meetings!

The distribution of Zoom meetings found by zWarDial, indexed by industry. As depicted above, zWarDial found roughly 2,400 exposed meetings in less than 24 hours. Image: SecKC.

A GREMLIN IN THE DEFAULTS?

Given the preponderance of Zoom meetings exposed by security and technology companies that ostensibly should know better, KrebsOnSecurity asked Zoom whether its approach of adding passwords by default to all new meetings was actually working as intended.

In reply, Zoom said it was investigating the possibility that its password-by-default approach may fail under certain circumstances.

“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join,” the company said in a written statement shared with this author.

“Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out,” the statement continues. “We are looking into unique edge cases to determine whether, Under certain under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.” circumstances, users unaffiliated The acknowledgment comes amid a series of security and privacy stumbles for Zoom, which has seen its user with an account base grow exponentially in recent weeks. Zoom founder and chief executive Eric Yuan said in a recent blog post that the maximum number of daily meeting participants — both paid and free — has grown from around owner or 10 million in December to 200 million in March. administrator may not have had That rapid growth has also brought additional scrutiny from security and privacy experts, who’ve found plenty of real and potential problems with the service of late. TechCrunch’s Zack Whittaker has a fairly passwords comprehensive breakdown of them here; not included in that list is a story he broke earlier this week on a pair switched on by of zero-day vulnerabilities in Zoom that were publicly detailed by a former NSA expert. default at the time Zoom CEO Yuan acknowledged that his company has struggled to keep up with steeply growing demand for its that change was service and with the additional scrutiny that comes with it, saying in a blog post that for the next 90 days all made. new feature development was being frozen so the company’s engineers could focus on security issues.

Dave Kennedy, a security expert and founder of the security consultancy TrustedSec, penned a lengthy thread on Twitter saying while Zoom certainly has had its share of security and privacy goofs, some in the security community are unnecessarily exacerbating an already tough situation for Zoom and the tens of millions of users who rely on it for day-to-day meetings.

“What we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure,” Kennedy wrote. “Yet the industry is making it out to be ‘this is malware’ and you can’t use this. This is extreme. We need to look at the https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/ 3/12 10/9/2020 ‘War Dialing’ Tool Exposes Zoom’s Password Problems — Krebs on Security risk specific applications pose and help voice a message of how people can leverage technology and be safe. Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others.”

“If there are ways for a company to improve, we should notify them and if they don’t fix their issues, we should call them out,” he continued. “We should not be putting fear into everyone, and leveraging the media as a method to create that fear.”

Zoom’s advice on securing meetings is here. SecKC’s Lo said organizations using Zoom should avoid posting the Zoom meeting links on social media, and always require a meeting password when possible.

“This should be enabled by default as a new customer or a trial user,” he said. “Legacy organizations will need to check their administration settings to make sure this is enabled. You can also enable ‘Embed password in meeting link for one-click join.’ This prevents an actor from accessing your meeting without losing the usability of sharing a link to join.”

In addition, Zoom users can disable “Allow participants to join the meeting before the host arrives.”

“If you have to have this feature enabled at least enable “notify host when participants join the meeting before them,” Lo advised. “This will notify you that someone might be using your meeting without your knowledge. If you must keep your meeting unprotected you should enable ‘Mask phone number in the participant list.’ Using the waiting list feature will prevent unwanted participants from accessing your meeting but it will still expose your meeting details if used without a password.”

Some of the security settings available to Zoom users. These and others can be found at https://www.zoom.us/profile/settings/

Tags: Dave Kennedy, Eric Yuan, SecKC, Techcrunch, Trent Lo, TrustedSec, Zack Whittaker, Zoom, zWarDial

This entry was posted on Thursday, April 2nd, 2020 at 10:43 am and is filed under A Little Sunshine, The Coming Storm, Time to Patch. You can follow any comments to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

77 comments

1. Ikijibiki April 4, 2020 at 2:02 pm https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/ 4/12 REPORT

WORLD WAR C : Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

Authors: Kenneth Geers, Darien Kindlund, Ned Moran, Rob Rachwald

SECURITY REIMAGINED World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

CONTENTS

Executive Summary...... 3

Introduction...... 4

A Word of Warning...... 5

The FireEye Perspective...... 5

Asia-Pacific...... 6

Russia/Eastern Europe...... 12

Middle East...... 14

The West...... 18

Conclusion...... 21

About FireEye...... 22

2 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

Executive Summary between the means chosen and their goals will Cyberspace has become a full-blown war zone as look rational and reasonable to them if not governments across the globe clash for digital necessarily to us.” supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, Just as each country has a unique political cyber attacks are becoming a key weapon for system, history, and culture, state-sponsored governments seeking to defend national sovereignty attacks also have distinctive characteristics, and project national power. which include everything from motivation to target to type of attack. From strategic cyber espionage campaigns, such as Moonlight Maze and Titan Rain, to the destructive, This report describes the unique characteristics of such as military cyber strikes on Georgia and Iran, cyber attack campaigns waged by governments human and international conflicts are entering a new worldwide. We hope that, armed with this knowl- phase in their long histories. In this shadowy edge, security professionals can better identify their battlefield, victories are fought with bits instead of attackers and tailor their defenses accordingly. bullets, malware instead of militias, and botnets instead of bombs. Here is a quick overview:

These covert assaults are largely unseen by the • Asia-Pacific. Home to large, bureaucratic public. Unlike the wars of yesteryear, this cyber hacker groups such as the “Comment Crew” war produces no dramatic images of exploding who pursue many goals and targets in warheads, crumbled buildings, or fleeing civilians. high-frequency, brute-force attacks. But the list of casualties—which already includes some of the biggest names in technology, financial • Russia/Eastern Europe. These cyber attacks services, defense, and government —is growing are more technically advanced and highly larger by the day. effective at evading detection.

A cyber attack is best understood not as an end in • Middle East. These hackers are dynamic, itself, but as a potentially powerful means to a wide often using creativity, deception, and variety of political, military, and economic goals. social engineering to trick users into com- promising their own computers. “Serious cyber attacks are unlikely to be motiveless,” said Martin Libicki, Senior Scientist • United States. The most complex, targeted, at RAND Corp. “Countries carry them out to and rigorously engineered cyber attack achieve certain ends, which tend to reflect their campaigns to date. broader strategic goals. The relationship

3 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

Introduction everything a user does on a computer. A software World War Z—a bestselling book and Holly- program that steals data from any nearby device wood movie—detailed a global pandemic in that has Bluetooth connectivity. Encrypted code which politics and culture deeply influenced that decrypts only on one specific, target device. how the public—and by extension, govern- Such sophistication speaks volumes about the ments—reacted to a zombie plague. In one maturity, size, and resources of the organizations passage, for example, an Arab boy refused to behind these attacks. With a few rare exceptions, believe that the disease was real, suspecting these attacks are now in the exclusive realm of that Israel had fabricated the story. The nations nation-states. described in World War Z—the United States, China, Russia, South Korea, Israel, and many “The international community has developed a others—are involved in a very different type of solid understanding of cyber technology,” said conflict, but one with real and growing national Prof. Michael N. Schmitt of the U.S. Naval War security impact: World War C, where “C” College, in an email interview. “What is missing stands for “Cyber”. However, the same rule is a grasp of the geopolitical context in which applies: each country has a unique political such technology operates. Attribution determi- system, history, language, culture, and under- nations made without sensitivity to the geopolit- standing of human and international conflict. ical surroundings are seldom reasonable.”

Cyber conflict often mirrors traditional conflict. World War C, like any analogy, has its limits. For example, China uses high-volume cyber Cyber war has been compared to special attacks similar to how it used infantry during the operations forces, submarine warfare, missiles, Korean War. Many Chinese soldiers were sent assassins, nuclear weapons, Pearl Harbor, 9/11, into battle with only a handful of bullets. Given Katrina, and more. Even our zombie analogy is their strength in numbers, they were still able to not new. Often, any compromised computer, if achieve battlefield victories. On the other end of it is actively under the surreptitious control of a the spectrum lie Russia, the U.S., and Israel, whose cybercriminal, is called a zombie, and botnets cyber tactics are more surgical, reliant on are sometimes called zombie armies. Also, advanced technologies and the cutting-edge work compared to stockpiling tanks and artillery, of contractors who are driven by competition and writing cyber attack code, and compromising financial incentives. thousands if not millions of computers, is easy. Moreover, malware often spreads with the We are still at the dawn of the Internet Age. But exponential growth of an infectious disease. cyber attacks have already proven themselves as a low-cost, high-payoff way to defend national This report examines many publicly known sovereignty and to project national power. Many cyber attacks. By exploring some of the of today’s headlines seem to be pulled from the distinctive national or regional characteristics pages of a science fiction novel. Code so sophisti- of these attacks, organizations can better cated it destroys a nuclear centrifuge thousands identify their attackers, anticipate future of miles away. Malware that secretly records attacks, and defend themselves.

4 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

A Word of Warning identified as non-state actors, and vice versa. To The analytical waters surrounding cyber warfare make matters worse, ties between the two are are inherently murky. At the strategic level, increasing. First, a growing number of “patriotic governments desire to have a degree of plausible cybercriminals” ostensibly wage cyber war on deniability. At the tactical level, military and behalf of governments (examples include Chechnya intelligence organizations envelop such opera- and Kosovo in the 1990s, China in 2001, Estonia in tions in layers of classification and secrecy. To be 2007, Georgia in 2008, and every year in the effective, information operations rely on decep- Middle East).1 Second, cybercrime organizations tion—and the Internet offers an ideal venue for offer anyone, including governments, cyber attack a spy’s smoke and mirrors. In practical terms, services to include denial-of-service attacks and hackers often run their attacks through cyber access to previously compromised networks. terrain (such as compromised, third-party networks) that present investigators with FireEye researchers have even seen one technical and jurisdictional complications. And nation-state develop and use a sophisticated finally, cybercriminal tools, tactics, and proce- Trojan, and later (after its own counter-Trojan dures (TTPs) evolve so quickly that cyber defense, defenses were in place) sell it to cybercriminals legislation, and law enforcement remain behind on the black market. Thus, some cyber attack the attacker’s curve. campaigns may bear the hallmarks of both state and non-state actors, making positive attribution “The biggest challenge to deterring, defending almost impossible. And finally, “false flag” cyber against, or retaliating for cyber attacks is the operations involve a hacker group behaving like problem of correctly identifying the perpetrator,” another to mislead cyber defense researchers. said Prof. John Arquilla, Naval Postgraduate School in an email interview with FireEye.® “Ballistic The FireEye Perspective missiles come with return addresses. But computer Within the shadowy world of cyber warfare, viruses, worms, and denial of service attacks often FireEye occupies a unique position. First, our threat emanate from behind a veil of anonymity. The best protection platform has been installed on thou- chance to pierce this veil comes with the skillful sands of sensitive networks around the world. This blending of forensic back-hacking techniques with gives our researchers a global and embedded deep knowledge of others’ strategic cultures and presence in the cyber domain. Second, FireEye their geopolitical aims.” devices are placed behind traditional security defenses such as firewalls, anti-virus, and intrusion Cyber “attribution”—identifying a likely culprit, prevention systems. This means that our “false whether an individual, organization, or na- positive” rate is extremely low, and that the attacks tion-state—is notoriously difficult, especially for we detect have already succeeded in penetrating any single attack. States are often mistakenly external network defenses.

1 Geers K. (2008) “Cyberspace and the Changing Nature of Warfare,” Hakin9 E-Book, 19(3) No. 6; SC Magazine (27 AUG 08) 1-12.

5 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

technology—with which it then targeted Lockheed Martin, Northrop Grumman, and L-3 Communications.4 Asia-Pacific • Business and Financial Services: Morgan China—the elephant in the room Stanley, the U.S. Chamber of Commerce, and The People’s Republic of China is the noisiest numerous banks have been hacked.5 threat actor in cyberspace. The reasons for this include its huge population, a rapidly expanding • Media: The New York Times, Wall Street economy, and a lack of good mitigation strategies Journal, Washington Post, and more have on the part of its targets. been targeted by advanced, persistent cyber attacks emanating from China.6 Chinese attacks on the U.S. The list of successful Chinese compromises is • Critical Infrastructure: Department of long, and spans the entire globe. Here are some of Homeland Security (DHS) reported in 2013 the most significant incidents in the U.S.: that 23 gas pipeline companies were hacked (possibly for sabotage),7 and that Chinese • Government: By 1999, the U.S. Department hackers were seen at the U.S. Army Corps of of Energy believed that China posed an “acute” Engineers’ National Inventory of Dams.8 threat to U.S. nuclear security via cyber espionage.2 By 2009, China apparently stole Some of these cyber attacks have given China the plans for the most advanced U.S. fighter jet, access to proprietary information such as the F-35.3. research and development data. Others offer Chinese intelligence access to sensitive commu- • Technology: China hacked Google, Intel, nications, from senior government officials to Adobe, and RSA’s SecureID authentication Chinese political dissidents.

2 Gerth, J. & Risen, J. (2 May 1999) “1998 Report Told of Lab Breaches and China Threat,” The New York Times. 3 Gorman, S., Cole, A. & Dreazen, Y. (21 Apr 2009) “Computer Spies Breach Fighter-Jet Project,” The Wall Street Journal. 4 Gross, M.J. (1 Sep 2011) “Enter the Cyber-dragon,” Vanity Fair. 5 Gorman, S. (21 Dec 2011) “China Hackers Hit U.S. Chamber,” Wall Street Journal; and Ibid. 6 Perlroth, N. (1 Feb 2013) “Washington Post Joins List of News Media Hacked by the Chinese,” and “Wall Street Journal Announces That It, Too, Was Hacked by the Chinese,” The New York Times. 7 Clayton, M. (27 Feb 2013) “Exclusive: Cyberattack leaves natural gas pipelines vulnerable to sabotage,” The Christian Science Monitor. 8 Gertz, B. (1 May 2013) “Dam! Sensitive Army database of U.S. dams compromised; Chinese hackers suspected,” The Washington Times.

6 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

raised the problem of nation-state hacking with China’s President;10 in 2010, British MI5 warned that undercover Chinese intelligence officers had given UK business executives malware-laden digital cameras and memory sticks.11

• India: Indian officials worry that China CHINA could disrupt their computer networks during a conflict. One expert confided that an exclusive reliance on Chinese hardware might give China a “permanent” denial-of-service capability.12 One sophisticated attack on an Indian Navy headquarters allegedly used a USB vector to bridge the “air-gap” between a compartmentalized, standalone network and the Internet.13

• South Korea: The South Korean government has complained for years of Chinese activity on its official computers, Chinese attacks outside the U.S. including a 2010 compromise of the Of course, the U.S. is not China’s only cyber personal computers and PDAs belonging target. All traditional, geopolitical conflicts have to much of South Korea’s government moved into cyberspace, and Chinese power structure14 and a 2011 assault on an compromises encompass the entire globe. But Internet portal that held personal many contests have been one-sided affairs, with information for 35 million Koreans.15. all publicly known attacks emanating from China. • Japan: Here, the target list includes • Europe: In 2006, Chinese cybercriminals government, military, and high-tech targeted the UK House of Commons;9 in networks. Chinese cybercriminals have 2007, German Chancellor Angela Merkel even stolen classified documents.16.

9 Warren, P. (18 Jan 2006) “Smash and grab, the hi-tech way,” The Guardian. 10 “Espionage Report: Merkel’s China Visit Marred by Hacking Allegations,” (27 Aug 2007) Spiegel. 11 Leppard, D. (31 Jan 2010) “China bugs and burgles Britain,” The Sunday Times. 12 Exclusive cyber threat-related discussions with FireEye researchers. 13 Pubby, M. (01 Jul 2012) “China hackers enter Navy computers, plant bug to extract sensitive data,” The Indian Express. 14 Ungerleider, N. (19 Oct 2010) “South Korea’s Power Structure Hacked, Digital Trail Leads to China.” Fast Company. 15 Mick, J. (28 Jul 2011) “Chinese Hackers Score Heist of 35 Million South Koreans’ Personal Info,” Daily Tech. 16 McCurry, J. (20 Sep 2011) “Japan anxious over defence data as China denies hacking weapons maker,” The Guardian;

7 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

countries.18 In 2010, a Chinese telecommu- Mailing Lists, Previous Watering Hole Intel, Reconnaissance nications firm transmitted erroneous Crawling, Mining Social Networks routing information for 37,000 computer Masked EXEs to Appear Non-Executable File networks, which misrouted some Internet Weaponization Formats, Malicious Non-EXE File Formats, traffic through China for 20 minutes. The Watering Hole Attacks attack exposed data from 8,000 U.S. Strategic Web Compromises, Spear phish URLs in networks, 1,100 Australian networks, and Delivery Email, Weaponized Email Attachments, 19 Webserver compromise via scanning 230 French networks. 0-Day Browser / Application Vulnerabilities, Exploitation Social Engineering Chinese cyber tactics The People’s Republic of China (PRC) is home to Feature Rich, Compact RATs with Minimal Installation Evasion Capabilities (Requires Operator For 1.35 billion people, or more than four times the Lateral Movement) population of the United States. Therefore, Command and HTTP with Embedded, Standard Encodings (e.g., China often has the ability to overwhelm cyber Control (C2) XOR), along with Custom Encodings defenses with quantity over quality, just as it did Intelligence Gathering / Economic Espionage, in the Korean War and as it might do in any other Actions on Objectives Persistent Access type of conflict.

TTP Exemplars Comment Group The Chinese malware that FireEye researchers Table 1: Characteristics of Chinese cyber attacks have analyzed is not the most advanced or creative. But in many circumstances, it has been no less effective. China employs brute- • Australia: China allegedly stole the blueprints force attacks that are often the most inexpen- for the Australian Security Intelligence sive way to accomplish its objectives. The Organization’s new $631 million building.17 attacks succeed due to the sheer volume of attacks, the prevalence and persistence of • Worldwide: In 2009, Canadian researchers vulnerabilities in modern networks, and a discovered that China controlled a world- seeming indifference on the part of the wide cyber espionage network in over 100 cybercriminals to being caught.

17 Report: Plans for Australia spy HQ hacked by China », (28 mai 2013) Associated Press. 18 « Tracking GhostNet: Investigating a Cyber Espionage Network », (29 mars 2009) Information Warfare Monitor. 19 Vijayan, J. (18 novembre 2010) « Update: Report sounds alarm on China’s rerouting of U.S. Internet traffic », Computerworld. 20 Sanger, D., Barboza, D. et Perlroth, N. (18 février 2013) « Chinese Army Unit is seen as tied to Hacking against U.S. », The New York Times. 21 Pidathala, V., Kindlund, D. et Haq, T. (1er février 2013) « Operation Beebus », FireEye.

8 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

The “Comment Crew,”20 a prominent exam- been written by an expert but incorrectly used ple of a Chinese cyber threat actor, is later by an inexperienced foot soldier (such as a believed to be a contractor to the PRC poorly written spear phishing email). Under- government. The Comment Crew is behind standing this cyber attack life cycle and its many noteworthy attacks, including Opera- different stages can help cyber defenders tion Beebus, which targets U.S. aerospace recognize and foil an attack. In any large organi- and defense industries.21 zation, some processes are less mature than others, and therefore easier to recognize. One important characteristic of the Comment Crew—which puts it definitively in the catego- Chinese cyber defense ry of an advanced persistent threat, or APT—is In its own defense, Chinese officials contend that it is a bureaucracy. In-depth analysis that their country is also a target of cyber reveals a small group of creative and strategic attacks. In 2006, the China Aerospace Science & thinkers at the top. One layer down, a larger Industry Corporation (CASIC) found spyware on group of specialists design and produce its classified network.23 In 2007, the Chinese malware in an industrial fashion. At the bottom Ministry of State Security stated that foreign are the foot soldiers—brute-force hackers who cybercriminals were stealing Chinese informa- execute orders and wage extended cyber tion, with 42 percent of attacks coming from attack campaigns, from network reconnais- Taiwan and 25 percent from the United States.24 sance to spear phishing to data exfiltration. In 2009, Chinese Prime Minister Wen Jiabao The Comment Crew is so large, in fact, that announced that a cybercriminal from Taiwan had when the Federal Bureau of Investigation stolen his upcoming report to the National (FBI) decoded one of the group’s stolen People’s Congress.25 In 2013, Edward Snowden, caches of information, if printed out, it would a former system administrator at the National have created a stack of paper taller than a set Security Agency (NSA), published documents of encyclopedias.22 suggesting that the U.S. conducted cyber espionage against China;26 and the Chinese Such a large bureaucracy helps to explain Computer Emergency Response Team (CERT) sometimes-incongruous cybercriminal behavior. stated that it possessed “mountains of data” on A given piece of malware, for example, may have cyber attacks by the U.S.27

20 Sanger, D., Barboza, D. & Perlroth, N. (18 Feb 2013) “Chinese Army Unit is seen as tied to Hacking against U.S.” The New York Times. 21 Pidathala, V., Kindlund, D. & Haq, T. (1 Feb 2013) “Operation Beebus,” FireEye. 22 Riley, M. & Lawrence, D. (26 Jul 2012) “Hackers Linked to China’s Army Seen From EU to D.C.,” Bloomberg. 23 “Significant Cyber Incidents Since 2006,” Center for Strategic and International Studies. 24 Ibid. 25 Ibid. 26 Rapoza, K. (22 June 2013) “U.S. Hacked China Universities, Mobile Phones, Snowden Tells China Press,” Forbes. 27 Hille, K. (5 Jun 2013) “China claims ‘mountains of data’ on cyber attacks by US,” Financial Times.

9 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

North Korean defectors have described a burgeon- ing cyberwarfare department of 3,000 personnel, largely trained in China and Russia. The defectors North Korea—the upstart stressed that North Korea has a growing fascina- North and South Korea remain locked in one of tionwith cyber attacks as a cost-effective way to the most intractable conflicts on Earth. North compete against its conventionally superior foes. Korea (supported by China) would seem to be They believe that North Korea is growing increas- stuck in a cyber Stone Age—especially relative ingly comfortable and confident in this new warfare to South Korea (supported by the U.S.)—has the domain, assessing that the Internet is not only fastest download speeds in the world28 and will vulnerable to attack but that this strategy can issue its students with computer tablets create psychological pressure on the West. Toward instead of books by 2015.29 Even so, the this end, North Korea has focused on disconnecting Internet offers anyone, and any nation, an its important servers from the Internet, while asymmetric way to gather intelligence and building a dedicated “attack network.”32 project national power in cyberspace—and North Korea appears to have acquired cyber FireEye researchers have seen a heavy use of spear attacks as a new weapon for its arsenal. phishing and the construction of a “watering hole,” in which an important website is hacked in the hope In 2009, North Korea launched its first major of compromising the computers of its subsequent assault on South Korean and U.S. government visitors, who usually belong to a certain VIP-profile websites. The attack did little damage, but the the attacker is targeting. Some North Korean incident gained wide media exposure.30 By attacks have begun to manipulate a victim’s 2013, however, the threat actors had matured. operating system settings and disable their A group dubbed the “DarkSeoul Gang” was anti-virus software—techniques that are normally responsible for at least four years of high-pro- characteristic of Russian cybercriminals. In other file attacks on South Korea. The group’s words, North Korean hackers may have learned attacks included a distributed denial-of-service from or have contracted support in Russia. (DDoS) attack and malicious code that wiped computer hard drives at banks, media, ISPs, Apart from any possible disruption or destruction telcos, and financial services companies—over- stemming from cyber attacks, computer network writing legitimate data with political messages. operations are an invaluable tool for collecting In the Korean conflict, such incidents often sensitive information, especially when it resides on take place on dates of historical significance, government or think-tank networks normally including July 4, the U.S. Independence Day.31 inaccessible from the Internet. North Korea, Suspected North Korean attacks on U.S. China, and Russia are all naturally interested in institutions include U.S. military elements collecting cyber intelligence that would increase based in South Korea, the U.S.-based Commit- their comparative advantage in classified informa- tee for Human Rights in North Korea, and even tion, diplomatic negotiating positions, or future the White House. policy changes.

28 McDonald, M. (21 Feb 2011) “Home Internet May Get Even Faster in South Korea,” The New York Times. 29 Gobry, P-E. (5 JUL 2011) “South Korea Will Replace All Paper With Tablets In Schools By 2015,” Business Insider. 30 Choe Sang-Hun, C. & Markoff, J. (8 Jul 2009) “Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea,” The New York Times. 31 “Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War,” (27 Jun 2013) Symantec. 32 Fisher, M. (20 March 2013) “South Korea under cyber attack: Is North Korea secretly awesome at hacking?” The Washington Post.

10 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

At the same time, North Korea also asserts that it is a target of cyber attacks from South Korea and the U.S. In June 2013, when the North suffered a two-day outage of all of its in-country websites, its state news Pakistani IT, mining, automotive, legal, engineer- agency denounced “concentrated and persistent ing, food service, military, and financial services virus attacks,” and proclaimed that the U.S. and South networks.37 Although researchers could not Korea “will have to take the responsibility for the definitively tie the attacks to India’s government, whole consequences.” The North noted that the many of the targets represented the country’s attack took place in parallel with Key Resolve (joint national security interests.38 U.S.-South Korean military exercises), but the U.S. Joint Chiefs of Staff denied any connection.33 Association of Southeast Asian Nations (ASEAN): emerging economies as soft targets Since at least 2010, many APTs (likely China-based) have targeted the governments, militaries, and businesses of ASEAN, the Southeast Asian geopolitical and economic group composed of Brunei, Burma (Myanmar), Cambodia, Indonesia, India-Pakistan: old rivals, new tactics Laos, Malaysia, Philippines, Singapore, Thailand, A heavily fortified border separates India and and Vietnam. Although chances of any regional war Pakistan on the map. But the quiet, border- erupting in the near term are low, a large volume of less nature of cyberspace means both sides ongoing, regional cyber espionage activity is a are free to engage in cyber warfare—even constant. Targeted industries include telecommuni- during peacetime. cations, transportation, oil and gas, banks, and think tanks. The usual motivation is to gain tactical or In 2009, India announced that Pakistani cyber- strategic advantage within the political, military, criminals had placed malware on popular Indian and economic domains.39 music download sites as a clever, indirect way to compromise Indian systems.34 In 2010, the FireEye researchers are following numerous “Pakistani Cyber Army” defaced and subsequent- APT actors in this region, including BeeBus, ly shut down the website of the Central Bureau Mirage, Check Command, Taidoor, Seinup, and of Investigation, India’s top police agency.35 In Naikon. Their most common tactic is spear 2012, over 100 Indian government websites phishing, often using legitimate decoy docu- were compromised.36 ments that are related to the target’s national economy or politics, or to regional events such Not to be outdone, in 2013, cybercriminals in as ASEAN summits, Asia-Pacific Economic India undertook “Operation Hangover,” a large- Cooperation (APEC) summits, energy explora- scale Indian cyber espionage campaign that hit tion, or military affairs.

33 Herman, S. (15 Mar 2013) “North Korea Blames US, South for ‘Cyber Attack’,” Voice of America. 34 “Significant Cyber Incidents Since 2006,” Center for Strategic and International Studies. 35 “India and Pakistan in cyber war,” (4 Dec 2010) Al-Jazeera. 36 Muncaster, P. (16 March 2012) “Hackers hit 112 Indian gov sites in three months,” The Register. 37 “Operation Hangover: Q&A on Attacks,” (20 May 2013) Symantec. 38 “Snorre Fagerland, et al. “Operation Hangover: Unveiling an Indian Cyberattack Infrastructure.” May 2013. 39 Finkle, J. (4 Aug 2011) “’State actor’ behind slew of cyber attacks,” Reuters.

11 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

FireEye believes that many of these regional key—that key is Russian national interest.”40 In economic organizations are attractive targets for other words, where there is smoke, there is APT campaigns because the information they usually fire. possess is valuable and their level of cyber security awareness is low. Often, these organizations have In the mid-1990s, at the very dawn of the World inconsistent system administration, infrequent Wide Web, Russia was engaged in a protracted software patch management, poor policy control, or struggle over the fate of Chechnya; the Chechens some combination of these issues. Thus, many of became pioneers in cyber propaganda, and the these networks are “low-hanging fruit” for attackers. Russians became pioneers is shutting down their And to make matters worse, compromised systems websites. In 1998, when Russian ally Serbia was are used as staging grounds for further attacks on under attack from NATO, pro-Serbian hackers regional targets, by installing illicit com- jumped in the fray, targeting NATO with DoS mand-and-control (CnC) servers, abusing legitimate attacks and at least twenty-five strains of email accounts, and disseminating stolen office virus-infected email. In 2007, Russia was the documents as “bait.” prime suspect in the most famous international cyber attack to date—the punitive DDoS on Russia/Eastern Europe Estonia for moving a Soviet-era statue.41

In 2008, researchers uncovered clear evidence that computer network operations played a supporting role in Russian military advances Russia—a little bit “too quiet?” during its invasion of Georgia.42 Also in 2008, In 1939, Winston Churchill declared that Russia Russia was suspected in what U.S. Deputy was a “riddle wrapped in a mystery inside an Secretary of Defense William Lynn called the enigma …”. Seven decades later, cyber defense “most significant breach of U.S. military researchers would say that not much has computers ever”—an attack on Central Com- changed. Compared with the constant attacks mand (CENTCOM), delivered through an detected from China, you can almost hear the infected USB drive.43 In 2009, Russian cyber- snow falling on Red Square. One of the outstand- criminals were blamed in “Climategate,” a ing questions in cyber security today is: Where breach of university research intended to are the Russians? Perhaps they are simply great undermine international negotiations on climate hackers. Maybe they have sufficient human change mitigation.44 In 2010, NATO and the intelligence. Whatever the reason, cyber defense European Union warned of increased Russian analysts often look in vain for the traces of cyber attacks, while the FBI arrested and Russian cybercriminals. As a step toward finding deported a possible Russian intelligence agent some answers, however, consider the second half named Alexey Karetnikov, who had been of Churchill’s quote: “… but perhaps there is a working as a software tester at Microsoft.45

40 “Winston Churchill,” Wikiquote. 41 Geers K. (2008) “Cyberspace and the Changing Nature of Warfare,” Hakin9 E-Book, 19(3) No. 6; SC Magazine (27 AUG 08) 1-12. 42 “Overview by the US-CCU of the Cyber Campaign against Georgia in August of 2008,” (Aug 2009) U.S. Cyber Consequences Unit. 43 Lynn, W.J. (2010) “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs 89(5) 97-108. 44 Stewart, W. & Delgado, M. (6 Dec 2009) “Were Russian security services behind the leak of ‘Climategate’ emails?” Daily Mail & “Global warning: New Climategate leaks,” (23 Nov 2011) RT. 45 Ustinova, A. (14 Jul 2010) “Microsoft Says 12th Alleged Russian Spy Was Employee,” Bloomberg.

12 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

On the brighter side, as a step toward cyber détente, the U.S. and Russia in 2013 signed an agreement to build a cyber “hotline”— similar to that used for nuclear scares during the Cold War—to help defuse any computer- related crises in the future.49 But, just to be on the safe side, Russia is taking the extreme cyber defense measure of buying old- RUSSIA fashioned typewriters,50 and the Russian military is (like the U.S., China, and Israel) creating cyber warfare-focused units.51

Russian tactics Though relatively quiet, Russia appears to be home to many of the most complex and advanced cyber attacks FireEye researchers have seen. More specifically, Russian exploit code can be significantly stealthier than its Chinese counterpart—which can also make it more worrisome. The “Red October” campaign, including its satellite software dubbed “Sputnik,” is a prominent example of One ironic aspect of nation-state cyber attacks— likely Russian malware. especially in authoritarian countries—is that many of them are inward facing. In 2012, Russian security TTP often includes the delivery of firm Kaspersky Lab announced the discovery of weaponized email attachments, though “Red October,”46 a cyber attack campaign that spied Russian cybercriminals appear to be adept on millions of citizens around the world, but chiefly at changing their attack patterns, exploits, within the former Soviet Union. Targets included and data exfiltration methods to evade embassies, research firms, military bases, energy detection. In fact, one telltale aspect of providers, nuclear agencies, and critical Russian hackers seems to be that, unlike the infrastructure.47 Similarly, in 2013, researchers Chinese, they go to extraordinary lengths to found malware on millions of Android devices in hide their identities and objectives. FireEye Russia and in Russian-speaking countries. Either or analysts have even seen examples in which both of these attacks could be partially explained as they have run “false-flag” cyber operations, the Russian government keeping an eye on its own designing their attack to appear as if it came population, and that of neighboring countries.48 from Asia.

46 “The ‘Red October’ Campaign—An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies” (14 Jan 2013) GReAT, Kaspersky Lab. 47 Lee, D. (14 Jan 2013) “’Red October’” cyber-attack found by Russian researchers,” BBC News 48 Jackson Higgins, K. (3 Aug 2013) “Anatomy of a Russian Cybercrime Ecosystem Targeting Android,” Dark Reading. 49 Gallagher, S. (18 Jun 2013) “US, Russia to install ‘cyber-hotline’ to prevent accidental cyberwar,” Ars Technica. 50 Ingersoll, G. (11 Jul 2013) “Russia Turns to Typewriters to Protect against Cyber Espionage,” Business Insider. 51 Gorshenin, V. (29 Aug 2013) “Russia to create cyber-warfare units,” Pravda . 13 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

some Middle Eastern hackers may have to rely on Reconnaissance Likely HUMINT Sources cyber tactics that emphasize novelty, creativity, Weaponization Malicious DOC/XLS File Formats and deception. Delivery Weaponized Email Attachments For example, the 2012 Mahdi campaign, which Exploitation 0-Day Application Vulnerabilities infected targets in the Middle East, used Installation Feature Rich RAT with Encrypted Modules malicious Word documents, PowerPoint files, Command and HTTP with Custom Embedded E and PDFs to infect targets. That approach is Control (C2) ncoding / Encryption similar to many other attackers. But these Actions on Objectives Intelligence Gathering (Govt. Focused) attacks were accompanied by some imaginative TTP Exemplars Red October elements such as games, attractive images, and custom animations specifically designed to aid Table 2: Characteristics of Russian cyber attacks in the attack.

One further problem for cyber defense Not only did they trick users into executing researchers is that some Russian back doors into commands to install malicious code, but they compromised systems are hard to distinguish also distracted users from seeing malware- from advanced cybercriminal break-ins. related warning messages. Furthermore, Mahdi attacks were tailored to specific target Middle East audiences—for example by offering variations As a region, the Middle East may not possess the of games unique to each organization. Such arsenal of zero-day exploits available in Russia, or pinpoint strikes rely on prior reconnaissance, the brute-force numbers of China. Therefore, help to evade cyber defense behavioral- detection mechanisms, and dramatically increase the odds of compromise. So in the Middle East, the relative sophistication of an attack may be calculated less in the technology, and more in the clever ways in which malware is delivered and installed on a target network.

14 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

is therefore unsurprising that Iran—which has Reconnaissance Regional Mailing Lists, Conferences tense international relations and is on the Weaponization Malicious PPT/PPS Files verge of acquiring a nuclear bomb—has also Delivery Weaponized Email Attachments experienced the most sophisticated cyber attacks to date. Exploitation Social Engineering Mouse Clicks on Screen Primitive Collection of Custom Tools / RAT Installation In 2010, Stuxnet was a “cyber missile” of sorts (Requires Operator For Lateral Movement) designed with painstaking precision to burrow Command and Plain HTTP; Hiding in Plain Sight deep into Iran’s nuclear program and destroy Control (C2) physical infrastructure. To some degree, this Intelligence Gathering (Middle East Focused), Actions on Objectives piece of software replaced a squadron of fighter Denial of Service aircraft that would have violated foreign TTP Exemplars Madi, LV airspace, dropped laser-guided bombs, and left a smoking crater in the Earth’s surface.52 Table 3: Characteristics of Middle Eastern cyber attacks Beyond Stuxnet, other advanced espionage attacks have worried security experts, including Duqu, Flame, and Gauss, which all may have come from the same threat actor.53 And even amateurs are successfully targeting Iran; Iran: a “hot” cyber war although the “Mahdi” malware is by comparison Wherever significant activity erupts in the real far less sophisticated than Stuxnet and its world (including crime, espionage, and war- cousins, Mahdi has still managed to compromise fare), parallel activity unfolds in cyberspace. It engineering firms, government agencies, financial services firms, and academia through- out the Middle East.54.

52 Sanger, D. Confront and Conceal. (New York: 2012) pp. 188-225. 53 Boldizsár Bencsáth. “Duqu, Flame, Gauss: Followers of Stuxnet,” BME CrySyS Lab, RSA 2012. 54 Simonite, T. (31 Aug 2012) “Bungling Cyber Spy Stalks Iran,” MIT Technology Review.

15 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

So how does anyone, including a nation-state, software (which is popular in countries like Iran respond to a cyber attack? Does the counter- and anonymizes Internet traffic) also installed a strike remain within the cyber realm, or can it Trojan that collected usernames and key- come in the form of a traditional military (or strokes, sending them to a likely intelligence terrorist) assault? In 2012, Iran appears to have collection site.60 Finally, in 2013 the Wall Street chosen the first option. A hacker group called the Journal reported that Iranian actors had “Cutting Sword of Justice” used the “Shamoon” increased their efforts to compromise U.S. virus to attack the Saudi Arabian national oil critical infrastructure.61 company Aramco, deleting data on three-quar- ters of Aramco’s corporate PCs (including documents, spreadsheets, e-mails, and files) and replacing them with an image of a burning American flag.55 And over the past year, another group called Izz ad-Din al-Qassam launched Syria: what is the Syrian Electronic Army? “Operation Ababil,” a series of DDoS attacks Syria is in the midst of a civil war, so researchers against many U.S. financial institutions including have a lot of cyber activity to analyze. The most the New York Stock Exchange.56 prominent hacker group by far is the Syrian Electronic Army (SEA), which is loyal to Syrian Other examples of cyber attacks abound. In President Bashar al-Assad. SEA has conducted 2009, the plans for a new U.S. Marine Corps 1 DDoS attacks, phishing, pro-Assad defacements, presidential helicopter were found on a and spamming campaigns against governments, file-sharing network in Iran.57 In 2010, the online services, and media that are perceived to “Iranian Cyber Army” disrupted Twitter and the be hostile to the Syrian government. SEA has Chinese search engine Baidu, redirecting users hacked Al-Jazeera, Anonymous, Associated to Iranian political messages.58 In 2011, Iranian Press (AP), BBC, Daily Telegraph, Financial attackers compromised a Dutch digital certifi- Times, Guardian, Human Rights Watch, National cate authority, after which it issued more than Public Radio, The New York Times, Twitter, and 500 fraudulent certificates for major compa- more.62 Its most famous exploit was a hoax nies and government agencies.59 In 2012, Iran announcement using AP’s Twitter account that disrupted the BBC’s Persian Language Service, the White House was bombed and President and University of Toronto researchers reported Obama injured—after which stock markets that some versions of the Simurgh “proxy” briefly dipped to the tune of $200 billion.63.

55 Perlroth, N. (23 Oct 2012) “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” The New York Times. 56 Walker, D. (8 Mar 2013) “Hacktivists plan to resume DDoS campaign against U.S. banks,” SC Magazine. 57 Borak, D. (3 Mar 2009) “Source in Iran views Marine One blueprints,” Marine Corps Times. 58 Wai-yin Kwok, V. (13 Jan 2010) “Baidu Hijacked By Cyber Army,” Forbes. 59 Charette, R. (9 Sep 2011) “DigiNotar Certificate Authority Breach Crashes e-Government in the Netherlands,” IEEE Spectrum. 60 “Iranian anti-censorship software ‘Simurgh’ circulated with malicious backdoor,” (25 May 2012) Citizenlab. 61 Gorman, S. & Yadron, D. (23 May 2013) “Iran Hacks Energy Firms, U.S. Says,” Wall Street Journal. 62 Fisher, M. & Keller, J. (31 Aug 2011) “Syria’s Digital Counter-Revolutionaries.” The Atlantic; “Syrian Electronic Army,” (accessed 25 July, 2013) Wikipedia. 63 Manzoor, S. (25 July, 2013) “Slaves to the algorithm: Are stock market math geniuses, or quants, a force for good?” The Sunday Telegraph.

16 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

In the month of July 2013 alone, SEA compro- all of this information to a computer address mised three widely used online communications lying within Syrian government-controlled websites: Truecaller (the world’s largest tele- Internet Protocol (IP) space for intelligence phone directory),64 Tango (a video and text collection and review.67 messaging service),65 and Viber (a free online calling and messaging application).66 These types of compromises are significant because they can give Syrian intelligence access to the communica- tions of millions of people, including political activists within Syria who might then be targeted Israel: old conflict, new tactics for espionage, intimidation, and arrest. Even during the Cold War, the Arab-Israeli conflict saw many hot wars, and it was often the To compromise its targets, the SEA often sends testing ground for new military weapons and socially engineered, spear-phishing emails to tactics. Nothing has changed in the Internet era. lure opposition activists into opening fraudulent, Since at least 2000, pro-Israeli hackers have weaponized, and malicious documents. If the targeted sites of political and military signifi- recipient falls for the scam, Trojan horse, remote cance in the Middle East.68 In 2007, Israel access tool (RAT) software is installed on the reportedly disrupted Syrian air defense networks victim’s computer that can give the attacker via cyber attack (with some collateral damage to keystrokes, screenshots, microphone and its own domestic networks) to facilitate the webcam recordings, stolen documents, and Israeli Air Force’s destruction of an alleged passwords. And of course, the SEA likely sends Syrian nuclear facility.69

64 Khare, A. (19 July 2013) “Syrian Electronic Army Hacks Truecaller Database, Gains Access Codes to Social Media Accounts.” iDigital Times. 65 Kastrenakes, J. (22 July 2013) “Syrian Electronic Army alleges stealing ‘millions’ of phone numbers from chat app Tango.” The Verge; Albanesius, C. (23 July 2013) “Tango Messaging App Targeted by Syrian Electronic Army.” PCMag. 66 Ashford, W. (24 July 2013) “Syrian hacktvists hit second mobile app in a week.” Computer Weekly. 67 Tsukayama, H. (28 Aug 2013) “Attacks like the one against the New York Times should put consumers on alert,” The Washington Post. 68 Geers K. (2008) “Cyberspace and the Changing Nature of Warfare,” Hakin9 E-Book, 19(3) No. 6; SC Magazine (27 AUG 08) 1-12. 69 Carroll, W. (26 Nov 2007) “Israel’s Cyber Shot at Syria,” Defense Tech.

17 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

But as an advanced industrial nation, Israel also The West depends on information technology. The nation has proven to be vulnerable to cyber attacks, which often target the Israeli economy. In 2009, during Israel’s military operation in Gaza, hackers briefly paralyzed many government United States sites with a DDoS attack from at least 500,000 Analysts believe that the U.S. has conducted the computers. The 2009 attack consisted of four most highly engineered cyber attacks to date, independent waves, each stronger than the including Stuxnet,74 Duqu, Flame, and Gauss.75 last, peaking at 15 million junk mail deliveries This family of malware is unparalleled in its per second. The Israeli “Home Front Command” complexity and targeting. Stuxnet in particular website, which plays a key role in national was developed with a singular goal (to disrupt defense communications with the public, was Iranian nuclear enrichment) that was both down for three hours. Due to technical narrowly focused and capable of yielding strategic similarities with the 2008 cyber attack on gains in the international arena. In contrast to Georgia during its war with Russia, Israeli computer worms such as Slammer and Code Red, officials surmised that the attack itself might Stuxnet did not seek to compromise as many have been carried out by a criminal organiza- computers as possible, but as few as possible. tion in the former Soviet Union, and paid for by Even more amazing, its malicious behavior was Hamas or Hezbollah.70 concealed under a veneer of apparently legitimate operational data—but ultimately, the malware Often, the trouble with cyber attacks is that destroyed Iranian centrifuges. they do not need to be highly sophisticated to succeed, even against security-conscious Israel. This family of malware was exquisitely designed. In 2012, the ineptly written71 “Mahdi” malware For example, its payload can arrive at its destina- compromised at least 54 targets in Israel.72 Last tion encrypted—and become decrypted and but not least, in 2013, the Iranian media installed only on a target device. This helps the reported that the Syrian army had carried out a malware to evade the prying eyes of cyber defend- cyber attack against the water supply of the ers, making discovering and reverse engineering Israeli city of Haifa. Prof. Isaac Ben-Israel, a the malware much more difficult. cyber security adviser to Prime Minister Benjamin Netanyahu, said that the report was Ironically, this family of malware could be a false, but added that cyber attacks on critical paragon of over-engineering. For example, it not infrastructures pose a “real and present threat” only uses multiple zero-day exploits, but also to Israel.73 world-first computational achievements such as a

70 Pfeffer, A. (15 Jun 2009) “Israel suffered massive cyber attack during Gaza offensive,” Haaretz. 71 Simonite, T. (31 Aug 2012) “Bungling Cyber Spy Stalks Iran,” MIT Technology Review. 72 Zetter, K. (17 Jul 2012) “Mahdi, the Messiah, Found Infecting Systems in Iran, Israel,” WIRED. 73 Yagna, Y. (26 May 2013) “Ex-General denies statements regarding Syrian cyber attack,” Haaretz. 74 Sanger, D. Confront and Conceal. (New York: 2012) pp. 188-225. 75 Boldizsár Bencsáth. “Duqu, Flame, Gauss: Followers of Stuxnet,” BME CrySyS Lab, RSA 2012. 76 Goodin, Dan (7 Jun 2012) “Crypto breakthrough shows Flame was designed by world-class scientists,” Ars Technica.

18 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

because “it very much had the feel to it of having Reconnaissance Likely HUMINT Sources been written by or governed by a team of Weaponization Auto Infected Removable Media Washington lawyers.”77 Finally, the amount of Delivery USB Removable Media work involved in these operations suggests the participation of an enormous defense Exploitation Social Engineering USB Media Use contractor base, with different companies Well-Crafted, Targeted (Crypto-Keyed) Worm Installation specializing in particular aspects of a large and (No Operator Required; Auto-Lateral Movement) complex undertaking. Command and Strategic One-Time Use C2 Nodes; Control (C2) Full SSL Crypto On the downside (and similar to the Israeli case), Intelligence Gathering / Subtle System Actions on Objectives all advanced industrial economies are vulnerable Disruption (Middle East Focused) to cyber counterattack. In 2008, a CIA official TTP Exemplars Stuxnet, Flame, Duqu, Gauss informed a conference of critical infrastructure providers that unknown cybercriminals, on Table 4: Characteristics of Western cyber attacks multiple occasions, had been able to disrupt the power supply in various foreign cities.78 In the forced cryptographic “hash collision.”76 In the military domain, Iraqi insurgents used $26 case of Iran (which is currently subject to a trade off-the-shelf software to intercept live video feeds embargo that restricts its acquisition of high tech- from U.S. Predator drones, likely giving them the nology), it is doubtful whether Iranian software is ability to monitor and evade U.S. military up-to-date or properly configured. So the authors operations.79 In the economic sphere, the U.S.- of Stuxnet could likely have used more conven- based International Monetary Fund (IMF) fell tional computer exploits and still succeeded. victim to a phishing attack in 2011 that was described as a “very major breach.”80 One possible telling aspect of U.S. cyber attacks: they require such a high level of financial Thus, while cyber attacks are relatively a new investment, technical sophistication, and legal phenomenon, they represent a growing national oversight that they will stand out from the crowd. security challenge. As part of a broader effort to On the last point, Richard Clarke, who served mitigate the threat, President Obama signed a three U.S. Presidents as a senior counterterrorism directive in 2013 that the U.S. should aid allies official, argued that Stuxnet was a U.S. operation who come under foreign cyber attack.81

77 Rosenbaum, R. (Apr 2012) “Richard Clarke on Who Was Behind the Stuxnet Attack,” Smithsonian. 78 Nakashima, E. & Mufson, S. (19 Jan 2008) “Hackers Have Attacked Foreign Utilities, CIA Analyst Says,” Washington Post. 79 Gorman, S., Dreazen, Y. & Cole, A. (17 Dec 2009) “Insurgents Hack U.S. Drones,” Wall Street Journal. 80 Sanger, D. & Markoff, J. (11 Jun 2011) “I.M.F. Reports Cyberattack Led to ‘Very Major Breach’,” New York Times. 81 Shanker, T. & Sanger, D. (8 Jun 2013) “U.S. Helps Allies Trying to Battle Iranian Hackers,” New York Times.

19 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

In the military sphere, in 2009, French Navy planes were grounded following an infection by the Conficker worm.86 In 2012, the UK admitted Europe that cybercriminals had penetrated its classified No prominent examples have been Ministry of Defense networks.87 discovered of the European Union (EU) or the North Atlantic Treaty Organization (NATO) In business, the European Union’s carbon trading conducting their own offensive cyber attacks. market was breached in 2011, resulting in the theft On the contrary, their leaders have so far of more than $7 million in credits, forcing the foresworn them.82 But many examples reveal market to shut down temporarily.88 In 2012, the European networks getting hacked from European Aeronautic Defence and Space Company other parts of the world, particularly China (EADS) and German steelmaker ThyssenKrupp fell and Russia. victim to major attacks by Chinese cybercriminals.89

Within government, cyber attacks on the Security professionals should particularly be on the British Foreign Ministry evaded network lookout for APT cyber threats just before and defenses in 2010 by pretending to come from during international negotiations. In 2011 alone, the White House.83 In 2011, German Police the European Commission complained of wide- found that servers used to locate serious spread hacking before an EU summit,90 the French criminals and terrorism suspects had been government was compromised prior to a G-20 penetrated, initially via a phishing attack.84 Also meeting,91 and at least 10 Norwegian defense and in 2011, European Commission officials were energy companies were breached during large- targeted at an Internet Governance Forum scale contract negotiations, via phishing that was (IGF) in Azerbaijan.85 specifically tailored to each company.92

82 Leyden, J. (6 June 2012) “Relax hackers! NATO has no cyber-attack plans—top brass,” The Register. 83 Arthur, C. (5 Feb 2011) “William Hague reveals hacker attack on Foreign Office in call for cyber rules,” The Observer. 84 “Hackers infiltrate German police and customs service computers,” (18 July 2011) Infosecurity Magazine. 85 Satter, R. (10 Nov 2012) “European Commission Officials Hacked At Internet Governance Forum,” Huffington Post. 86 Willsher, K. (7 Feb 2009) “French fighter planes grounded by computer virus,” The Telegraph. 87 Hopkins, N. (3 May 2012) “Hackers have breached top secret MoD systems, cyber-security chief admits,” The Guardian. 88 Krukowska, E. & Carr, M. (20 Jan 2011), “EU Carbon Trading Declines After Alleged Hacking Suspends Spot Market,” Bloomberg. 89 Rochford, O. (24 Feb 2013) “European Space, Industrial Firms Breached in Cyber Attacks: Report,” Security Week. 90 “’Serious’ cyber attack on EU bodies before summit,” (23 Mar 2011) BBC. 91 Charette, R. (8 Mar 2011) “’Spectacular’ Cyber Attack Gains Access to France’s G20 Files,” IEEE Spectrum. 92 Albanesius, C. (18 Nov 2011) “Norway Cyber Attack Targets Country’s Oil, Gas Systems,” PCMag.

20 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

Conclusion item. President Reagan’s favorite Russian World War Z told a story of idiosyncratic proverb was доверяй, но проверяй, or national behavior in response to a major “trust but verify.” Given that a single USB international crisis. This report sought to stick can now hold billions of bits of informa- highlight the same phenomenon in regard to the tion, verifying would be easier said than done. challenges posed by national cyber insecurity and international cyber attacks. Behind every 3. PRISM, freedom of speech, and privacy: we incident is an agenda—and individual human are still at the dawn of the Internet era, and beings—each unique and ultimately identifiable. this conversation has only just begun. It The bigger the cyber campaign, the more data it encompasses Daniel Ellsberg, Chelsea generates for security researchers, and the more Manning, and Edward Snowden, as well as difficulty attackers will have remaining anony- the Declaration of Independence, Enigma, mous and hiding their agenda. and The Onion Router (TOR). Today, politicians, spooks, and hippies are all aware As for crystal balls: no one knows what the next of a critical debate on the horizon—just how cyber attack will look like. But considering recent much online privacy should we have? trends, we can make a few educated guesses. 4. New actors on the cyber stage: the Here are five factors that could change the revolutionary nature of computers and the world’s cyber security landscape in the near- to amplification power of networks are not medium-term: exclusive to the world’s largest nations. Iran, Syria, North Korea, and even non-state 1. Outage of national critical infrastructure: actors such as Anonymous have employed we know that cyber attacks can disrupt cyber attacks as a way to conduct diplomacy government networks, but most current cases and wage war by other means. Researchers simply do not rise to the level of a national have little reason to think that other security threat. Stuxnet—and Iran’s alleged governments are not active in this domain. retaliation against Saudi Aramco—has shifted Possible candidates could be: the thinking on cyber war from theory to something closer to reality. But have we seen a. Poland: it was the Poles who first broke the limit of what cyber attacks can achieve, or the German Enigma cipher—way back in could cybercriminals threaten public safety by 1932!Today, with programming talent and downing a power grid or financial market? well-known rivalry with Russia, it is a possibility. 2. Cyber arms treaty: if world leaders begin to view cyber attacks as more of a liability than b. Brazil: Home to some of the world’s most an opportunity, they may join a cyber arms prolific cybercriminals, will Brazil’s govern- control regime or sign a non-aggression pact ment, be angry about recent revelations of for cyberspace. However, arms control U.S. cyber spying, harness this talent for requires the ability to inspect for a prohibited geopolitical ends?

21 www.fireeye.com World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks

c. Taiwan: with constant cyber attacks makers. “And strategic attribution begins and emanating from Mainland China, Taipei may ends with geopolitical analysis,” he said. With this have little choice but to react. in mind, we hope that an awareness of this World War C dynamic helps cyber security profession- 5. Stronger focus on evasion: as we have als better understand, identify, and combat cyber seen, some nation-states know how to attacks in the future. launch stealthy cyber attacks. But as the discipline of cyber defense matures, and About FireEye as public awareness of the World War C FireEye has invented a purpose-built, virtual phenomenon grows, some “noisy” cyber machine-based security platform that pro- attackers such as China may be forced to vides real-time threat protection to enterpris- raise their game by trying to fly under a es and governments worldwide against the more finely tuned radar. next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent The analysis and conclusions drawn in this paper are traditional signature-based defenses, such as conjectural. Cyber security, cyber espionage, and next-generation firewalls, IPS, anti-virus, and cyber war are new and rapidly evolving concepts. gateways. The FireEye Threat Prevention Plat- Furthermore, most computer network operations form provides real-time, dynamic threat are shrouded in secrecy. Deception is a given. protection without the use of signatures to protect an organization across the primary “A cyber attack, viewed outside of its geopolitical threat vectors, including Web, email, and files context, allows very little legal maneuvering room and across the different stages of for the defending state,” said Prof. Thomas an attack life cycle. The core of the FireEye Wingfield of the Marshall Center, in a recent email platform is a virtual execution engine, comple- interview with FireEye. “False flag operations and mented by dynamic threat intelligence, to the very nature of the Internet make tactical identify and block cyber attacks in real time. attribution a losing game.” FireEye has over 1,100 customers across more than 40 countries, including over 100 of But Wingfield adds that strategic attribution—fus- the Fortune 500. ing all sources of intelligence on a potential threat—allows a much higher level of confidence For more information on next-generation threat and more options for government decision protection, visit www.FireEye.com.

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. – RPT.WWC.EN-US.082014