Cyber Espionage: Confronting Advanced Persistent Threats

Aug 3, 2011

By Jarrod Rifkind

Cyber espionage is a threat to nation-states, companies, and international organizations alike. Events in recent months only reaffirm the threat posed by cyber espionage to anyone using a computer network. Many have attributed these instances of cyber espionage to nation-states because they are the primary actors capable of funding and maintaining cyber espionage efforts without being detected. Nation-states can afford computer specialists skilled in writing highly sophisticated code used in spear phishing attacks, which serve as the access point for attackers to infiltrate a target's network. In most cases, states also have much to gain from successful cyber espionage operations that lead to the acquisition of intellectual property and sensitive information about other countries and organizations. The open source nature of most hacking software also makes it possible for technically skilled individuals to engage in cyber espionage. This is less likely simply because individuals are often unwilling to risk being caught for something with limited financial reward. This post classifies cyber espionage into three categories (political, economic, and military) and pinpoints the shared intent of attackers: to obtain sensitive information through cyber means.

Office of His Holiness the Dalai Lama (OHHDL) – This example of political espionage lasted for some time and was traced back to China. A paper written by Shishir Nagaraja and Ross Anderson places the attack within the context of the Beijing Olympics in 2008. According to the document, the OHHDL began suspecting they were under network surveillance after sending an email invitation to a foreign diplomat. Before they could follow up with a phone call, the Chinese government had already contacted the diplomat's office warning against meeting with the Dalai Lama.

After an investigation of the OHHDL's email server logs, the paper's authors discovered successful logins from a range of IP addresses belonging to ISPs in China and Hong Kong. The traffic between users and the email server was unencrypted, so emails were captured and altered to include malicious code for phishing attacks. During the entire operation, the attacker collected files and sensitive information from a large number of monks' computers and sent them to three servers located in China's Sichuan province.
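The log review described above, in which successful logins from unexpected IP ranges revealed the intrusion, can be automated. The following is an added example and is not code from the Nagaraja and Anderson paper or from the OHHDL investigation: it assumes a Dovecot-style IMAP login line format, a small allowlist of networks from which staff are expected to log in, and a handful of constructed log lines (the addresses are documentation ranges, not real attacker infrastructure). It reports every successful login whose source address falls outside the allowlist and groups the affected accounts by source address, which is the view an investigator wants when deciding which mailboxes to treat as compromised.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a Dovecot-like IMAP login format (not real OHHDL logs).
SAMPLE_LOG = """\
2008-07-14 02:13:55 imap-login: Login: user=<monk01>, rip=10.20.0.15
2008-07-14 02:14:02 imap-login: Login: user=<monk02>, rip=10.20.0.31
2008-07-14 03:41:17 imap-login: Login: user=<monk01>, rip=203.0.113.77
2008-07-14 03:41:40 imap-login: Disconnected (auth failed): user=<admin>, rip=203.0.113.77
2008-07-14 04:05:09 imap-login: Login: user=<secretary>, rip=198.51.100.9
2008-07-14 04:06:30 imap-login: Login: user=<monk02>, rip=10.20.0.31
"""

# Assumed allowlist: the office LAN and a VPN range from which logins are expected.
EXPECTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Matches only successful logins; failed attempts and other lines are ignored here.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) imap-login: Login: user=<(?P<user>[^>]+)>, rip=(?P<ip>\S+)$"
)


def parse_successful_logins(log_text):
    """Return a list of (timestamp, user, ip_address) for each successful login line."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((m.group("ts"), m.group("user"), ipaddress.ip_address(m.group("ip"))))
    return logins


def is_expected(ip, expected=EXPECTED_NETWORKS):
    """True if the address belongs to one of the allowlisted networks."""
    return any(ip in net for net in expected)


def find_unexpected_logins(log_text, expected=EXPECTED_NETWORKS):
    """Return successful logins whose source address is outside the allowlist.

    Each result is a dict so the caller can serialise it directly into a report.
    """
    flagged = []
    for ts, user, ip in parse_successful_logins(log_text):
        if not is_expected(ip, expected):
            flagged.append({"ts": ts, "user": user, "ip": str(ip)})
    return flagged


def accounts_by_source(flagged):
    """Group flagged accounts by source address, deduplicating users per address."""
    grouped = defaultdict(list)
    for entry in flagged:
        if entry["user"] not in grouped[entry["ip"]]:
            grouped[entry["ip"]].append(entry["user"])
    return dict(grouped)


if __name__ == "__main__":
    hits = find_unexpected_logins(SAMPLE_LOG)
    for ip, users in accounts_by_source(hits).items():
        print(f"{ip}: successful logins for {', '.join(users)}")
```

In practice the allowlist would come from the organisation's own address plan, and the same filter is worth running over webmail and VPN authentication logs as well as IMAP, since a credential stolen by reading unencrypted mail traffic works on every service that accepts it.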

RSA/Lockheed Martin Hacks – Similar to what happened to the OHHDL, RSA was the victim of cyber espionage, but for economic and military reasons. According to the RSA blog by Uri Rivner, the attackers sent two different spear phishing emails titled "2011 Recruitment Plan" over a two-day period to two small groups of employees. The attached spreadsheet contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability. Even though RSA's Computer Incident Response Team caught the attack while it was occurring, information held by the company was compromised.

A few months later, Lockheed Martin publicly announced that it had been hacked. The attackers were likely targeting project plans associated with the company's work with the Department of Defense (DOD). The RSA and Lockheed hacks are connected because the hackers were able to use stolen RSA SecurID hardware tokens to access Lockheed Martin's network. According to Lockheed Martin officials, the company thwarted the attack before critical information was lost. This case is one example of how hackers have attempted to steal intellectual property from U.S. companies as a way to improve their competitive advantage.

International Monetary Fund (IMF) – Again, the victim in this scenario was likely an unsuspecting employee at the IMF who opened a file he or she received in an email, and the attack had political and economic underpinnings. Once some computers at the IMF were compromised, emails and important documents were exfiltrated by the hackers. A source with knowledge of the incident claimed that the intrusion was likely carried out by a nation-state. The IMF also cut its network connection with the World Bank across the street to prevent the effects of the attack from spreading to World Bank computers. The stolen information could divulge sensitive details about the economic status of countries with ties to the Fund, which a state could leverage in dealings with other countries.

There is a plethora of other examples of cyber espionage incidents. As these cases show, the victims of cyber espionage are often the targets of Advanced Persistent Threats (APTs). The difficulty often lies in pinpointing the identity of the attackers as well as the origin of the attacks, which can be attributed to the attackers' skill and determination to achieve what they have set out to do. The three cases discussed above highlight how cyber espionage can be conducted for political, military, and economic reasons. These are neither the only nor the most important cases in recent years. McAfee released a document today detailing the targeted intrusion of over 70 global companies, governments, and non-profit organizations during the last five years. Each of the incidents discussed in the report is an example of cyber espionage. This news reaffirms that actors will do what they deem necessary for survival in a Hobbesian world.

Although APTs will continue to compromise computer networks, there are some ways to limit access to sensitive information and mitigate the aftereffects of an attack. In general, attackers conducting cyber espionage operations exploit an individual's natural curiosity through spear phishing attacks. Awareness is therefore essential for limiting the success rates of attackers targeting employees in governments, companies, and international organizations. Encryption is not a complete solution on its own either, but the OHHDL incident shows how critical it is for sensitive information to remain encrypted, both on machines and in transit between users and servers. With cyber espionage becoming public knowledge, it is the responsibility of individuals, governments, companies, and international organizations to ensure that they remain up to date on best practices for confronting and mitigating the effects of an attack.