
Cyber spies in disguise: Nation-state

If, by chance, some extended space travel took you out of Earth's orbit for the past 25 years and you just returned, you might be excused for thinking not much has changed in foreign relations. Western leaders like Canadian Prime Minister Stephen Harper are back to referring to the NATO countries as the “free world” and relations with Russia (yeah, we call it that, again) are chilly once more. China? Still red, and still spying on us, although now the Cold War is fought through advanced persistent threats (APTs) in the cloud, on email servers and over mobile devices.

In February 2013, Alexandria, Va.-based Mandiant provided a detailed view inside the activities of APT1 – a unit of the People's Liberation Army (PLA) operating primarily out of Shanghai's Pudong New Area – which had compromised an estimated 141 organizations in 20 major industrial sectors.

“That report was important for a number of reasons,” says Amit Yoran, general manager and senior vice president of RSA Security in Bedford, Mass., and a former director of the Department of Homeland Security's National Cyber Security Division. “It provided some interesting specifics and raised awareness of these types of activities.”

While he says those within the security community merely shrugged at the confirmation of what they already suspected, the Mandiant report heightened people's understanding of how far foreign nations will go to obtain information.

Three months later, leaks from former Booz Allen Hamilton contractor Edward Snowden illustrated that China was not the only country playing the game.

“It wasn't unknown that spying was going on, but the increased profile changed the environment beyond the narrow core,” says Larry Clinton, president and CEO of the Internet Security Alliance, a nonprofit collaboration between trade associations and academia focused on cyber security.

“The technical content of the Mandiant report was not a shock,” agrees Michael Sutton, vice president of security research at San Jose, Calif.-based Zscaler, but he says the sudden public spotlight forced the PLA unit underground for about three months.

Despite the disruption, says Alex Cox, a senior research analyst at RSA FirstWatch, “It didn't really change things. The past six months have been business as usual for those guys.”

The weakest link

In this instance, business as usual means setting watering-hole traps and launching the kind of spear-phishing attacks that have reached as high as some federal government departments in the West.

“People continue to be the weakest link,” says Cox. “These APT crews know they can break in, and as far as security goes, we're seeing the same level of sophistication, or lack thereof, among Fortune 100 companies.”

Yoran adds that since the revelations there have been some changes in the tools and techniques being used. “But, that's just par for the course, over time. We are dealing with some very focused adversaries.”

In an email response on behalf of Communications Security Establishment Canada – the country's secretive cryptologic agency – spokesperson Ryan Foreman wrote: “Cyber threat actors are constantly probing government systems and networks looking for vulnerabilities. These activities are becoming more frequent and more sophisticated.” 

Meanwhile, Cox says that the majority of attacks continue to emanate from China – and whether they are state-sponsored continues to be debated – but adds that countries like Russia and India are also active sources.

“Basically, everybody's doing it,” he says. “A lot of it is retaliatory, some of it is politically motivated. Not everything we see is a state-sponsored attack.”

Unlike the Cold War years, when geo-political shifts and events like the thwarted Bay of Pigs invasion would trigger a spike in spy activity, observers say that we are unlikely to see more attacks in the wake of something like Russia's takeover of Crimea.

“I think countries like Russia and the U.S. are already at full capacity as far as cyber espionage goes,” says Clinton.

Sutton agrees. “A cooling of relations between the NATO members and Russia won't change anything. Cyber espionage is already there and ongoing. What we're seeing is lengthy intel gathering.”

What has occurred is a shift in targets. In addition to focusing on government and related organizations, foreign players have begun extending their activities to media outlets.

“That's actually a very wise avenue,” says Sutton. “If you can access reporters' private conversations with their confidential sources then you have tapped into a fantastic stream of intelligence.”

Small organizations have fallen victim, too, and Sutton says that nation-states will often target law firms to get at highly prized information related to government contracts. “It's a mistake to say, ‘We're too small.’ There are some juicy targets among smaller organizations, and anyone can fall victim to foreign espionage if they have information that someone thinks might prove worthwhile.”

Some nation-state actors have definitely moved downmarket, says Yoran, and that is creating significant problems for companies that find it difficult to defend against malicious or criminally minded attackers, let alone state-financed spies.

“It's a tough job for a small- or midsized business,” says Cox. “Your opponent is well funded and you may not even be able to afford a full-time IT guy.”

But, even for companies that put resources into safeguards and take cyber security seriously, Yoran says the attackers will always have the edge. “When you're on defense, you have to play a perfect game. You have to be at 100 percent at all times. Meanwhile, the other side only has to score once.”

The incentives definitely favor the attackers, adds Clinton. “The state-sponsored ones are using increasingly sophisticated methods, and they can invest as much time as they want to. The defense is inherently behind.” 

He says that when intelligence is at risk, an ongoing issue is that it is very hard to demonstrate return on investment for security provisions. “What do you focus on? You can't do it all, and you can't necessarily guess what foreign players might want to go after.”

Complete transparency?

Recognizing this, some governments have offered to help. For instance, in Canada, the Canadian Security Intelligence Service reached out to organizations in the aerospace, biotechnology, petroleum and agriculture sectors with an offer to confer on how they might protect information that could be deemed to be in the national interest.

That idea draws a laugh from former Homeland Security director Yoran. “Unless you want to embrace complete transparency, you probably don't want to invite the government in to look at your networks. I can't imagine too many companies allowing a spy agency in.”

The issue of cyber espionage on a multinational basis has generated some interesting discussions among the directors of global companies, he says. 

“Boards of directors have not normally had to deal with this type of cross-border issue,” he says, citing an industry truism – risk accepted by one is shared by all – as a reality now facing organizations that operate in numerous jurisdictions.

Cross-border issues

“It's a complex situation,” says Yoran, “and you need to put the right controls in place to ensure you are managing risk in the way that best protects your business.”

The best thing organizations can do, says Cox, is to focus on their most valuable assets. “You need to build visibility to have a view of those things so that nothing important leaves your network without you knowing. You need to understand how these types of attacks happen, and watch for them.”

Sutton says the best thing organizations can do to protect themselves against foreign predators is to share information, despite the natural competitive instinct to keep things quiet.

“I think we're starting to see more organizations opening up to that,” he says. “The Target breach was a good lesson. As a business, it doesn't help you if your competitor gets hit. You could be next in line.”

Clinton believes that Big Data will also play a role in counteracting foreign attacks.

“I'm optimistic that analytics will help us win,” he says. “We can use our insight to determine the patterns of their behavior, and move to block it. In the end, we have the data, and they're just people.”
