China leads the hacking charts with the highest combination of impact factors ticked off on a matrix combining the potential capability and impact of possible attacker groups, thus presenting the highest risk, forming one of three actors with a potential tier 6 catastrophic impact (alongside Russia and the Five Eyes) according to a new report by Flashpoint.
The authors say that this Decision Report reinforces the need for decision makers inside the enterprise to incorporate Business Risk Intelligence (BRI) into their risk assessments and strategies.
Flashpoint has detailed the main factors that will increase cyber-threat levels producing its Threat Matrix which details the capability and potential impact of different attackers, from specific nation states to Jihadis.
A primary focus is the fact that cyber-warfare is a main component used in all conflict now. Consequently the increase in tensions in East Asia over the North Korean nuclear and intercontinental ballistic missile programme which will result in more direct and kinetic conflict between North and South Korea, the United States, and potentially China, would increase levels of cyber-conflict too. The US has formally recognised Jerusalem as the capital of Israel is moving its embassy from Tel Aviv to Jerusalem sparking a broad regional outrage as it is opposed by virtually the entire UN and especially Muslim states. There is an ongoing power struggle between Saudi Arabia and Iran for influence in the Middle East leading to kinetic conflict in the region (in Yemen), again spilling over into the digital sphere. Also, the situation in Syria is further deteriorating with the potential of armed conflict between major states with differing ambitions for the region meaning the likelihood of cyber-attacks to influence power has increased.
Russia is still globally a hugely active and dangerous player in terms of cyber-space and cyber-attacks, however it is being increasingly isolated from the Western countries due to exposure of its interference in the US Presidential election and spreading of misinformation against Western democracies. In addition Russia is creating its own global internet for social media meaning there will be Russian-owned versions of Facebook, Instagram, Twitter, Youtube and Snapchat for example.
The Five Eyes' cyber-intelligence operations are mostly exclusively conducted in support of national security objectives rather than for commercial or economic gain, and destructive or disruptive attacks are intended to be utilised only as a component of covert actions against already hostile targets, or during wartime. The Five Eyes are not likely to be considered threat actors for Western organisations and individual component nations of the Five Eyes: the US, UK, Canada, Australia and New Zealand.
A potential future threat is if other nation-states, such as China, Iran, and North Korea, adopt the Russian model of engaging in “cyber influence operations” via proxies, resulting in the exposure of such a campaign.
Also, the report predicts an expansion in North Korean cyber-operators' presence in Southwest and Southeast Asia as Chinese support wanes due to international pressure and a growing diplomatic rift between Beijing and Pyongyang. North Korean actors are already believed to operate autonomously abroad, running various cyber-operations to finance their activities or acquire additional funds for the regime through online crime.
More conventional criminal gangs remain a severe threat despite disruption of their groups due to last year's arrests of significant top-tier cybercriminal actors active in various underground communities as well as take-downs of specific criminal operations online. Now Cybercriminal groups increasingly seeking and recruiting insiders in financial institutions as well as leveraging the stolen NSA exploits made available by Shadow Brokers.
Disruptive and attention-seeking threat actors who lack ideological or financial motivation have decreased due to better security efforts with companies are being targeted investing in DDoS mitigation systems. However, attacks from financially motivated cyber-criminals are still at a high level and they have proved to be inventive, evading the latest fraud-detection measures enabling cyber-crime to continue to be a growing and persistent global problem.
Many of the more capable Jihadist hackers were killed or arrested (though website defacement and DDoS attacks were their most usual activity) reducing their likely impact, but last year the UCC (United Cyber Caliphate) reportedly established its all-female “al-Khansa Battalion;” overcoming its more usual view of the role of women by seeking to educate female ISIS supporters to engage in “cyber jihad.”
Flashpoint's director of East Asian Research and Analysis, Jon Condra spoke to SC Media UK about the report conclusions including the implications of Russia's increasing isolation, including segregating its internet from the rest of the world by creating its own - both for Russia and the West. He told SC: “For the Russian government, isolating its population from the broader global Internet has a number of advantages. First, it enables a greater level of information control within the country's borders, as the government can now block websites hosting content that it finds objectionable with greater efficacy and forces traffic to route through government-controlled DNS servers, enabling greater levels of monitoring and filtering. This will likely have the effect of strengthening the regime's ability to shape public opinion in a largely unseen manner, thus bringing a heightened level of political control over the populace for the Kremlin.”
"With respect to the Russian population and for foreign entities, be they individuals or businesses operating within Russia, it means that the Internet is liable to become a much more closed off and homogenous environment. It is likely that less foreign media will be permitted into the country via the Internet, and that social narratives are much more easily manipulated by the authorities. For political dissidents and the opposition within Russia, it may push these individuals and movements further underground.
“For the world, it is plausible that the success of Russia's effort in this vein will accelerate similar aspirations in other countries such as China and Syria to implement the same sort of system. This may ultimately result in the fragmentation of the Internet, in that national governments begin to exert greater control over information flowing across borders and domestic services begin to be favoured in place of more competitive or more popular foreign ones which the local government, for whatever reason, determines is objectionable.
"A knock on effect of these efforts may be an era of digital protectionism, wherein allowing or preventing access to foreign services via “national Internets” can determine the success or failure of entire industries or narratives which are reliant on the Internet to thrive. Moreover, the move towards a closed Internet signals an insular shift in Russian policy, which is disappointing to many observers who, especially in the immediate aftermath of the collapse of the Soviet Union, heralded a new era of international relations wherein Russia would inevitably move towards democratic governance and integration into the largely Western-shaped international order.”
Are the Five Eyes an offensive threat to non-members - both political adversaries and ostensible allies - given that the UK, for example, has been found spying on fellow European countries?
SC also asked whether China is the biggest threat because of its capability, or is it actually the most active adversary in terms of attacks? Plus we wanted to know, what is the biggest danger in the cyber-sphere presented by China?
Condra replied: “Chinese military planners and policymakers have long understood the utility of advance cyber-attack and cyber-espionage capabilities for the purposes of both accelerating the country's economic development as well as negating or otherwise degrading a Western military effort in the Asia-Pacific region. As a result, it has invested heavily in the development of such capabilities, and at least for a time, largely unabashedly leveraged its cyber-espionage capabilities against Western governments and private sector organisations in efforts to steal intellectual property and/or government secrets.
“In peacetime, the largest threat posed by China in the cyber-sphere is its demonstrated prowess at intellectual property theft. China has been linked to dozens, if not hundreds, of intrusions over the last decade—breaches which are estimated to have cost (the American economy in particular) tens of billions of dollars and accelerated China's growth trajectory considerably, as well as improved the country's conventional military capacity. Over the past couple of years however, and especially since the time period surrounding the September 2015 Xi-Obama agreement not to conduct industrial cyber-espionage, Chinese activity in this vein has by most accounts fallen off considerably. Whether this is due to an actual desire on the part of Beijing to conform to that agreement, a significant reform of the People's Liberation Army that was initiated around the same time period, an improvement in Chinese cyber-espionage operators' operations security practices, or another unknown reason, we cannot say.
“In wartime, China is likely to utilise its cyber-attack capabilities in a variety of ways. The most obvious would include the disruption, degrading, or destruction of its adversary's Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) networks in a bid to paralyse the war effort and leave conventional military units blind. But, depending on the scale of the conflict and a variety of factors affecting escalation, Beijing could also turn towards attacks on civilian networks and/or critical infrastructure in order to cause disruption on an adversary's home turf, distract from the theatre of conflict, and inflict economic, social, and political pain on the opposition in the long term.”
SC also asked, how big a cyber-threat is North Korea really? Would the rest of the world not simply be able to crush the country if it chose to retaliate?
Condra responded: “North Korea is an interesting case in that, despite its relative economic backwardness and international isolation, it has developed advanced cyber-attack capabilities—and has a proven track record of using them in the pursuit of various ends. One of the challenges with North Korean threat actors is that they in many ways break the mould of what most think of as nation-state actors, which makes it very difficult to predict what organisations they may target next, the tactics, techniques, and procedures (TTPs) they may leverage, when they may take action, or even what may spur them into action. A few good examples of this include the attack on Sony Pictures Entertainment, ostensibly due to the impending release of a film negatively depicting North Korean leader Kim Jong Un, attacks on international financial institutions in efforts to siphon away cash likely to fund the regime, and the use of ransomware like WannaCry. All of these behaviours and/or TTPs are not generally associated with nation-states and thus make it difficult to predict and model risk when it comes to North Korean threat actors.
“In the event of direct kinetic military conflict with North Korea, it is very likely that the regime would turn to cyber-weapons as a means of resistance and of degrading and/or destroying the adversaries' capabilities in theatre. Given the country's relatively rudimentary Internet infrastructure, however, is it unlikely that such efforts would be highly successful, at least as long as they are emanating out of the borders of the DPRK. North Korean threat actors, however, are known to operate outside of the country's own borders, in other countries such as China, and increasingly in Southeast Asia. As a result, cutting off the DPRK's internet access may not be enough to completely stifle the regime's efforts at a digital counterattack.”
“We do not consider the Five Eyes countries, in general, a threat to Western entities. This is largely because the Five Eyes do not conduct destructive cyber attacks against their allies, and nor do they engage in cyber-enabled industrial espionage. Nevertheless, it would be naive and fundamentally incorrect to assume that the Five Eyes do not use their various intelligence apparatuses to collect against one another and their close allies, but mostly at a governmental level in order to facilitate better strategic planning and policymaking. While this behaviour might be unbeknownst to a large segment of the population, this is a norm for nation-states and most national leaders understand that fact and accept it as an immutable part of life, despite sometimes being forced for political reasons to condemn it publicly.”
We also asked Condra, what for him was the most surprising finding of the research?
He concluded: “Perhaps the most surprising eventuality in 2017 was the rapidity with which the traditional Deep and Dark Web (DDW) market environment collapsed following high-profile law enforcement action against several marketplaces. Long considered exceptionally hard targets for law enforcement due to the high levels of anonymity traditionally afforded by the Tor network, law enforcement in 2017 made significant headway in cracking down on prominent illicit DDW marketplaces such as AlphaBay and Hansa, which were both taken down in the latter half of the year. Moreover, at least two other well-known shops—Evolution and Agora—abruptly closed, leaving DDW actors largely out in the cold. Inevitably, however, demand for DDW services is unlikely to simply vanish, but instead shift to new mediums; in this case, we observed the move towards decentralised marketplaces and alternative platforms, such as Discord, for the conduct of illicit activities. This type of shift largely mirrors other similar trends on the DDW away from traditional mediums of online communications such as IRC, Facebook, and Twitter, towards either more obscure communications mediums or end-to-end encrypted chat applications.”