Espionage among nations is not a new phenomenon; it has existed since the early medieval period. The world of spies has evolved with the times, and we are now facing a bigger challenge known as cyber espionage. This new form of organized and deliberate threat uses cyber warfare techniques to gain economic, military, or political benefits. Highly skilled cybercriminals are recruited to damage or shut down government or military infrastructures, or to gain unauthorized access to financial systems. They are capable of creating complete chaos on a global level, from changing the outcome of major political elections to creating mayhem at international events. The disturbing part of cyber espionage is that the perpetrators follow a modus operandi designed to keep their tracks untraceable for years on end.
With the gradual adoption of this infamous practice, the threat has now spread to several other domains as well. According to the Verizon 2018 Data Breach Investigations Report, the industries most affected by cyber espionage are public administration, manufacturing, and education.
This has led organizations of every size, from large enterprises to small businesses, to consider cyber-espionage prevention.
Understanding Cyber Espionage
Cyber espionage is the act of gaining unauthorized access to a network or system, usually to obtain the sensitive data of a government or military infrastructure, often through proxy servers. This notorious practice is an attempt to damage or misuse compromised data, which usually means political, economic, or military data. In the world of cyber espionage, the threat actors are generally either state-affiliated actors or nation-states seeking a strategic advantage.
Recently, the California-based cybersecurity firm FireEye unveiled the motives of an Iranian cyber-espionage group called APT39. The group's main targets remain telecommunications firms in the Middle East, and its espionage activities were found to serve Iran's interests. The telecommunications industry is targeted because it stores huge amounts of personal and customer data, which yields a wide range of potential targets across multiple verticals.
Latest Cyber-Espionage Cases
The cyber-espionage incidents listed below illustrate the colossal capabilities of cybercriminals.
1. Renewed Cyber Attacks in 2019 from Chinese and Iranian Hackers on US Agencies
It was recently revealed that Chinese and Iranian hackers are aggressively attacking government agencies and businesses in the United States. Cybersecurity experts believe these attacks are a consequence of Trump's withdrawal from the Iran nuclear deal and the trade war with China. In January 2019, US intelligence chiefs reported that China, Iran, North Korea, and Russia are the nation's main cyber adversaries. These countries are linked with cyber-espionage activities such as stealing information to influence citizens and disrupting critical infrastructure in the United States. The report clearly states the objective of the Iranian hackers: "to gain intelligence and position themselves for future cyber operations."
2. Pakistan’s Foreign Affairs Ministry Website Hacked Post-Pulwama Attack
Pakistan's Dawn reported in February 2019 that the website of the nation's Ministry of Foreign Affairs had been hacked, and several countries reported that the website was inaccessible to them. The website appeared to function within Pakistan, but visitors from countries such as the Netherlands, Australia, Britain, and Saudi Arabia had trouble opening it. The report also suggests that these cyberattacks could have originated from India, as a consequence of the terrorist strike in Pulwama, Kashmir, on February 14, 2019.
This is not the first time Pakistan has faced such an issue. Earlier, in 2017, the Pakistan Peoples Party's official website was reportedly defaced by Indian hackers. In the same year, another official website, this time belonging to Karachi Police, was hacked and defaced, presumably by Indian hackers.
3. Kaspersky’s “Slingshot” Report 2018
In 2018, Kaspersky Lab exposed a then-active advanced persistent threat (APT) actor. The malicious loader was internally named "Slingshot" after the names found in the threat actor's unencrypted samples and components. Most victims of the group were individuals rather than organizations, located in African and Middle Eastern nations. According to Kaspersky's researchers, the earliest compiled component of the attack dates back to 2012.
The primary objective of "Slingshot" was to collect screenshots, keyboard data, network data, passwords, USB connections, clipboard contents, other desktop activity, and more, which links it to the cyber-espionage pattern. Later, former US intelligence officials acknowledged that Slingshot was a US military program for gaining access to computers commonly used by terrorists.
4. Chinese Hacking Group’s Cyber-Espionage Campaign
Symantec revealed in June 2018 that a group of Chinese-linked hackers had been targeting two United States-based satellite firms. The sophisticated hacking group also targeted defense contractors and telecommunications companies in the United States and Southeast Asia. The group's efforts were believed to be carried out in the interest of the Chinese state. The primary drive of this cyber-espionage campaign was to intercept the military and civilian communications of the victim nations. Hacking for the purpose of interception is rare, but it exists. In this case, however, the group went further and deliberately infected the systems controlling the satellites, with the apparent motive of changing the positions of the orbiting devices and disrupting data traffic.
The group became active in 2013, but after the political agreement between the United States and the Chinese government in 2015, it apparently went underground. Symantec tracks this cyber-espionage group under the name "Thrip."
5. A 12-Year Campaign of China Exposed in 2018
In 2018, a 12-year cyber-espionage campaign came to light when the United States accused two alleged Chinese-sponsored hackers of actively breaching the computers of government agencies and firms in at least 12 countries. The massive campaign was seemingly controlled by Beijing's main intelligence agency. Its primary objective was to steal trade secrets and other intellectual property from government agencies. It also aimed to steal identity-related data from major corporations in the United States and at least 12 other nations.
The Justice Department and US allies allegedly uncovered that Beijing was trying to vacuum up technological and intellectual-property data in order to become the world's economic and technological superpower.
6. A Leaked Trump–Duterte Transcript Reveals a Cyber-Espionage Story, 2017
A stolen transcript of a phone conversation between the US President, Donald Trump, and his Philippine counterpart, Rodrigo Duterte, first surfaced on the Internet through malicious email attachments. The sensitive documents were obtained by a hacker group allegedly linked to the Vietnamese government and were stolen from the Philippine government's own surveillance. The leak appeared to be larger than the handful of documents initially revealed. Cybersecurity investigators soon found that the attack had been carried out by a hacker group called APT32 (also known as the OceanLotus Group). According to various cybersecurity firms, APT32 is attributed to the Vietnamese government.
Amy Chang, an affiliate of the Harvard Belfer Center's Cyber Security Project, believes that the rise of Duterte in the Philippines is the reason behind the leaked transcript.
7. Intensive Cyber-Espionage Campaign of APT28 Against Montenegro’s Government
Before Montenegro joined NATO in 2017, APT28 (also popularly known as "Fancy Bear"), a malicious hacking group linked to Russian intelligence, actively conducted a cyber-espionage campaign against the Montenegrin government. The campaign reflects Russia's desire to intrude in the political affairs of foreign nations. Two booby-trapped attachments were sent to Montenegrin government officials by email to load a Flash exploit framework through a command-and-control infrastructure.
Apart from this campaign, the group was also involved in hacking the Democratic National Committee in 2016.
8. Vietnamese Campaign Against ASEAN 2017
An APT group, APT32 (also known as the OceanLotus Group), allegedly linked to the Vietnamese government, began attacking the Association of Southeast Asian Nations (ASEAN) as part of its cyber-espionage campaign. In 2017, the incident response firm Volexity identified and uncovered the group's widespread digital surveillance and attack campaign, which also targeted media, human rights, and civil society organizations.
The group conducted the attacks through multiple strategically compromised websites belonging to government, military, media, civil society, human rights, and oil exploration organizations. The attacks were surgical in nature, as they targeted only whitelisted visitors of these websites, who were shown a fake screen designed to gain control of their contacts and emails.
According to cybersecurity experts, the APT32 group started its activities in 2012, or perhaps even earlier. It is considered one of the most advanced APT groups because of its rapidly evolving capabilities.
9. “Sowbug” Targeting South America’s Government Organizations
A cyber-espionage group, "Sowbug," with nation-state capabilities, targeted government organizations in selected nations. According to a Symantec revelation in 2017, Brazil, Peru, Ecuador, and Argentina were among the nations under sophisticated attack by Sowbug. The group has been active since 2015 and appears to be interested in data related to the region's foreign policy. This is a rare example of an organized cyber-espionage campaign in the South American region.
Sowbug uses its own malware, which can target multiple systems at the same time. In 2015, the same group was involved in illegally extracting documents from the foreign affairs ministry of a South American nation.
Where to Begin to Combat a Cyber-Espionage Attack?
There are various technologies available to stop cyber-espionage attacks, from behavioral analytics to the detection of indicators of compromise (IoCs). EC-Council's Certified Threat Intelligence Analyst (C|TIA) program has a module specifically designed to deal with the collection, creation, and dissemination of IoCs in various formats. It covers the extraction of IoCs from different sources and includes data collection techniques. It also helps you develop the skills to protect an organization's infrastructure against cyber threats. Threat analysis and threat intelligence evaluation are also part of this program.
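To make the IoC side of the paragraph above concrete, here is an added example (not code from the article or from EC-Council) of what "collecting IoCs in various formats" and checking telemetry against them looks like in practice. It ingests two constructed feeds (one CSV, one minimal JSON), normalizes the indicators so that differently-spelled copies of the same value merge, and then scans a few constructed log lines for hits. All feed values, log lines, and the feed names "constructed-feed-a" and "constructed-feed-b" are made up for this example; the IP addresses are RFC 5737 documentation ranges and the hash is SHA-256 of the string "hello".

```python
import csv
import io
import json
import re

# Constructed IoC feed in CSV form. Every value is made up for this example
# (documentation IPs, example.* domains, SHA-256 of "hello") and is not an
# indicator from any published report. The hash is deliberately upper-case
# to show normalization at work.
IOC_CSV = """type,value,source
domain,update-check.example.net,constructed-feed-a
ipv4,203.0.113.45,constructed-feed-a
sha256,2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824,constructed-feed-a
"""

# The same kind of data in a minimal JSON layout, standing in for a second feed
# format (also constructed; not STIX or any vendor schema). Note the mixed case
# and trailing dot on the first domain, and the overlap with feed A.
IOC_JSON = json.dumps({
    "indicators": [
        {"type": "domain", "value": "Mail-Relay.EXAMPLE.org.", "source": "constructed-feed-b"},
        {"type": "ipv4", "value": "198.51.100.7", "source": "constructed-feed-b"},
        {"type": "domain", "value": "update-check.example.net", "source": "constructed-feed-b"},
    ]
})


def normalize(ioc_type, value):
    """Canonicalize an indicator so different spellings of one value compare equal."""
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")   # DNS names are case-insensitive; drop trailing dot
    if ioc_type in ("md5", "sha1", "sha256"):
        return value.lower()               # hex digests are case-insensitive
    return value


def load_csv(text):
    """Parse a CSV feed with a type,value,source header into (type, value, source) tuples."""
    return [(r["type"], r["value"], r["source"]) for r in csv.DictReader(io.StringIO(text))]


def load_json(text):
    """Parse the JSON feed layout used above into (type, value, source) tuples."""
    return [(i["type"], i["value"], i["source"]) for i in json.loads(text)["indicators"]]


def build_index(*feeds):
    """Merge feeds into {(type, normalized value): set(sources)}; duplicates collapse."""
    index = {}
    for feed in feeds:
        for ioc_type, value, source in feed:
            index.setdefault((ioc_type, normalize(ioc_type, value)), set()).add(source)
    return index


# Constructed telemetry: a proxy access log, a DNS resolver log and an endpoint
# file event. Made up for the example; not real logs from any environment.
LOG_LINES = [
    "2019-03-01T10:00:01Z proxy client=10.0.0.5 dst=203.0.113.45:443 host=UPDATE-CHECK.example.net status=200",
    "2019-03-01T10:00:02Z dns client=10.0.0.7 query=mail-relay.example.org type=A answer=198.51.100.7",
    "2019-03-01T10:00:03Z proxy client=10.0.0.9 dst=192.0.2.10:443 host=www.example.com status=200",
    "2019-03-01T10:00:04Z edr host=WS-12 event=file_create sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def extract_candidates(line):
    """Pull every substring of a log line that could be an indicator, tagged by type."""
    found = set()
    found.update(("ipv4", ip) for ip in IPV4_RE.findall(line))
    found.update(("sha256", h) for h in SHA256_RE.findall(line))
    found.update(("domain", d) for d in DOMAIN_RE.findall(line))
    return found


def scan(lines, index):
    """Return one hit per (line, indicator) whose normalized candidate is in the index."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ioc_type, raw in extract_candidates(line):
            key = (ioc_type, normalize(ioc_type, raw))
            if key in index:
                hits.append({"line": line_no, "type": ioc_type,
                             "value": key[1], "sources": sorted(index[key])})
    return sorted(hits, key=lambda h: (h["line"], h["type"]))


def main():
    index = build_index(load_csv(IOC_CSV), load_json(IOC_JSON))
    for hit in scan(LOG_LINES, index):
        print(f"line {hit['line']}: {hit['type']} {hit['value']} "
              f"(sources: {', '.join(hit['sources'])})")


if __name__ == "__main__":
    main()
```

The normalization step is the part that matters operationally: without it, the upper-case host name in the proxy log and the trailing-dot domain in feed B would silently miss, and the same domain listed by both feeds would be counted as two unrelated indicators instead of one indicator with two corroborating sources. Real deployments replace the regex extraction with structured log fields and the in-memory dictionary with a proper store, but the ingest-normalize-match shape stays the same.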