Cyberattacks by Nation-States

January 16, 2018


iSight/FireEye

Cyber warfare is a weapon that weaker nation-states are using to try to level the geopolitical playing field. Iran and North Korea (stay tuned for our upcoming blog post on hospitals for more details on North Korea) have already engaged in efforts to cripple urban infrastructure in other countries via malware.

While attribution of these attacks is hard to prove, they have been repeatedly linked to nation-state actors. Hallmarks of nation-state attacks include targeting specific Industrial Control Systems (ICS) that manage critical urban infrastructure, focusing on obfuscation so that attacks are harder to attribute, and spending considerable time conducting information-gathering campaigns about the target system(s).

In June 2014, the Finnish security firm F-Secure posted findings showing that perpetrators using the Havex malware had targeted and compromised various critical infrastructure systems in Germany, Switzerland and Belgium. CrowdStrike's 2014 Global Threat Report attributed Havex to a Russian group named Energetic Bear. The mutation rate – 88 variants – and the number of command-and-control servers – approximately 146 found – point clearly to a state-sponsored threat.

One of the most dramatic attacks in recent times against urban infrastructure was the BlackEnergy malware assault on the Ukrainian cyber grid. According to forensic investigators, several IT companies tied to the energy sector were compromised in order to take control of Ukraine’s power system. This attack was assumed to be the work of a nation-state – it targeted an institution that was widely known to have very few funds, while the hacker made no activist demands. The attack vector was a social engineering attack involving a very targeted phishing email. The delivered malware, an Advanced Persistent Threat (APT), sat dormant for months as it downloaded the BlackEnergy payload. During that period it proliferated across networks, ultimately causing an hours-long electrical outage for thousands of citizens in December 2015. The program was so well concealed from detection that it could only be retraced after the fact. While attribution of such attacks is unreliable, it is widely accepted that Russian operators were responsible, given their aggression toward Ukraine and the malware already at play in their military operations.

Other nation-states have been more covert, focusing on discreet information-gathering campaigns rather than actively disrupting systems using cyberattacks. Data theft is the specialty of China’s Unit 61398. This is a state-sponsored group whose objective is to amass large volumes of sensitive data that can ultimately be used to achieve political or military objectives. A particularly relevant example of such cyber espionage was conducted by a Chinese operative who goes by the name UglyGorilla. The attack entailed collecting data and digitally mapping dams, airfields and fuel routes. UglyGorilla was indicted by the US for this in 2014. Nothing came of the indictment.

Because nation-states are involved, there are clear opportunities to leverage defensive social engineering techniques such as cyber negotiation. Cyberattacks by nation-states are typically used as power signals, and in some cases are an indirect invitation to negotiate. The question, though, is how should an urban infrastructure operator or owner engage with nation-state hackers? We will explore the options in future posts!