Suspected nation state cyber activity commands attention in the news, particularly as governments, as well as private vendors, feel compelled to call out foreign governments for being behind a range of operations ranging from destructive malware, cryptocurrency theft, traditional and commercial espionage, and disruptive attacks
Indeed “naming and shaming” appears to be the tactic du jour that proponents believe will curb or at least reduce hostile cyber acts, though history has thus proven that strategy to be an ineffective course of action. Nevertheless, whether treaties are signed, norms established, or offenders punished substantially, it can be assumed that states will not walk completely away from conducting operations in cyberspace and continue to leverage the domain in support of their national interests and objectives. Furthermore, it can be equally assumed that nation state cyber operations will invariably evolve from what’s currently being reported. As monitoring capabilities continue to mature, the tactics, techniques, and procedures (TTPs) of offensive actors will adjust accordingly, particularly if being the first to publicly claim attribution remains the shiny brass ring.
As long as being the first to publicly claim attribution remains the shiny brass ring, nation states operating in cyberspace can use this exuberance to their advantage. A decade ago, network defenders discussing “attribution” was so fragile that it had to be whispered so as not have it quickly dissipate. A long held mantra among some security professionals is that while not impossible, attribution in cyberspace is certainly difficult based on a host of factors favoring the attackers to include – proxies, hop points, anonymizers, among others. The implementation of false flags – operations in which an attacker tries to make their actions look as if it was the work of another known attacker – further impede attribution efforts. Now, a week rarely passes when a new report is published that identifies a particular nation state being the orchestrator of a cyber espionage campaign, despite the sophistication typically associated with nation state activity. Even the aforementioned false flag operations appear quickly attributed to a nation state, at least by some organizations.
So what has changed, and where does that leave the future of nation state offensive cyber activity?
The volume of suspected nation state cyber reports that are published begs the question how many of these attribution efforts are in fact correct. But setting that question aside, a more important question is what is the future of nation state offensive cyber operations in an age where their alleged online activities are being monitored and/or detected despite efforts to obfuscate them? There are three possible scenarios. Nation states can make no changes change from the current norm; states can engage in more stealthy and sophisticated TTPs in an attempt to further conceal their online presence; or states can launch noisier online activity in the hope to mask a more “quiet” operation being directed at targets in part of or separate from the noise.
The latter is worth consideration especially in the aftermath of the type of activity demonstrated by the WannaCry and NotPetya ransomware campaigns in 2017. Two governments have been largely suspected of being behind these two attacks, although no definitive proof has been offered implicating either. Global damage estimates associated with WannaCry activity have been listed at $4 billion USD, as the malware is believed to have spread to 150 countries. These attacks have been interpreted differently even though they shared many of the same characteristics. WannaCry was seen as an attempt to garner as much money from global victims as possible, a technique that has been identified as one government’s method of operation. The NotPetya ransomware attack that occurred later used the same exploits, and unlike most ransomware did not seem designed to make money from victims. Both the intent to make money, as well as the apparent indifference to not making money, seems to be the two “evidentiary” motivations that have helped attribute these activities in the public space.
These alleged state actors could have easily used the global noise as a screen from which to conduct a more surreptitious attack that has thus far gone unnoticed or unreported. And if they didn’t now, it certainly is something they can do in the future. Cyber criminals have been known to use distributed-denial-of-service attacks as a diversion in which to distract defenders and steal money as their primary objective. Considering WannaCry and NotPetya hit multiple sectors globally, it would be easy to stealthily target a specific organization amidst that confusion.
Threat actors in general, and governments in particular, can see how these activities are reported in the press and “analyzed” by computer security sector as a guide to how to conduct cyber operations in the future. If stealth operations are being allegedly detected by these entities, governments may choose to blend them into large cyber incidents that consume media resources. In these operations, malware would “escape” into the wild, spreading globally and infecting large numbers of computers. Within this noise, a government actor can conduct a more targeted campaign designed to steal information, exploit a system, etc. Moreover, if the true target can be a part of this larger noise, which would ultimately bury it with other victims that would span all sectors and industries. More consideration will have to be given to alternative hypotheses as to the motivations behind the attacks, the intent of the attacks themselves, and to conducting a comprehensive investigation that is not specifically focused on the most obvious target.
There has been too much reliance on associating TTPs and malware to specific state actors that seriously questions if immediate linkages can and should be made. Nevertheless, if this is true, one logical explanation as to why these TTPs continue to be used by these states is that there may be not reason to change them now. Finger-pointing will happen, plausible deniability will be asserted, and little consequence will be imposed. This has been the cyber standard so far. But to think that this status quo will continue in the near future is both careless and imprudent. As long as the cyber environment favors the agile, the innovative, and the adept, holding onto yesterday’s formulae for doing business risks missing the forest through the trees.
About the author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter