The curious case of cyber warriors: backing nation states in cyberwarfare

Traditional warfare seems no longer fit for purpose, overshadowed by the possibility of mutual destruction that the creation of nuclear weapons introduced. In light of that, cyberwar has been picking up the pace, with nation states reaching out to the most mysterious actors of all: cyber warriors.

Government-backed or state-sponsored hacking is certainly not new. It can range from taking down an online news outlet critical of the government to committing cyber espionage or crippling the financial or defense systems of enemy states.

Whatever the outcome, the motivation is always political or economic, with threat actors having a specific goal in mind, in contrast to the opportunistic approach of many low-profile cybercriminals. As geopolitical analyst Irina Tsukerman puts it, state-sponsored hackers are generally involved in espionage, surveillance, sabotage, or ransomware (through hacks, malware, and sometimes in combination with human-focused social engineering methods) to advance political goals and sometimes to advance the interests of a state actor.

The concept of a cyber warrior, however, has only recently started to enter our lexicon.

“Cyber warriors are computer experts who use their knowledge of information technology to wage war in cyberspace. They can be civilians or military personnel, and can be employed by governments, military organizations, or private companies,” Thomas Kelly, CTO at Life Part 2, told Cybernews.

You can find cyber warriors belonging to state-sponsored hacking groups (also referred to as advanced persistent threats (APTs) by pundits) across a variety of nations, including the US, Iran, Russia, Pakistan, Vietnam, China, and North Korea.

“Cyber Command, as well as each branch of the US military, have cyber warriors. The majority are military personnel, with some contractors who come out of the SI community. The US has been dramatically increasing this force as the cyber insurgency burgeons across the West due to the axis of four rogue nation states,” Tom Kellermann, CISM, Senior Vice President of Cyber Strategy at Contrast Security, told Cybernews.

Becoming a cyber warrior: what it takes to be recruited

Joining the national cyber army might sound like a lucrative opportunity for many tech specialists. Following the official announcement on the US army page inviting people to join “the battlefields of the 21st century” located in cyberspace, we began to wonder: how are cyber warriors typically recruited?

“Most APT groups are recruited through official channels such as government websites, job fairs, and social media. However, some APT groups are also recruited through unofficial channels such as hacking forums and black markets,” Kelly explained.

Christine Walker, an IT expert specializing in software development, echoes that view, emphasizing that although it might sound unbelievable to some, both governments and independent research have confirmed that APT groups have been hiring people through official channels to become part of their team.

“The case of APT-29 is a good example of this, as the group has been caught hiring through email advertisements, giving full details about the duties and requirements. The same happened with another group called Softex, which was also recruiting through email advertisements. The Softex group was also advertising jobs on LinkedIn, Quora, and Facebook.”

A job advertisement via the US GoArmy website

Already in 2021, BlackBerry researchers noted an increase in the outsourcing of cyber espionage to mercenary APT groups. This allows nations to protect themselves from being identified, effectively hiding behind the attackers. And while, in theory, anyone can hire a mercenary APT, typically, the more sophisticated actors will prefer customers of the highest profile.

But what skills are needed to join the cyber army? Well, it seems like simply having tech and cyber knowledge is not likely to cut it – patriotism is an essential entry requirement.

“The best cyber warriors have a mix of education, experience, and skills that few others possess. They must be both versatile and adaptable, with a talent for thinking ahead and outsmarting their opponents. Cyber warriors must also possess an unwavering commitment to serve their country's best interest at all times,” Walker said.

For example, some of the jobs listed on the US Army’s website include Cyber And Electronic Warfare Officer – responsible for coordinating electronic attacks; Cyber Operations Officer – responsible for conducting defensive and offensive cyberspace operations; and Cryptologic Intelligence Analyst – responsible for analyzing information used for locating and identifying targets.

“Their work is never directly in the line of fire, but their efforts are critical to winning the information battle as part of a larger military campaign. They use their knowledge and skills to help safeguard military networks and achieve mission objectives,” Walker told Cybernews.

APTs by country: are all state-sponsored hacking groups essentially the same?

Russia, China, the USA, and North Korea all have APT groups in charge of targeting enemy states. In Russia, Cozy Bear, active since 2008, is widely linked to the Kremlin’s attempts to influence the 2016 US presidential elections. In China, Double Dragon, active since 2012, has been involved in cyber espionage against 14 countries. The USA’s Equation Group, active since 2001, targeted Iran’s nuclear program. Finally, North Korea’s Lazarus Group, active since 2010, is notorious for the 2017 WannaCry ransomware attack that infected more than 300,000 devices across the planet.

“They are skilled at creating havoc on their prey and are evasive, eminent, and effective at it,” said Kathryn Snapka, IS Manager and Founding Partner at The Snapka Law Firm.

However, these groups are surely not the same. The difference in the scale of attacks is not the only thing so striking about each nation’s APT. It’s the objectives, range of targets, and motives that separate their offensive capabilities.

“American APTs are more likely to use sophisticated tools and techniques than their Russian or North Korean counterparts. They are also more likely to target a wider range of victims and are more likely to use social engineering techniques to gain access to their targets,” said Kelly.

Walker highlights similarities between the nations, saying that all are known for their use of malware, yet agrees that American APTs are more sophisticated.

“American APTs are more likely than Russian or North Korean ones to use spear phishing attacks in order to gain access to their target's systems. Second, American APTs also tend to be more financially motivated than those from Russia and North Korea. They are interested in stealing data that has an exchange value rather than using it for espionage purposes.

“In contrast, Russia and North Korea use malware in order to steal information that can be used for future blackmail campaigns. Finally, American APTs tend to be more interested in targeting companies than individuals. This is because these companies are likely to have the data that they want rather than individuals who might not be as well defended against such an attack.”

Tsukerman also suggests that the difference lies in the threat actors themselves. As such, democratic regimes are more concerned with the reputation of their employed cyber warriors. For example, she explains that the private actors cooperating with the US government are closely monitored and are not allowed to engage in crimes or other objectionable actions that can undermine the US agenda. By contrast, Russian and North Korean non-state actors often come from criminal backgrounds and make money from other mercenary projects or through criminal activity.

“Russia, North Korea, and other authoritarian regimes are far more reliant on offensive capabilities than the US and, for that reason, prefer to maintain informal networks of reliable non-state actors who cooperate with the authorities as needed. The US is limited in offensive operations due to concerns about possible escalation, and for that reason, generally relies on formally acquired professional personnel with direct state affiliation for offensive operations.”

Finally, it’s important to remember that analyzing each nation’s cyber army is often a struggle as they’re meant to be low-profile. That’s why it’s often so hard to conclusively attribute an attack to a specific country. However, according to tech expert Joseph Puglisi, this is not the case with the United States.

“With the increasing number of APTs and people who are masking themselves with other countries' names, it is difficult to know the difference. However, it may be obvious during an ongoing war to want to attack the other country digitally. However, American APTs are very direct. They do not often hide their identity, and they target other countries,” Puglisi explained.

Protecting yourself against APT attacks

Although the majority of well-known APT groups belong to Russia and China, the US is certainly not lagging behind in terms of its offensive cyber capabilities. Despite having different approaches, all nations are trying to stay ahead of each other in the cyber race.

“The US and people abroad are taking a more sensitive approach to cyber preparedness. There is a constant struggle to outwit each other and take advantage of the knowledge learned and applied. I believe this method of transparency is linked to hiding in plain sight their level of cyber preparedness,” Puglisi commented.

In such an environment, it is critical for organizations to level up their cyber defenses. Kellermann gives specific advice for those wishing to protect themselves against APT attacks:

“[One can do so] by expanding threat hunting, deploying cloud security, employing RASP, using XDR, and hiring an MDR.”

Puglisi also suggests following these steps and ensuring:

  • Proper IT [systems] in organizations that indicate when there is a breach.
  • Collaborating with highly profiled and sophisticated tech providers.
  • A strong firewall.
  • Constantly checking for any breach even before you are alarmed about one.

The majority of attacks by state-sponsored hackers will likely go unattributed, which allows room for speculation and for states to blame each other at their will. It’s important for cyber warriors to remember that despite their best motives, they will eventually become a tool in their government’s hands – a tool quite powerful in today’s IT-driven world.

“The purposeful diplomatic tactic of naming and shaming nation states for their hacking can occasionally be used. However, authoritarian governments rarely acknowledge their flaws, and those who challenge them might be reluctant to acknowledge that they are also aggressive, albeit for different reasons,” said Snapka.