Election year alert: US cyber threats from major state actors – interview


In an election year, understanding adversaries’ cyber warfare tactics is just as critical as understanding their physical strategies, thinks Crystal Morin, a former intelligence analyst for the US Air Force and current cybersecurity strategist at Sysdig.

She helped me to “read” the recent threat assessment report by the US government intelligence agencies, highlighting the increase in cyber threats, regional conflict, and artificial intelligence. Is the United States giving its adversaries too much power or, on the contrary, underestimating them?

We will be talking about the four major adversaries of the US – China, Russia, Iran, and North Korea.

The king of the jungle – China

Recently, governments worldwide have gone public with various accusations towards Beijing. Finland said that China was behind its parliament hack, and the US and the UK accused Beijing of a sweeping cyberespionage campaign that allegedly hit millions of people.

A China-backed group has been accused of running a 14-year-long campaign in which the defendants sent over 10,000 emails to journalists, politicians, and companies to “repress critics of the Chinese regime, compromise government institutions, and steal trade secrets.”

China’s influence in cyberspace is more far-reaching than that. China has been racing the US to achieve science and technology (S&T) superiority and use it for economic, political, and military gain. It pours investment into R&D in fields like biotechnology, quantum computing, semiconductors, and artificial intelligence (AI), another tool that might give an edge in hybrid warfare.

To the US, China is the most active and persistent threat that might attempt to cripple the US government, its private sector, and critical infrastructure networks.

“If Beijing believed that a major conflict with the United States was imminent, it would consider aggressive cyber operations against US critical infrastructure and military assets,” the Annual Threat Assessment of the US Intelligence Community reads.

Morin thinks it is fair to say that China is the most prevalent threat, having far more manpower than other countries and having built up its technical capabilities for years. But China is playing a quiet game.

“We're only aware of how good they are or what they're doing from vendors and open source communities who can find and share this information. Or from what our government decides to share with us. There's a lot more information and knowledge far beyond what we know and what is put in open source,” Morin said, hinting that there is much more we don’t know.

Iran’s opportunistic approach

Iran doesn’t seem to be the scariest state threat actor out there yet, but the US intelligence community emphasizes the regime’s growing expertise as well as willingness to conduct aggressive cyber operations.

Last December, the US accused the Iranian Revolutionary Guard Corps (IRGC) of launching attacks on its water sector. Namely, a Pennsylvania water facility was hit by Iranian hackers.

“Tehran's opportunistic approach to cyber attacks puts US infrastructure at risk for being targeted, particularly as its previous attacks against Israeli targets show that Iran is willing to target countries with stronger cyber capabilities than itself. Iran will continue to conduct malign influence operations in the Middle East and in other regions, including trying to undermine US political processes and amplify discord,” the Annual Threat Assessment of the US Intelligence Community reads.

Crystal Morin reckons that Iran is downplayed because the US is more worried about China and Russia.

“Iran is the outlier here. They like the spotlight. They like to play these cyberattacks to say, hey, we're capable too,” Morin said.

But Iran, she reckons, is capable, too.

“They are incredibly intelligent. They know what they're doing. They are going to be more obvious, forceful, and impactful with their cyberattacks than, say, Russia or China. Russia and China are much more strategic,” Morin added.

North Korea – a crypto thief

The regime of Pyongyang is notorious for its crypto heists and is expected to keep up, being cut off from access to international markets and eager to fund its ballistic missile and nuclear weapons development programs.

Another source of funding is its program of IT workers dispatched abroad. Japan was the most recent country to warn about “North Korean IT workers posing as Japanese individuals and using online platforms provided by Japanese companies to secure business contracts and earn income.”

The regime, same as other countries mentioned in this article, is big on cyber espionage, with Kimsuky being among its better-known espionage groups targeting South Korea, the US, Russia, and Europe.

“They're focused on funding their military and research. Also, data exfiltration, being able to steal proprietary information from their adversaries like us or various countries in Asia. They're going to look for information that they can use to better improve their military capabilities,” Morin emphasized.

Russia’s bears

Did you know that if a cyber group has the word “bear” in its name (Cozy Bear, Venomous Bear, Energetic Bear, Fancy Bear, etc.), it is most likely Russian? They’re domesticated and sophisticated bears tied to the Kremlin’s agencies. Coupled with opportunistic, financially motivated, yet very patriotic Russian hackers targeting enterprises in enemy states, this makes Russia a cyber power to be reckoned with.

Causing power outages, meddling in elections, and disrupting adversaries' communications are what make Russia infamous in the cyber realm.

Much of its effort is now directed towards Ukraine – either going phishing and finding other ways to collect sensitive information that would give the Kremlin an edge in the war – or attacking critical infrastructure like telecommunications and power.

Viasat’s European satellite network was attacked by the Kremlin on the day Russia invaded Ukraine – February 24th, 2022. It’s one of the first confirmed instances where a nation-state interfered with commercial satellite services to advance its military goals. Then, in 2023, Kyivstar, the telecommunications company that covers all major cities in Ukraine, was hit, affecting over 24 million mobile subscribers for multiple days that December.

And, of course, let’s not forget hacktivists and financially motivated yet very patriotic hackers attacking the enterprises of the state's enemies.

“Russia maintains its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries,” the Annual Threat Assessment of the US Intelligence Community reads.

The war in Ukraine is a stellar example of the fact that cyber and kinetic wars go hand in hand, and one couldn’t exist without the other, at least in modern warfare.

“Cyber warfare is held in conjunction with kinetic warfare. They still have tanks. They still have soldiers with guns, their boots on the ground. They're using UAVs and airplanes and dropping bombs. Cyber warfare is used in support of all of those actions. You'll see a cyber attack followed by a kinetic attack or vice versa,” Morin explained.

What to expect in 2024?

For starters, election meddling. “There's going to be interference. We know there's going to be misinformation and social media propaganda. It's happened for at least the last two, if not several, election cycles before in the US and beyond. Many governments across the world are saying that they're seeing misinformation campaigns. They're seeing their adversaries try to confuse the general public,” Morin reckons.

What else? State actors, as well as individual crooks, will rely more heavily on artificial intelligence.

“We're starting to see some evidence of APTs (advanced persistent threats) and criminals using AI in their cyber attacks. We also see our government, and the UK government explaining how they're using AI tools, how they're regulating AI tools for military, governmental use, critical infrastructure, everything. If our federal governments are saying that they're using these tools, why wouldn't our adversaries be using them, too? There’s just not quite enough evidence in open source backing up those statements.”

As always, there’s also going to be plenty of financially motivated and opportunistic attacks by individual cybercriminals, who might have their political views and allegiances, too.

“We saw a lot of that in Russia and Ukraine, where these actors aren't necessarily tied to the government at all,” Morin said.

Being technically savvy and having strong opinions, they might have used their knowledge to support one side or another.

“Cybercriminals can inadvertently cause harm and damage to networks and people. Not necessarily intentionally, but that's most of what we would see. What we have seen, I would think especially in Russia, Ukraine, Palestine, Israel too,” Morin explained.