How nation-states hack each other: the (extra)ordinary routine
Cyber operations are part of statecraft, and every nation, no matter how big or small, engages in them, whether through espionage, cyberattacks, or disruption, CyberNews learned at the MIT Tech Review conference Cyber Secure.
“This is the game that all nations play,” Ben Buchanan from the Georgetown University Center for Security and Emerging Technology said during a panel discussion about how nations hack each other.
Meanwhile, Field Chief Security Officer at Palo Alto Networks M. K. Palmore pointed out just how dangerous nation-state adversaries can be as they have deep pockets and resources to engage in cyber operations.
Nation-states are engaging in cyber operations more aggressively than before. Actually, they have moved beyond just espionage and now use cyber means to attack each other or cause chaos and disruption.
“Cyber operations are not extraordinary, and it’s not the end of the world when one is used. It’s not nuclear Armageddon. It’s not even war. Rather than imagining cyber 9/11 or cyber Pearl Harbour, we instead have to look at the cases that actually happen,” assured Ben Buchanan.
According to him, cyber operations actually aren’t that extraordinary. They are almost ordinary, and they happen every single day.
“These operations are a fundamental part of statecraft, a fundamental part of how nations project power,” he added.
And we, as users, are often caught in the crossfire of nation-states’ efforts to spy on and hack each other.
Who is the enemy?
M. K. Palmore examined the emerging and ongoing threats in the cybersecurity landscape across industries. He was surprised that ransomware is still a viable force against enterprises. Most of the malware, he explained, heavily relies on known vulnerabilities. Therefore, companies are not doing their job well enough to protect themselves from ransomware.
Palmore put adversaries under four categories. Financially motivated actors fall under the first category and are responsible for most adversarial cyber activity, he explained. Then there are insider threats, and hacktivists, who usually seek disruption.
“Of course, you have advanced and persistent threats -- nation-states with deep pockets, extensive resources, and strategic objectives,” he said.
The ability to monetize attacks keeps criminals engaged in their activities. They typically use bitcoin to monetize their crimes, and this digital currency recently saw a spike in value.
Palmore also described this adversarial behavior. Cyber adversaries, according to him, are not ordinary and average criminals. They are highly skilled, intelligent men and women.
“They are some of the best that you can find in the industry. These individuals, if they were to be hired, they would be very highly paid,” he said.
Moreover, they are experts in high return on investment, so they take the path of least resistance to get the most value out of their activities.
When it comes to nation-state threat actors, Palmore emphasized, it’s important to remember that it is people’s job to get up and engage in cyber activities. They are given the necessary tools and resources to do that. And, as he mentioned, they are hired by a nation-state, which usually means that they have deep pockets for this kind of activity.
Three categories of cyberoperations
Ben Buchanan, Director of the CyberAI Project at the Georgetown University Center for Security and Emerging Technology, explained that through cyber operations, states project power, and he put them under three categories.
The first is espionage. Because data is more portable now, it enables cyber espionage at a level never seen before, and it allows countries to have big data sets on their adversaries.
Unfortunately, countries have moved beyond cyber espionage, and they now engage in cyberattacks, which fall under the second category. As an example, Buchanan mentioned the power blackouts in Ukraine in 2015 and 2016. While the Russian cyberattack on the Ukrainian power grid in 2015 was manual, the blackout in 2016 was automated. This is a sign of hackers' ambition to have ever more powerful effects on targeted societies.
“If you look at the last 20 years of cyber operations, you can see that the attacks are getting more scalable and more sophisticated, and they are doing real damage,” he explained.
Because espionage and cyberattacks do not always accurately describe nation-states’ operations, the concept of destabilization and subversion comes in handy. The most obvious example is Russian interference in the US elections in 2016, but Buchanan did not retell this story and used a lesser-known example instead.
In August of 2016, a Twitter account called Shadow Brokers appeared online, claiming that the National Security Agency’s (NSA) cyberweapons were for sale and that they were going to have an auction.
“Unlike in many other cases, that would be easy to dismiss, saying that they are just conspiracy theories, Shadow Brokers were for real. They did have access to NSA tools,” he explained.
And over the course of the next year, they began dripping these tools out, as Buchanan put it, in oddly worded messages revealing a lot of American hacking capabilities for all the world to see.
“Unlike Edward Snowden or unlike previous press reporting on NSA hacking capabilities, which just revealed the existence of the capability or the use of it, the Shadow Brokers actually revealed the tools themselves. It’s like taking arrows out of NSA quiver and distributing them for anyone to use,” he explained.
And the effect of this was twofold. First of all, this weakened American hacking capabilities as these tools became less useful. It also destabilized the broader internet because these tools were out there for anyone to use.
“The first major instance of the use of these tools was North Korea that took the most powerful tool - Eternal Blue. It was so powerful that an NSA operator once compared it to fishing with dynamite, and North Koreans re-used this to carry out an attack called WannaCry, which did 4 billion dollars of damage in 2017,” Ben Buchanan said.
Just a month later, the Russian Petya attack occurred, also using NSA’s Eternal Blue tool.
“The most devastating cyberattack in history was in part enabled by the most devastating cyber destabilization in history,” he said.
Even to this day, it is unknown who these Shadow Brokers are.
Both experts, when asked by CyberNews, admitted that all nations, no matter how big or small, engage in cyber operations, and we as users are often caught in the crossfire.