“We may be at far greater risk from the internet than was ever suspected,” Michail McGuire, senior lecturer of criminology, said. His new study of the nation-state cybersphere shows that we may be closer to advanced cyber conflict (cyberwar) than at any point since the inception of the internet.
A study by Dr. Michael McGuire, Senior Lecturer of Criminology at the University of Surrey in the UK, shines a light on how the nation-state cybersphere is evolving. The study, sponsored by HP, delves into the publicly available information (such as whistle-blowers and insider leaks reported in the press) and analyses more than 200 known cyber incidents between 2019-2021.
The research highlights there has been a 100% rise in ‘significant’ nation state incidents between 2017-2020. It also draws upon first-hand intelligence gathering from informants across the dark web and consultations with an expert panel of 50 leading practitioners in relevant fields (such as cybersecurity, intelligence, government, academia, and law enforcement).
Key findings include:
- 64% of the expert panel said 2020 presented a ‘worrying’ or ‘very worrying’ escalation in tensions, with 75% saying COVID-19 presented a ‘significant opportunity’ for nation-states to exploit.
- ‘Supply chain’ attacks saw a rise of 78% in 2019; between 2017 and 2020 there were over 27 distinct supply chain attacks which could be associated with nation-state actors.
- Over 40% of incidents analyzed involved an attack upon assets that had a physical, as well as a digital, component – for example, an attack on an energy plant – a phenomenon labeled as ‘hybridization’.
- Tactics used by nation-states to acquire COVID-19-related IP data appear to have been road-tested by cybercriminals, which is characteristic of the way nation-states have become beneficiaries of and contributors to the Web of Profit that constitutes the cybercrime economy.
- There is evidence that nation-states are ‘stock-piling' Zero-Day vulnerabilities, while 10-15% of darknet vendor sales go to ‘atypical’ purchasers, or those acting on behalf of other clients, such as nation-state actors.
“Over the past year, nation-states have become increasingly bold in their use of cyber capabilities to bolster sovereign interests. For example, the recent SolarWinds supply chain attack is widely considered to be the most sophisticated nation-state attack since Stuxnet. There have also been several brazen attempts to steal intellectual property around Covid-19 vaccine development,” Ian Pratt, Global Head of Security for Personal Systems at HP, writes.
The study delves into the intersection between nation-states and the cybercrime economy, known as The Web of Profit. Nation-states are engaging with this Web of Profit - trading tools, data, services, and talent. Moreover, tools developed by nation-states, such as EnterbalBlue (the notorious exploit that was used by the WannaCry hackers in 2017), are making their way into the market.
“There has been a steady upwards trajectory in the severity, openness, and variety of nation-state cyber activities over the past twenty years. This has been driven, in part, by the widening use of cyber to support traditional military and intelligence goals – including surveillance, espionage, disruption, and destruction,” Pratt writes.
“The most striking finding”
One of the most striking findings of this research, McGuire writes, has been the unprecedented way in which nation-state cyber conflict appears to have become interwoven with many of the activities more typical of the (illicit) digital economy defined as the Web of Profit.
Approaches, originally refined by hackers and, eventually, cybercriminals, (such as SQL attacks, the use of DDoS, or attempts to spread infection) have been widely adopted by nation-states as strategic options.
For example, there has been a 200% increase in DDoS attacks against international agencies, such as the IMF, the UN, and the US State Department, recorded between 2017- 2018.
Nation-states are acquiring and weaponizing tools standardly used by cybercriminals (such as malware, keylogging, and surveillance devices). For example, the sample of attacks between 2010-2020 that were analyzed for this research suggests that around 50% involved low-budget, straightforward tools easily purchased on the darknet or other cybercrime markets.
Cybercriminals often benefit from sophisticated hacking tools originally developed by nation-states. There are even cases of governments actively sharing hacking tools. For example, the penetration testing tool PowerShell Empire has proved such a favorite for hackers that it was identified as one of the five most dangerous public hacking tools by the UK National Cyber Security Centre. Also, It has been widely used by nation-state-sponsored APT groups to compromise cloud services, extending its spread via Covid-19 phishing emails in 2020.
EternalBlue, one of the exploits acquired from the US National Security Agency (NSA) in the notorious Shadow Brokers leak, has now helped compromise over five million computers worldwide. It has caused several billion dollars of losses to businesses and governments globally and generated over $500 million in revenues for cybercriminals.
The study states that nation-states profit from the cybercrime economy. The huge value of an economy based around cybercrime activity has allowed some nation-states to engage with this for direct revenue generation or more indirect benefits. For example, through the (illicit) acquisition of digital currencies, data theft and trading intellectual property and trade secrets, or simply the sale of devices, which blur the boundaries between cybersecurity and cyberweaponry.
The case of North Korea
The cybercrime economy presumably generates $1,5 trillion in revenues annually. It does not only outstrip the profits made by Fortune 500 companies but the GDP (gross domestic products) of many countries.
Typical revenue sources may include trade secrets theft or data trading, theft in currency, digital money laundering, the lucrative (albeit legal) industry of building cybersecurity tools.
One relatively well-evidenced example of exploiting the cybercrime economy has been the case of North Korea (DPRK), the study reads. Most experts believe that it has been able to combine methods of generating revenues from cybercrime with digital innovation.
One approach has been bank robbery. Albeit in forms such as cryptocurrency theft, ransomware operations, or money laundering. For example, a well-evidenced set of hacking attacks on cryptocurrency exchanges in 2017 generated revenues equivalent to $571 million for the North Korean Lazarus APT group. The group used phishing and other techniques to access the exchange, providing a useful way of supplementing the North Korean government’s limited access to foreign currency.
Similarly, North Korean groups, probably government-sponsored, were involved in a 2016 attack using SWIFT credentials from Bangladeshi Central Bank employees to engineer an $81 million transfer – one of a series of attempted heists from banks in South East Asia by the group.
In 2018, the group switched their attention to ATM hacks, successfully engineering them into paying out millions of dollars on command using a specially adapted Trojan.
A 2021 report by the UN has suggested that over $300 million generated by the DPRK in 2020 through cybertheft was used to fund its nuclear and ballistic missile programs.
McGuire points out that we are closer to advanced cyber conflict than ever before. It is different from cyber competition or cyber conflict because nation-states begin to engage in repeated digital attacks and counterattacks. For example, sophisticated attacks aimed at compromising networks and causing loss of functionality. In essence, advanced cyber conflict is cyberwar.
Are we at war yet? According to the survey that the authors of this research conducted, 70% of the experts agreed that some form of agreement or cyber-treaty is now essential if nation-states are to avoid being drawn into more serious forms of online conflict.