The Cyber Strategy released earlier this week by the DoD notes an increase in state-sponsored cybercrime from the People's Republic of China (PRC), particularly against sensitive targets that could affect military responses.
According to the agency, this is done in order "to counter US conventional military power and degrade the combat capability of the Joint Force."
The DoD claims in its report that the PRC "poses a broad and pervasive cyberespionage threat," monitoring the movements of individuals beyond its borders, acquiring technology secrets, and eroding the capabilities of the military-industrial complex. However, the NSA cautioned that the operation goes beyond routine information collection.
"This malicious cyber activity informs the PRC's preparations for war [...] In the event of conflict, the PRC likely intends to launch destructive cyberattacks against the US Homeland in order to hinder military mobilization, sow chaos, and divert attention and resources. It will also likely seek to disrupt key networks which enable Joint Force power projection in combat," the report stated.
The notion that cyber activities can signal impending military action is consistent with predictions made earlier this year in the wake of the Volt Typhoon attacks by Microsoft and others. With a series of compromises that targeted telecom networks, power and water controls, US military bases at home and abroad, and other infrastructure whose disruption would interfere with actual military operations, the Beijing-backed advanced persistent threat (APT) made national headlines in the US in May, June, and July.
So far, however, the operational technology (OT) used by the victims has not been impacted by the compromises. Still, CISA Director Jen Easterly warned at Black Hat USA in August that if the US gets involved in a potential invasion of Taiwan, the Chinese government may be positioning itself to launch disruptive attacks on American pipelines, railroads, and other critical infrastructure.
"This APT moves laterally into environments, gaining access to areas in which it wouldn't traditionally reside [...] Additionally, this threat actor worked hard to cover their tracks by meticulously dumping all extracted memory and artifacts, making it difficult for security teams to pinpoint the level of infiltration," says Blake Benson, cyber lead at ABS Group Consulting.
Given that military-focused cyber activity can entail collateral damage to bystander businesses, there could also be a sort of 'anti-halo effect' at work, according to John Gallagher, vice president of Viakoo Labs at Viakoo.
"Virtually all exploits launched by nation-states 'leak' over to non-nation-state threat actors [...] That means organizations who depend on IoT/OT systems will be direct targets at some point to the same threats being launched against national critical infrastructure," warns Gallagher.
Marketers at these companies have been pinpointing the locations these groups originate from, warning users about these 'advanced persistent threat' (APT) groups. The groups have mostly been traced back to Russia, China, North Korea and Iran.
Russia's most popular cyber company, Kaspersky, had to investigate its own employees when several staff members' mobile phones began sending their data to shady parts of the internet.
"Obviously our minds turned straight to spyware but we were pretty sceptical at first [...] Everyone's heard about powerful cyber tools which can turn mobile phones into spying devices but I thought of this as a kind of urban legend that happens to someone else, somewhere else," said chief security researcher Igor Kuznetsov.
After painstakingly analyzing "several dozen" infected iPhones, Kuznetsov concluded that his intuition had been correct and that they had in fact discovered a sizable, sophisticated surveillance-hacking effort against their own team. The attackers had apparently found a way to infect iPhones simply by sending an iMessage that installed malware on the device and then deleted itself.
Once a phone was infected, its contents were sent to the attackers at regular intervals. This included messages, emails, and pictures, and even access to cameras and microphones.
Once the issue was resolved, Kaspersky declined, when asked, to say where the attack originated, stating that it is not interested "in from where this digital espionage attack was launched."
The incident raised concerns within the Russian government. Russian security agencies released an urgent advisory the same day Kaspersky reported its discovery, claiming to have "uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices."
The bulletin even accused Apple of being involved in the campaign, but the company denied the accusation. Nor did the agency in question, the US National Security Agency (NSA), comment on the accusations.
In addition, the US Government issued a joint statement with Microsoft last month confirming that Chinese state-sponsored hackers had been found "lurking inside energy networks in US territories".
In response, China denied the accusations, saying the "story was a part of a disinformation campaign" from the Five Eyes countries – the UK, Australia, Canada and New Zealand.
Chinese Foreign Ministry official Mao Ning added China's regular response: "The fact is the United States is the empire of hacking."
But as with Russia, China now appears to be taking a more assertive stance in criticizing Western hacking.
According to China Daily, China’s official news source, the foreign government-backed hackers are currently the biggest threat to the nation's cyber security.
Additionally, the Chinese company 360 Security Technology included a statistic with the warning, stating that it has found "51 hacker organizations targeting China." Requests for comments from the business received no response.
China also charged the US with hacking a government-funded university in charge of space and aviation research last September.
While many would brush off China's accusation, there could be some truth to it.
According to researchers, there are reasons why Western hacking groups never come to light. We are listing some of these reasons below:
An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria espionage group, also known as UAC-0056. The malware, named Graphiron, was written in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.
Graphiron is a two-stage threat consisting of a downloader and a payload. The downloader has the addresses of its command-and-control (C&C) servers hardcoded in. When executed, it enumerates running processes and compares them against a blacklist of malware analysis tools.
If no blacklisted processes are found, the downloader connects to a C&C server, downloads the payload, decrypts it, and adds it to autorun. The downloader is set up to run only once: if it fails to download and run the payload, it neither retries nor signals failure.
Graphiron shares several characteristics with earlier Nodaria tools such as GraphSteel and GrimPlant. Its features allow it to execute shell commands and gather system data, files, login passwords, screenshots, and SSH keys. It communicates with the C&C server over port 443, and all communications are encrypted with an AES cipher.
Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.
Broadly speaking, an act of cyberwar is any state-backed malicious online activity that targets foreign networks. However, as with most geopolitical phenomena, real-world examples of cyber warfare are far more complex. In the world of state-sponsored cybercrime, it is not just government intelligence agencies that directly carry out attacks; these days one also sees attacks from organized cybercriminal groups with ties to a nation-state.
These groups are known as advanced persistent threat (APT) groups. The infamous APT28, also known as Fancy Bear, which hacked the Democratic National Committee in 2016, is a prime example of this type of espionage operation. In a way, this serves as the ideal cover for malicious state actors who want to attack and disrupt vital infrastructure while lowering the potential for triggering a geopolitical crisis or military conflict.
If the Enemy Is in Range, So Are You
Whether or not a cyberattack is directly linked to a foreign government agency, attacks on critical infrastructure can have devastating repercussions. Critical infrastructure does not just mean state-owned and operated infrastructure such as power grids and government organizations: banks, large corporations, and Internet service providers all fall under the umbrella of critical infrastructure targets.
As governments and private organizations continue to adopt advanced and connected IT networks, the risks and potential consequences will only increase. Recent research by the University of Michigan found security vulnerabilities in local traffic light systems. Although the flaw has subsequently been patched, this emphasizes the significance of robust, up-to-date inbuilt security systems to protect infrastructure against cyberattacks.
Defend Now or Be Conquered Later
As networks grow more advanced and complex, the chance that vulnerabilities will be exploited increases as well. Every endpoint on the network must be constantly monitored and secured if organizations are to have any chance of surviving a sophisticated state-backed attack.
Some organizations have learned this lesson the hard way. For instance, in 2017, US food giant Mondelez was denied a $100 million insurance payout after suffering a Russian APT cyberattack, because the attack was deemed "an act of war" and was therefore not covered by the firm's insurance policy. The conglomerate and Zurich Insurance recently settled the dispute on undisclosed terms.
Endpoint security has never been more critical than it is today. The use of personal mobile devices as work tools has become pervasive across almost every industry. The rise of bring-your-own-device policies has in part been driven by the false assumption that mobile devices are inherently more secure than desktops.
However, for over 10 years, various governments and APT groups with cyber capabilities have adapted to and exploited the mobile threat landscape with extremely low detection rates. Attacks on state and public mobile networks can take down large parts of the workforce, impacting productivity and disrupting everything from the government's decision-making to the state's economy.
IT and security managers may not be able to prevent the inevitable cyberattacks or cyber war, but they can defend against major setbacks. Any device connected to the infrastructure, physically or virtually, is a potential back door for cybercriminals to access data and disrupt operations. Thus, if organizations want to avoid becoming victims of cyberwarfare, endpoint security, from mobiles to desktops, should be an operational priority.