Nation-backed cyber attacks have gained currency and notoriety over the past couple of years, with Russia, China, North Korea and Iran taking the lead in actively supporting aggressive cyber attackers, according to Ran Shahor, CEO of Israeli cyber defence firm HolistiCyber.
Shahor, speaking on ‘geo-political tension and nation state-grade attacks’ at Cyber Week in Tel Aviv, said that each of the four countries had a different motivation for backing cyber attackers and hackers. Russia does it to create disorder and panic in the western world; China mainly for IP espionage; North Korea and Iran originally for terror crimes, though they have since moved to simple cyber crime. Both Iran and North Korea started supporting nation state-grade cyber attacks only after a long list of tight international sanctions was imposed on them, the retired IDF Brigadier General said.
According to Google’s Threat Analysis Group (TAG), the most malicious cyberattacks in the U.S. are coming from Iran, North Korea, Russia and China. An official post, written by Google security engineer Billy Leonard, accused these nations of taking advantage of public interest in the war in Ukraine to spread malware. “Government-backed actors from China, Iran, North Korea, and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” Leonard wrote.
America’s greatest vulnerability is its continued inability to acknowledge the extent of its adversaries’ capabilities when it comes to cyber threats, says Ian Bremmer, founder and president of leading political risk firm Eurasia Group. The adversarial states in question are what U.S. intelligence agencies call the “big four”: Russia, China, North Korea, and Iran. “We’re vulnerable because we continue to underestimate the capabilities in those countries. WannaCry, from North Korea — no one in the U.S. cybersecurity services believed the North Koreans could actually do that,” Bremmer said, naming the ransomware worm that crippled more than 200,000 computer systems across 150 countries in May of 2017.
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and others released a joint Cybersecurity Advisory (CSA) in Sep 2022 on Iranian Islamic Revolutionary Guard Corps-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption in ransom operations. “This IRGC-affiliated group is known to exploit software vulnerabilities in order to carry out their ransomware activities, as well as engage in unauthorized computer access, data exfiltration, and other malicious cyber activities,” the department said. In a statement in Sep 2022, the US Department of the Treasury accused the “group of Iran-based malicious cyber actors” of compromising networks based in the US and other nations since at least 2020.
According to the National Counterintelligence and Security Center annual report ‘Foreign Economic Espionage in Cyberspace,’ foreign economic and industrial espionage against the United States continues to represent a significant threat to America’s prosperity, security, and competitive advantage. China, Russia, and Iran stand out as three of the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information, it said. “Despite advances in cybersecurity, cyber espionage continues to offer threat actors a relatively low-cost, high-yield avenue of approach to a wide spectrum of intellectual property,” it said.
“North Korea has invested heavily in disruptive and mine and offensive cyber capabilities, as have Russia, China and Iran, as well as other nations,” US Representative James Langevin told the Voice of America at a forum hosted by the Center for Strategic and International Studies in May 2020.
Borge Brende, president of the World Economic Forum, weighed in, stressing the economic cost of cyber crimes. “It is very hard to attribute cyberattacks to different actors or countries, but the cost is just unbelievable. Annually more than a thousand billion U.S. dollars are lost for companies or countries due to these attacks and our economy is more and more based on internet and data.”
Employees at both small companies and defense giants like Lockheed Martin Corp., Raytheon Co., Boeing Co., Airbus Group and General Atomics were targeted by the hackers. The hackers known as Fancy Bear, who also intruded into the U.S. election, went after at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms or other sensitive activities, the AP found.
“The programs that they appear to target and the people who work on those programs are some of the most forward-leaning, advanced technologies,” said Charles Sowell, a former senior adviser to the U.S. Office of the Director of National Intelligence. “And if those programs are compromised in any way, then our competitive advantage and our defense is compromised.”
Cloud networks and next-generation technologies such as Artificial Intelligence (AI) and the Internet of Things (IoT) are introducing new vulnerabilities into U.S. networks for which the cybersecurity community remains largely unprepared. Building an effective response will require understanding economic espionage as a worldwide, multi-vector threat to the integrity of the U.S. economy and global trade.
Cyber Espionage Threat
China is alleged to be carrying out widespread efforts to acquire U.S. military technology and classified information and the trade secrets of U.S. companies. The Chinese government is accused of stealing trade secrets and technology, often from companies in the United States, to help support its long-term military and commercial development. China has been accused of using a number of methods to obtain U.S. technology, including espionage, exploitation of commercial entities and a network of scientific, academic and business contacts.
China and its proxies have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments and testing from networks and personnel affiliated with COVID-19-related research, which could jeopardize the delivery of secure, effective and efficient treatment options, the FBI and CISA warned in May 2020.
In Nov 2017, the US charged three Chinese nationals with hacking Moody’s Analytics, Siemens and GPS maker Trimble, accusing them of stealing sensitive information including the emails of a prominent Moody’s employee and intellectual property. The accused allegedly entered company networks using spear phishing emails carrying attachments and links to malicious software. When employees clicked on the links, the hackers gained access to the computers and searched for confidential commercial information. The U.S. Justice Department in Jan 2016 charged six Chinese scientists with stealing trade secrets and engaging in industrial espionage on behalf of China.
The Defense Department’s annual report to Congress on China’s capabilities asserts that China’s military conducted cyber probes and intrusions against U.S. computer networks to support intelligence collection and electronic warfare. “China is using its cyber capabilities to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs,” the defense department said in the report.
Highlighting what the Pentagon describes as China’s focus on improving cyber capabilities to counter a “stronger foe,” the report said information gleaned by hackers “could inform Chinese military planners’ work to build a picture of U.S. defense networks, logistics, and related military capabilities that could be exploited during a crisis.” “The accesses and skills required for these intrusions are similar to those necessary to conduct cyber attacks,” according to the report. The intelligence gathering could also provide the ruling Communist Party “insights into U.S. leadership perspectives on key China issues.”
Moscow has used cyber operations to collect intellectual property data from U.S. energy, healthcare, and technology companies. Moscow’s military modernization efforts also likely will be a motivating factor for Russia to steal U.S. intellectual property. An aggressive and capable collector of sensitive U.S. technologies, Russia uses cyberspace as one of many methods for obtaining the necessary know-how and technology to grow and modernize its economy. Obtaining sensitive U.S. defense industry data could provide Moscow with economic (e.g. in foreign military sales) and security advantages as Russia continues to strengthen and modernize its military forces. Indeed, Russian cyber actors are continuing to develop their cyber tradecraft—such as using open-source hacking tools that minimize forensic connections to Russia.
Iranian cyber activities are often focused on Middle Eastern adversaries, such as Saudi Arabia and Israel; however, in 2017 Iran also targeted U.S. networks. A subset of this Iranian cyber activity aggressively targeted U.S. technologies with high value to the Iranian government. The loss of sensitive information and technologies not only presents a significant threat to U.S. national security; it also enables Tehran to develop advanced technologies to boost domestic economic growth, modernize its military forces, and increase its foreign sales.
The report also points to countries with closer ties to the United States as having conducted cyber espionage and other forms of intelligence collection to obtain U.S. technology, intellectual property, trade secrets, and proprietary information. U.S. allies or partners often take advantage of the access they enjoy to collect sensitive military and civilian technologies and to acquire know-how in priority sectors.
Emerging threat: Software Supply Chain Operations
2017 represented a watershed in the reporting of software supply chain operations. In 2017, seven significant events were reported in the public domain, compared to only four between 2014 and 2016. As the number of events grows, so too do the potential impacts. Hackers are clearly targeting software supply chains to achieve a range of effects, including cyber espionage, organizational disruption, and demonstrable financial impact.
The Floxif backdoor infected 2.2 million CCleaner customers worldwide. The hackers specifically targeted 18 companies and infected 40 computers to conduct espionage, seeking access to Samsung, Sony, Asus, Intel, VMWare, O2, Singtel, Gauselmann, Dyn, Chunghwa and Fujitsu. In a separate operation, hackers corrupted software distributed by the South Korea-based firm Netsarang, which sells enterprise and network management tools; the backdoor enabled downloading of further malware or theft of information from hundreds of companies in the energy, financial services, manufacturing, pharmaceuticals, telecommunications and transportation industries.
US accuses China of carrying out widespread economic espionage and intellectual property theft
“The biggest threat we face as a country from a counterintelligence perspective is from the People’s Republic of China, and especially the Chinese Communist Party,” Director of the Federal Bureau of Investigation Christopher Wray said in April 2020. “They are targeting our innovation, our trade secrets, and our intellectual property on a scale that is unprecedented in history,” he added.
Chinese hackers have targeted more than two dozen universities in the U.S. and around the globe as part of an elaborate scheme to steal research about maritime technology being developed for military use, according to cybersecurity experts and current and former U.S. officials. The University of Hawaii, the University of Washington and Massachusetts Institute of Technology are among at least 27 universities in the U.S., Canada and Southeast Asia that Beijing has targeted, according to iDefense, a cybersecurity intelligence unit of Accenture Security. iDefense said it identified targeted universities by observing that their networks were pinging servers located in China and controlled by a Chinese hacking group known to researchers interchangeably as Temp.
The majority of the universities targeted either house research hubs focused on undersea technology or have faculty on staff with extensive experience in a relevant field, and nearly all have links to a Massachusetts oceanographic institute that also was likely compromised in the cyber campaign, iDefense said. Some have been awarded contracts by the Navy. Others, including Sahmyook University in South Korea, appeared to be targeted due to their proximity to China, and relevance to the South China Sea, the analysts said.
The Chinese hacking group, which multiple security firms and officials have linked to Beijing, is the same one that has been linked to breaches of Navy contractors and subcontractors that have resulted in the theft of sensitive military information, such as submarine missile plans and ship-maintenance data.
In May 2015, the Obama administration indicted Zhang Hao, 36, a professor at Tianjin University, and five other Chinese citizens for stealing microelectronics designs from American companies on behalf of the Chinese government. Mr. Zhang and six others took jobs at two small American technology companies, Avago Technologies and Skyworks Solutions, that make a type of chip critical to cellphones.
The chip is popularly known as a filter, which is used for acoustics in mobile telephones; while the parts are small, the market for them worldwide is worth well more than $1 billion a year. According to the charges, the men took the firms’ technology back to Tianjin University, created a joint venture company with the university to produce the chips and soon were selling them both to the Chinese military and to commercial customers.
In Sep 2014, a Chinese engineer was charged with stealing millions of files of trade secrets related to engineering designs, testing data, business strategy and source code for magnetic resonance systems from GE Healthcare, according to GE and the FBI. According to the criminal complaint, GE officials discovered in June that Xie had accessed and copied about 2.4 million files — about 1.4 terabytes of data — from the company’s secure network, starting in February 2013. Much of the information was of a type Xie was not authorized to use and was not necessary to his work writing source code for magnetic resonance technology.
China, however, has consistently denied any involvement in cyber espionage. In the past, it has also accused the U.S. of launching cyberattacks, pointing to leaks from former national security contractor Edward Snowden as evidence. In May 2014, the Obama administration indicted five Chinese military hackers, linked to Beijing’s key cyber warfare and cyber spying Unit 61398, for cyber attacks against U.S. companies involved in nuclear energy, steel manufacturing and solar energy.
Instead of traditional phishing, in which scammers send out a mass email hoping that someone will bite, the hackers used “spear phishing”: messages designed to resemble e-mails from trustworthy senders, like colleagues, that encouraged the recipients to open attached files or click on hyperlinks in the messages.
This installed malware that gave the alleged Chinese conspirators backdoor access to the company’s computers and access to corporate secrets. The hackers then methodically stole key commercial secrets, such as technical design details for Westinghouse nuclear reactor sales and solar panel technology. Internal communications containing valuable economic data were also stolen and provided by the PLA to Chinese state-run competitors.
The activities began around 2006 and continued at least through April. The companies hit by the cyber attacks include Westinghouse Electric Co., SolarWorld AG, United States Steel Corp., Allegheny Technologies Inc., the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial, and Service Workers International Union, and Alcoa.
China’s foreign ministry called the allegations preposterous and accused the US of double standards. The assistant foreign minister, Zheng Zeguang, summoned the US ambassador, Max Baucus, to lodge a formal complaint, according to state media. The authorities in Beijing also suspended China’s role in a joint anti-cyber-theft group with Washington.
Top Chinese university linked to alleged military cybercrime unit
According to Reuters, Shanghai Jiaotong’s School of Information Security Engineering (SISE) and the People’s Liberation Army Unit 61398 have worked in partnership on at least three papers in recent years. PLA Unit 61398 is well-known for its alleged links to cyberattacks on the West, after a report was released by security firm Mandiant which stated that an “overwhelming” number of cyberattacks originate from the single unit in Shanghai. However, it is important to note that there is no evidence to suggest that any of these academic parties are actively involved in cybercrime or military operations. Chinese officials have vigorously denied Mandiant’s claims, dismissing the report as “groundless,” reiterating China’s official stance that cybercrime is illegal, and stating that the Asian country has also been a target of such operations.
Shahor said the solution against nation state-backed cyber attacks lies in getting into the mind of the attacker; working with a team of world-class experts with a proven attacker background; adopting a holistic approach by protecting the entire supply chain and not just the IT systems; darknet access for intelligence; and automation for efficiency.
Asking defenders against nation state-grade cyber attacks to prioritise and defend what matters, while also taking calculated risks, Shahor said that while nobody can be fully protected from cyber attacks, “you must be better protected than your competition”.
HolistiCyber CEO Ran Shahor said that Israel has an advantage in dealing with nation state-backed cyber attacks: unlike the rest of the world, which is fighting a short supply of cyber security experts, it has a regular supply of manpower, as each year 1,000 of the brightest girls and boys who must serve in the Israeli army are cherry-picked and trained to become cyber ninjas. Also, unlike most western countries, which either do not allow cyber attacks or find them too expensive, Israel is a greenhouse for defence and offence technologies and has over 300 cyber companies. Israel has also ensured that all sectors — the defence community, government sector, academia, private sector and international partners — work together to fight cyber aggression.
The U.S. Government (USG) continues to undertake numerous actions to counter economic espionage in cyberspace. Perhaps most evident are current USG efforts to protect critical infrastructure and other sensitive computer networks from malicious cyber activities. The USG also continues to work with the private sector to address science and technology gaps through cyber research and development as a way of mitigating the malicious activities of threat actors in cyberspace.
The USG will continue to improve its efforts to disrupt, deny, exploit, or increase the costs of foreign cyber operations that are targeting the nation’s most critical economic assets. Examples of USG actions include the following:
• Sharing information about cyber threats, vulnerabilities, and other risks;
• Promoting best practices, risk assessments, and capability development;
• Improving our responses to cyber incidents;
• Building and driving the market towards a more secure cyber ecosystem; and
• Partnering with allies to address cyber issues.
The FBI and CISA urge all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material, and recommend the following:
- Assume that press attention affiliating your organization with COVID-19 related research will lead to increased interest and cyber activity.
- Patch all systems for critical vulnerabilities, prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data.
- Actively scan web applications for unauthorized access, modification, or anomalous activities.
- Improve credential requirements and require multi-factor authentication.
- Identify and suspend access of users exhibiting unusual activity.
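The last recommendation above, identifying users whose activity departs from their own baseline so that access can be reviewed or suspended, is the one defenders most often have to turn into concrete detection logic. The following is an added example, not code from the FBI/CISA advisory or from any product: it parses a constructed authentication log (the timestamp/user/result/source-IP line format, the business-hours window and the failure thresholds are all assumptions) and reports, per user, why a successful login looked unusual compared with that user's earlier behaviour.

```python
"""Flag accounts whose login activity departs from their own baseline.

Added example (assumed log format and thresholds); not from any advisory or product.
Each log line is "<ISO timestamp> <user> <OK|FAIL> <source_ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice normally works office hours from 10.1.4.22;
# on 6 May a burst of failures from an unseen address precedes a 03:14 success.
SAMPLE_LOG = """\
2020-05-04T09:12:03 alice OK 10.1.4.22
2020-05-04T09:40:11 alice OK 10.1.4.22
2020-05-05T10:02:45 alice OK 10.1.4.22
2020-05-05T14:20:00 bob OK 10.1.7.9
2020-05-06T03:14:01 alice FAIL 203.0.113.8
2020-05-06T03:14:09 alice FAIL 203.0.113.8
2020-05-06T03:14:17 alice FAIL 203.0.113.8
2020-05-06T03:14:30 alice OK 203.0.113.8
2020-05-06T15:55:12 bob OK 10.1.7.9
"""


def parse_log(text):
    """Turn the raw log text into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts),
                       "user": user,
                       "ok": result == "OK",
                       "ip": ip})
    events.sort(key=lambda e: e["time"])
    return events


def build_baseline(events, baseline_end):
    """Per-user set of source IPs seen in successful logins before baseline_end."""
    known_ips = defaultdict(set)
    for e in events:
        if e["time"] < baseline_end and e["ok"]:
            known_ips[e["user"]].add(e["ip"])
    return known_ips


def find_unusual_users(events, baseline_end, business_hours=(7, 19),
                       failure_threshold=3, failure_window=timedelta(minutes=10)):
    """Return {user: [reasons]} for successful logins after baseline_end that
    come from an unseen IP, fall outside business hours, or follow a burst of
    failures (a simple brute-force / password-spray indicator)."""
    known_ips = build_baseline(events, baseline_end)
    findings = defaultdict(list)
    recent_failures = defaultdict(list)  # user -> timestamps of failed attempts
    for e in events:
        if e["time"] < baseline_end:
            continue
        user = e["user"]
        if not e["ok"]:
            recent_failures[user].append(e["time"])
            continue
        reasons = []
        if e["ip"] not in known_ips[user]:
            reasons.append(f"login from previously unseen source {e['ip']}")
        if not (business_hours[0] <= e["time"].hour < business_hours[1]):
            reasons.append(f"login outside business hours at {e['time']:%H:%M}")
        window_start = e["time"] - failure_window
        burst = [t for t in recent_failures[user] if t >= window_start]
        if len(burst) >= failure_threshold:
            reasons.append(f"{len(burst)} failed attempts within "
                           f"{failure_window} before success")
        recent_failures[user].clear()  # success resets the failure counter
        for reason in reasons:
            if reason not in findings[user]:
                findings[user].append(reason)
    return dict(findings)


def review_sample():
    """Run the detector over the constructed log with a 6 May baseline cutoff."""
    events = parse_log(SAMPLE_LOG)
    return find_unusual_users(events, baseline_end=datetime(2020, 5, 6))


if __name__ == "__main__":
    for user, reasons in review_sample().items():
        print(f"review access for {user}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The output is a review list, not an automatic lockout: a user with no baseline at all (a new hire) will trip the unseen-source rule on every login, so in practice the baseline window and thresholds are tuned per environment and the findings are fed to an analyst or an identity-provider workflow that can suspend the account.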
The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:
- Patch all systems and prioritize remediating known exploited vulnerabilities.
- Enforce multifactor authentication (MFA).
- Secure Remote Desktop Protocol (RDP) and other risky services.
- Make offline backups of your data.
References and Resources also include: