If you examine the history of cyber breaches, you will find that the most newsworthy are usually attributed to Russia, China, Iran and, more recently, North Korea. This may or may not be true, but to echo the words of Eugene Kaspersky: the reality is that everyone hacks everyone. Friends attack foes, but friends also attack friends… secretly, of course.
Leaked documents provided by whistleblower Edward Snowden indicated that GCHQ was behind an attack against Belgacom, a partially state-owned Belgian telecommunications company. Belgacom’s major customers include institutions such as the European Commission, the European Council and the European Parliament.
Aside from monetary gain, it is often quite difficult to ascertain the exact motivations behind any cyber attack. However, a few inferences can be made if you consider that “Operation Socialist”, the code name for the Belgacom attack, is said to have enabled GCHQ to launch “man in the middle” attacks. This means they could intercept communications between two parties, then read and potentially alter them without either side knowing.
However, it is not just GCHQ. The Snowglobe malware campaign, which targeted entities in Canada, Spain, Norway and Greece in addition to its main target of Iran, has been attributed to the General Directorate for External Security (DGSE), a French intelligence agency. Careto, aka “The Mask”, is a Spanish-speaking group which has also targeted many European countries with its nation-state-level capabilities. The NSA has also faced a string of allegations about its activities against allies.
So, is there any reason to expect this situation to change? The short answer is no. History has shown that the allies of today can become the enemies of tomorrow. These groups are therefore acting in the interest of national security. In addition, many countries are seeking to gain a strategic advantage – and that is not just China. As advances are made in the stealth and persistence of cyber tools and techniques, some countries may be encouraged to attack politically sensitive targets.
The ability to pin the blame on another party reduces the risk of hacking politically sensitive targets (including allies). To figure out “who done it” (i.e. attribution), analysts typically rely on signatures, indicators and trends. Specifically, this may involve malware code analysis, identifying command and control infrastructure, the keyboard language used during creation, the operating hours of the attackers, their social engineering tactics and the past adversaries of the victim. The problem is that threat actors collate this same information, just as threat intelligence analysts do. What happens if an attacker skilfully mimics the tactics, techniques and procedures (TTPs) of another attacker? Fortunately for analysts, this is not easy to do, at least at nation state level.
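To make the “operating hours” indicator concrete, here is an added worked example (not code from the original article) of how an analyst might test which UTC offset best explains a set of compile timestamps. The timestamps are constructed for illustration and do not come from any real sample set; the working-hours window (weekdays, 09:00 to 18:00 local) and the half-hour offset grid are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: compile timestamps (UTC) from a hypothetical malware
# family. Invented for illustration only; not real data.
SAMPLE_TIMESTAMPS_UTC = [
    "2016-03-07T06:12:00Z",  # Monday
    "2016-03-07T09:40:00Z",
    "2016-03-08T07:05:00Z",  # Tuesday
    "2016-03-08T14:55:00Z",
    "2016-03-09T06:30:00Z",  # Wednesday
    "2016-03-09T11:20:00Z",
    "2016-03-10T08:45:00Z",  # Thursday
    "2016-03-10T14:10:00Z",
    "2016-03-11T06:50:00Z",  # Friday
    "2016-03-11T13:35:00Z",
    "2016-03-14T10:00:00Z",  # Monday
    "2016-03-15T14:40:00Z",  # Tuesday
]

# Assumed working-hours window in local time: [09:00, 18:00) on weekdays.
WORK_START, WORK_END = 9, 18


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts: datetime, offset_hours: float) -> datetime:
    """Shift a UTC datetime into a hypothetical local zone at UTC+offset."""
    return ts + timedelta(hours=offset_hours)


def working_hours_fraction(stamps, offset_hours: float) -> float:
    """Fraction of timestamps that fall on a weekday inside the working-hours
    window when interpreted under the given UTC offset."""
    hits = 0
    for s in stamps:
        local = to_local(parse_utc(s), offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(stamps)


def rank_offsets(stamps, step_hours: float = 0.5):
    """Score every offset from UTC-12 to UTC+14 (half-hour steps by default,
    since some real zones are not whole hours) and return (fraction, offset)
    pairs, best fit first. Ties are broken towards the smaller offset so that
    ambiguity is visible in the list rather than hidden."""
    lo, hi = int(-12 / step_hours), int(14 / step_hours) + 1
    offsets = [k * step_hours for k in range(lo, hi)]
    scored = [(working_hours_fraction(stamps, o), o) for o in offsets]
    return sorted(scored, key=lambda t: (-t[0], abs(t[1])))


def best_utc_offset(stamps):
    """Return (offset_hours, fraction) for the best-fitting offset."""
    frac, off = rank_offsets(stamps)[0]
    return off, frac


def local_hour_histogram(stamps, offset_hours: float) -> Counter:
    """Hour-of-day histogram under an offset; useful for eyeballing a
    lunch dip or a clear start/stop pattern."""
    return Counter(to_local(parse_utc(s), offset_hours).hour for s in stamps)


if __name__ == "__main__":
    for frac, off in rank_offsets(SAMPLE_TIMESTAMPS_UTC)[:5]:
        print(f"UTC{off:+.1f}: {frac:.0%} of samples inside working hours")
    off, _ = best_utc_offset(SAMPLE_TIMESTAMPS_UTC)
    print("histogram at best offset:", sorted(local_hour_histogram(SAMPLE_TIMESTAMPS_UTC, off).items()))
```

On the constructed data the ranking puts UTC+3 first with every sample inside the window, while the neighbouring offsets score lower because the samples deliberately span the whole 09:00 to 18:00 day. The ranking function, rather than a single answer, is the point: compile timestamps are trivially editable, so a clean result here is one weak indicator to be weighed against code artefacts, infrastructure and the other signals listed above, not proof of origin, which is exactly the false flag problem the rest of this piece describes.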
However, increasing attempts are being made to muddy the attribution waters. Threat actors copy, steal and repurpose each other’s tools and infrastructure. For instance, a server belonging to a research institution in the Middle East, colloquially known as the ‘Magnet of Threats’, simultaneously hosted implants for the nation state actors Regin and Equation Group (English language), Turla and ItaDuke (Russian language), as well as Animal Farm (French language) and Careto (Spanish language).
Similarly, investigations into a Lazarus Group campaign against Polish banks revealed that false flag techniques had been used to complicate attribution. Several Russian words were presented as commands in the source code; however, closer inspection showed that the commands were most likely the output of an online translation tool or, in some cases, had been written as pronounced rather than as a native speaker would spell them.
Imagine that you don’t follow Western media sources like the BBC or the New York Times. Also imagine you reside in Russia, China, North Korea or Iran. How would you view your country and the West in relation to hacking? If you take Iran, in April 2010 their industrial control systems (ICS) were attacked by the Stuxnet worm which was allegedly developed in a joint effort by the United States and Israel.
Iran’s nuclear infrastructure and its oil and gas infrastructure were also targeted by the Duqu malware from 2009-2011, and by the Flame malware in 2012. Both Duqu and Flame have been linked to Stuxnet. From the perspective of some Iranians, they were attacked by aggressors. It is no surprise that, following these adversarial cyber campaigns, Iran began rapidly developing its cyber capabilities, which it may have used to conduct retaliatory attacks.
As analysts, we are taught to use techniques that mitigate our biases. A thought process that can assist with this is to remember that ‘everyone hacks everyone’. It is important not to jump to conclusions but to examine all the eventualities. Advances in evasive methods and false flag operations will continue to necessitate impartial, critical analysis.