by James Scott, Sr. Fellow, ICIT
Allegations of cyber-incidents, IP theft, and cyber-attack have significant tangible results and seismic geopolitical implications. Most compromised organizations do not detect breaches until eight months after the initial incident; consequently, typical attribution is based on the scraps of evidence that the adversary intentionally (as a diversion or demonstration of skill) decided or carelessly left behind. Because sophisticated attack kits are increasingly accessible and available to less sophisticated attackers, it is increasingly more difficult to retroactively distinguish one attacker from another. Competing vendors complicate attribution efforts by foregoing a systemic nomenclature and by storing information away into silos, where its relevance fades in the weeks or months necessary to develop “unique” content. Faux experts and the ill-informed attempt to garner credibility by rapidly attributing every cyber-attack to whichever Chinese or Russian advanced persistent threat (APT) group dominates the spotlight at that moment. They fail to realize that accurate attribution depends on reliable analysis of the indicators of compromise (IoCs); the adversarial tools, techniques, and procedures (TTP) utilized; and on a holistic attacker profile generated from the systematic aggregation of past adversary behavior, target demographics, unique operational procedures, and many, many other characteristics.
Western critical infrastructure is subjected to cyber-assaults from nation-state adversaries, cyber-mercenaries, Hail-Mary threat actors, cyber-terrorists, and cyber-criminal gangs from China, Russia, North Korea, the Middle East, South America, and nearly every other global region. China and Russia are by far the most active and they sponsor the most prevalent and the most sophisticated adversaries. China maintains its geopolitical and economic status by conducting cyber-operations on Western organizations and critical infrastructure. China leverages its significant resources and vast population in an inexorable barrage of APT campaigns intent on advancing China’s 13th Five-Year Plan by stealing valuable intellectual property and geopolitical data from U.S. companies and critical infrastructure organizations. People’s Republic of China (PRC) liaisons, implanted within organizations operating in China, intentionally undermine the security of devices and systems by lacing them with vulnerabilities and backdoors for nation-state and cyber-mercenary APTs to exploit. Sophisticated cyber-espionage groups conduct extensive campaigns, such as the Deep Panda assault on the Office of Personnel Management (OPM), in order to develop robust espionage databases that can be integrated with demographic and psychographic big data analytics applications for decades to come.
The PRC assuages culpability by outsourcing layers of its cyber-warfare operations to cyber-criminal and cyber-mercenary APTs that are hired on the Dark Web, are gifted sophisticated malware and resources, and are tasked with targeting U.S. critical infrastructure. Most Chinese cyber-attackers are not as sophisticated or as stealthy as Russian adversaries. However, they are more numerous, and attribution is intentionally clouded through shared malware, infrastructure, and target demographics. Approximately one-hundred Chinese APTs have targeted U.S. critical infrastructure over the past few years. If the swath of Chinese cyber-assaults is not stymied, then targeted critical infrastructure will be crippled, targeted geopolitical systems will be undermined, and the PRC will continue to accelerate cyber havoc on Western critical infrastructure.
Russia, in this cyberwar, is America’s singular technological peer, possessing a unique stealth and sophistication that continuously and effortlessly crashes through the layers of most critical infrastructure organization’s cyber defenses. Recently, Russia has been deemed the culprit in everything from election tampering and information warfare to CIA leaks channeled through WikiLeaks. Attribution has been based on third party hearsay and flimsy forensic analysis only to be convoluted even further by political agenda driven talking points of government officials and faux experts and then reported on by a ready media.
When a government official uses the broad stroke attribution of “It’s the Russians,” the immediate response should be: Which Russian APT is responsible? How do you know?, What imitators have been analyzed, that could impede forensic analysis efficiency?, What tools were used in the breach? and How long have those tools been available on Deep Web markets and forums?. More often than not, in-depth investigation will reveal that the tools used in the breach have been available for free download for several months, the IP address leap frogs globally to obfuscate the actual location of the attacker, and at the end of the day the entire attribution was based on convenient, but ultimately inconclusive evidence and little more.
Now, more than ever, accurate attribution is crucial and must be based on the systematic profiling of Nation States, Cyber-Mercenaries, Hail-Mary threat actors and cyber-criminal gangs, based on the holistic aggregation of reliable intelligence that was collected via a combination of academic research and dark web monitoring.
The Institute for Critical Infrastructure Technology offers the only advisory available that can help governments systematically and holistically profile the adversaries operating within their critical infrastructure. The demand for our Federal Agency and Congressional advisory has positioned us to expand our Advanced Persistent Threat profiling advisory to Five Eyes, European Union and NATO nations as well as private sector in select critical infrastructures.
We monitor the activity of more than 100 APTs for which we maintain detailed analysis: industries targeted, attack vectors (payload delivery and vulnerabilities exploited), exploit kit details (including payload function), copycat adversaries, cyber espionage tactics and procedures, APT biography and modus operandi, data being targeted and for what purpose and a host of other details that will inform law makers and officials as to the true nature of the threats targeting the critical infrastructure community. We will also cover next generation layered cybersecurity strategies that offer the most potent cyber defense.
Contact us for more information about ICIT’s APT profiling and industry-tailored briefings on Russian, Chinese, Cyber Caliphate and cyber-criminal gangs. Corporate sponsorship opportunities are also available for ICIT Fellows to lecture or hold a briefing in your area on this topic.