26 November 2019

Hacking and cyber espionage: The countries that are going to emerge as major threats in the 2020s

By Danny Palmer

Nation-state backed cyber groups have been responsible for major incidents over the last decade. And now more countries want the same power.

The continuing rise of state-backed hackers has been one of the most dramatic cybersecurity developments of recent years. And now it seems a new set of countries are keen to use the same tactics as some of their larger and more powerful rivals.

Cyber espionage has been going on pretty much since the dawn of the web, with Russia, China, Iran and North Korea generally seen as the countries most likely to be engaging in cyber-espionage campaigns against Western targets. Their Advanced Persistent Threat (APT) hacking groups target governments and organisations around the world. Western governments are spending big on their own cyber-espionage expertise too of course, and one of the most high-profile cyberattacks, the Stuxnet worm used against the Iranian nuclear project, was led by the US.

But it's not just the major superpowers and the usual suspects that are looking to take advantage of the internet for intelligence and other gains – and as we move into the 2020s, more governments are looking to level up their cyber capabilities.


"Over the last five years you've seen more and more countries gaining offensive cyber capabilities. You have a lot of different tiers, but none of them are at the level of the big four attackers that we talk about," says Sahar Naumaan, threat intelligence analyst at BAE Systems.

"There's a huge number in that second and third tier that are upcoming that haven't got to the level of professionalised level of APT you see from other states: but it's only a matter of time before you see them develop," she says.

While they don't sit up there with the most sophisticated hacking groups – at least yet – some of these operations have already emerged onto the world stage.

One of these is APT 32, also known as OceanLotus, which is a group working out of Vietnam that appears to work on behalf of the interests of its government. The main target of attacks are foreign diplomats and foreign-owned companies inside Vietnam.

Many of these campaigns begin with spear-phishing emails that encourage victims to enable macros to allow the execution of malicious payloads. It's not a sophisticated campaign, but it appears to be doing the job for now – and that's enough.

"Over the last five years there have been tactical evolutions along with new malware and new techniques, but they haven't taken a jump up to compete with the volume of Chinese attacks or the sophistication of the Russian groups," says Benjamin Read, senior manager of cyber-espionage analysis at FireEye.

"They've had a little bit of evolution," he continues. "But it's mostly internal surveillance against adversaries. You see a little bit of them on the world stage, but they mostly stay in that area, rather than becoming a worldwide player".

Examining how up-and-coming cyber powers are using tools against targets within their own borders could provide insight into what states are on the rise in this arena.

"Often the way you see the initial reporting on this is targeting of individuals inside the country first. In those cases the attacks target people who are classified as dissidents or against the government and the government is using cyber activity to track them and find them," says Ryan Olson, VP of threat intelligence at Unit 42, the Palo Alto Networks research division.

Some of these cases have been widely reported, including the increasing use of mobile malware to target journalists and human-rights activists in the Middle East.

The countries in this region tend to rely heavily on expertise from outside contractors, but it's not beyond the realms of possibility that their knowledge could be absorbed by home-grown talent and turned towards other targets.

"It's the same techniques they use to target them that could be used to target individuals in other countries, whatever their role might be," Olson says.

And there are regions of the world where the techniques deployed in attacks against dissidents and political opponents inside national borders have already been deployed against targets outside the country.

One of these areas is Pakistan, where a hacking operation known as the Gorgon Group isn't just only evolving techniques, but playing a balancing act between performing nation-state based activity and more traditional cybercrime.

Some of their credential-stealing attacks are sent out in their thousands in an effort to scoop up whatever information can be obtained using commonly available remote access tools such as NJRAT and QuasarRAT – all of which can be purchased on the internet.

But other campaigns that have been traced back to Gorgon are more targeted in nature, with evidence of attacks being directed towards diplomats and governments in Europe and in the US. One campaign involved links purporting to be job listings for high-level generals.

"Listings from what looks like a government website for high-level jobs – you can imagine the people who'd be interested in clicking that," says Olson.

If an attacker managed to breach one of those targets, it could potentially give them access to vast swathes of classified information to use as they see fit, be it for espionage or something else.

Cyber espionage against Western nations isn't new. But the evolution of campaigns coming from places like Vietnam, the Middle East, Pakistan and others means that there's likely to be more attacks coming in future, with each using their own techniques and lures in an effort to commit subterfuge against their intended targets.

But with new techniques and tools becoming available to hacking units outside of the big four – especially since the Shadow Brokers leak that released some of the US National Security Agency's secret tools into the wild, some of which have since been used in offensive campaigns – it's only going to get easier for smaller players to grab a piece of the cyber pie.

"There's a plethora of open-source information about how this stuff happens," says Read. "Cyber is a relatively easy capability compared to everything else, which has made things more closer together globally."

What that ultimately means is that as we enter the 2020s, nation-state backed cyberattacks are going to remain very much part of cyber espionage, and the murky side of international relations, as more countries look to develop in this space.

"Cyberattacks aren't going away. Their value to governments and other organisations isn't going to decrease in the next ten years," says Olson.

"So while we might be thinking about the big four a lot now, in the future there's going to be a lot more diversity in where the attacks are coming from and that's going to create more complexity for us trying to attribute these attacks because there's going to be more actors operating at a larger scale."

But will any of the second-tier players catch up and find themselves listed alongside China, Russia, North Korea and Iran as the nations that pose the largest threat to governments and organisations in the west? It seems unlikely, because not only are they starting from a position that's further behind, the major cyber powers will continue to move forward.

"The big four are also improving. It's not a static target you're catching up to," says Read.

No comments: