State vs. non-state hackers: Different tactics, equal threat?

Within the last six months, a number of embarrassing cyber intrusions involving government systems have come to light. The government revealed only recently that the State Department and White House unclassified email systems were breached sometime last year by Russia, personal information on about 22 million was taken from the Office of Personnel Management database, reportedly by the Chinese, and most recently, the Joint Chiefs of Staff unclassified email system was breached. (Russia again). Other nation states such as North Korea have also jumped into the fray – allegedly hacking Sony Pictures last fall.

In addition to those breaches, the United States was hit with other acts that could be called cyber vandalism, such as the hacks into the Central Command’s Twitter page by pro-ISIS hackers. Hackers claiming to be directly involved with the terror group recently said they obtained the personal information of service members and disseminated it to be used for future attacks against such individuals, for retaliation against U.S. military strikes against ISIS positions in Iraq and Syria. According to initial reporting by NBC News, ISIS claims to have obtained names, emails, passwords and phone numbers from individuals in the Air Force, Marines, NASA and the Port Authority of New York and New Jersey, though noted it is not clear how recent the information is or if the email addresses are still valid. 

This follows a similar incident in the spring in which pro-ISIS members claimed to have hacked Pentagon servers to gain biographical information for service members, a claim that turned out to be specious at best, as the hackers obtained the information through Google searches.

Cyberspace is simply another operational domain being utilized by both state and non-state actors and much like in the physical space, the tactics, targets, information and general operation by each in cyberspace are different.

Tip of the spear

For example, the hack against the Joint Chiefs was described as one of the most sophisticated attacks ever.  However, it did not deviate from what has become a hallmark of Russian hacking abilities – a tactic called spear phishing, which was also used in the incident that took place last year against the State Department and White House systems. Spear phishing involves emails that appear top come from a trusted source that try to lure people into clicking on a link andn ultimately revealing their passwords or other information. Hackers mcan then use that information to infiltrate a network.

“Practice makes perfect,” Ryan Kazanciyan, chief security architect at Tanium, a cybersecurity company, told Defense Systems regarding Russia’s history with such phishing campaigns. He added that groups are very familiar with how to gain access into environments such as closely guarded government networks. The key, he said, is that the entire system does not have to be compromised up front – once a particular corner of the network is compromised, hackers can then move laterally and eventually up the chain to more high-value individuals or targets. Last year, for example, Russian reportedly lifted the president’s daily schedule, with is not classified is not made public.

In the case of the OPM hack, hackers purported to be with the Chinese government – the U.S. has not publically named China as the culprit – stole the information for intelligence purposes. There are myriad uses for the information taken from OPM; the military and intelligence blog War on the Rocks identified nine of them:

• Identify undercover officers
• Neutralize U.S. government officials
• Threaten overseas family members
• Harass clearance holders or their families in the United States
• Wire you for sound
• Figure out exactly what it takes to get a security clearance
• Publish the data
• Guess passwords
• Spear phish.

The intent for nation states in orchestrating hacks are more traditional, such as long-term intelligence, Haiyan Song, vice president of security markets at Splunk, a global software firm, told Defense Systems. Such intelligence troves will help nation states better plan and prepare for future operations and counter operations against the United States. Even unclassified information taken in aggregate can provide attackers with a valuable amount of knowledge, such as travel plans and other indicators taken from conversations and data, Kazanciyan said. Although classified information is better protected, hackers often are able to stay under the radar in unclassified networks, giving them a long-term view of activity.

NBC News recently reported  that Chinese officials have had access to emails from top U.S. national security and trade officials dating back to 2010. Chinese attackers also gained access to email address books, which allowed for more efficient targeting in the way for more authentic looking and better cloaked phishing and malware attacks on friends and colleagues. 

Getting personal

Attacks from non-state actors, on the other hand, tend to serve the purpose of coercion and personal gain.  While nation states are motivated by geopolitics and deterring other states, non-state actors have typically been motivated by financial gains and ideology, Song said. In the case of the attacks by pro-ISIS sympathizers and members purported to be associated with the group, the information they made public – names and contacts of military personnel and their families – serves as retribution for military action and coercion to cease such behavior. 

The Defense Department is holding its cards close to its chest, not devolving much information about the incident. It still is not clear if any Pentagon systems were actually breached. “I don’t want to downplay the incident, but this is the second or third time they’ve claimed that,” Army Chief of Staff Gen. Ray Odierno told reporters at a Pentagon briefing a day after the incident was reported. Odierno said that in the first two incidents, the lists published by hackers were not taken via cyber attack. Rather, the lists were separate from the networks. “So far, I have not seen the list myself, but what I believe is that this is no different than those other two times,” Odierno said. “But I take it seriously because it’s clear what they’re trying to do. And so it’s important for us to make sure that all our force understands what they’re trying to do – even though I believe they have not been successful with [what they are] claiming.” 

It is still unclear if non-state actors such as ISIS have the capabilities that nations such as Russia or China have—global security firm Flashpoint Intelligence agreed that the group’s claims of Pentagon network intrusion were likely overstated—but their attempts do raise concerns about potential damage coming from so-called lone-wolf attacks.

Different language

One common difference between non-state-actor phishing campaigns and the targeted spear-phishing campaigns like the one targeting the Joint Staff is language. A lot of non-state phishing features emails with grave spelling and grammar mistakes, because they are targeting individuals that cannot necessarily tell the difference. Nation states will hire linguists to increase the authenticity of the phishing emails. It’s not necessarily a deficiency in the capabilities of non-state actors vis-à-vis nation states, but different targets and resources. 

Another difference: While nation states typically don’t advertise their intelligence victories—in fact, they typically issue firm denials—non-state actors are more willing to brag about their successes in cyberspace if it serves their cause, Song noted.

The hack of Sony pictures by North Korea, however, was something of a hybrid. At the Aspen Security Forum recently, Adm. Michael Rogers, head of U.S. Cyber Command and the National Security Agency, said that what was most unique about the Sony hack was the publicity and build up. North Korean was upset over the pending release of “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong-un. Rogers noted how the North Koreans, leading up to the incident, were threatening to do something – and they eventually did. This was important because the North Koreans used cyber for coercion – don’t do something, in this case, don’t release the movie.

In fact, this incident demonstrates a potential blurring of lines between state and non-state actor targets, tactics and intents. “The state actors, sometimes they go steal intellectual property and they steal trade information that helps them to become more economically competitive,” Song said. Non-state actors utilize similar practices to serve their ideological beliefs, to air grievances, or gain publicity behind their causes. Additionally, some states have even begun to hire hackers to do their bidding as a means of complicating the attribution problem further. 

While states probably have the greatest capacity and the most sophisticated technologies at their disposal to conduct attacks, not to mention greater government protection from prosecution, non-state actors might be just as capable, though in a different way. In terms of expertise, non-state actors’ ability to collaborate with each other more easily could afford them more threatening capabilities, as they can come up with new techniques and malware through the network they have developed, Song said.

Between state and non-state actors, “I don’t really see a big gap from a technology and skill perspective,” Song said.