Cyber espionage is a form of cyber attack that steals classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity.

Let’s Define Cyber Espionage

Espionage, according to Merriam-Webster, is “the practice of spying or using spies to obtain information about the plans and activities especially of a foreign government or a competing company.”

Take this into the cyber world, and the spies are armies of nefarious hackers from around the globe who use cyber warfare for economic, political, or military gain. These deliberately recruited and highly valued cybercriminals have the technical know-how to shut down anything from government infrastructures to financial systems or utility resources. They have influenced the outcome of political elections, created havoc at international events, and helped companies succeed or fail.

Many of these attackers use advance persistent threats (APTs) as their modus operandi to stealthily enter networks or systems and remain undetected for years and years.

Headlines about cyber espionage usually focus on China, Russia, North Korea, and the United States, whether as the attacking state or the victim of attack. However, the UK’s Government Code and Cipher School (GCCS) estimates that there are 34 separate nations that have serious well-funded cyber espionage teams.

These state-based threat actor teams are comprised of computer programmers, engineers, and scientists that form military and intelligence agency hacking clusters. They have tremendous financial backing and unlimited technological resources that help them evolve their techniques rapidly.

Eric O’Neill, a former undercover F.B.I. agent who is a National Security Specialist at Carbon Black, is quite familiar with espionage. In an article called Hacking is the New Face of Espionage, he says “the contemporary battle is fought with keyboards and software rather than dead-drops and balaclavas.” He goes on to say with cyber war now being fought on a global scale, there is more onus on security than ever. “Too many organizations are not taking the threat as seriously as they should,” notes O’Neill.

He adds, “It is no longer enough to defend and react if you are breached. Taking a ‘bad-guy’ approach is a massive step forward when tackling your attackers in the world of cyber espionage.”

So what have the masters of cyber espionage been up to lately? Here are a few of the nation-state attack groups that have been headlined repeatedly over the years.

North Korea
North Korea reportedly has an army of more than 6,000 hackers that raise money to pay for the country’s nuclear program. A recent attack attributed to North Korea is APT37, which took aim at South Korea, Japan, Vietnam, and the Middle East. The attack was purportedly led by a well-known hacking group called Lazarus, which has been active for the last five years or so. The group has been cited for attacks such as the Sony Pictures one in 2014, which netted tens of millions of dollars, and it may be responsible for the $81 million cyber heist of a Bangladeshi bank in 2016. They also are blamed for the 2017 widespread WannaCry attack, which wreaked billions of dollars of havoc on companies, banks, and hospitals around the world.

Vietnam
Onto Vietnam, and there is OceanLotus, a cyber espionage group which could potentially be behind the attacks called APT32 and APT-C-00. These threats have been aimed at corporate and government organizations in Vietnam, the Philippines, Laos, and Cambodia and focus on foreign corporations with interests in Vietnam’s manufacturing, consumer products, and hospitality industries.

China
One of China’s well-known attack groups is TEMP.Periscope, or Leviathan. This group has recently been escalating their attacks and targeting U.S. companies in the engineering and maritime fields that are linked to the South China Sea and some of the world’s busiest trading routes. Another group of Chinese threat actors, APT10, is blamed for a campaign that perhaps started as early as 2009. As potentially one of the longest sustained cybersecurity threats in history, APT10 recently attacked companies through managed service providers in multiple industries in several countries, as well as some Japanese companies, causing an unknown amount of damage through the theft of large volumes of data.

Another potential nation-state attack is Slingshot APT, which may have links back to the government of the United States. Slingshot APT has similarities to a threat actor known as Grey Lambert or Longhorn, which has been linked to the U.S.’s CIA. The campaign may have been active for six years or more, and targeted the Middle East and Africa via sophisticated evasive and stealthy tactics that help the actors successfully exfiltrated large volumes of sensitive data.

Lazarus may be responsible for a $81M cyber heist on a Bangladeshi bank that occurred in 2016.

In the article above, Eric O’Neill suggests that the best defense is a good offense. Here is some of the steps that Eric recommends for battling cyber espionage:

• Understand where the threats are coming from. When cybercrime first hit the scene, there initially were stand-alone criminals working toward their own, personal agendas. According to Eric, those days are over and nation-states have wised up to the potential benefits of digital warfare and cyber espionage.
• Discover the motive. Understanding the source can provide a much better chance of discovering the motive. The reason a state actor is attacking might be entirely different from someone operating on their own accord. These reasons can range from trying to gain a competitive advantage, to disrupting a system or location. The motive of an attack can often tell a lot about the method, and vice-versa. Hence, if the method is known, there can be a greater understanding of the target, which leads to a better grasp of the method most likely to be used to infiltrate it.
• Think like a hacker. When looking for the motive, thinking like a hacker could help a company catch a hacker faster. Catching criminals doesn’t happen by accident, and when thinking like a hacker, a clearer picture of what their movements may be can emerge more quickly. Putting this into practice is imperative, not only in the aftermath of a breach, but in protecting a company from one in the first place. If a security team can get into the mind-set of a hacker, it can actively seek out its own vulnerabilities, understand what tactics might be used to gain entry, and what data can be accessed using those methods.
• Identify the hacker’s techniques. Having knowledge of the potential techniques that a hacker might use can provide an invaluable weapon when fighting back against cybercriminals. A near-constant gathering of information is the key to success here. Eric recommends having as many external sensors as possible, as well as participation in a vocal community that is sharing information.
• Take a proactive approach. Developing a proactive approach to security is often the most effective way of protection. The sentiment “the best defense is having a good offense” really does ring true here, according to Eric. By taking the fight to attackers, they can be stopped in their tracks and companies can prevent breaches at the source. With more sophisticated methods being used, and a greater volume of attacks, having a strong force is mission critical. As Eric notes, “Now is the time to start thinking like a bad guy and fight back.”