A short history of cyber espionage

Dick O'Brien
Threat Intel
Published in
9 min read · Jul 27, 2017

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cybersecurity.

Throughout history, nation states have tried to undermine each other through clandestine activity, whether it's spying, sabotage, or subversion. The rapid growth of the internet during the 1990s opened up a new frontier in international espionage, and it wasn't long before we began to read ominous warnings about cyber warfare. Could a country's enemies shut down its power grid, take out its telephone system, or even hijack its nuclear missiles?

Given the covert nature of the beast, we don't know exactly when or how cyber espionage began. But if we had to guess, there's a good chance that early operations didn't resemble the plot of a James Bond movie and were actually quite mundane. Signals intelligence, the interception and decryption of enemy communications, has long been a bread-and-butter operation for intelligence agencies, and it's quite likely that early efforts simply extended it into cyberspace.

First cases

The first documented case of cyber espionage pre-dated the web itself. In 1986, Clifford Stoll, who at the time was managing computers at Lawrence Berkeley National Laboratory in California, noticed a small, unexplained discrepancy in the lab's computing time records. Tracing it eventually led him to a hacker who appeared to be systematically targeting computers at military bases around the U.S. in search of military secrets. Stoll eventually set a trap for the attacker, luring him in with a cache of fake documents. The hacker took the bait and was identified as Markus Hess, a West German who had been selling stolen information to the KGB.

Earlier still, the CIA is alleged to have caused the explosion of a Siberian gas pipeline in 1982 by duping Soviet agents into stealing booby-trapped industrial control software, which caused the pipeline to malfunction. The incident was long the subject of rumor but appeared to be confirmed in 2004 when Thomas Reed, a former member of Ronald Reagan's National Security Council, described it in his book At the Abyss. However, Reed's account has been disputed by some experts, including the well-known cyber security researcher Jeffrey Carr.

The case that really brought cyber espionage to public attention was Moonlight Maze, the name given to attacks against US government targets, which became public in 1999 with the publication of a story in Newsweek. An FBI investigation found that the group responsible had compromised the US Navy, Air Force, Department of Energy, and NASA, among other targets, and stolen so many documents that, if stacked, they “would be taller than the Washington Monument”.

While Moonlight Maze was one of the first operations to be uncovered, it certainly wasn't the only one under way at the time. The activities of the Equation Group, a highly advanced, well-resourced cyber espionage group, only became public in 2015, but the available evidence suggests that it was operating as early as 2001.

Although it wasn't immediately apparent at the time, at least to the public, activity increased sharply in the years that followed, with many of the major cyber espionage groups first showing signs of life between 2005 and 2010.

It took a few years to join the dots, but by the end of the decade cyber espionage was back in the spotlight, this time with Google disclosing in January 2010 that it and at least 20 other large companies had been targeted in a campaign dubbed Operation Aurora, carried out by a group Symantec tracks as Hidden Lynx. By our estimation, Hidden Lynx had approximately 50 to 100 operatives at its disposal and was capable of carrying out hundreds of simultaneous attacks against diverse targets, an indication of how far cyber espionage operations had scaled up over the years.

Sabotage!

Perhaps the most dramatic development in the world of cyber espionage was the discovery of Stuxnet. It was probably the first real-world example of the kind of ambitious and highly destructive cyber attack that had always been seen as theoretically possible but had hitherto only been the subject of doom-laden warnings.

The story of Stuxnet is worthy of an entire post in itself (and if you haven't seen Alex Gibney's documentary Zero Days, featuring my colleagues Liam O'Murchu and Eric Chien, you should check it out), but to summarize briefly: Stuxnet was a mysterious piece of malware that appeared in 2010 and initially garnered attention because it used a zero-day vulnerability in the way Windows handled shortcut (.lnk) files to spread via removable drives. However, it was only after extensive investigation by Eric and Liam that its true purpose became apparent.

Stuxnet was designed to target industrial control systems, in particular to hijack Programmable Logic Controllers (PLCs), the devices that run and monitor industrial equipment. It didn't attack PLCs indiscriminately: its payload only activated on Siemens PLCs connected to a specific configuration of frequency converter drives, a configuration matching the centrifuges used in the Iranian uranium enrichment program, which at the time was the subject of a diplomatic standoff.

Stuxnet periodically changed the frequency at which those drives ran the centrifuge motors, pushing them outside their normal operating range for short periods, and hid the modification by replaying previously recorded normal readings to the monitoring software so as not to alert the system's operators. The modification caused the equipment to malfunction, essentially sabotaging the enrichment process.

Even now, seven years later, the complexity and ambition of the Stuxnet attack stands out. First, the attackers needed to gather extensive intelligence before the attack even began in order to know exactly what equipment the target was using. Secondly, they had significant obstacles to overcome in deploying the malware, since the targeted computers weren't connected to the internet (hence the ability to spread via removable drives).

For a while, it appeared that with Stuxnet we'd seen the future of cyber espionage, and that we were entering an era in which states would swap confrontation on the battlefield for taking down their enemy's infrastructure in cyberspace. Sure enough, another destructive attack followed not long after Stuxnet, when Shamoon, a disk-wiping worm, was used in 2012 in a wave of attacks against the Saudi Arabian energy sector.

Yet as time went on, it became apparent that operations like Stuxnet and Shamoon would be the exception and not the new norm. In retrospect, it isn’t that surprising. Sabotage, by its very nature, attracts a lot of attention, both to the attackers and the tools used. By contrast, traditional intelligence gathering allows attackers to maintain a much lower profile, reducing the risk of discovery.

Stealthy threats

That desire to maintain a low profile has been only partly successful. Over the past decade, security firms such as Symantec and its peers have progressively uncovered a wide array of groups that appear to be state-sponsored cyber espionage operations. It’s no longer just the realm of the major global powers. Many regional powers now have their own cyber espionage operations and there is evidence to suggest that even smaller states are moving into this arena, often through the purchase of off-the-shelf spying software.

To list every single cyber espionage group uncovered in recent years would be a book in itself, but there have been some very interesting discoveries. One of the most advanced threats we came across was Regin, which we discovered in 2014. An incredibly complex and stealthy piece of malware, it could be customized with a range of payloads depending on the target and was used in spying operations against governments, infrastructure operators, businesses, researchers, and private citizens.

However, Regin didn't lack competition. For example, Dragonfly, another group we researched extensively during 2014, was found to be targeting a range of strategically important organizations in the US and European energy sectors, such as grid operators, major electricity generation firms, petroleum pipeline operators, and suppliers of industrial equipment to the energy industry. The malware used by the group not only contained spying features but was also capable of sabotage, an option the attackers appear not to have exercised yet.

Cyber espionage is also no longer the preserve of state-sponsored groups. For example, during 2015 we discovered a group known as Butterfly, which had compromised a string of major companies over the preceding three years in order to steal information and intellectual property. However, the group had none of the hallmarks of state-sponsored attackers and instead seemed to be motivated by financial gain.

Leaky ships

Progressive uncovering of major cyber espionage groups’ activities has gone some way towards blunting their effectiveness. Not only are security firms better at protecting their customers, but end users themselves are more aware of the threat. More and more organizations are beginning to realize that it isn’t just governments that can come under attack; even relatively small organizations can be targeted. In some cases, it’s because they’re viewed as the weak link in a supply chain: compromising them could make it easier for attackers to move up the chain to their real targets. In other cases, the attackers could be interested in stealing their intellectual property or acquiring intelligence on their customers.

Alongside this, a series of high-profile leaks has also put the spotlight on cyber espionage, such as the revelations of former NSA contractor Edward Snowden and, more recently, the Vault 7 leak and the Shadow Brokers' release of files connected with the Equation cyber espionage group.

This glare of publicity may herald the end of the golden age of cyber espionage. A growing number of software and web companies are encrypting their end users’ data by default, so much so that encryption has become a bone of contention between governments and the technology sector. Some governments have argued that law enforcement agencies need a way of accessing encrypted messages in order to protect national security, while technology firms have pointed out that building back doors into their products will benefit the bad guys as much as the good guys. That’s not to say that cyber espionage is by any means on the wane, rather that nation state actors may have to work harder to compromise their targets in future.

Cyber espionage came out of the shadows again in the last 12 months, not least in the US presidential election, when a series of intrusions against the Democratic Party led to the leak of internal emails. A joint investigation by the US Intelligence Community concluded that two groups linked to Russia’s intelligence services were responsible for the campaign.

One of those groups, Swallowtail (aka APT28 and Fancy Bear) was also linked to a cyber attack against the World Anti-Doping Agency (WADA), which saw data relating to American Olympic athletes, British cyclists, and a number of other athletes stolen. Maintaining a low profile wasn’t a priority in this case and the group even created its own website (using the Fancy Bear nickname) to publish the stolen data.

Given how disruptive the attack on the US Democratic party was, it was hardly surprising that the same tactics were used in a bid to upset the French presidential election. On the eve of the decisive second round poll, the campaign of the eventual victor Emmanuel Macron was hit with a leak that saw thousands of documents and emails released online.

However, the leak appeared to have little effect on the eventual result (Macron won by a healthy margin). Its effectiveness was blunted partly because it came so late in the campaign and also because such an attack was widely expected. What's more, the Macron campaign said it had taken precautions by seeding its online presence with fake accounts containing false information, intended to slow the attackers down by forcing them to wade through the stolen material to verify what was genuine.

What was going on? Why were groups that had spent years staying out of the public eye now suddenly acting in such an overt fashion? The answer lies partly in a change of motive. Subversion rather than intelligence gathering was the goal of these attacks, and evidence that a foreign power may have been behind them only feeds into the doubt and confusion they cause.

Permanent shift?

Whether the events of the last 12 months signal a long term shift to a more active form of cyber espionage remains to be seen. While recent attacks illustrate the disruptive potential of more overt cyber espionage operations, they arguably also demonstrate their limitations. As seen with the case of the French election, once the element of surprise is removed and politicians and the voting public become more aware of the threat, the potential impact may be lessened.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.


Dick O'Brien, Threat Intel. Comms guy at Symantec Security Response. Racing cyclist. Keen on tech, politics, books, fitness and nutrition.