
Chapter 2 Theoretical Framework

2.5 Technical Discussion and Problems

The technical nature of this subject results in some unique features that require explanation.

When analyzing cyber operations, it is important to understand the various means that are used to complete objectives and how sophisticated operators may differ from amateurs. For amateurs, the goal is often to cause havoc for individual amusement, support a greater cause, or possibly seek monetary gains through illicit means. These operators will often make use of more rudimentary tools, such as various types of malware, or rudimentary methods, such as phishing, to achieve their goals. Phishing is an attempt to obtain sensitive information online by disguising oneself as a trustworthy entity. The more advanced form is known as spear-phishing, where entities attempt to obtain sensitive information from specific targets. It is common for hackers to use false emails or websites to gather this information. In some cases, however, these amateur users may receive more advanced hacking tools from separate entities. For example, this has been an alleged practice of Russian government officers, who have dispersed more advanced tools to the public in order to achieve geopolitical objectives.31 More advanced criminal groups generally operate with the goal of enriching themselves financially, although some nation states will allegedly do the same.32 Often operations involve targeting the personal information of customers of large corporations. Once breached, this data may be sold on the black market. This has occurred frequently in the past decade to major companies such as Target, Yahoo, and Equifax.

29 "Advanced Persistent Threat Groups." FireEye. Accessed March 27, 2018. https://www.fireeye.com/current-threats/apt-groups.html.

30 APT28—A Window Into Russia's Cyber Espionage Operations?. Special Report. FireEye, 2014. https://www2.fireeye.com/apt28.html.

In addition, criminal groups may seek out exploits and design their own hacks, which they may then sell for a profit on the black market.

Nation states will differ from individuals and unaffiliated groups in terms of why and how they engage in cyber operations. For the why, nation states generally have some geopolitical goals that motivate their cyber operations. For example, Russian operatives may want to destabilize unfriendly neighbors or add another layer of plausible deniability to their operations.

On the other hand, United States operatives may directly target specific items for destruction through kinetic means, as was the case in Iran. Generally speaking, the why is simply to pursue national interests. The how is where differences appear. These differences may result from disparities in technical ability, and even cultural factors may affect how separate nations undertake cyber operations.

31 Bumgarner, John and Scott Borg. "Overview by the US-CCU of the Cyber Campaign against Georgia in August of 2008." United States Cyber Consequences Unit, August 2009. http://www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf

32 Cordesman, Anthony H. with the assistance of Charles Ayers. Korean Special, Asymmetric, and Paramilitary Forces. Washington, DC: Center for Strategic and International Studies, 2016. 29. https://csis-prod.s3.amazonaws.com/s3fs-public/publication/160809_Korean_Special_Asymmetric_Paramilitary_Forces.pdf

The United States and its level of technical prowess are difficult to contextualize properly.

One example of this high level of technical ability can be found in the EternalBlue exploit developed by the National Security Agency.33 This exploit, targeting all Microsoft Windows versions prior to 8, was initially used to gather intelligence from targets worldwide. While extremely successful in this mission over the course of roughly five years, it was later stolen and released into the wild. This resulted in the subsequent worldwide spread of the WannaCry virus, which was one of the most disruptive in history. The WannaCry virus was developed using aspects of the EternalBlue exploit to take advantage of vulnerable Microsoft users, although the goal of this virus was largely financial gain rather than gathering information. Another example would be that of Stuxnet, the computer worm that targeted and disabled Iranian centrifuges in a rare kinetic-style attack. As these varied operations show, the United States is far and away the most dangerous and proficient cyber power in the world. Most cyber operations are undertaken by the NSA and involve cutting-edge exploits to gather sensitive intelligence. A common technique used by NSA researchers involves finding zero-day exploits. These are exploits that take advantage of computer-software vulnerabilities that are completely unknown to those who would be interested in fixing them. This includes the software and computer companies themselves, as seen in the earlier example of EternalBlue, where the NSA exploited Microsoft Windows vulnerabilities without notifying Microsoft. United States intelligence gathering is further enhanced by programs such as PRISM and MUSCULAR and alliances such as Five Eyes. PRISM is the much-written-about program wherein the NSA gathers data from various United States internet companies such as Yahoo and Google. However, it should be noted that with PRISM, there are legal processes involved in data collection. MUSCULAR is another data collection program wherein the NSA and British Government Communications Headquarters clandestinely broke into communication links that connect data centers for Yahoo and Google.

33 Nakashima, Ellen, and Craig Timberg. "NSA Officials Worried about the Day Its Potent Hacking Tool Would Get Loose. Then It Did." Washington Post, May 16, 2017. Accessed March 24, 2018. https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.4ec69cfa3812.

MUSCULAR requires no warrants because of its clandestine nature and as a result has collected twice as many data points as PRISM.34 These are only some of the programs that have come to light; it would be unlikely for there not to be other intelligence gathering programs active. Five Eyes is an intelligence alliance composed of Australia, Canada, New Zealand, the United Kingdom, and the United States. It is one of the most comprehensive and successful intelligence gathering alliances in the world, and Five Eyes nations jointly run intelligence gathering programs such as PRISM and MUSCULAR.

In addition to intelligence collection through zero-day exploits, the United States has also shown an ability to engage in kinetic-style attacks when needed. The most famous example of this is found in the Stuxnet worm, previously mentioned. The Stuxnet worm was developed to target Iranian nuclear centrifuges, and ultimately infected hundreds of thousands of computers and caused 1,000 machines to be damaged. The design of the worm itself made use of zero-day exploits; however, its introduction to Iranian computers was likely carried out through an infected USB disk. A computer worm is a self-replicating computer program that may spread to other devices and, once spread, executes commands. In the case of Stuxnet, this was to manipulate centrifuge operating systems and cause direct damage.

34 Gellman, Barton, and Ashkan Soltani. "NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say." Washington Post, October 30, 2013. Accessed March 24, 2018. https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html?utm_term=.12576195b082.

Lastly, the United States likely has its own Advanced Persistent Threats targeting various nations. An Advanced Persistent Threat is a long-term stealth hack, wherein operators work on a normal schedule to discreetly retrieve data from the target. The term itself may refer to traditional espionage or attacks, but it is generally used to refer to long-term intelligence missions.

Targets may range from governments to private businesses. Most current writing refers to Russian- and Chinese-led Advanced Persistent Threats that have been discovered, although it would be hard to discount the strong possibility of United States operators engaging in this approach as well.

Russian approaches to cyber operations have so far differed from United States approaches. This is likely due to separate geopolitical objectives, as well as a historical context that does not separate cyber operations from conventional operations as clearly as its American counterpart does. There are two primary types of operations that have become signatures of Russian intelligence in the past decades. The first has been waging Information War, which in combination with other operations becomes the trademark Hybrid Warfare. Russian operatives are known for manipulating ingoing and outgoing information from target areas along with conventional and irregular combat operations to pursue national interests without attribution and/or retribution. Examples of this approach are common in the past decades, culminating in Ukraine, where Russian forces were able to disguise and muddy available intelligence long enough to establish boots on the ground. The cyber aspect of this Hybrid Warfare owes much to the Soviet legacy of Information Warfare and propaganda. Russian forces use cyber methods such as fake news and other types of subversion through the mass media to influence various populaces. A second important type of operation is the previously mentioned Advanced Persistent Threat. One of the most famous is known as Cozy Bear, or advanced persistent threat APT29. APT29 was implicated in the spear-phishing campaign against the Pentagon in 2015, the Democratic National Committee hacks in 2016, and in attempting to hack into various other government databases.35 Russian APTs, along with Chinese ones, are considered some of the most proficient in the world.

In a cyber landscape that sees security threats growing in number each year, it is more important than ever to pursue adequate defensive measures. The easiest way to see immediate defensive gains is through simple cyber hygiene. This involves frequent internal educational programs and testing for government workers. Developing awareness of what phishing is and why to avoid strange USB sticks or other possibly compromised materials would help the most in the short term. In the medium term, developing a strong defensive cyber posture would help greatly in reducing incursions. This would be the result of multiple factors. Firstly, a more secure network will inherently ward off attack attempts because of the time required to penetrate secure systems; an attacker's time would be better spent pursuing other objectives. Secondly, a more secure network would simply be harder to penetrate if attempts were made. Long-term, accurate attribution of attackers would tip the balance further towards the defender. If hostile operators could be identified and shamed, this would cut down on attempts because there would be an inherent risk associated with hacking. Currently, there is a small element of risk, but attribution technology has not advanced enough to consistently attribute hacks to the hackers in a timely manner.

35 HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Special Report. FireEye, 2015. https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

Attribution is one of the largest problems facing network security experts. There are currently several ways to attribute an attack. One involves analyzing the source data, such as the IP addresses of the attackers or even emails. However, this information can easily be falsified to provide a false trail. Another involves analyzing the actual programming of the malicious software. For example, perhaps the software was written on a Cyrillic keyboard, linking the attacks to Russian operatives. However, again, this is information that could be planted to provide a false trail for forensic analysts. A third option involves analyzing the behavior of the attackers. For example, if the attacker is an Advanced Persistent Threat that consistently operates during regular government business hours in China, it is likely of Chinese origin. Another option involves analyzing what was attacked or what data was taken. Sensitive financial information likely leads to criminal enterprises, whereas sensitive personal information on specific government officials would likely lead to a nation-state actor. Lastly, analysts may consider larger geopolitical factors in attributing hacks. For example, if a regime is currently under harsh sanctions and needs untraceable liquid assets, it may target bitcoin repositories or attempt to find other means of obtaining financial assets. Attribution currently is largely a guessing game and highly speculative, as it is extremely difficult to completely and conclusively attribute attacks. Without conclusive evidence of wrongdoing, it is impossible to punish a transgressor, and without any form of penalty for cyber wrongdoing, attackers will continue to operate with relative impunity. Further, when it is borderline impossible to conclusively attribute certain operations to certain nations, this affects how scholars may analyze security and threat reports.
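The attribution signals listed above, worked through on constructed data as an added example that is not part of the thesis: the behavioral "business hours" test is scored against candidate time zones, and the easily planted artifacts (source IP geolocation, keyboard or language strings) are given deliberately low weight so that a false trail cannot outvote the activity pattern. The event timestamps, zone list and weights are assumptions made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of observed operator actions. All values
# are invented for this example. 2018-03-12 is a Monday; 2018-03-17 a Saturday.
EVENTS_UTC = [
    "2018-03-12T01:15:00", "2018-03-12T03:40:00", "2018-03-12T06:05:00",
    "2018-03-13T02:20:00", "2018-03-13T08:50:00", "2018-03-14T00:30:00",
    "2018-03-14T04:10:00", "2018-03-15T01:55:00", "2018-03-15T07:45:00",
    "2018-03-17T02:00:00",  # weekend activity: outside a regular work week
]

# Candidate operator time zones (assumed UTC offsets, no daylight saving).
CANDIDATE_ZONES = {"UTC+8 (China)": 8, "UTC+3 (Moscow)": 3, "UTC-5 (US East)": -5}
WORK_HOURS = range(9, 18)  # 09:00-17:59 local time

# Artifacts the text warns can be planted: (name, zone they point to, weight).
# Weights are assumed values kept small so spoofable evidence cannot dominate.
WEAK_INDICATORS = [
    ("source IP geolocation", "UTC+3 (Moscow)", 0.15),
    ("Cyrillic strings in the binary", "UTC+3 (Moscow)", 0.15),
]

def business_hours_fraction(events_utc, utc_offset_hours):
    """Fraction of events falling Mon-Fri, 09:00-17:59 in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for stamp in events_utc:
        local = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).astimezone(tz)
        if local.weekday() < 5 and local.hour in WORK_HOURS:
            hits += 1
    return hits / len(events_utc)

def rank_zones(events_utc, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how closely the activity resembles a working week."""
    scores = {name: business_hours_fraction(events_utc, off) for name, off in zones.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def assess(events_utc, weak_indicators=WEAK_INDICATORS, zones=CANDIDATE_ZONES):
    """Combine the behavioral score (weight 0.7) with the weak artifacts.
    Returns (best_zone, scores, note); the note flags a possible false trail
    when every artifact points to a zone whose activity does not fit a work week."""
    scores = {name: 0.7 * business_hours_fraction(events_utc, off) for name, off in zones.items()}
    for _, zone, weight in weak_indicators:
        scores[zone] = scores.get(zone, 0.0) + weight
    best = max(scores, key=scores.get)
    pointed_to = {zone for _, zone, _ in weak_indicators}
    note = "consistent"
    if pointed_to and best not in pointed_to:
        note = "artifacts disagree with activity pattern: possible false trail"
    return best, scores, note
```

Any verdict this produces is still the "highly speculative" estimate the text describes; the value of the scoring is in exposing when the cheap-to-fake signals and the behavioral signal point in different directions.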