
Nation State Threat Actors and Advanced Persistent Threats

This paper serves multiple purposes, revolving chiefly around nation state threat actors, and their usage of advanced persistent threats while executing their attacks on targets. We found this topic fascinating because of the unique nature of nation state threat actors when compared to the other threat actors that are commonly identified.

First of all, nation state threat actors have a large variety of different aims, ranging from surveillance and espionage to hostile takeovers and the ability to wreak havoc on the infrastructure of opposing nations. Additionally, they can also perform attacks on commercial interests that might not align with their own, or which hold information that they deem valuable. In this report, we will be outlining in greater detail how these motivations shape the goals of nation state threat actors, and will discuss the examples that are publicly known of nation state threat actors performing attacks. From this discussion with examples, we hope to give the reader a better grasp of the reasons why attacks like this are performed.

Because of these unique goals, and the large budgets that they have at their disposal, nation state threat actors have also built many unique tools and weapons. Naturally, the majority of these are heavily classified, but some of this information has been released or leaked to the public. In our report, we will outline some of these weapons, to give the reader context on the abilities of nation state threat actors that we know of.

Finally, we will discuss how, given the information we know, we believe that the future will be shaped by nation state threat actors. Though much still remains classified, and likely will remain classified, we are still able to attempt to look at how our nation states’ cyber policies will change and evolve.

Background

In order to understand the unique attributes of nation state threat actors, we first need to develop a broad understanding of what a threat actor is. At a basic level, threat actors are “groups or individuals who, with malicious intent, aim to exploit weaknesses in an information system or exploit its operators to gain unauthorized access to or otherwise affect victims’ data, devices, systems, and networks, including the authenticity of the information that flows to and from them.” This is a very broad definition, but it needs to be broad because of the wide variety of attackers and attack surfaces that individuals, companies, and nation states face constantly.

In order to better understand the different types of threat actors, they are commonly divided into six categories. These categories are delimited primarily by motivation, but motivation also tends to be reflected in each group's methods and choice of targets.

Cybercriminals are among the most common threats that a given information system faces. They are primarily financially motivated, selecting their targets and methods to maximize their income while minimizing their expenses and likelihood of arrest or imprisonment. Since there are so many of them, the sophistication of a cybercriminal attack can vary widely depending on the ability of the specific threat actor. However, the typical cybercriminal attack will not be an exotic 0-day exploit requiring specialized knowledge and months of preparation, but will instead target vulnerable populations with known but still successful attacks.

Moving on from cybercriminals, hacktivists and terrorist groups are primarily motivated by ideology, with the primary differentiator between them being that terrorist groups are inherently accepting of violence to seek their ends. However, since these groups are not specifically dedicated to performing cyber crimes, their attacks tend to be lower in sophistication, relying on widely available tools that require little technical skill to deploy. Thrill-seekers, another threat actor category, are defined by their name, and will attack targets for personal satisfaction, and simply to show that they can. Though their motivations are different from the hacktivists and terrorist groups, they usually attack with similar levels of sophistication, and rarely inflict lasting physical or financial damage on their targets.

Insider threats are somewhat different from other threat actors because they are defined mostly by their position, instead of by their motivation. They are individuals who work within an organization and have some level of privileged access, which they intend to use to cause harm to that organization. Sometimes this threat actor may overlap with one of the other groups, for instance if a cybercriminal uses their insider access to steal customer information or trade secrets for profit. Other times, it may be a disgruntled employee, taking revenge against a layoff or firing.

Finally, nation state threat actors are primarily motivated by geopolitical aims, such as the takeover of a country or disruption of some or all of its internal infrastructure such as an electrical grid or GPS infrastructure. They are differentiated by the vast resources at their disposal. Because they operate with the blessing of a nation state, they can take advantage of much greater amounts of funding, and have access to more talent because their work is legal within their own country. Sometimes nation states will also have cooperative relationships with private sector entities, or even organized criminals, furthering their reach and allowing them to produce some of the most sophisticated and dangerous cyber threats.

Global Impact

Nation state threat actors have a multitude of ways in which they target their adversaries, with each attack leaving a lasting impact on the world at large. Whether it be in a cyberwar between two or more nations at war, or simply one actor electing to target its opposition unprovoked, there have been numerous instances of such attacks over the years. In this section, the authors will disclose information regarding some of these incidents as well as share the pivotal overarching global impacts.

In February 2022, the Russo-Ukrainian war escalated sharply as Russian troops launched a full-scale invasion of Ukraine. Large numbers of troops on the ground were involved in physical conflict, with unrest beginning as early as 2014. Beyond troop engagements, hybrid warfare incorporating cyberwar has been used heavily by both Russia and Ukraine in their operations. In 2015 and 2016, Russia successfully attacked the Ukrainian power grid in what was the first known successful cyber attack on a power grid. In retaliation, Ukraine orchestrated the Surkov Leaks in 2016, which released thousands of emails related to Russian plans for the annexation of Crimea and for instigating unrest in Donbas, Ukraine. The following year, in 2017, the Mass hacker supply-chain attack was carried out by Russia against Ukraine; it was said to be the largest known cyber attack at the time.

Armed with the knowledge of these attacks, it is possible to deduce their lasting global impacts. In certain attacks carried out by Russia or Ukraine, websites, energy services, telecommunication service providers, and banks were targeted. Globally, this means that stronger security for these critical systems is now a necessity. Even a country currently at peace can be attacked at a moment’s notice by an adversary with an internet connection, so it is crucial to maintain system integrity at all times.

The chief motivator behind most attacks is the gathering of information. Knowing this, countries and large technology companies can take measures to protect their most important classified data through encryption. Ensuring that company-wide security controls and password policies meet proper standards is another way to protect this sort of data.

OPE (Operational Preparation of the Environment) attacks are another attractive option for nation state threat actors. These attacks are carried out preemptively to give a nation an advantage in an ensuing conflict, whether it comes next week or years down the line. It can be described as akin to installing a “kill switch” in a house’s power supply, giving the installer the opportunity to turn out the lights whenever he or she desires. Detecting these sorts of intrusions is critical to mitigating their possible consequences.

Politics are another key area that has been impacted by nation state threat actors. For instance, a hacktivist group known as Black Reward infiltrated Iranian email systems and hijacked a few thousand emails. The group offered Iran a deal in exchange for the information: release the currently imprisoned protestors, or the emails would be released to the world. These sorts of attacks may become increasingly common in the coming years, as different nations pursue different political agendas. Countries may view nation state threat actors as an effective avenue through which to gain a political edge, which has a massive impact on the world as a whole.

A final impact seen from nation state threat actors is the way in which they level the proverbial playing field across the globe. In the past, large first world nations were only truly threatened by other world powers. These countries possess enormous military resources, both personnel and infrastructure, that allow them to operate far more efficiently and effectively than smaller nations without such large budgets. Now, though, a smaller country can simply gain access to the internet and potentially launch a full scale attack on a bigger rival country. This is the “great equalizer” and can instill confidence in these smaller countries that they are no longer defenseless if a first world country tries to attack.

Threat Actors Targeting the Commercial Industry

In January 2010, Google decided to stop censoring the search results on its Chinese service, google.cn. This happened after Google observed a highly advanced attack against its systems, which it believed was carried out by, or at least sponsored by, the Chinese government. This attack became known as Operation Aurora. A McAfee report about the operation reveals how exactly the attack was carried out. The first step was a targeted phishing technique known as spear-phishing. Spear phishers select their target and research them extensively, aiming to learn the company they work for, their colleagues, and sometimes the projects they are working on.

Once they have that information, they construct an email that seems authentic, pretending to be one of the people the target normally interacts with. The email contains a link, and clicking the link kickstarts the attack.

After clicking the link, the targeted Google employee would be sent to a Taiwanese website hosting a malicious JavaScript payload that contained an Internet Explorer exploit. The exploit allowed the attackers to set up a backdoor that connected back to command-and-control servers in Taiwan, giving them access to internal systems.

Further investigation showed that the attackers were also after intellectual property, which could include trademarks, copyrights, trade secrets, and even source code. Google attributed the attack to China and reported that the Gmail accounts of Chinese human rights activists were also targeted. Apart from Google, numerous other companies such as Adobe, Yahoo, and Rackspace were also hit by the attack. Before Operation Aurora, non-defense commercial businesses had never been known to face that level of sophisticated attack. Since then, there have been several attacks on commercial businesses showing that they, too, have become targets of nation-state actors.

Threat Actor Tools

The most distinctive feature that separates nation-state actors from regular hackers is the amount of research and sophistication that goes into their hacking tools and how complicated their exploits can be. Leaked documents from the NSA’s ANT catalog reveal some of them.

QuantumInsert is an exploit that can be useful when trying to access machines that can’t be reached through methods like phishing. It is a man-in-the-middle attack that is carried out when the attacker has access to the target’s network traffic. The attacker may have cloned a website and then simply waits for the victim to make a connection to the authentic website. After a page request is sent out by the victim, the attacker tries to send a response faster than the real website. By inserting a packet with matching identification, the attacker causes the victim’s browser to accept it as a legitimate response to the request. The response may carry a malicious payload that then infects the victim.
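Because the injected response races the real one, a network monitor sees two server segments for the same flow with the same sequence and acknowledgement numbers but different payloads, the second arriving shortly after the first. The following added example (not code from the paper or from any leaked material) shows that detection logic over constructed segment records; the simplified `Segment` record and the sample traffic are assumptions standing in for what a packet capture would supply.

```python
"""Detect QuantumInsert-style packet injection from TCP segment records.
Added example. A real deployment would feed Segment records from a pcap
or IDS; here the records are constructed inline so the script runs offline.
Detection idea: the injected response and the real server's response both
answer the same client request, so they share (flow, seq, ack) but carry
different payloads. Retransmissions repeat an identical payload and are
ignored."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    ttl: int         # IP TTL; an injector often sits at a different hop distance
    payload: bytes


def flow_key(s: Segment):
    return (s.src, s.sport, s.dst, s.dport)


def find_injections(segments, window=2.0):
    """Return (earlier, later) pairs of segments on the same flow that reuse
    the same seq/ack within `window` seconds but carry different payloads."""
    seen = defaultdict(list)  # (flow, seq, ack) -> segments already observed
    hits = []
    for s in sorted(segments, key=lambda x: x.ts):
        key = (flow_key(s), s.seq, s.ack)
        prior = seen[key]
        # Identical payload to something already seen: a plain retransmission.
        if not any(p.payload == s.payload for p in prior):
            hits.extend((p, s) for p in prior if s.ts - p.ts <= window)
        prior.append(s)
    return hits


# Constructed sample: client 10.0.0.5 requests a page from 203.0.113.10:80.
# Two "responses" claim the same seq/ack; the first arrives 40 ms earlier,
# carries a different body, and has a TTL that does not match the server's.
SAMPLE = [
    Segment(0.000, "10.0.0.5", 51000, "203.0.113.10", 80, 1000, 5000, 64,
            b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(0.010, "203.0.113.10", 80, "10.0.0.5", 51000, 5000, 1038, 128,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment(0.050, "203.0.113.10", 80, "10.0.0.5", 51000, 5000, 1038, 52,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # Benign retransmission of the real response: identical payload, not flagged.
    Segment(0.300, "203.0.113.10", 80, "10.0.0.5", 51000, 5000, 1038, 52,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]


def describe(hits):
    return [f"{a.src}:{a.sport}->{a.dst}:{a.dport} seq={a.seq} "
            f"ttl {a.ttl} vs {b.ttl}, dt={b.ts - a.ts:.3f}s" for a, b in hits]


if __name__ == "__main__":
    for line in describe(find_injections(SAMPLE)):
        print("possible injection:", line)
```

On the sample this reports one pair: the 302 response that arrived first against the genuine 200 response, while the later retransmission is ignored.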

Dropoutjeep was an exploit revealed in the leaked NSA documents that acted as a backdoor to the iPhone. Dropoutjeep is a software implant developed in 2008 that could target Apple iPhones, allowing the attackers to access their target’s contact lists, messages, voicemails, location, camera, and microphone. It also allowed the attacker to push files onto the target’s device, all of which could be done remotely. At the time of the leaks, the documents stated that this implant could be installed using “close-access” methods, but that research to allow remote installation was underway.

Candygram is another NSA tool developed in 2008 that is able to mimic a network’s cell tower. The target is any cell phone that enters its base station’s range. As cell phones send off radio signals, they are intercepted by Candygram and registered. It is mostly used when the attacker is tracking a target’s movements and location. This tool can be used and erased remotely.

All these exploits were created more than a decade ago. With 14 years’ worth of technological advancements and research, nation-state actors throughout the world likely have access to more complex and sophisticated tools than what is known to the public.

The Future

The future of nation state threat actors is largely speculative in nature, with attack trends often difficult to predict before they actually take place. Using past behavior to anticipate what nation state threat actors will do in subsequent years is one approach to making such predictions. In this section, the authors will analyze past incidents involving nation state threat actors and seek to pinpoint how these instances may shape the future of threat actor attacks.

Preparation for conflict is one major development caused by nation state threat actors, both currently and into the future. In 2007, several cyberattacks targeted Estonian websites, including those of its parliament, financial institutions, newspapers, and ministries. Around that time, Estonia and Russia had disagreed about the relocation of a Soviet-era grave marker. This led to Russia being presumed, and later confirmed, to be the attacker. In the years since, Estonia has strongly bolstered its cybersecurity in an effort to reduce or eliminate future attacks. Other countries that experience the negative impacts of nation state threat actors will seek to do the same in future years, as they experience the ill effects for themselves. A strong emphasis on cybersecurity practices is a key development to watch for moving forward.

Another future trend in nation state threat actor attacks is the targeting of private citizens. Tools used by nation state threat actors, discussed earlier in this paper, “have been observed targeting dissidents, human rights defenders, journalists, and other private citizens.” These sorts of attacks bring into question the safety of high-profile individuals worldwide, whether they be government officials, entertainers, or scholars. Nations attacking a specific individual to acquire information will become increasingly common following the success of such attacks on private citizens.

This also raises a concern involving the tradeoffs between user privacy and user security. In upcoming years, large technology companies may face increased pressure to protect user data and to collect only authorized information. At the same time, in order to protect their consumers, it may be necessary to collect more information from users. Finding the right balance between user privacy and cybersecurity will be a main point of focus for companies and countries in the future.

On the more speculative front, experts expect certain trends to take shape beginning in 2022 and onward. Artificial intelligence, used both by attackers and for preventative measures, will be further utilized as machine learning gains exposure and continues improving. Certain forms of nation state threat actor activity, such as software supply chain attacks, will also become more common. Specifically, ransomware attacks tripled from 2020 to 2021, and should see further notoriety moving forward as adversaries uncover the advantages of ransomware.

Advanced persistent threats are another wide ranging area that have grown and developed in recent years. Experts predict a rise in “mobile devices exposed to wide, sophisticated attacks.” In 2021, more zero-day attacks occurred on iOS than ever before, and this trend is expected to continue into 2022 and beyond. In general, the user does not have the option to install a security package on iOS, which opens the door for easy opportunities for APTs.

A second advanced persistent threat increase will stem from the recent influx of employees working from home. Cybercriminals leverage unprotected home computers used by remotely working employees in order to penetrate their respective corporate networks. Specific APT types expected to be on the rise are social engineering designed to steal credentials and brute-force attacks in an effort to access weakly protected servers.

Finally, a cascade of advanced persistent threats against outsourced services and cloud environments has arisen since the early 2020s and, according to experts, will continue in future years. Cloud computing and microservice-based software architectures running on third-party services are more susceptible to attack, making companies deploying these strategies optimal targets for advanced persistent threats in the coming years.

Overall, the explosive growth of technology in recent years has led to innovative products around the world. This increased period of innovation also increases the possibility of threats, whether they be nation state threat actors or advanced persistent threats. The future is difficult to predict, but one certainty is that cybersecurity will remain a vital practice into the future as these threats manifest themselves.

Closing Remarks

As explored throughout this work, nation state actors often represent the cutting edge of what is possible. With the resources of a nation state behind them, malware creators are able to design, develop, and deploy advanced persistent threats unseen among other threat actors, capable of bypassing even the most sophisticated defenses. However, one needs to ask: why does this matter to the average citizen of a nation state?

The root of this topic’s importance lies in the way that we have, as a society, made the internet a key part of our daily existence. This extends beyond just the smartphones in our pockets or the computers on our desks. New Internet of Things devices are released every day, ranging from doorbells and security cameras to smart fridges and even smart toasters. Though they offer some convenience to users, they can also be harnessed by nation state threat actors to create massive DDoS attacks on scales never seen before, crippling critical infrastructure such as electrical grids or ISPs in a difficult-to-trace manner. Not only as consumers, but also as citizens of nation states, it is important to be aware that poor cybersecurity habits, such as using insecure protocols on a Wi-Fi network, reusing the same password across many accounts, or not updating the firmware on IoT devices, can cause not only monetary damage, but also damage to your country or other countries.

In addition, it is important that we are aware of the danger of cyber attacks from other countries while we exercise our political right to vote. The nature of cyber warfare means that relatively small nation states can still present a threat to larger ones, because of their ability to create malware and attack the relatively large attack surfaces of public infrastructure. For citizens of the United States, it is important that we vote to keep public IT infrastructure well maintained, because, though it may be less visible than the roads we drive on or the public services we take advantage of, the possible cost of not maintaining it vastly outweighs the cost of proper maintenance.

In conclusion, we hope that this work will broaden the viewpoint of the reader to clearly see how nation state threat actors shape the modern geopolitical landscape, at both the macro and micro levels. With this knowledge, we hope to enable more informed daily choices, whether it be in regards to personal cybersecurity decision making, or the exercising of the right to vote, among other civic duties.
