A new breed of cyber privateer is on the horizon
We've seen an increase in nation-states contracting private companies to accomplish hacking operations and intelligence gathering. These groups operate with incredible sophistication, while enjoying a cloak of semi-protected "status" for their malicious activities.
Private sector be warned
The proliferation of these companies globally has dramatically increased the threat to the private sector, while at the same time decreasing the security community’s ability to prescribe attribution and motives to an action.
Every major player uses private corporations to augment their capabilities
Russia and China outsource wholesale hacking operations to individual groups and companies. The FVEY community tends to part out their contracts in a narrow fashion, while emergent players such as the United Arab Emirates use companies to provide the backbone of their operations.
In addition to their government services, these companies contract with, and provide services to, other clients. To do otherwise would greatly devalue the plausible deniability that is one of the major benefits of outsourcing.
Countries outsource operations to:
- Rapidly expand capabilities in a short period
- Increase plausible deniability of actions
- Mitigate risk of detection
- Gain technical expertise that they cannot recruit directly into the government
- Decrease overall operational costs
Let's talk China
The Chinese are notorious for using cutouts and sympathetic agents to collect information on their behalf. In 2014, Su Bin was arrested and subsequently sentenced to 5 years in jail due to industrial espionage against Lockheed and Boeing. Despite the obvious military application of this collection, Su worked for a private company in China and confessed to doing it for purposes of economic gain.
This method, long used by Chinese human intelligence operators has transferred over into the cyber arena.
Despite having a significant indigenous military capability, the Strategic Support Force which is viewed in China as an independent military service (the combination of USCC and NSA in the United States) to conduct cyber espionage. The human intelligence collectors got into the game and transferred their craft to technical collection.
BoyuSec of Guangdong
The use of private companies such as BoyuSec out of Guangdong allows for a human centric agency, the Ministry of State Security (MSS), to gain significant technical expertise while maintaining plausible deniability.
Demonstrating the significant advantage of outsourcing
Even though the private security industry has been tracking Chinese intrusion activity into governments and corporations globally for the better part of a decade, only PLA hacking units have been attributed to intrusions. Chinese APT groups that align with MSS goals and targets have been caught and identified, but they have never been attributed. This demonstrates the significant advantage outsourcing has over indigenous capabilities, especially for organizations that have a significant risk, should they be exposed.
A cottage industry of legitimized hackers for hire
Now, we are experiencing a new shift in these activities. BoyuSec and others like them are expanding their entrepreneurial activities by contracting with private companies. Given their relationship with government, these companies likely have tacit permission to operate against foreign entities as long as the activity doesn’t produce significant issues for the government. That tacit permission is promoting the growth of a vibrant, cottage industry of legitimized hackers for hire. No longer do companies need to go to the Dark Web to gain an unfair advantage over their competition. Furthermore, the capabilities that were once indicative of a Nation-State actor are now an affordable commodity for the private sector.
This additional contracting work, blurring the lines between nation-state and for profit, also creates significant problems for security, attribution, and international norms.
- Security - The time and money required to find, develop, and build exploits and malware against specific hard systems is the main deterrent for the legions of criminal actors. The payoff for less sophisticated more generalized capabilities far outweighs the potential payoff of finding an exploit for a specialized system. In this way, State-backed companies have an inverted incentive model. If they cannot find a way to crack sophisticated systems, they lose lucrative contracts and may wind up in jail for their efforts. This means that there is an ever-increasing pool of highly talented and sophisticated hackers going after increasingly unique systems. The proliferation of activity, which used to be the dominion of intelligence agencies, means that third parties who contract with these companies are getting access to significant capabilities that didn’t exist in the market two or three years ago, to be unleashed against competitors, activists, and even other countries.
- Attribution - Tying digital activity to a person and organization has always been a significant challenge. Even when the perpetrators are uniformed military members operating from a military base it takes years to gain enough circumstantial evidence to connect the online activity to real people. In a world where more and more state-sponsored activity is being conducted by corporations, attribution gets even more difficult. In the past, if military members hacked a system, the assumption generally held that they were acting on behalf of the state. With private corporations that cater to both states and companies, targeting now cannot be used as a reliable indicator of attribution. Is the Chinese company BoyuSec which works with both the Chinese government and Commercial IT firms hacking US companies for the Chinese government or a competitor? Is it evidence that China is breaking the Xi-Obama accord, or is it simply a case of competitive intelligence and cybercrime that must be dealt with bilaterally between the FBI and Ministry of Public Security in China?
- International Norms - The use of private companies to conduct state operations greatly reduces the efficacy of international norms. If companies become the primary purveyor of hacking, enforcement of norms becomes almost impossible due to the attribution problem described above. A country must prove that a company is working on behalf of the state and then have evidence that an action was taken at the behest of the state vice some other client before any retaliatory action can be taken. This undermines the headway that has been created over the last several years regarding intellectual property theft, the Wassenaar Agreement, the UNGGE, and other international forums.
Over the course of 2017, the Cybereason Threat Intel team will be releasing a research series discussing the changing capabilities of this market, the major state actors encouraging this behavior, and the implications for defending the private sector against this new breed of cyber privateer.