Strategic Cybersecurity, Module 6: Adversaries and APTs.
This lecture explains who are the United States’ adversaries in cyberspace (Russia, China, Iran, and North Korea) and their varying offensive cyber capabilities to effect various outcomes. The module also introduces the idea of Advanced Persistent Threats (APTs), which is how countries organize their capabilities to conduct cyber attacks.
Once you have completed the readings, lecture, activity, and assessment, you will be able to:
- Define the term Advanced Persistent Threat (APT).
- List the four major cyber adversaries of the United States.
Is our country under siege? Many intelligence experts would agree that, indeed, we are, given the evidence of Russian interference in the 2016 presidential election and U.S. multinational corporations making weekly revelations of breaches into their computer networks.
In May 2017, Daniel Coats, Director of National Intelligence, testified to the U.S. Senate Intelligence Committee that our adversaries are becoming more adept at using cyberspace to threaten our interests and advance their own.
And despite improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years. Cyber threats are already challenging public trust and confidence in global institutions, governance, and norms, while imposing costs on the U.S. and global economies, and our adversaries remain undeterred from conducting reconnaissance, espionage, influence, and even attacks in cyberspace.
Who are these adversaries whom Coats and others speak of? Most intelligence analysts following the cyber threat landscape will tell you that our most formidable nation-state adversaries are Russia, China, Iran, and North Korea. In fact, Director Coats listed these same four countries as our primary cyber foes after the remarks to the Senate Committee just mentioned.
Each of these adversaries has various offensive cyber capabilities to effect various outcomes.
Russia possesses a multitude of cyber tools but seems to focus largely on information operations. Information operations encompass various techniques of deception and psychological operations, such as the dissemination of propaganda or fake news, to disrupt the ability of one's adversaries to make logical and informed decisions.
China, on the other hand, tends to use its cyber capabilities to commit espionage or the theft of information from governmental or corporate databases. China often focuses on stealing information that can be used for economic or military advantage.
However, Director Coats has noted that Beijing has also selectively used offensive cyber operations against foreign targets that it believes threaten Chinese domestic stability or regime legitimacy. You may recall from a prior module's reading Rosenzweig's discussion of the Chinese intrusion set Ghostnet.
Ghostnet is believed to be malware engineered by China to spy on computers used by the Dalai Lama. China fears that the Dalai Lama could stoke massive insurrection within Tibet, which China considers one of its provinces.
Although Iran is currently not as capable as Russia or China in terms of cyber capabilities, the country is quickly catching up.
Iran suffered under strict economic sanctions for many years that prevented its purchase of advanced computing technology. However, the sanctions regime ended in January 2016. Iran is now free to import advanced computers, leading many experts to believe that the country can make enormous strides in its capability to conduct cyber attacks.
One area of particular interest to Iran seems to be breaching adversaries' industrial control systems. This is likely due to the country's own victimization by the Stuxnet worm, which affected an industrial control system operating uranium centrifuges at one of its nuclear facilities.
In fact, Director Coats noted that in 2013 an Iranian hacker conducted an intrusion into the industrial control system of a U.S. dam.
Of the four U.S. adversaries noted in this module, North Korea is likely the adversary with the least cyber capability, although the country has managed to wreak havoc on several U.S. corporations. In 2014, North Korea launched a devastating cyber attack against Sony Pictures after warning Sony not to release the motion picture comedy The Interview, which was highly critical of North Korea's leader.
Unlike Russia, China, and, to a certain extent, Iran, North Korea employs its capabilities to gain respect from the international community.
Because the country has been largely marginalized by the international community, its cyber capabilities allow North Korea to punch above its weight.
Advanced Persistent Threat
How do these countries organize their capabilities to conduct cyber attacks? In many cases, especially with regard to China and Russia, countries organize their efforts via an Advanced Persistent Threat, or APT.
Recall the various intrusion sets from Rosenzweig's Chapter 3: “Titan Rain,” “Byzantine Hades,” “Byzantine Candor,” Operations “Shady RAT” and “Night Dragon,” as well as others.
Countries often will organize an effort to steal a certain type of information or disrupt a certain capability into an APT. Depending on the size of the effort, dozens or even hundreds of computer experts may be found in the same office building, all with the same express mission.
As an example, Rosenzweig mentions that the APT known as Byzantine Hades may have stolen designs of the F-35, America's newest fighter jet, from the contractor who was building the plane.
This theft of advanced military technology from the United States makes perfect sense, given that China is rapidly trying to reach military parity with our country.
This module should have provided you with a good idea of who our adversaries in cyberspace are and how they are organized. The next module will turn to the problems that an open system such as the Internet creates for sovereign nations that want to restrict the flow of information into their borders.
Quiz Question 1: Which of the following nation-states was not listed by the director of U.S. National Intelligence, Daniel Coats, to be among our most formidable nation-state adversaries?
E: North Korea.
The answer is A: Afghanistan.
Quiz Question 2: Which of the following best describes an Advanced Persistent Threat (APT)?
A: a highly organized, continuous process of computer hacking, often orchestrated by a nation-state or highly-sophisticated criminal entity, and with the purpose of targeting a specific type of information or person for exploitation.
B: a type of malware that is able to take mirror images of specific computer networks.
C: a type of logic bomb invented by the U.S. military.
D: a strategic threat posed by one of the United States' major adversaries, with the potential to disrupt the majority of industrial production in the country.
The answer is A: a highly organized, continuous process of computer hacking, often orchestrated by a nation-state or highly-sophisticated criminal entity, and with the purpose of targeting a specific type of information or person for exploitation.
The activity for this module asks that you locate a map of the world. Indicate where the United States' four most formidable nation-state adversaries are located, and next to each, provide a text description or illustration of how each most typically uses its cyber capabilities.