Iran and North Korea: The new kids on the (cyber-warfare) block

News by Doug Drinkwater

North Korea and Iran are the new players among at least 39 with military cyber-space operations, according to a new report.

In its 77-page ‘Global Threat Intel' report published on Tuesday, US-based security firm CrowdStrike detailed everything from increasing cyber-espionage and the rise of sophisticated ransomware to Lizard Squad, cyber-enabled warfare and Chinese, Russian and Iranian threat actors.

On the latter, the report, perhaps unsurprisingly, came to the conclusion that China and Russia are the most sophisticated as far as cyber-operations are concerned.

“China-based adversaries continued to be the most prolific in the targeted intrusion space, but public reporting on a number of actors linked to Iran and Russia show the breadth of the threat from targeted intrusion operators.

“China is, by now, well known for conducting cyber-espionage campaigns focused on accessing intelligence about intellectual property, mergers and acquisitions, and technologies highlighted in its Five-Year plans. Targeting these technologies and strategic business information allow its domestic companies to rapidly make “leap frog” developments, and to benefit from favourable bargaining positions, thus elevating them to become global leaders.”

The report further notes: “This behaviour is expected to continue in 2015, as will continued targeting of foreign government entities in an attempt to access information related to the global strategy and plans of these countries.”

CrowdStrike says that there are now as many as 39 state-sponsored and nationalist adversaries carrying out this kind of surveillance, and adds that countries are beginning to see the value of “collecting intelligence in the information domain”.

China is allegedly putting this intelligence to good effect, even watching Russia because it is working closely with Putin.

“One of the primary reasons for this increase in Russian targeting by China-based adversaries is likely that ties between China and Russia have recently been growing stronger,” it reads, citing the £262 million (US$ 400 million Russia gas deal,  the construction of a bridge between the countries and the use of a part of eastern Russia. They also revealed a plan to set up GPS ground stations in each other's countries.

Russia is not far behind with targeted campaigns such as Energetic Bear, Fancy Bear and Venomous Bear, while Iran and North Korea are expected to close the gap in the years to come.

Considering what could happen in the coming year, researchers at the endpoint protection firm said of North Korea's activity: “CrowdStrike Intelligence predicted that North Korea might use its cyber-operations to project power during 2014. That prediction came to fruition when a North Korean adversary attacked Sony because of one of the studio's movies that North Korea perceived as an act of war.”

Iran ‘spied' on UK and US

Iran is also being closely watched. The country signed the delayed Joint Plan of Action (JPOA) agreement with an intergovernmental negotiation body consisting of China, France, Russia, UK, US and Germany, to reduce its stockpile of enriched uranium.

“The JPOA could be a driver or tipping point for future cyber-attacks by Iran against western targets. Iran has publicly noted the understanding that negotiations can be influenced and has demonstrated historically that it is willing (and has capabilities) to conduct cyber-operations to influence negotiations if it sees fit to do so.”

CrowdStrike notes that there is speculation Iran launched retaliation attacks after an APT attack in 2012, while it says that “recent open-source activities in the Iranian underground suggest Iran may be attempting to structure or resource for possible future cyber-operations.

“There have been visibility changes with regard to information surrounding Iranian hackers, as well as forums and websites. Popular forums for Iranian hackers ISCN and Shabgard have been shut down and are no longer publicly accessible. Despite the shutdowns, there will likely be little change to the communication occurring between affiliated hackers in closed communications pathways. The closing of these forums could be in anticipation of future malicious activity and a desire to decrease the public profile of individuals in the Iranian underground.”

Researchers cited ‘Rocket Kitten', ‘Flying Kitten' and ‘Charming Kitten' campaigns targeting western governments and companies in 2014, and expect more in the coming year.

“The motivation to attack such targets will only increase during 2015. However, should the process around the JPOA and CPOA take a turn that Iran perceives as disadvantageous, the motivation will likely greatly increase. Recent revelations indicate that Rocket Kitten may have, in fact, targeted the JPOA negotiations using spear phishing that may have targeted diplomats involved in the meetings”.

This declaration came only hours before The Intercept reported that Iran has been learning from western hacking techniques, specifically those employed by the NSA.

More generally, CrowdStrike sees cyber having a greater impact on world conflicts.

“Last year's report included cyber-spill over as something to look for in 2014, and it will be equally as important in 2015. Increasingly, real-world physical conflicts are carrying with them associated cyber-components. Sometimes the related cyber-operations are carried out by entities directly engaged in the conflict, and other times entities not directly involved will engage in cyber-operations in an attempt to support one side or the other.

Raj Samani, VP and EMEA CTO at Intel Security (formerly McAfee), told that cyber-enabled is not overly new as a concept.

“The reality is this whole concept of cyber-warfare – or the use of cyber as being part of warfare- isn't new, it's been used as a precursor in conjunction with traditional warfare for years,” he said.

He added, however, that cyber was increasingly becoming the fourth element after land, sea, and air. “This is the transition and evolution of crime and espionage.”

Even those without cyber-capabilities have opportunities, says Samani, who last week spoke to one government official who said that there are 20 to 30 hacking groups with nation-state capabilities, available to hire.

Speaking on Iran's capabilities, he said that the US government had grown concerned about the country's "beefed up" security after Stuxnet and said that cyber is an altogether easier – and less expensive -  method of doing battle. “This really is key point, when you start to consider land, area, sea, cyber is increasingly more cost effective.

He adds: “The other key point is that attribution is particularly difficult when you start to consider cyber."

Attribution, he said, could only be ascertained after reviewing the systems impacted, systems used in the attack and interviewing the culprits. Citing FireEye's recent report on Skype hackers stealing Syrian battle plans, he said that there was no clear evidence who was behind the attack, which would be tricky anyway given how easy it would be for attackers to put down ‘false flags'.

Jason Steer, director of security strategy at FireEye EMEA, added that all countries were seeing the benefit of gathering intelligence.

“I think we can say that any country with an internet link is now using cyber as an opportunity to gather extra intel on citizens of interest, enemies and friends as well….cyber is just an extension of the intelligence gathering that they have done for many years in other channels.  Not using cyber would put them at a disadvantage frankly.”

“The opportunities are  endless. Information gathering is inevitable via computers and mobile phones given we use them for all aspects of our lives now.”

The report also highlighted:

  • There is a growing use of Dyreza and Dridex (Bugat) malware families ever since the take-down of the Gameover Zeus and Shylock botnets.
  • Ransomware continues to become more sophisticated, with  Dridex P2P more resilient as one example. The findings chime with Cisco's latest report on CryptoWall 3.0.
  • Cyber-criminals are targeting third-party services like DNS providers and are increasingly reliant on sandbox-aware malware. They're skilled too – with C# and Python scripting languages more in use.
  • Lizard Squad has “poor" security practices” which allowed CrowdStrike to easily provide attribution on possible members of the group. As the group often rents botnets and runs booters, the firm says that this is confirmation their skill level is “relatively low”.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews