Identifying the guilty: tying nation states to cyber espionage

Summary:  It’s the cycle of our time. Cyberattack on us. The government points a finger, without evidence and encumbered by its history of lies (and of committing similar deeds).  Today cyber intelligence analyst Emilio Iasiello explains why attribution is so important yet so difficult to do.  (2nd of 2 posts today.)

“Attempt the end and never stand to doubt;
Nothing’s so hard but search will find it out.”

— Robert Herrick, “Hesperides” (1648).

Tying Nation States to Cyber Espionage

By Emilio Iasiello. From DarkMatters, 3 March 2015
Providing superior attack intelligence.
Posted with their gracious permission.
Cyber espionage is a significant contributor to what then Director of the National Security Agency Keith Alexander termed “the greatest transfer of wealth in history.”

While 2014 marked some of the more sensationalized breaches committed by cyber criminals, espionage actors continued to demonstrate their prowess by targeting a wide variety of sectors in support of information theft. Yet, as more cyber espionage campaigns have come to light, there is a growing body of evidence to suggest that part of this actor set is composed of enterprising independent contractors looking to monetize their efforts, rather than being directed by or working directly for a foreign government.

The case of Su Bin articulates why this new “as-a-service” model could potentially provide an opportunity for miscalculation and error, thereby impacting governments from developing appropriate response actions.

Attribution in Cyberspace is Difficult at Best

There are several attribution difficulties in cyberspace due to the dynamic landscape and multitude of complicated techniques and insecure infrastructure that can be leveraged to obfuscate or misdirect the attacker’s origin, as well as identity. Many of these have been captured in several 2014 publications by respected experts in the cyber field.

Jeffrey Carr cites over-reliance on technical analysis, such as signals intelligence, without the benefit of corroborating and independent intelligence sources (such as human intelligence) as one factor degrading the fidelity of attribution efforts. Carr quotes notable senior government officials and security experts who incorrectly assert that attribution can easily be established through trace-back techniques and digital forensics.

In a December 2014 article in Journal of Strategic Studies, Thomas Rid and Ben Buchanan acknowledge that attribution in cyberspace is a slow evolution, with many conflicting opinions by experts and government officials.  The authors conclude that, “on a technical level… there is no one recipe for correct attribution, no one methodology or flow-chart or check-list.”

Indeed, it would seem fairly easy for a state government to send a team to operate out of a different country, using keyboards of another language, and malware in yet another language, according to another expert. How can technical analysis and forensics assist in attributing that level of obfuscation?

Now add to the mix actors that may not even have any relation to a nation state but may be doing the work either for hire or on independent contract. When viewed through this lens, traditional technical analysis may not prove as instrumental a factor in ascertaining if a nation state is sanctioning this activity, or more importantly, which one.

Espionage As-a-Service Business Model

Espionage-as-a-Service (EAAS) refers to the practice of independent actors stealing sensitive information for commercial purposes with the intent of selling it to interested nation states.

In many of these incidents, the types of organizations targeted and information stolen would certainly reflect a nation state’s interests and therefore would be inaccurately attributed to a particular nation state’s sponsorship.

These actors are typically independent contractors. Although state actors can certainly conduct cyber espionage for their own economic advantage, the motivations here are notably different and more akin to cybercrime or commercial espionage than to state-driven, national-security espionage.  Therefore attribution to a particular nation state would be inaccurate.

Overlapping targets and shared tactics, techniques, and procedures (TTPs) pose further challenges.  Phishing e-mails carrying embedded malware are a TTP shared among most hostile cyber actors.  Tools such as rootkits and remote access Trojans (RATs) are used by criminals and espionage operators alike.

Even hacktivists have been known to use RATs to steal and leak information.  In 2014, Russian hacktivists used a RAT to breach the Chinese Embassy in Moscow and released documents related to Russia’s spying on Ukraine.  {Bitdefender, March 2014}

In January 2015, a researcher reported finding banking malware on industrial control systems, indicating that a target typically believed to be attractive to espionage operators is either being used by espionage actors or is becoming a target for criminals now as well. {Source: Dark Reading}
The Case of Su Bin

In June 2014, the Federal Bureau of Investigation (FBI) arrested Chinese citizen and Canadian resident Su Bin.  According to the criminal complaint, from 2009 to 2013 Su Bin gained unauthorized access to computers belonging to Boeing and other unidentified companies with the intent of selling the illegally obtained sensitive information.  The complaint stated that once Su Bin identified information as potentially valuable, he obtained the assistance of two unnamed individuals to carry out the network reconnaissance and intrusion operations.  {Wall St Journal}

At first blush this incident would seem to reinforce the U.S. Department of Justice’s mid-2014 indictment of five Chinese military officers for cyber spying, and to provide another evidentiary bullet point about China’s massive cyber espionage activities. After all, many data points were consistent across both espionage efforts: the use of phishing e-mails (a preferred tactic of cyber espionage actors) to target select individuals working in a particular area of interest; the use of a command-and-control network of computers to facilitate cyber operations; and the use of hop points to mask the true origin of the network exploitation effort.  [ibid]

Nevertheless, certain evidence in the complaint revealed that Su Bin and his co-conspirators were neither state-controlled, state-directed, nor state-contracted, despite significant circumstantial evidence to the contrary.

In fact, many of the e-mails on record described activity more akin to industrial or commercial espionage than to traditional nationalistic cyber espionage: the actors lacked professional intelligence tradecraft, had no particular customer in mind, and referred to a potential customer as financially “stingy.”  [ibid]

Some may argue that the type of targets and the type of information taken strongly point toward a nation state’s interests and more than likely indicate that the operators were state agents, or at least tasked or hired by a government.

While this may hold true for part of the cyber espionage activity being conducted, it is not representative of all of it.  Therefore, declaring that a particular cyber espionage event is consistent with Nation State “X’s” interests may unfairly implicate a country.

While governments’ national strategic development plans have been a key piece of evidence linking a nation state to cyber espionage activity, a report by Taia Global shows that many governments share similar plans, particularly with regard to high-priority research and development.  [Taia Global]

Using these broad plans as key pieces of evidence linking a government to activity, without performing due diligence on other countries with the same objectives, risks drawing the wrong conclusion about who the real perpetrator is, as well as leading an organization or victim government to pursue an ineffectual course of response.

Thankfully, in this particular instance the FBI had penetrated the operation deeply enough to cast sufficient doubt on whether Su Bin and his co-conspirators were working on behalf of Beijing.  However, given that past espionage campaigns have strongly suggested or even implicated a foreign government on the basis of largely circumstantial evidence, it is easy to see how espionage-as-a-service can be misattributed.

Attribution has been a flawed science thus far; technical analysis has been the foundation of such efforts, yet it remains an imperfect method without the advantage of other independent sources of corroborating information.  As more groups engage in EAAS using overlapping TTPs, attribution efforts will only become more difficult.

For the near term, knowing the category of hostile actor (e.g., espionage, criminal, hacktivist, etc.) rather than trying to drill down to a specific identity should be enough for organizations to conduct risk management of key holdings.

Determining “how” and “why” a breach was successful, and adopting a lessons-learned approach to continuously improve defenses, will greatly assist organizations in bolstering their resiliency in the face of a dynamic and evolving threat space.

About the Author

Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as a private sector company providing cyber intelligence to Fortune 100 clients. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals.  {From the Norse Corp website.}

About Norse

Norse is the global leader in live attack intelligence. Norse delivers continuously updated and unique Internet and darknet intel that helps organizations detect and block attacks that other systems miss. Norse’s globally distributed distant early warning grid of millions of dark sensors, honeypots, crawlers, and agents deliver unique visibility into the Internet – especially the darknets, where bad actors operate.  Norse products tightly integrate with popular SIEM, IPS, and next-generation Firewall products to dramatically improve the performance, catch-rate and return-on-investment of your existing security infrastructure.

For More Information

For more about this subject see “The Attribution Problem in Cyber Attacks” by Dimitar Kostadinov at INFOSEC Institute. For DoD’s response to these problems see “Cyber chief: Efforts to deter attacks against the U.S. are not working“; their answer (not a surprise) is that they want a bigger offensive capacity — just like the overkill in nukes they pursued for decades. They didn’t destroy the world then, and hopefully will not do so now.

4 thoughts on “Identifying the guilty: tying nation states to cyber espionage”

  1. Thank you for your blog, I found it interesting. One thought did occur to me …
    It really does not matter if there is accurate tracing of the origin of a hack, malware or virus. Once the NSA or the CIA have made the accusation the mud has been thrown and it is now an exercise for the accused to try and wipe it off. The agenda has been set and the reality is from that point immaterial. The forces of darkness (The media networks) are too lazy and uninformed to follow up on a story, they are on to the next one before the mud has dried.
    You, an expert in the field, admit that ascribing blame or attributing a source is very difficult, so it is nigh impossible for the man in the street or a journalist.
    The result is that the rats that infest the belfries of the mind can say anything… It was the Chinese or the North Koreans working from building 36189 in Kwong and who is going to check?
    That is why I appreciate blogs like yours. At least we now know what news reports to be wary of.

    1. Zander,

      I agree on all points, and believe you have gone to the heart of our problem. In “Government officials’ lies erode the Republic’s foundation” I described some of the bigger lies government officials have told us since WWII. But they lie only because we believe them, and don’t hold them to account when we learn that they’ve lied.

      We get the government we deserve. Perhaps it’s the government we want. We’re the guilty parties. That’s the harsh truth we work so hard to avoid.
