Hack-and-leak operations are typically viewed as coming from nation state actors. India is home to a vibrant, but unexplored hacker-for-hire marketplace that has serviced private detectives and developing nations for at least a decade. While the contours of this secretive industry are occasionally outlined by the infosec community, concrete examples or details remain elusive.
UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany. The targeting also includes Belarusian dissidents, media entities, and journalists. While there are multiple intelligence services that are interested in these countries, the specific targeting scope is most consistent with Belarusian interests. In addition to the targeting scope, UNC1151 operations have focused on obtaining confidential information and no monetization efforts have been uncovered. Mandiant researchers were confident in attributing the activity to Belarus and noted that “sensitively sourced technical evidence indicates that the operators behind UNC1151 are likely located in Minsk, Belarus,” with researchers directly observing links to the Belarusian military.
Intrusion Truth, the mysterious analyst or group that tracks and exposes China-backed cyber threat groups and actors, has published more than two dozen reports since April 2017. The group has made a name for itself through its threat-investigating motivations and results. Several actors identified by Intrusion Truth have later been indicted by the US Department of Justice. On the other hand, beyond its anonymity, members of the cyber threat intelligence community have widely questioned the legality of its methods, gaps in its research, and the very value of its efforts.
Over the past year, Microsoft observed multiple Iranian actors turn their attention to targets in Israel. For example, DEV-0133 (aka Lyceum) previously focused its attention on targets in Africa, but throughout 2021 this actor executed multiple campaigns against several different Israeli targets. This shift in targeting seen across multiple Iranian actors suggests that Iran is hesitant to directly provoke the United States and prefers to escalate its ‘cold war’ with Israel. Throughout 2021 Iranian actors have continued to heavily rely on ‘brute force attacks’. This style of attack includes indiscriminate exploitation of internet-facing appliances (e.g. CVE-2021-13379 and CVE-2021-34473). Examples of these tactics include aggressive scanning operations employed by DEV-0270, an actor closely related to PHOSPHORUS, and DEV-0343, an actor that aggressively targets O365 tenants via password spray attacks. The continued use of this style of attack suggests that Iranian actors find value in ‘indiscriminate’ exploitation and are still able to achieve their political objectives via this approach.
Sprawling espionage campaigns and occasional attacks against industrial control systems only teach us so much. Public perspective on the likely face of cyber-warfare has been manipulated by limited exposure to actual attacks and a perspective bias from available data. When military conflict eventually erupts between major players, they will look to target ships, planes, missile systems, and the networks that fuel their sensors, communication, and targeting. It is crucial to discuss how such attacks are possible and what they could achieve. The modern military is information security’s worst nightmare. In particular, we will focus on the US military and its decades-old, globe-spanning operational networks powering weapons designed by a dozen low-bidding contractors with enormous supply chains. Weapons must be remotely targeted, operated and maintained thousands of miles from home, and potentially work both over civilian and military infrastructure. For an attacker, that is an incredible playing field.
The Taliban controlled most of Afghanistan from 1996 to 2001 in what can only be described as a brutal regime. Among other things, the Taliban banned Internet access under their rule. After the Taliban were removed from power in 2002 Internet services returned to Afghanistan, with 22% of the population in Afghanistan having Internet access as of January 2021.
The targeted intrusion actor publicly known as Machete is one of few that has demonstrated both strong technical capabilities as well as a sustained target scope of entities in Latin America. One of this actor’s most notable tactics has been the consistent use of likely-legitimate, stolen government documents as decoy content to facilitate initial access efforts. While the threat actor has continued to employ this tactic throughout 2021, one incident in June revealed a new development: network infrastructure overlapping with an operation publishing sensitive information related to Ecuadorian political leaders online. This indicates that Machete’s contemporary network compromise activities have likely supplemented information operations meant to influence domestic politics within Latin America since at least early 2019.
Since 2020, the Iran-nexus threat landscape has evolved to include a significant ransomware component that does not have a readily apparent financial motive. While ransom notes and dedicated leak sites may profess a desire for cold hard cryptocurrency, the actual operations and observed behavior of responsible actors have signaled a distinctly different set of motives. Across four separate adversaries between 2020 and 2021, available evidence points to the Iranian cyber operations enterprise as having recognized ransomware’s potential as a cyberattack capability able to inflict disruptive impacts on victims with low cost and relatively plausible deniability. This trend built up momentum from discrete intrusions that dovetailed with espionage operations into high-visibility “lock and leak” campaigns against entities in the Middle East that persisted despite significant public scrutiny. The final picture that emerges is one where, with ransomware fully adopted as a tool of computer network attack, the potential target scope of state cyberattack operations is wider than ever.
While the “50 cent army” has become a cultural touchstone of the disinformation studies community, the term does not reflect contemporary CCP online propaganda tactics. States are increasingly turning to commercial firms to outsource their IO. By monitoring online discourse around topics of concern to the CCP, counter-IO researchers can better uncover disinformation content, the inauthentic accounts boosting it, covertly operated “state-controlled media” pages, and the entities behind them. Once an entity is identified, IO researchers can leverage OSINT tradecraft and breach data to find government ties, identify key individuals at the entity, and enumerate TTPs on exactly how the entity is acting on social media platforms.
Over the past two years, ESET researchers uncovered strategic web compromises on more than twenty different high-profile websites mainly located in the Middle East. Targets include Middle Eastern governments and media, European and African defense contractors, a media outlet based in the United Kingdom and a medical conference in Germany. We assess that this aligns with the activities of a threat group publicly known as Karkadann. In order to blend into the vast number of legitimate scripts loaded by the compromised websites, Karkadann disguises its domains as analytics or URL shortener services. Sometimes they also re-register old and abandoned domains that were used by analytics platforms years ago. Close tracking of their network infrastructure allowed us to make a link with the recent Citizen Lab publication “Hooking Candiru”. Karkadann is what Citizen Lab named the “Saudi-Linked Cluster”. While these watering holes are operated in-house by the threat actor, it is very likely that they are also a customer of Candiru, an Israeli mercenary spyware firm.
Digital covert action has been on the rise throughout the 2010s, with hack-and-leak operations making up a significant share. The list of high-profile campaigns and operations is long, and ranges from Stuxnet to Shamoon, from Sony to Wannacry, and from the Kiev blackouts to NotPetya. All these major cases have one core feature in common: governments, and in many cases independent researchers from multiple different outfits, have attributed these cases with high confidence or even certainty to specific actors. Yet WikiSaudiLeaks stands out: the episode, so far, has not allowed any security company, nonprofit, or government to make a justified and credible attribution claim. The case is also curiously neglected in the literature. Both absences are all the more remarkable given that the covert action has generated an extraordinary amount of press coverage, with hundreds of stories in major outlets.
There’s a certain romance to ‘hacktivism’ that causes us to suspend judgment. We like thinking that egregious wrongs inspire grassroots forces to take up arms in defense of their ideals. Cyber serves as the great equalizer of the 21st century, so the underdog’s righteous groundswell finds expression via vigilante cyberattacks in the face of overwhelming forces. It’s a charming story. In reality, what we are seeing is hacktivism used as a flimsy cover for state-sponsored wiper attacks and hack-and-leak operations as early as 2013. North Koreans, Russians, Iranians, mercenaries, anarchists, conscientious IT administrators… how do we make heads or tails of the lone asymmetrical threat?