According to a new report on state-sponsored cyber-espionage, China’s notorious Unit 61398 and the U.S. National Security Administration (NSA) aren’t the only government bodies doing their best to snoop the Internet.
The Russian government hacked, penetrated, and launched surveillance on hundreds of companies during the past decade, primarily for economic reasons rather than political, according to security firm CrowdStrike, which briefed Reuters in advance of the Jan. 22 release of its first Global Threat Report: Year in Review.
In the report, CrowdStrike tracks the online activity of 50 groups of “cyber threat actors” from China, Iran, Russia, North Korea, Syria and elsewhere. Some of those groups are independent criminals; some take funds and partial direction from government officials, and some are actual members of foreign intelligence services.
The report outlines many of the techniques large-scale online espionage groups use to penetrate targets, including the increasingly common strategic web compromise (SWC), in which attackers infect web sites used by their victims to deliver very targeted malware attacks.
Its main purpose is to identify the bad actors, flag their activities, and identify their objectives in order to head them off, according to Dmitri Alperovitch, co-founder and CTO of Crowdstrike, in a statement announcing the report. According to CrowdStrike, agencies of the Russian government and affiliated groups spent 2013 attacking hundreds of American, European and Asian companies as acts of industrial espionage rather than political spying.
“”These attacks appear to have been motivated by the Russian government’s interest in helping its industry maintain competitiveness in key areas of national importance,” Alperovitch told Reuters in an interview late on Jan. 21.
During two years of observation by CrowdStrike, the Russian group nicknamed “Energetic Bear” successfully penetrated European energy companies, defense contractors, tech companies and government agencies, the report found. It also attacked manufacturing and construction companies in the U.S., Middle East and Europe as well as a large number of U.S. healthcare companies.
The Russian attacks mark a significant shift in Russian cyber-espionage policies, which had previously focused on defense and political interests. “They are copying the Chinese playbook” Alperovitch said of the Russians, referring to the well-documented, decade-long series of attacks on Western businesses by the Chinese Army’s notorious Unit 61398 which, among other China-based state agencies, attacked more than 150 companies searching specifically for information on new products, marketing plans and information that would help Chinese companies compete for business against those targets, according to a February report from U.S. security firm Mandiant.
An April 2013 report from a Verizon security research unit agreed with Mandiant’s conclusions, estimating that 96 percent of commercial espionage efforts it was able to identify during 2012 and 2013 came from threat groups within China.
“Cyber espionage is very lucrative for economic benefit to a nation,” Alperovitch told Reuters.
The Russian group used specialized implants and “several unique toolsets” to attack their targets, a description that resembles the super-spy-gear revealed in a National Security Agency catalog released by whistleblower Edward Snowden.
The Russians didn’t stick to just specialized hardware, however: they were also fond of “strategic web compromise” or “watering hole” attacks in which attackers infect web sites that are popular with users at their target company, which allows them to insert malware or other security-penetrating software into the target without having to do it themselves.
“Compromising and weaponizing a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” according to Adam Meyers, vice president of Intelligence at CrowdStrike, who was quoted in the release announcing the report. “We believe this will tactic will be used with increasing frequency among the adversaries that we are tracking.”
The Chinese weren’t idle during 2013, however, according to CrowdStrike’s report, which lists Chinese government-sponsored attacks under the nickname Emissary Panda. Panda groups were also fond of watering-hole attacks during 2013, directing them primarily against foreign embassies located in the U.S. “This adversary collected sensitive intelligence from the defense industrial base, aerospace, telecom and shipping sectors,” according to the report.