Nation States Distancing Themselves from APTs

Increasingly, governments are outsourcing state-sponsored attacks to mitigate risk and maximize intelligence.

SAN FRANCISCO – Security researchers say a new trend in privateering is gaining traction among nation states, which are increasingly contracting with private companies to carry out state-sponsored attacks.

Typically APT attacks have been the work of  internal government spy apparatuses, but outsourcing allows nation states to shift risk, dodge attribution claims and take advantage of more sophisticated APT tools available on the black market, according to a report by Cybereason’s Intelligence Unit, released Tuesday at the RSA Conference.

Cybereason said China, Russia and United Arab Emirates are three of many countries that are increasingly outsourcing targeted operations to individual hacking groups and companies that range from established organizations, to ones created out of whole cloth for the sole purpose of an APT campaign.

“This trend has been slowly building over the last five years. Over the last year to year-and-a-half, the number of operators in this space have grown large enough to merit an investigation,” said Ross Rustici, associate director, intelligence research, Cybereason.

Cybereason’s report singles out a number of Chinese firms as examples of a private company carrying out attacks on the behalf of China’s equivalent of the National Security Agency. Threatpost attempted to contact China-based Bo Yu Guangzhou Information Technology which was named in the report and did not get responses in time for publication.

“(Chinese firms) are expanding their entrepreneurial activities by contracting with private companies. Given their relationship with government, these companies likely have tacit permission to operate against foreign entities as long as the activity doesn’t produce significant issues for the government,” the report states.

Having private firms spy for nation states isn’t new. “This method, long used by Chinese human intelligence operators has transferred over into the cyber arena,” according to the report.

“In some ways, this is a very old story,” Rustici said. “However, given the centrality of attribution in both state-level cyber interactions and in understanding private sector intrusions, we felt that this phenomenon merited further discussion.” According to Cybereason’s analysis, these types of privatized state-sponsored APT campaigns have been successful at accomplishing low to mid-tier goals.

China, according to Cybereason, is leading the trend in APT outsourcing. Unlike past reliance by China on it People’s Liberation Army (PLA) hacking unit, more recent attacks are being carried out by full-fledge independent China-based companies that typically offer security solutions as covers for their spying apparatus.

“One of the drivers appears to be the increasing nature of public attribution and the need for more clandestine, plausibly deniable, operations. It is far easier to hire a group of outsiders and then arrest them if they get caught with their hand in the cookie jar than say a member of the military,” Rustici said.

Past APT attacks have outsourced pieces of a campaign, but few have farmed out the entire platform as they are now, said the report.

Private Chinese companies that align with the Ministry of State Security’s intelligence and security agency goals and targets, have been caught and identified, Cybereason said. But none of those have ever been tied back to China’s MSS, said Cybereason. “This demonstrates the significant advantage outsourcing has over indigenous capabilities, especially for organizations that have a significant risk, should they be exposed,” the report states.

Besides attribution, another driver of this trend is a reduction in the time and money required to find, develop, and build exploits and malware against specific hard systems, Cybereason reports. “This means that there is an ever-increasing pool of highly talented and sophisticated hackers going after increasingly unique systems,” according to the report.

Suggested articles