
SecurityTrails Blog · Jun 16 · SecurityTrails team

Cyber Espionage: Cloak-and-Dagger in Cyberspace


Spies and the world of espionage have been around since the beginning of time. Information has always been power; even our predecessors knew it.

It was in roughly the fifth century BC when Chinese general Sun Tzu wrote in his work The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

By the 19th century, more advanced strategies of espionage and government intelligence agencies had been developed. And by the start of the First World War in 1914, all leading powers had at their disposal highly sophisticated ways of conducting espionage and analyzing intelligence, gathered by their spies.

Now in the 21st century, the battlespace has changed. This is thanks to the widespread use of the internet and information and communication technology. Among many of its hallmarks, the internet has on one hand empowered freedom of speech and expression by providing everyone the opportunity and space to communicate and seek information, but at the same time it has made everyone more vulnerable, and actually less secure.

According to the reports of some well-known whistleblowers, everyone is under surveillance, whether by governments, military forces, law enforcement and intelligence agencies, hackers, criminals or terrorists. Everyone is spying on everyone now.

When we hear “cyber espionage”, the first things that come to mind are the various nations trying to steal other countries’ secrets. Industrial espionage has also plagued businesses for decades.

However, the harsh reality is that in recent years, cyber espionage has grown as a threat to organizations of all sizes. It can be seen in a targeted attack, or organizations can be caught in the crossfire when the target is actually another organization. These incidental victims become collateral damage, as in a supply chain attack.

Either way, being directly or indirectly caught in a cyber espionage attack can be devastating. So let’s learn more about what cyber espionage is, who should be worried about this threat, and how you can protect your organization from these modern day cloak-and-dagger operations.

What is cyber espionage?

Cyber espionage is the use of computer networks and malicious software by groups or individuals to gain unauthorized access to systems and quietly exfiltrate classified or proprietary data. With that stolen information, attackers can erode the operational and strategic advantages the target once held.

Usually the goal is to collect intelligence, intellectual property or government secrets from the target, whether for competitive advantage, national security or military advantage over a rival state. The consequences are wide-ranging: loss of data, intellectual property or competitive position, and in some cases the disruption of infrastructure.

This type of attack is usually carried out by:

  • Government actors
  • Nation states
  • State-sponsored groups
  • Organized crime groups
  • Rival organizations that are out for corporate secrets

With this in mind, we can see that most often the targets are government entities and corporations.

While espionage has been around for a while, the use of technology and inter-connectivity over the internet has rendered spying in the realm of cyberspace an easier, faster, and more effective way of collecting intelligence than ever before possible.

Firstly, you don’t require someone snooping around corporate offices, trying to eavesdrop on whispered secrets, seeking valuable contacts and persuading them to divulge valuable information. Cyber spies can get all that information and intelligence without ever needing to leave their computers.

Secondly, cyber espionage exposes attackers to fewer risks: they can remain inside a targeted system for long periods without being noticed, and even when an intrusion is discovered there is less chance that the true perpetrators will be identified.

And lastly, the amount of data and intelligence gathered in a given cyber espionage operation is vastly larger than that collected through traditional spying activities.

An organization’s systems can be attacked through known vulnerabilities, with phishing (spear phishing predominantly), zero-day exploits and malware distribution being the most common vectors. If these characteristics sound similar to those of advanced persistent threats (APTs), you wouldn’t be mistaken: many cyber espionage operations have been attributed to APT groups, whose persistent, long-term presence in target systems is aimed precisely at collecting intelligence.

Most popular cyber espionage attacks

Cyber espionage attackers, as mentioned above, usually break into systems with:

  • Social engineering

With social engineering, the focus is to psychologically trick the target into divulging private information, giving them access, or even providing data that would allow attackers to gain more knowledge about the target’s systems.

Just as we’ve seen with APT attacks, spear phishing is the form of social engineering cyber espionage attackers employ most. What sets it apart from “regular” phishing is targeting: a phishing campaign sends emails with malware-laden attachments or links to a broad list of recipients, while a spear phishing email is crafted for one organization, one team or even one individual. Because the content references the target’s interests, colleagues and the services they use, it is far more likely to get a link clicked or an attachment opened. In cyber espionage the attackers have usually studied their targets closely, and know exactly who can give them the access they need to continue the operation.
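To make those indicators concrete, here is an added example (not code from the original article) that triages the headers of a constructed spear-phishing message: a lookalike sender domain, a Reply-To that routes answers elsewhere, an executive title in the display name, a missing DMARC pass, and urgency language in the subject. The domain example-corp.com, both sample messages and the keyword lists are assumptions for illustration.

```python
"""Header-level triage of a suspected spear-phishing e-mail.

Added example, not code from the original article. The messages below and the
domain example-corp.com are constructed for illustration; real mail would be
read from the mailbox or gateway instead."""
import email
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"   # assumption: the defended organization's domain

# Constructed lure: CFO impersonation from a lookalike domain (digit 1 for letter l),
# with a Reply-To on a third-party host so answers never reach the real CFO.
SAMPLE_MESSAGE = """\
From: "Dana Ortiz - CFO" <dana.ortiz@examp1e-corp.com>
Reply-To: dana.ortiz.cfo@mail-relay.example.net
To: payables@example-corp.com
Subject: Urgent: wire for the Q3 acquisition before 5pm
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none header.from=examp1e-corp.com
Content-Type: text/plain; charset="utf-8"

Dana here. I'm in the board meeting and can't talk. Please process the
attached wire instructions today and keep this confidential.
"""

# Constructed legitimate internal message for comparison.
CLEAN_MESSAGE = """\
From: "Dana Ortiz" <dana.ortiz@example-corp.com>
To: payables@example-corp.com
Subject: Q3 vendor list
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

Attached is the updated vendor list for Q3.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from a trusted domain is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Map common look-alike substitutions back to the letters they imitate."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain imitates trusted without being identical to it."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    return fold_homoglyphs(domain) == fold_homoglyphs(trusted) or levenshtein(domain, trusted) == 1


def triage(raw_message: str, our_domain: str = OUR_DOMAIN) -> list[str]:
    """Return the spear-phishing indicators found in the message headers."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if is_lookalike(from_domain, our_domain):
        findings.append(f"lookalike sender domain {from_domain!r} imitates {our_domain!r}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2] != from_domain:
        findings.append(f"Reply-To {reply_to!r} routes replies away from the From domain")

    # Executive titles in the display name are the usual pretext for payment lures.
    if any(title in display_name.lower() for title in ("ceo", "cfo", "director", "president")):
        findings.append(f"executive title in display name {display_name!r}")

    # Without a dmarc=pass result the From domain was never authenticated.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("From domain did not pass DMARC")

    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in ("urgent", "wire", "immediately", "confidential")):
        findings.append(f"urgency or payment language in subject {subject!r}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("-", finding)
```

None of these checks is conclusive on its own; a gateway would score them and route high scorers to quarantine or to the security team rather than block outright, since legitimate executives do send urgent mail.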

  • Exploiting known (CVE-assigned) and unknown vulnerabilities, both in the organization’s own systems and in the software it uses

A zero-day vulnerability is a flaw in software, hardware or firmware that attackers exploit before the vendor has released a patch, often before the vendor even knows it exists. Once such a flaw becomes known, it is a race between the vendor shipping a fix, defenders deploying it, and attackers using the window in between. Just last year, a Windows zero-day was exploited by the Buhtrap hacking group in a cyber espionage operation against governmental computing systems.

  • Watering hole attacks

Although less common than phishing, watering hole attacks do happen and are frequently associated with cyber espionage. Here, the attacker targets a specific group of end users, usually employees of a corporation or government office, profiles them to learn which websites they frequent, and then compromises one of those websites. Malicious code injected into the site either exploits visitors’ browsers directly or redirects them to an attacker-controlled site that delivers malware, giving the attacker a foothold inside the user’s organization.

While hearing the term cyber espionage might make you think of something straight out of the movies that poses a threat only to government agencies, you would be mistaken. So, we must ask ourselves:

Who is under the threat of cyber espionage?

The simple answer would be: everyone. Even if you think you don’t possess any data of value to attackers, and that cyber espionage is exclusively a threat to governments, the basic customer data you possess can help attackers in an operation of a much grander scale. The target may be a larger organization, with you a mere step on the road.

There are usually two types of cyber espionage attacks:

Governmental

During the COVID-19 pandemic there has been a rise in Chinese cyber espionage activity. One recent campaign, attributed to the group known as APT41, targeted more than 70 enterprises in 20 different countries.

Nation states have always conducted, and always will conduct, cyber espionage against other states and governments, a rivalry that’s easy to understand. Frequently the goal is to obtain a strategic military advantage over the adversary, or to act against an opposing state’s commercial interests.

Industrial

Today, most organizations have information that can be valuable to attackers, and are at risk of suffering under industrial cyber espionage. Larger organizations and corporations have long attempted to gain advantage over competitors by stealing classified information, company secrets, patents, and more. But the threat of cyber espionage doesn’t spare small and medium-size businesses (SMBs).

SMBs shouldn’t ignore the fact that they too can find themselves involved in cyber espionage, nor should they find comfort in a false sense of security. These types of businesses are often an entry point into the supply chain of a larger enterprise (the target).

As larger enterprises often maintain better cybersecurity posture, attackers are turning more and more to smaller businesses in the supply chain. They can leverage the intelligence gathered from them to break into the larger main targets.

While being collateral damage may not be as devastating as being the main target, the possibility of losing your reputation with partners and customers isn’t worth the risk. Any information you have is of possible interest to cyber criminals—and this can be anything, including:

  • Product designs
  • PII and confidential data about your employees, customers and clients
  • Intellectual property
  • Market intelligence and patents

Notable cyber espionage operations

Cyber espionage attacks continue, whether governmental or commercially motivated, and the list of notable ones is long. Here we want to highlight two campaigns that have really left a mark on the way we view cyber espionage.

Operation Aurora

Beginning in mid-2009 and revealed at the start of 2010, the series of cyber espionage attacks attributed to China and named Operation Aurora was launched against a large number of organizations, most notably Google and Adobe, which were compromised through a then-unpatched vulnerability in Microsoft’s Internet Explorer. When Google disclosed the operation, it stated that the attackers had been after the Gmail accounts of Chinese human rights activists.

Operation Shady RAT

Beginning in 2006 and running for roughly five years, one of the most notorious cyber espionage operations ever discovered hit more than 50 different organizations. Targets included the governments of the US, Canada and South Korea, as well as the UN and the International Olympic Committee, the latter in the months leading up to the 2008 Olympic Games in Beijing. The campaign was later named “Operation Shady RAT”.

The attacks were carried out through spear phishing, with emails carrying a RAT, or remote access trojan. Data stolen in Operation Shady RAT included government secrets and other sensitive material, with the total believed to run to petabytes.

As with most of these operations, the true perpetrators were never officially confirmed, but it is widely believed that China was behind Operation Shady RAT.

How to protect your organization from cyber espionage

Although these attacks often do sound like movie fodder, the truth is that they are part of the current threat landscape. Every organization should be diligent about protecting their networks, systems and entire infrastructure from cyber espionage attackers.

Here are some of the first steps to take to protect your organization against cyber espionage:

Cybersecurity culture

As with many types of cyber attacks, social engineering remains the main vector used to carry out cyber espionage attacks. Many malicious actors prey on naive and unaware employees and trick them into giving them access to corporate data.

The lack of a cybersecurity culture in many organizations is one of the main reasons why spear phishing and social engineering in general are so successful. That’s why it’s important to raise awareness about network security threats and risks: how attacks play out, how to spot the clear signs of a fraudulent email, how to document and report such events, and what to do when employees believe they have been targeted.

Choose the right security tooling

Firewalls and anti-malware are a starting point, but on their own they are rarely enough. You need a security stack suited to your actual risk. Against cyber espionage, look for tooling that provides application control, vulnerability assessment, device control and defense against zero-day exploits, together with patch management so that disclosed vulnerabilities are closed before they are used against you.

Email security

Phishing and spear phishing are, as we mentioned, among the most used attack vectors in cyber spying. Besides educating employees about these dangers and how to report them, you should proactively harden email itself. Publish SPF and DKIM records for your domains and enforce them with a DMARC policy of quarantine or reject (p=none only monitors), so that mail forging your domain is dropped at the recipient. Protect mailboxes with MFA so that a phished password alone is not enough, and deploy an automated email encryption solution for sensitive correspondence.
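As an added example (not from the original article), the script below audits the SPF and DMARC records a domain publishes and flags the settings that leave it spoofable. The records for the hypothetical example-corp.com are constructed: a weak pair beside its hardened counterpart.

```python
"""Audit the SPF and DMARC records an organization publishes for weak settings.

Added example, not code from the original article. The two record tables below
are constructed for a hypothetical example-corp.com: the first is a weak
configuration, the second its hardened form. In production you would fetch the
TXT records with a DNS library (for example dnspython) instead of a dict."""

WEAK_DNS = {
    "example-corp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.net +all",
    "_dmarc.example-corp.com": "v=DMARC1; p=none;",
}
HARDENED_DNS = {
    "example-corp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.net -all",
    "_dmarc.example-corp.com": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                                "rua=mailto:dmarc-reports@example-corp.com"),
}

# Mechanisms that cost a DNS query when the receiver evaluates the record.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list[str]:
    """Flag an SPF record that lets anyone send, or that exceeds the DNS lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    findings = []
    all_term = next((t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("SPF ends in '+all': any host on the internet may send as this domain")
    elif all_term == "?all":
        findings.append("SPF ends in '?all' (neutral); use '-all', or '~all' while testing")
    # RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms yields permerror.
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; RFC 7208 allows at most 10")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Flag a DMARC record that only monitors, covers part of the stream, or reports nowhere."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    pol = tags.get("p", "")
    if pol == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif pol == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once aggregate reports are clean")
    elif pol != "reject":
        findings.append(f"DMARC has no valid policy tag (p={pol!r})")
    if tags.get("sp", pol) == "none":
        findings.append("subdomain policy sp=none lets attackers spoof your subdomains")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no reports of who is forging your domain")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment (adkim/aspf=r) lets any subdomain align; prefer strict")
    return findings


def audit_domain(dns: dict[str, str], domain: str) -> list[str]:
    """Combine SPF and DMARC findings for one domain using the given record table."""
    return audit_spf(dns.get(domain, "")) + audit_dmarc(dns.get(f"_dmarc.{domain}", ""))


if __name__ == "__main__":
    for label, table in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(label, audit_domain(table, "example-corp.com") or ["no findings"])
```

Running the same audit against your own domains (and every parked or unused domain you own, which should publish `v=spf1 -all` and `p=reject`) shows exactly what a receiver will do with a forged message before an attacker finds out for you.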

Password policies

Cracking passwords is one of the oldest tricks in the book, and with reason: many people don’t follow safe password practices. Some reuse old passwords across many accounts and devices, or even use a generic password like “123456”. Cyber espionage attackers routinely try brute force and password-spraying techniques to gain unauthorized access to corporate or government systems and networks.

This is why a password policy is essential. Current guidance (NIST SP 800-63B) favors length over composition rules and drops mandatory periodic changes: require long passwords or passphrases, screen every new password against lists of commonly used and breached passwords and against context-specific words such as the user name or company name, and force a change only when there is evidence of compromise. Rate-limit and lock out repeated failed logins to blunt brute forcing, pair passwords with MFA, and give employees a password manager so that every account gets a unique, generated password.
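An added example (not from the original article) of such an acceptance check, written in the spirit of NIST SP 800-63B: it enforces length, screens against context-specific words and a breached-password corpus through a k-anonymity style hash-prefix lookup, and rejects repeated or sequential characters, while deliberately imposing no composition rules or rotation schedule. The corpus, the 12-character minimum and the user names are constructed assumptions.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example, not code from the original article. The breached-password corpus,
the user names and the 12-character minimum are constructed assumptions. The
range lookup imitates the HIBP Pwned Passwords k-anonymity API with a local set
so that the example runs offline."""
import hashlib
import re

MIN_LENGTH = 12    # assumption: the organization's minimum (800-63B requires at least 8)
MAX_LENGTH = 128   # 800-63B asks verifiers to accept at least 64 characters

# Constructed corpus of "breached" passwords, held only as uppercase SHA-1 digests.
_BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                  for p in ("123456", "password", "Summer2020!", "qwerty123456", "Welcome1234")}

# Any 6-character window of these runs counts as sequential (alphabet, digits, keyboard rows).
_RUNS = "abcdefghijklmnopqrstuvwxyz0123456789qwertyuiopasdfghjklzxcvbnm"


def range_lookup(prefix5: str) -> set[str]:
    """Return the hash suffixes of every corpus entry sharing the 5-hex-char prefix.
    The caller only ever reveals the prefix, so the password cannot be recovered from it."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """k-anonymity check: send the prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def has_trivial_pattern(password: str) -> bool:
    """Reject a single repeated character or any 6-character alphabet, digit or keyboard run."""
    if re.fullmatch(r"(.)\1*", password):
        return True
    low = password.lower()
    return any(low[i:i + 6] in _RUNS for i in range(len(low) - 5))


def check_password(password: str, username: str = "", org_name: str = "") -> list[str]:
    """Return the reasons to reject the password; an empty list means it is acceptable.
    Composition rules and forced rotation are deliberately absent, per 800-63B."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = password.lower()
    for word in (username, org_name):
        if word and word.lower() in low:
            reasons.append(f"contains the context-specific word {word!r}")
    if has_trivial_pattern(password):
        reasons.append("repetitive or sequential characters")
    if is_breached(password):
        reasons.append("appears in a breached-password corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2020!", "dortiz-ExampleCorp-2024", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, "dortiz", "ExampleCorp") or "accepted")
```

Note that the check runs at the moment a password is set or changed; the brute-force defense the paragraph mentions (rate limiting, lockout, MFA) belongs in the login path and is separate from acceptance rules.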

Incident response plan

As the threat of cyber espionage is real and constant, we shouldn’t question whether we will be attacked, but rather when we will be attacked, and how to act in that situation. An incident response plan is therefore necessary, one that dictates and outlines the steps that need to be taken in case the organization is suspected to be under a cyber espionage attack, and details how to recover after the attack occurs.

Conclusion

As we’ve learned, cyber espionage is not something that should only worry government agencies and nation states. Industrial and commercially motivated cyber espionage is now an everyday part of the cyber threats befalling businesses both large and small. To protect your systems and keep your sensitive information out of attackers’ hands, even the small, foundational steps that make up a good cybersecurity posture go a long way.


Detect and prevent cyberespionage and any other types of cybercrime by identifying sensitive areas of all your digital assets. SurfaceBrowser™ helps you explore the unseen area of your DNS records, domain names, IP addresses, SSL certificates and open ports. And all of that in a single unified place. Contact us to learn more.