According to the recent CrowdStrike Global Threat Report, global cybersecurity threats continue to rise year-over-year. That is a constant that is unlikely to change. However, the sources of those threats and their complexity are anything but fixed. Both state-sponsored and e-crime intrusions are taking their toll on our agencies, but statecraft and tradecraft are no longer binary realities, as the overlap between the two types of threats increases.
We saw very clearly in 2020 that statecraft didn’t sleep during the global pandemic. The impact of the recent breach that affected the Department of Homeland Security, the Department of the Treasury, and as many as ten other government agencies is still unfolding, with consequences that remain unknown. Iran, China, Russia, and North Korea remain active and serious adversaries. They have clearly engaged in social engineering, cloud-based attacks, and cyber espionage.
Tradecraft’s bold flex over the last three years has been striking. Jason Rivera, Director of CrowdStrike’s Strategic Threat Advisor Group, illustrated this reality at the recent CrowdStrike webinar entitled Blurring the Lines Between Statecraft and Tradecraft:
“In 2018, the top three threat actors, combined, made approximately $30-40 million in total ransom funds. In 2019, the top actor we track, Wizard Spider, became the most successful e-Crime actor in human history and literally made $100 million in a single year…And then it is estimated… that Wizard Spider netted approximately $150 million in a single year in 2020.”
But the ability to neatly place these threats into categories has vanished. Nation-states have begun adopting the techniques of e-crime actors and even farming out this work to tradecraft operatives.
Not only does the threat landscape appear daunting due to the sheer increase in volume and effectiveness, but it has also become decidedly more complex to track, prevent, and mitigate. “We saw an increased reliance on the private sector and partnerships with the private sector…” Rivera explained. For example, Iran contracted with the private e-crime actor called Pioneer Kitten, while China employed several in its actions against the U.S. and others.
Among the more recently observed techniques that threat actors now utilize are access brokers, or takeover operations. Using underground marketplaces, private hackers infiltrate organizations and government agencies and offer that access to the highest bidder. There is an initial intrusion by the tradecraft operative, followed by a secondary intrusion by the statecraft bidder. This blurring of lines, or hybrid-type threat, makes our work increasingly difficult.
With the prominence and availability of cryptocurrencies like Bitcoin – and the availability of social media sites as connectors – these malicious actors can also now form partnerships easily. They often first connect on a public social network and then – after initial contact – move to secure messaging applications with end-to-end encryption to negotiate terms. They will initially receive funds in the prevalent Bitcoin currency, which is widely available but whose transactions can be tracked. Then, they will move their funds into a lesser-known and less obvious currency to avoid being tracked by law enforcement.
Together, these technologies and services give these actors greater obscurity, greater complexity, and huge rewards for the risk.
Another disturbing method of intrusion involves a state-sponsored actor masquerading as an e-crime or other intrusion. “It can often be very difficult to understand who exactly is engaging in the operation and what exactly is their intent,” Rivera confirmed.
The reality of this blurring of lines between statecraft and tradecraft is daunting. But, there is work that can be done. Tactically, we need to utilize automation to empower our efforts. “…we are seeing huge volumes of attacks, quadruple, or triple what we’ve seen before,” Rivera urged. Using automation to determine indicators of malicious activity across such a large volume is necessary.
Second, learning from others who have been attacked is key. If a peer entity has experienced an intrusion and shares intelligence reporting, then we can detect similar attacks within our own agencies. Lastly, Rivera suggested, “Having services and an incident response (IR) retainer could be very useful in terms of having those relationships [to leverage]…if something were to happen…you would be able to rapidly respond…”