Congressional Cybersecurity Report Warns of Dim Outlook
Cybersecurity has become a primary focus for lawmakers, federal agencies, and the private sector. Cyberattacks have prompted official government actions in the form of Executive Orders, Operational Directives, ransomware guidance, ransomware notification legislation, and dozens of bills aimed at enhancing cybersecurity across industry sectors. A recent report by the Congressional Research Service highlights the different methods and motivations of nation-state actors and cybercriminals.
When the U.S. government begins investigating a cyber incident, its first goal is to identify the entity behind the attack. The offending actor(s) often try to complicate these efforts by obfuscating evidence and standing up fresh infrastructure that is harder to track. That is one reason why “attributing cyberattacks is difficult, but not impossible.” While the choice of victim may offer clues to the identity of the perpetrator, government investigators look at the specifics of the event to attribute the origin of an attack.
This includes examining the tradecraft (tactics and techniques), malware (the software used), capabilities (for example, encrypting data or logging keystrokes), infrastructure (command-and-control servers), and apparent intent of an attack to assess and attribute responsibility to the proper party. None of these indicators is conclusive on its own; tools and infrastructure can be shared between groups or deliberately imitated, so investigators weigh them together and express the result as a confidence level ranging from high to low. Claims of attribution also come from different kinds of sources, with varying degrees of authority.
The most authoritative attribution claims, the primary sources, come from U.S. government entities. Even within primary sources, authoritativeness varies: the strongest form is “a court finding that a party was guilty of committing the attack—usually by violating the Computer Fraud and Abuse Act or the Economic Espionage Act.” Less authoritative primary sources include a grand jury indictment, which is an accusation rather than a finding of guilt, or a statement from a top government official.
Secondary sources are claims made by non-governmental entities, typically cybersecurity firms. Although they lack access to classified information, these firms employ highly skilled researchers and can draw valuable conclusions from the methods and apparent motivations of an attack. Cybersecurity firms typically do not attribute attacks to nation-states directly, preferring to “attribute an attack to an actor set that the firm is tracking…sometimes referred to as an Advanced Persistent Threat.” Each firm maintains its own naming scheme for these actor sets, so the same group may appear under different names in different vendors’ reporting.
Supposed sources are mainly statements reported by mainstream news media. Although they typically obtain their information from government officials and secondary sources, they lack the capacity to independently verify these claims. The last and least authoritative form of attribution is pure conjecture. Often, victims of an attack will make unsupported claims through social media without any ability to corroborate them.
The report notes that “cyberattack” is a broad term encompassing a variety of malicious activity. Whether an attack is carried out through distributed denial of service (DDoS), phishing, ransomware, a supply chain compromise, or a zero-day exploit is itself a clue that may help investigators determine who is behind it.
The report examined 23 cyberattacks attributed to nation-state actors from 2012 to 2021. Of those 23 attacks, 9 were attributed to China, 8 to Iran, 5 to Russia, and 1 to North Korea. These 23 incidents likely represent only a small fraction of the cyberattacks committed by U.S. adversaries. Despite the small sample size, the attack descriptions offer insight into each nation-state’s strategic objectives.
Half of the cyberattacks attributed to Iran were perpetrated by the Islamic Revolutionary Guard Corps (IRGC). According to the Council on Foreign Relations, the IRGC “has gained an outsized role in executing Iran’s foreign policy and wields control over vast segments of the economy.” Iran also allows criminal groups and government-sponsored actors to operate within its borders. Many Iranian attacks are aimed at harming U.S. national security interests, with a distinct focus on gaining access to military data. From 2015 to 2019, Iran “conducted spear phishing attacks against satellite and aerospace company employees.” Further, from 2013 to 2020, Iran “targeted universities, think tanks, defense contractors, and aerospace companies.” A 2020 attack allowed Iran to steal data “pertaining to national security, foreign policy intelligence, non-military nuclear information, [and] aerospace data.” These targets reflect Iran’s interest in establishing itself as the regional hegemon through military prowess.
China has focused its cyber intrusions across U.S. industry sectors, with specific interest in obtaining data that could benefit its economy. China’s theft of U.S. intellectual property (IP) is not a new phenomenon. Many of the attacks were carried out by China’s civilian intelligence and security agency, the Ministry of State Security (MSS). Of the 9 attacks attributed to China, 5 directly resulted in the theft of intellectual property. Almost no sector of the economy was spared, with attacks targeting technology manufacturing, healthcare, energy, defense, business, education, genetics, aircraft, shipping, and even gaming. China often engages in long-term cyber campaigns. For example, from 2006 to 2014 China “hacked into computers of U.S. manufacturers in order to steal sensitive information to benefit Chinese state enterprises.” While many of these campaigns fail to garner headlines or public action, the 2017 Equifax breach, which exposed the PII of nearly 150 million Americans, resulted in the indictment of four members of China’s People’s Liberation Army; none of the four has been arrested or brought to trial in the United States. A settlement of up to $425 million, finalized in January 2020, funds compensation for those affected by the breach.
Nation-state cyberattacks from Russia are typically carried out by its military intelligence service, the GRU. The specific attacks highlighted in the report suggest Russia is motivated more by sowing discord in the international system than by obtaining specific monetary or military assets. During the 2016 U.S. election, Russia “targeted political campaigns, state boards of elections, state secretaries of state, and companies providing technology for elections to steal and leak their sensitive data.” While there is no evidence to suggest the Russians succeeded in altering vote counts, reporting shows that they did manage to spread disinformation, release troves of hacked emails damaging to the Clinton campaign, and erode faith in democratic institutions. From 2015 to 2018, the GRU undertook a campaign that targeted the Ukrainian government, the French elections, U.S. hospital systems, the PyeongChang Winter Olympics, and Georgian government entities. Following revelations of doping at the 2014 Sochi Olympics, the GRU hacked into computers of the World Anti-Doping Agency, the United States Anti-Doping Agency, and FIFA and “published stolen and altered information from these entities to retaliate for and delegitimize doping charges against Russia’s sporting organizations.”
The report also details 30 cyberattacks carried out by foreign criminals, noting that these actors “use cyberspace as a medium for conducting profit-bearing schemes” as well as non-profit-motivated “operations intended to embarrass the victim.” Although many cybercriminals, specifically those operating from hostile countries, enjoy tacit approval from their governments and sometimes serve as “freelancers” for them, all of the following incidents were determined to be for personal rather than state benefit.
It appears cybercriminals have found safe ground in Eastern Europe. Ukraine or Romania was the perpetrator’s country of residence in 13 of the 30 attacks. Unsurprisingly, 9 of the identified attackers resided in Russia, Iran, or China. Many of the criminals used ransomware to extort payment directly from the victim, while others used botnets to harvest sensitive data. Criminals often targeted financial institutions to steal credit card numbers, PII, and identities, either for their own use or for sale.
This report demonstrates the considerable effort the U.S. government devotes to identifying and attributing the origins of cyberattacks. There is little doubt that the number of cyberattacks over the next ten years will far exceed that of the previous decade. Perpetrators are using increasingly sophisticated methods that make it harder for the government to attribute an attack, and unresolved questions of legal jurisdiction in cyberspace make it difficult to hold anyone to account. However, the public and private sectors are far more attuned to cyber threats now than they were a decade ago.