Which nation is the most prolific hacker?

State sponsored hacking is, truth be told, something of a mixed bag of motives, capability and success. It can be quite difficult, even for government agency and IT security professionals who spend much of their time engrossed in such things, to determine with any degree of certainty just who is hacking whom. In this article, I have a go at pointing the wagging finger of blame.

The consensus within the IT security industry is that China is almost certainly the most prolific of the nation state hackers, closely followed by the United States. Odd then that these two should have recently reached an ‘accord’ which agreed that neither country would “conduct or knowingly support cyber-enabled theft of intellectual property”, but which stops short of saying that cyber-spying must stop entirely.

“Those countries with plenty of economic clout or political will are amongst the most prolific and successful.”

Just as it’s pretty much a given that the US continues to hack Chinese concerns, as well as others across the world, so China does the same. Although not much is publicly known of the US state-sponsored spy activity, outside of the Snowden/Wikileaks revelations, much more is known when it comes to China and Unit 61398 of the People’s Liberation Army (PLA) 3rd Department.

Obviously, those countries with plenty of economic clout or political/military will are amongst the most prolific and successful (whether publicly recognised or not) of nation state hackers as they tend to have the best resourced hacking teams. The exception to this rule are tinpot dictatorships which can redirect resources wherever the great leader/ruling nutjob sees fit. This is why North Korea makes it into our list.

1. China

Although China doesn’t restrict itself to targeting just the United States, it certainly appears to have painted the biggest bullseye on its traditional political enemy. The reasons why, however, are perhaps less to do with politics and more to do with economics.

The picture we see painted here is one where it isn’t just the US government or military that are targeted, but pretty much every industry across every sector. Unit 61398 of the PLA is thought by many experts in the field to have been behind the OPM breach, a counter-intelligence treasure trove of information about millions of people who work, or have worked, for the US government.

“China sees hacking as a short cut to innovation within business by stealing intellectual property.”

Meanwhile, the Deep Panda hacking group (believed to have Chinese government sponsorship) is understood to have been behind the Anthem breach which appears to have been all about understanding how healthcare operations work in other countries. The Anthem breach gives us some useful insight into how Chinese nation state hacking is a very broad church, encompassing a congregation that sings the praises of traditional espionage alongside stealing commercially sensitive data – and even strategically valuable infrastructure and economy building information.

China, it would seem, sees hacking as a short cut to driving innovation within business by stealing intellectual property as well as a means to improve its society and strengthen its military capability.

2. United States

The United States has many enemies, and the most active of its cyber-hacking enemies is right there at the top of this list. With China, North Korea and Russia (not to mention Iran, which was narrowly edged out of our top five list) actively targeting every sector from government and military intelligence through to the public sector and commercial enterprises, the US could probably do without its friends putting the boot in – but Israel is thought to have done just that with the Duqu worm deployment during the Iranian nuclear talks.

No wonder then that the US is right up there at the top of the pile when it comes to the sheer volume of state sponsored hacking it does, and the vast resources it dedicates to it. China only edges it out of the number one spot as it would appear to be more successful in actually breaching its targets.

“The Cyber National Mission Force runs to more than 6,000 military personnel across 130 different teams.”

Leaving the Edward Snowden NSA revelations to one side (hacking your own citizens and businesses is a discussion for another article), the United States appears to focus on intelligence gathering when it comes to hacking foreign nations. This could have something to do with how long it has been in the state-sponsored cyber hacking game, with rules and regulations in place that limit it to using such activities to address national security issues rather than to seek out financial benefits.

These operations are now headed up by the United States Cyber Command (USCC), which was formally established in 2009, but the CIA and NSA were almost certainly involved in cyber-espionage activity before then as part of their respective ‘preempt threats’ and ‘collect intelligence’ remits. The NSA mission statement even talks of ‘enabling computer operations’ – as if this were ever in doubt. The USCC mission statement goes further, spelling out that it will ‘conduct full spectrum military cyberspace operations’ when required.

It is thought that the Cyber National Mission Force which undertakes these operations runs to more than 6,000 military personnel across 130 different teams. Meanwhile, we know that the NSA employs a group of around 500 ‘elite hacker’ analysts and engineers which goes by the name of Tailored Access Operations (TAO). Although best known through the Snowden leaks, TAO is part of the NSA Signals Intelligence (SIGINT) Directorate and as such will help gather intelligence by any means possible, and from anyone it is asked to. Indeed, a former chief of TAO has admitted that its job was to “support computer network attacks as an integrated part of military operations”.

3. Russia

Russian state-sponsored hacking groups are thought to include APT28 (also known as Sofacy) which was operating from 2007 until at least last year, and APT29 (thought to have evolved from the MiniDuke group) which has been seen recently exploiting a data theft tool called Hammertoss.

Targets have been largely focussed within Eastern Europe, and particularly upon government and military connections in Chechnya, Estonia, Georgia and Ukraine. NATO targets have also been firmly on the radar for Russian hacking attention across the last decade. As the APT designation suggests, much of the activity reported by various research groups has been of the Advanced Persistent Threat variety much loved by nation state hackers.

“Organised cybercrime gangs are allowed to operate with relative impunity if they perform hacking favours for the powers that be.”

APT attacks tend to be well researched, well executed and very well financed. Although it’s always going to be something of a guessing game as to who is doing what, to whom and why, researchers have suggested that it seems highly likely that APT28 was sponsored by the Russian government, given the Russian-language code build environment and the fact that most of the work was done during Russian working hours. Unlike some of the activity from Unit 61398, which has been geo-located back to a known PLA building in China, no such direct evidence is available in the case of the Russian groups beyond the fact that their working hours link the activity to Moscow and St. Petersburg.
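The working-hours heuristic mentioned above, as an added illustration that is not part of the original article: given UTC build timestamps from a constructed (not real) set of binaries, score each candidate UTC offset by how many builds fall within a Monday-to-Friday working day and report the best fit.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC build timestamps from a hypothetical set of malware
# binaries (not real data). Ten fall on weekdays, one on a Saturday.
SAMPLE_TIMESTAMPS_UTC = [
    datetime(2015, 3, 2, 6, 15, tzinfo=timezone.utc),    # Mon
    datetime(2015, 3, 3, 9, 40, tzinfo=timezone.utc),    # Tue
    datetime(2015, 3, 4, 11, 5, tzinfo=timezone.utc),    # Wed
    datetime(2015, 3, 5, 14, 50, tzinfo=timezone.utc),   # Thu
    datetime(2015, 3, 6, 8, 20, tzinfo=timezone.utc),    # Fri
    datetime(2015, 3, 7, 10, 0, tzinfo=timezone.utc),    # Sat (outlier)
    datetime(2015, 3, 9, 12, 30, tzinfo=timezone.utc),   # Mon
    datetime(2015, 3, 10, 7, 45, tzinfo=timezone.utc),   # Tue
    datetime(2015, 3, 11, 13, 10, tzinfo=timezone.utc),  # Wed
    datetime(2015, 3, 12, 10, 0, tzinfo=timezone.utc),   # Thu
    datetime(2015, 3, 13, 14, 5, tzinfo=timezone.utc),   # Fri
]


def working_hours_score(timestamps_utc, offset_hours, start=9, end=18):
    """Fraction of timestamps that land Mon-Fri between start and end (local
    hours) once shifted into the zone UTC+offset_hours."""
    if not timestamps_utc:
        return 0.0
    zone = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = ts.astimezone(zone)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps_utc)


def best_offset(timestamps_utc, candidates=range(-12, 15)):
    """Return (best_offset, {offset: score}) over the candidate UTC offsets.
    Ties go to the offset nearest UTC so the choice is deterministic."""
    scores = {off: working_hours_score(timestamps_utc, off) for off in candidates}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


if __name__ == "__main__":
    best, scores = best_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best fit: UTC{best:+d} ({scores[best]:.0%} of builds in working hours)")
    for off in (2, 3, 4):
        print(f"  UTC{off:+d}: {scores[off]:.0%}")
```

On this sample the best fit is UTC+3 (Moscow), with neighbouring offsets scoring visibly lower; build timestamps are trivially forgeable, so a result like this is supporting evidence only, never proof on its own.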

Like the Chinese, the Russians appear just as happy to hack foreign businesses for financial gain as well as nation states for intelligence gathering purposes. The financial element may well be linked, as some experts suspect, to the government’s ties with organised cybercrime gangs who are allowed to operate with relative impunity if they perform hacking favours for the powers that be.

Where Russia really comes into its own is with the sheer quantity of skilled coders and hackers it has to recruit from. Hardly surprising then, that when at the end of last year a ‘Stuxnet-like’ attack on a German steel plant managed to cause the shutdown of blast furnace hardware, it was blamed by some on Russian state-sponsored hackers.

4. Israel

“Israel is capable and willing to go on the cyber offensive in order to defend itself.”

Israel has, without much doubt, one of the most capable of cyber-army units in the form of Unit 8200. It also has, equally without much doubt, its fair share of nation state enemies. Helped in no little part by the alliance it has with the West, in particular the United States which has provided huge amounts of aid (including military funding), Israel has fought to demonstrate just how powerful a cyber force it is.

It famously set these powers against Iran back in 2008, where it was heavily involved in the destruction of the programmable logic controllers for the centrifuges producing weapons-grade uranium at an Iranian nuclear processing plant. In what became known as the Stuxnet worm attacks, an incredible level of resource was put into this one hack; from the coding complexity, through to the use of three hugely valuable zero day exploits, to the fact that this was the first attack known to have ‘jumped the gap’ and actually disabled critical national infrastructure hardware. None of this came cheap, but it served to highlight that Israel is capable and willing to go on the cyber offensive in order to defend itself.

In recent news, it is thought that Israeli hackers were behind the use of a new Duqu spy worm variant (originally derived from Stuxnet) to infect three hotel networks where the US/Iranian nuclear negotiations were being hosted. The same worm, utilising three zero day exploits, was also found within some Kaspersky systems, and led to Eugene Kaspersky condemning the attackers for attempting to spy on cybersecurity companies.

5. North Korea

The Democratic People’s Republic of Korea (to give it its full title) is pretty much the dictionary definition of a tinpot dictatorship, with the ‘supreme leader’ Kim Jong-un at the helm.

“The highest profile alleged attack was on Sony Pictures in response to The Interview movie which mocked Kim Jong-un.”

South Korea remains the principal target for most of its state-sponsored cyber attacks – after all, the two countries are still officially at war. It’s not an exclusive foe though, with the United States, which maintains a military presence in the South to help police the fragile truce, also on the hacking radar.

Just how successful it has been is open to much debate within both IT and national security communities. As far as South Korea is concerned, much of the hacking is government and media focussed but there are also critical national infrastructure targets such as nuclear reactors on the radar – not that it’s had any success so far.

When it comes to the US, the highest profile alleged attack was on Sony Pictures in response to The Interview movie which mocked Kim Jong-un. Although there is still no definitive proof in the public domain, US intelligence agencies have pointed towards the North Korean elite hacking unit, Bureau 121, as being behind it. We are told they know this as US intelligence has spyware in place which monitors the 5,000 to 6,000 hackers in its employ. That there was no advance warning of the Sony breach despite this supposed surveillance does pour some cold water on the claims, but even so North Korea remains the most likely suspect.

This is at the very least somewhat surprising though – North Korea has little in the way of resources to build a truly world-class cyber-warfare division. It is thought that some of the traditional military budget has been siphoned off to the online side of things, and most of this has gone towards establishing Bureau 121 as its (much smaller and far less capable) version of the Chinese PLA Unit 61398. Bureau 121 is thought to have received training from Russia, which is known to provide such services from within its own state-sponsored cyber capabilities.

But what about the hackers who aren’t government-controlled? Click here to take a closer look at Anonymous – the global hacking collective – and find out where it came from and who its targets are.