Cyber-terrorism is an underestimated risk capable of generating catastrophic losses. The challenge of protecting against cyber threats is made more difficult by the involvement of nation states in sponsoring acts of international cyber aggression via their proxies.
In the aftermath of the events of September 11, 2001, several innovative scenarios for terrorist attacks were postulated, but the vast majority were far beyond the capabilities of terror groups. Indeed, the tradecraft required to employ technology and tools effectively remains an important limiting factor, particularly against more hardened targets such as critical infrastructures.
On the other hand, state-sponsored terrorism creates far more opportunity for a devastating attack, but any hint of a state-sponsored terror incident will likely be met with retaliation. However, cyber terror attacks that are done anonymously by a state operative or a proxy reduce the chances of reprisals. Accordingly, it is possible to postulate numerous novel cyberattack scenarios that might have a realistic chance of success, if sponsored or resourced by a state.
Cyberattacks can be a very effective asymmetric tool for causing damage to more militarily powerful adversaries. Cyber campaigns run by nation-states are a vital tool of statecraft and a low-priced way to retaliate against their adversaries. They range from nuisance webpage defacements to espionage and could escalate to attacks that cause serious disruption that might lead to loss of life.
Many states today also project their power in cyberspace through non-state proxy groups. Based on the Council on Foreign Relations' Cyber Operations Tracker, at least 28 countries are suspected of sponsoring cyber operations via a proxy group. Moreover, several of these countries are potential adversaries of the West, including China, Russia, North Korea and Iran.
Nation-states leverage non-state cyber proxies for four distinct reasons. First, proxy associations allow states to assert plausible deniability. This is particularly so in the case of cyber operations, where cyberspace makes attribution for attacks a difficult endeavor.
Second, states use cyber proxies to avoid engaging in direct conflict with one another. Operations by way of proxies tend not to impose the same cost of heightened casualties and tend to be much cheaper to execute. Many nations are currently pursuing cyberwarfare capabilities, oftentimes by leveraging criminal organizations and irregular forces.
Third, many non-state groups have advanced cyber capabilities that are beyond the abilities of even nation-states. Unlike in conventional warfare, states do not have a monopoly on cyber weapons. In fact, many non-state entities such as criminal networks have sold their services and tools to countries such as North Korea. The recruitment of cybercriminals into state operations has led to an exchange of more sophisticated tactics, techniques and procedures (TTPs) that can potentially improve a nation's cyber arsenal.
Last, nation-states leverage non-state cyber proxies because the current global environment is conducive for such actors to operate. The current international cyber-law framework remains feeble, as states continue to be unable to agree on basic standards and norms of responsible behavior in cyberspace. This allows non-state groups to function in the global environment with impunity.
State-sponsored actors are organized and well resourced. Consequently, they have the luxury of being methodical in their attack schemes. They can be patient, build the appropriate agents and craft their attacks to suit their targets.
Typical attacks by state operatives or proxies will focus on the private sector. State regimes often direct their cyber operations against private industry, which is generally less well defended than government networks.
Consider the following incident in 2016, where alleged hackers linked to the Lazarus Group, an advanced persistent threat (APT) group associated with North Korea, carried out a US$81 million heist by breaching Bangladesh Bank's systems and using the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network to send fraudulent money-transfer orders to the Federal Reserve Bank of New York, where the Dhaka bank has an account. These hackers quietly waited for months to familiarize themselves with the bank's daily operations, all the while collecting passwords that gave them access to the SWIFT network, which global financial institutions use to transfer information about financial transactions.
These were not the only attacks linked to the Lazarus Group. In January 2019, state-backed hackers from North Korea infiltrated the Bank of Chile's ATM network and siphoned off $10 million, and in August 2018, $13.5 million was siphoned away from India's Cosmos Bank through simultaneous withdrawals across 28 countries.
State-sponsored cyber actors are resourceful and methodical. They conduct espionage, infrastructure disruption, and financial pilfering for their respective sponsors. As more critical infrastructure systems become connected, state proxies will exploit these new opportunities. It is essential that the cybersecurity community be vigilant to identify and track their tactics, techniques, and communication preferences.