A new breed of sophisticated hacker is emerging as one of the most worrisome digital adversaries for western intelligence chiefs: cyber privateers.
Just as England’s Queen Elizabeth I officially licensed pirates to plunder the treasure ships of her rival Philip II of Spain in the 16th century, nations such as Russia and Iran are increasingly arming and encouraging criminal and activist groups with the cyber weaponry necessary to harm their adversaries, while keeping themselves at arms length, say senior security and defence officials in the US and Europe.
“A lot of the techniques that were the preserve of state-sponsored attackers are starting to make their way into broader communities of criminals,” said Simon Goldsmith of the defence contractor BAE System’s cyber unit, Applied Intelligence. “It’s proliferating in a massive way and the object of attacks by these groups is moving from large financial theft to using the same techniques to commit sabotage and for intelligence-gathering.”
State use of proxy agents to carry out disguised attacks is not new. But a recent shift has been noted, with a significant increase in the sophistication and number of worrisome attacks from non-state groups, western security officials have told the Financial Times.
They point to a handful of serious attacks in which proxy organisations or criminal groups appear to have played a central role — with a nation state agency working in the background.
When Sony Pictures was hacked last year, the US government confidently attributed the attack to Pyongyang. However, several follow-up incidents may not have come from North Korea, even though they were disguised to appear as though they were state-sponsored. Officials say cyber privateers were probably responsible.
Likewise, when an attack was launched against JPMorgan and other large US banks last year, many in the US cyber and intelligence community believed that the Kremlin was responsible. But the US government refrained from publicly accusing Moscow because the origin of the attacks was so murky.
And, increasingly in Europe, campaigns against sensitive national infrastructure and intelligence targets appear to be linked to cyber groups whose previous interest was extortion and criminal enterprise.
Admiral Michael Rogers, US Cyber Command chief and director of the National Security Agency, has repeatedly highlighted the issue as one of the most significant trends to develop in the digital security environment this year, according to two military officials familiar with his thinking.
“[Something] I look for in the future [is] nation states using surrogates as a way to overcome our capabilities in attribution.” he said in a rare public speech in May.
Some criminal groups are now routinely using tools that could only have been developed by nation states.
“One of the reasons this business is getting more interesting is because the difference between government and non-government is becoming increasingly unclear,” said Ewan Lawson, a senior research fellow at the UK’s Royal United Services Institute and a former cyber warfare office at the UK’s Joint Forces Command.
“What is happening is that adversaries are turning to these peripheral groups and saying, ‘Here’s a list of areas we are happy for you to go into and here are some tools to do it.’ It’s a charter to hack.”
One telltale sign comes from tracing the “DNA” of pieces of malware — the malicious software used in attacks. Disentangling the evolution of such cyber weapons is nevertheless tricky: while criminals could have been given them by government agencies, they could also have copied malware already in use.
One of the greatest concerns around the rise of cyber privateering is that once criminal groups have been equipped with the ability to penetrate well-defended organisations such as foreign government agencies or utilities, there may be little to stop them from turning their attention later to other, more lucrative targets.
Officials also worry about their propensity to slip up, or overstep the mark. “They are generally more dangerous because they don’t necessarily have the situational awareness to moderate their impact,” said one western security official.
While countries such as the US are growing more confident in attributing — and retaliating to — attacks, most expect their adversaries in cyber space to ramp up their use of privateer agents.
“The Russians, in particular, spend a lot of time thinking very carefully about how to avoid stepping over the evidentiary standards of what qualifies for an armed attack or the use of force, particularly in cyber space,” said Jim Lewis, director of the strategic technologies programme at the Center for Strategic and International Studies think-tank.
“They don’t want that trail of breadcrumbs to lead right up to the Kremlin. We’re going to be more and more hamstrung by this.”