The hackers are not alone.
Researchers from cybersecurity firm Kaspersky on Wednesday revealed several cases of mysterious groups breaking into the infrastructure of suspected state-backed hackers. The cases highlight the murky world of spies targeting other spies, how hackers working for nation states could be collecting data out in the wild in unconventional ways, and how the practice can muddy the idea of attribution—ultimately determining who was behind a particular hack.
“It can be all sorts of people for all sorts of reasons,” Costin Raiu from Kaspersky said during a presentation at the annual Virus Bulletin malware conference in Madrid. Juan Andres Guerrero-Saade also co-authored the research.
Gaining signals intelligence comes in many different forms: Perhaps an agency solely uses its own resources to gather information, other agencies share data, or maybe a third party, such as an internet service provider, hands over the goods.
But sometimes, spies will piggyback off the work of another state’s hackers, as a part of “fourth-party” collection. As Der Spiegel previously reported using documents acquired by Edward Snowden, fourth-party collection is essentially letting other people do the dirty work, and then stealing the results, with the National Security Agency apparently making use of the technique.
By the Kaspersky researchers’ definition, this approach can also include one intelligence agency disrupting another’s operation by hacking their infrastructure.
In one case, the researchers explained how they previously dug into a group known as Energetic Bear. This group is likely linked to the Russian government, and has hacked an array of gas- and oil-industry targets.