Government hacking exploits, unfortunately, pose a very real threat for organizations of all kinds, and those of us working in cybersecurity need to be aware of it.
A decade ago, the majority of government-sponsored attacks were launched against other governments, and most aimed at demonstrating a state’s capabilities rather than causing real disruption. There are now signs that this is changing: governments around the world have ramped up cyber operations and are increasingly targeting commercial organizations.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
In just the last few months, we have seen many government hacking attempts:
- July 2020. Canada, the UK, and the U.S. announced that hackers associated with Russian intelligence had attempted to steal information related to COVID-19 vaccine development.
- July 2020. Media reports say a 2018 Presidential finding authorized the CIA to cyber operations against Iran, North Korea, Russia, and China. The operations included disruption and public leaking of information.
- June 2020. Suspected North Korean hackers compromised at least two defense firms in Central Europe by sending false job offers to their employees while posing as representatives from major U.S. defense contractors
In this article, we’ll look at the top exploits used by governments, and how to deal with these attacks:
- Top Exploits Used by Hackers
- What Classifies as Government Hacking?
- What Is The Government Doing to Stop Hacking?
- Government Hacking Case Examples
- How to Deal with These Types of Attacks
For the purposes of this article, we will define ‘government hacking’ as government entities (e.g. national security or law enforcement agencies or private actors on their behalf) exploiting vulnerabilities in systems, software, or hardware to gain access to information that is otherwise encrypted, or inaccessible. As we’ll see, these practices are extremely common.
Top Exploit Methods Used by Government Hackers
When it comes to describing the exploits and tactics used by government hackers, we are faced with two difficulties. One is that the methods that government hackers use are cloaked in secrecy. Secondly, each government has different motives when it comes to launching attacks, and therefore uses different tactics.
There are, however, some ways of finding out a little about how government hackers operate. One source of information on this is generously provided by Verizon as part of its annual Data Breach Investigations Report (DBIR). This report indicates that government hacking has increased significantly over the past few years, and details the most common methods used by government hackers:
Another source of information on government hacking has come from leaks from the US government. Back in 2016, Wikileaks published a huge portfolio of CIA reports known as Vault 7, and these provide an interesting insight into the methods used by the US government. The analysis highlights a shocking series of security failures at one of the world’s most secretive entities, but the underlying weaknesses that gave rise to the breach also, unfortunately, are all too common in many organizations today.
The third source of information comes from cyber weapons that have been caught “in the wild”. The canonical example of this is Stuxnet, a weapon developed by the US military to sabotage uranium enrichment centrifuges in Iran. Stuxnet was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled. Since the release of the weapon in 2010, many analyses have performed post-mortems on the virus, in order to reveal the capabilities of government hackers.
By analyzing these sources of information on the methods used by government hackers, and by slicing the raw data that DBIR provides, we can provide a little more insight into these government-orchestrated attacks. In the table above are listed the top six attack mechanisms used by state hackers. As the DBIR notes, these 121 breaches are based on well-rehearsed exploits in which certain actions almost always appear.
The breach incidents most likely go something like this: a user sitting at a desk somewhere—Fortune 500 company, defense contractor, research university—falls for an email phishing attack in which a backdoor is loaded onto the user’s computer. This is a particular source of a threat if the employee is working remotely.
This bit of malware then contacts the foreign government’s command and control (C2) server. The C2 servers instruct the backdoor to perform some simple commands, which can include walking a file system and then exporting data that is considered interesting. Often the foreign government is also searching for the file of password hashes—password dumping—so that it can do a reverse lookup and then hack into these accounts remotely.
Of course, this is not an unusual scenario for a more sophisticated type of non-government hacker. The key point here is that traditional preventive methods and Plan B-type mitigation would still apply.
For example, the current DBIR yet again reminds readers—they’ve been saying this for years—that two-phase authentication would block 80% of attacks involving passwords. What works for ordinary cyber thieves do just as well for cyberspies logging in from mainland China. And auditing and monitoring of file activity would spot Jane’s military worker accessing documents and system files she doesn’t normally touch.
We’ve little doubt that US military contractors who have been compromised were victims of the scenario we sketched out. A more detailed account of an actual attack by the Chinese military can be found here. It roughly follows this scenario based on the DBIR data but has some interesting variations.
Our advice to companies dealing with these types of attacks? Stay calm, carry on, and focus on the breach prevention and mitigation techniques—check out the 2013 DBIR for more ideas—you had always intended for using against standard cyber thieves.
Quick Review: What Classifies as Government Hacking?
One of the major difficulties faced by organizations when it comes to government hacking is working out if a particular attack originated with a government at all.
Tracing the source of an attack in this way is known as “attribution”, and it is extremely difficult to do. The difficulty is also compounded by the fact that many government hackers will attempt to make their attacks look like those launched by “freelance” hackers, and by the fact that many governments (including Russia) employ external hacking groups in order to retain deniability.
This has become known as the “attribution problem”. Working out who launched an attack sounds simple enough, but a fundamental concept in cybersecurity and digital forensics is the fact that it is sometimes extremely difficult after a cyberattack to definitively name a perpetrator. Hackers have a lot of technical tools at their disposal to cover their tracks. And even when analysts figure out which computer a hacker used, going from there to who used it is very difficult.
When the Obama administration placed blame for the 2014 Sony Pictures hack on North Korea, for example, much of the security community agreed with the consensus, but there was also some prominent skepticism. Part of this was because Obama did not disclose that the US had the direct ability to spy on North Korean internet activity before and during the attack on Sony. These details were later reported by the New York Times. But inconsistent access to full evidence can make it difficult for individuals and civilian security firms to vet government attributions.
This said, there are some organizations that can help you to perform attribution analysis. One of these is FireEye’s Advanced Practices Team, who use white hat methods to investigate the source of attacks and let you know if you’ve been targeted by a government.
What are the Security Risks of Government Hacking?
If you work as part of a security team at a commercial organization, it might seem that the world of international espionage would be a minor concern. That is definitely not the case.
Cyber vulnerabilities of any kind, whether for law enforcement purposes, security testing, or any other purpose, should not be taken lightly. From a technical perspective, hacking information, communications, or technology (ICT) resources without the consent of the user/owner is always an attack, regardless of its motivation. Attacks can damage a device, system, or an active communications stream, or leave them in a less secure state. This significantly increases the risk of future breaches, potentially causing harm to all users of the system.
More specifically, there are many dangers of government hacking, and these apply even to commercial organizations:
- Exploits can be stolen, leaked, or replicated. Even government entities with the highest levels of security have been compromised. For example, the ShadowBrokers group hacked the U.S. National Security Agency and publicly exposed the agency’s EternalBlue zero-day exploit, and the Italian security firm Hacking Team was hacked in 2015.
- Any exploit, regardless of its origin, can be re-purposed by criminals or nation-state actors to attack innocent users. The Petya/NotPetya ransomware (based on EternalBlue) caused real-life consequences such as delays in medical treatment, suspension of banking operations, and disruption of port services.
- Commercial hacking teams do not only sell their services to the “good guys”. In 2019, security researchers discovered that the software from the NSO Group, an Israeli cyber intelligence firm used by many government agencies, had been used to covertly hack into the WhatsApp accounts of journalists and activists to surveil their communications.
- One target can turn into many. While ideally, by design, government hacking is intended to be targeted and surgical, hacking techniques and exploits, even if intended for only one target, can also be used against a great number and variety of devices or software. In addition, exploits can also be used by countries for other purposes, and notably to engage in cyber-attacks or cyber warfare by various advanced persistent threat actors (APTs) that are often state-aligned. Possibly the most famous example of an APT is the Stuxnet virus that we mentioned above: though this virus was designed to destroy Iranian nuclear centrifuges, it then spread around the globe (well beyond the intended target) affecting millions of other systems.
- Weaknesses in computer systems are discovered by attackers all the time. Keeping a weakness secret (to exploit it later) won’t prevent it from being discovered by others. For example, for the Android operating system, the rediscovery rate for high and critical severity weaknesses is as much as 23% within a year.
- Crossing jurisdictions. There is also the risk of inadvertently infiltrating or tampering with a foreign nation’s networks or systems — an act that could be regarded as an attack against the nation, its interests, or its citizens, with the associated political, economic and potential cyber-attack consequences. It also may encourage some countries to pursue a sovereign Internet approach.
What Is The Government Doing to Stop Hacking?
In the USA, there is government support available to help you identify and defend yourself against government hacking. The central agency charged with this task is CISA, part of the US Department of Homeland Security. This agency frequently issues alerts that detail current security issues, vulnerabilities, and exploits. You can sign up to receive these technical alerts in your inbox.
CISA reports are offered at various levels of technicality:
- Current Activity Provides up-to-date information about high-impact types of security activity affecting the community at large.
- Alerts Provide timely information about current security issues, vulnerabilities, and exploits.
- Bulletins Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
- Analysis Reports Provide an in-depth analysis of a new or evolving cyber threat.
While this support is certainly useful, you should not rely on it to prevent all types of attacks. Specifically, CISA cannot help you to avoid insider threats, and there is typically a delay between a threat being discovered and it becomes the subject of an alert. For this reason, you still need to perform your own threat modeling, and factor in the likelihood of government-sponsored attacks into this.
3 Sample Government Hacking Cases
Over the past few years, the government has increasingly turned to hack as an investigative technique. Specifically, the Federal Bureau of Investigation (“FBI”) has begun deploying malware: software designed to infiltrate and control, disable, or surveil a computer’s use and activity. This approach has led to the government having to defend its activities against charges that it has overstepped its authority. The legality of these techniques is still a gray area, but here are the key decisions from recent cases:
United States v. Feldman
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF WISCONSIN; Jan 19, 2015; Case No. 13-CR-155 (E.D. Wis. Jan. 19, 2015)
The government charged defendant Jeffrey Feldman with receiving and possessing child pornography. Defendant filed motions to compel discovery regarding the computer program (“RoundUp”) used by law enforcement to initially detect the alleged presence of child pornography on his computer, and to suppress the evidence gathered pursuant to a subsequently obtained search warrant, arguing that the warrant application failed to establish probable cause and that the affiant misled the issuing magistrate.
The judge, in this case, found a lack of materiality where the defendant was charged with receiving and possessing child pornography based on a search of his computer and not the use of the government’s software.
The United States v. Paul
UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION; Dec 6, 2016; No. 11-cr-580-2 (N.D. Ill. Dec. 6, 2016)
On April 23, 2009, the defendant signed a proffer letter and began cooperating with the government’s investigation, providing information concerning both his and others’ roles in fraudulent billing practices at his chiropractic clinics.
However, prior to being sentenced, however, Defendant filed, on May 5, 2015, a motion to withdraw his guilty plea and dismiss the indictment against him. Insofar as the motion alleged that the Defendant had a grant of immunity or deferred prosecution from the government and should not have been indicted, because the investigatory methods used in the case were illegal. Nevertheless, the Court denied the Defendant’s motion to withdraw his guilty plea.
United States v. Michaud
UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON AT TACOMA; Jan 28, 2016; CASE NO. 3:15-cr-05351-RJB (W.D. Wash. Jan. 28, 2016)
Mr. Jay Michaud, a resident of Vancouver, Washington, was charged with receipt and possession of child pornography. The charges against Mr. Michaud stemmed from Mr. Michaud’s alleged activity on “Website A,” a website that, according to the FBI, was dedicated to the advertisement and distribution of child pornography. Website A was created in August of 2014, and by the time that the FBI shut the site down, on March 4, 2015, Website A had over 200,000 registered member accounts and 1,500 daily visitors, making it “the largest remaining known child pornography hidden service in the world.”
As part of the investigation into the case, the FBI hacked and took control of this website. While controlling Website A, the FBI sought to identify the specific computers, and ultimately the individuals, accessing the site, by deploying a network investigating technology (“NIT”) that “cause(d) an activating computer—wherever located—to send to a computer-controlled by or known to the government, network-level messages containing information that may assist in identifying the computer, its location, [and] other information[.]”
However, following a complaint from the defendant, the judge found that the way in which this investigation was performed did “not directly address the kind of situation that the NIT Warrant was authorized to investigate,” and the case was struck down.
How to Deal with These Types of Attacks
Here at Varonis, we’ve helped many companies protect themselves against government hacking and espionage. Over the decades, we’ve come to realize that there are a few key principles that inform and underpin the best defenses against them. In this section, we’ll explain what these are.
Know Your Adversary
Any successful defense starts with research. All cybersecurity employees in all organizations should take the time to familiarize themselves with the most active state-sponsored actors. You should pay particular attention to actors who are known to have successfully stolen data, and who are known to be backed by states. These include Charming Kitten and Fancy Bear.
There are plenty of resources available to help you in this regard. The Department of Homeland Security in the USA frequently publishes analyses of the most active hacking groups. SBS also produces profiles on the most dangerous state-sponsored actors, which is a great place to start assessing your risk profile.
You should also subscribe to threat intelligence feeds so that you (and your security software) know which domains, servers, and malware strains are being actively deployed. This intelligence should then be incorporated into your threat detection system.
Focus on Your Data
Most state-sponsored actors are after critical data. Take for instance the recent attempt by the Russians to steal COVID-19 vaccine research. While you shouldn’t ignore endpoint and identity management, you should recognize that IP is often the biggest target for government-backed hackers.
Protecting your data means knowing where your critical data lives, and who has access to it. It also means being able to detect when something suspicious is happening. Our DatAlert system has been built to give you precisely this capability.
Do Red Team Exercises
As we’ve recently pointed out, Red Team exercises can be a very effective way of identifying security flaws in your organization and fixing them.
In the context of government-sponsored hacking, Red Teamingoffers several benefits when used in conjunction with other threat analysis techniques. Red Teaming can:
- Identify the risk and susceptibility of attack against key business information assets;
- Simulate the techniques, tactics, and procedures (TTP) of genuine threat actors in a risk-managed and controlled manner;
- Assess your organization’s ability to detect, respond and prevent sophisticated and targeted threats;
- Encourage close engagement with internal incident response and blue teams to provide meaningful mitigation and comprehensive post-assessment debrief workshops.
A Final Word
A decade ago, government hacking was largely the concern of cybersecurity analysts working for government agencies. In recent years, however, these attacks have become much more frequent, and much more dangerous. Whichever type of organization you work for, you need to be aware of government hacking, and how to protect your systems against it. In addition, a thorough knowledge of government hacking is now an essential skill for anyone looking to build a cybersecurity career.
In this guide, we’ve given you an introduction to the topic and shown you some key ways to protect yourself.
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.