Digital Threat Assessment by the U.S. Intelligence Community

The Worldwide Threat Assessment of the US Intelligence Community is a report produced by the Office of the Director of National Intelligence (DNI). Drawing on the intelligence the DNI receives from the various U.S. intelligence agencies, the report covers a wide range of threats, including those that pertain to digital security.

In this article, I will discuss the digital security threats identified in the DNI’s publication. I will specifically examine some of the key threat actors operating in the digital space and identify attack campaigns that affected government agencies and organizations alike.

Nation-States Testing More Aggressive Digital Attacks

In its report, the DNI devotes the bulk of its digital threat discussion to nation-states. These types of threat actors aren’t new. As the DNI notes in its publication, U.S. intelligence agencies detected state-sponsored attacks against Ukraine and Saudi Arabia in 2016 and 2017. But the risks posed by nation-state actors are growing.

This threat category owes its evolution in part to the rising number of nation-states with digital attack capabilities. Per the DNI’s report, that number was just one or two states in 2007. Ten years later, it grew to more than 30. That’s not to say every nation-state actor that now possesses digital attack capabilities has a reason to use them. The key point is that they have the means to exert force in the digital space. This development raises the likelihood of at least some nation-states continuing to use digital attacks as what the DNI report terms “a low-cost tool of statecraft.”

Another reason for the growing digital risk posed by nation-states is that some actors are changing the types of online operations they’re willing to conduct. The DNI made this point clear in its threat assessment:

The use of cyber attacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks. Russia, Iran, and North Korea, however, are testing more aggressive cyber attacks that pose growing threats to the United States and US partners.

Provided below is a summary of how Russia, Iran and North Korea are expected to test more aggressive digital attacks going forward.

Russia

The Director of National Intelligence forecasts in its report that Russia will become “bolder and more disruptive” in its digital attacks. In particular, the report states that Russia will continue its attempts to infiltrate critical infrastructure operated by the United States and its NATO allies, building on its track record of digital operations, which includes being accused of perpetrating the 2015 attack against Ukraine’s power grid. The United States has also blamed Russia for the global NotPetya wiper malware campaign, an attack that started in Ukraine but ultimately spread worldwide and caused hundreds of millions of dollars in losses for big names in the shipping, pharmaceutical, food & beverage and construction sectors. The DNI predicts that Russia will also continue “hack-and-leak” operations, DDoS campaigns, and other offensives.

Iran

Based on its intelligence, the DNI anticipates that Iranian actors will use digital operations to position themselves for additional attacks in the future. The report predicts that Iran will specifically seek to gain footholds in the networks of the United States and its allies for the purpose of conducting espionage. However, the Director of National Intelligence said that Iran will primarily target Middle Eastern government agencies and organizations with threats like Shamoon, a wiper malware which first emerged in 2012 and resurfaced four years later in attacks against Saudi Arabian government agencies and energy companies.

North Korea

The DNI foresees that North Korea will continue to target South Korea and the United States going forward. The report notes that this nation-state has a number of high-profile attacks from which to draw lessons and mold new campaigns. Most notable among these are the global WannaCry ransomware attack in May 2017, a campaign that infected hundreds of thousands of machines in more than 150 countries, and the heist of $81 million from the Bank of Bangladesh in 2016.

Other Notable Threats

Russia, Iran and North Korea aren’t the only threat actors discussed in the DNI’s worldwide threat assessment. The report mentions that the United States continues to identify digital activity from China, though these operations have been less numerous since the United States and China mutually agreed in September 2015 to not steal each other’s intellectual property, classified military information, or businesses’ trade secrets via digital means. The DNI also highlights the ongoing efforts of international criminals to conduct for-profit digital attacks, including ransomware campaigns by which they steal information and then extort U.S. organizations.

Fueling these criminals’ attacks is the growth of crimeware-as-a-service (CaaS), a business model in which bad actors purchase malware as part of a subscription. As noted by threat intelligence provider Recorded Future, it is no longer common for experienced software professionals to develop their own malware in order to target specific systems and organizations. Nowadays, malware authors create packages and sell them inexpensively on underground web marketplaces. This model favors broad usability over exploit diversity: Recorded Future found that those who develop CaaS products are more likely to tailor their services to a small number of vulnerabilities that affect large numbers of potential targets. At the same time, many CaaS packages are customizable, if not modular, in design, allowing attackers to adapt their malware payloads and attack campaigns to any target they wish.

Malware a Common Factor

The threat actors discussed in the DNI’s report all have different motivations and goals. Even so, they all share a willingness to use malware to achieve their ends. Those malicious programs aren’t all created equal.

Some are like NotPetya and Shamoon in that they’re advanced threats leveraged by a small number of threat actors, if not a single attacker, for a specific purpose. Others like the CaaS offerings discussed by Recorded Future afford criminals greater flexibility and faster time to market in their malware campaigns. These differences notwithstanding, actors in both threat categories have conducted malware attacks that affected organizations of various sizes. This history indicates that the DNI’s report applies not just to government entities but to enterprises and businesses, as well.

Organizations need to defend against all of those threats if they are to keep their data safe. Of course, doing so isn’t easy given the variety of malware in circulation. Enterprises need a solution that’s flexible enough to protect them against custom malware and CaaS products.

Here at Lastline, we provide our customers with advanced AI-driven network security that helps them tilt the odds in their favor and acts as a force multiplier on their existing digital defense efforts. By leveraging AI in network traffic analysis, threat remediation, alerting, and reporting, as well as data collation with validation against known threat data, Lastline makes it possible for security teams to stay on top of the emerging threat landscape and redirects the time they previously spent on repeated, mundane tasks to more effective threat hunting and mitigation workflows.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.