Nation State Cyberespionage: Iran and North Korea

The nation state threat posed by Iran and North Korea is very real. Both have evolved into formidable adversaries for both government and industry. When confronted with the knowledge that either of these countries’ intelligence apparatus has its crosshairs ranged in on a country or company, there isn’t an infosec team that doesn’t belt itself in for a bumpy ride.

Iran

Iran uses its cyber capabilities to support its foreign policy, circumvent sanctions, monitor dissidents and force geopolitical rivals to invest heavily in the defense of their critical infrastructure.

The number of entities that have been singed by the Iranians is sobering in its depth and reach. Saudi Arabia has identified Iran as the No. 1 regional threat. Saudi foreign minister Adel al-Jubeir was unambiguous at the Munich Security Conference when he stated, “Iran is the only country that has attacked us repeatedly and tried to attack us repeatedly. In fact, they tried to do it on a virtually weekly basis.” He noted the Saudis are taking steps to protect their data and train their “people in order to be able to engage in offensive operations.”

Iran successfully cyberattacked Aramco in 2012, which resulted in 30,000 computers being wiped and Aramco’s operations paralyzed. In the same vein, in late September 2017 FireEye issued an assessment pointing the finger at Iran for its active targeting of Western and Saudi aerospace and petrochemical firms. The FireEye assessment identified the Iranian group APT33 as having successfully engaged in economic espionage.

Need more evidence? Symantec identified Iranian cyber group “Chafer” as conducting cyberespionage operations against a plethora of countries’ infrastructures. Israel, Jordan, United Arab Emirates, Turkey and Saudi Arabia have all experienced the unwelcome touch and feel of the Iranian Chafer group. Symantec noted the group targeted “airlines, aircraft services, software and IT services companies serving the air and sea transport sectors, telecoms services, payroll services, engineering consultancies and document management software. Outside of the Middle East, Symantec has also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm.”

Then we have security firm CrowdStrike, which noted Iranian organizations were successfully engaging in cyberespionage against dissidents, NGOs, think tanks and political activists. The number of companies fingering Iran for cyberespionage continues to grow.

We’re not done yet. The folks over at Siemens Energy issued a report indicating that 60 percent of companies in the Middle East’s oil and gas sector see their operational technology (OT) at risk. “In 75 percent of cases those questioned had experienced at least one security compromise resulting in confidential information loss or operational disruption in the OT environment in the last 12 months.” While Siemens isn’t pointing the finger at Iran or any other specific entity, the attacks are consistent with what others in the cybersecurity realm are seeing.

North Korea

When one thinks of North Korea (DPRK), one can’t help but think about its missile program and the geopolitical gamesmanship which is taking place post-Olympics. When will the next missile be tested? The DPRK uses its cyber-talents primarily for two purposes: to monetize criminal activity to fill the national coffers and to engage in cyberespionage and disruption operations.

No doubt, Sony is still smarting from the sting of the DPRK Lazarus Group cyberteams gaining access and compromising Sony’s internal infrastructure. The Sony experience was a wake-up call to the West.

North Korea, which was known to attack South Korean entities with regularity, was stretching its wings and its capability. Sony found itself in the crosshairs of the DPRK regime because it dared to create a satire featuring the DPRK and its leader(s).

More recently, FireEye has noted an increase in the activities of a group it identifies as APT37, also known as the Reaper organization. APT37 was seen to be targeting Japan, Vietnam and the Middle East. The sectors from which information was being harvested include chemicals, electronics, manufacturing, aerospace, automotive and health care. The group’s tactics, according to FireEye, demonstrate an ability to engage in social engineering at a sophisticated level indicative of pre-attack surveillance. Approaches were refined to specific targets.

Cyberespionage is Here to Stay

It’s long been said that the internet has created a dimension all its own upon which nation states will operate in their interests and counter to the interests of others. The successes enjoyed by both North Korea and Iran should send a message to all governments that the price of admission to the cybermilieu is not insurmountable and investment in cyberoffensive and defensive capabilities is in order.

One may speculate that the activities in the Middle East being attributed to Iran and North Korea are refinements of technique, style and technology, and that the infrastructure of the United States and other Western nations is the future target of Iran and the DPRK.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.