The digital world is a confusing place, what with all of its technical jargon like “cyber-attack”, “threat-space” or “tweeting”. And most of the news from what can only be described as a digital war zone never makes it into mainstream media. There is a lot happening, especially these days, which has kept most private intelligence agencies incredibly busy. Your only experience with this war zone might be the occasional stray email promising wealth, love, or a larger undercarriage, but that is hardly ever the worst of it. While some might take the bait and lose a couple of grand, the larger operations span years and target international corporations, public services, or governmental and military sites containing classified information. And the reasons for it all are as varied as the grains of sand on the beach.
This is what we call a “Threat-space”. It basically means that everything is a target, but the reasons for each potential attack, and the main goal of that attack, differ for every target. For example, someone attacking the digital assets of, say, an oil company is more likely to be a hacktivist or radical environmentalist motivated by publicity or by causing harm, while someone attacking the servers of an aerospace company or a financing house could be a competitor looking for an edge or an organized criminal group looking for information to sell. Similarly, someone attacking the servers of conference halls or hotels could be another nation's intelligence service searching for specific persons.
The point is, while the nature of the attacks and the methods used are pretty much the same, the real challenge lies in uncovering the motivation behind an attack and identifying the perpetrators, which becomes harder and harder as major operations grow more complex and the tools more sophisticated.
For instance, a group of hackers originating from China, or at least from Chinese servers, spent a considerable amount of time from 2009 to 2014 breaching sites and hotels hosting international defense conferences and conventions. They then scoured the web and social media to cross-reference lists of guests and attendees in order to build a list of targets. They have since been behind a number of attacks, mainly in the form of spear-phishing against government officials from the US, UK, EU, Israel, Japan, Switzerland and so on. And these spear-phishing attacks have been successful.
Sure, we all know not to trust those shady emails in bad English supposedly from your bank asking for your private information. But by gathering a vast amount of information, and cross-referencing which targets were at the same convention, they managed to create emails and messages tailored to each target and to any other person the target may have encountered at the conventions. A complete stranger claiming to work for your local bank is obviously a nefarious individual; an email from a colleague you shook hands with at a recent seminar, however, is easy to fall for. That is what made the operation incredibly effective.
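The "email from a colleague you met last week" case above is exactly the one a mail filter tuned for bad English and unknown senders misses. One defensive check that does catch it is to compare the display name on an incoming message against the recipient's own contact directory and flag messages where a known name arrives from an address that is not the one that person normally writes from. The following is an added example written for this post, not code from the original article or from any of the firms it names; the contact directory and the sample messages are constructed, and the digit-for-letter normalisation is a deliberately simple heuristic for lookalike domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed contact directory: people the recipient actually knows (for
# example, from a recent conference) and the address each one normally uses.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example-aero.com",
    "Bob Smith": "bob.smith@example-aero.com",
}

# Constructed sample messages, not real mail. Only the headers matter here.
SAMPLE_MESSAGES = [
    # 1. Genuine follow-up from a known contact at her usual address.
    "From: Jane Doe <jane.doe@example-aero.com>\n"
    "Subject: Slides from the panel\n\nAttached as promised.\n",
    # 2. Same display name, but the domain swaps a zero for the letter o.
    "From: Jane Doe <jane.doe@example-aer0.com>\n"
    "Subject: Slides from the panel\n\nPlease open the attached document.\n",
    # 3. Same display name from an unrelated webmail domain.
    "From: Jane Doe <j.doe.personal@webmail.example>\n"
    "Subject: Following up from the seminar\n\nGreat meeting you.\n",
    # 4. Nobody the recipient knows; ordinary mass-phishing shape.
    "From: Customer Service <alerts@bank.example>\n"
    "Subject: Verify your account\n\nClick here.\n",
]

# Map the most common digit substitutions back to the letters they imitate so
# that "aer0" compares equal to "aero". Extend the table for your own domains.
_LOOKALIKE_TABLE = str.maketrans("013", "ole")


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and undo simple digit-for-letter substitutions."""
    return domain.lower().translate(_LOOKALIKE_TABLE)


def classify_sender(raw_message: str) -> str:
    """Classify one RFC 822 message by its From header.

    Returns one of:
      'trusted'               - known name, known address
      'lookalike-domain'      - known name, domain differs only by substitution
      'display-name-mismatch' - known name, address belongs to someone else
      'unknown'               - display name is not in the contact directory
    """
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(display_name)
    if expected is None:
        return "unknown"
    if addr.lower() == expected.lower():
        return "trusted"
    actual_domain = addr.rsplit("@", 1)[-1]
    expected_domain = expected.rsplit("@", 1)[-1]
    if normalize_domain(actual_domain) == normalize_domain(expected_domain):
        return "lookalike-domain"
    return "display-name-mismatch"


def triage(messages):
    """Classify a batch of raw messages, preserving order."""
    return [classify_sender(m) for m in messages]


def flagged(messages):
    """Indices of messages that impersonate a known contact."""
    return [i for i, verdict in enumerate(triage(messages))
            if verdict in ("lookalike-domain", "display-name-mismatch")]


if __name__ == "__main__":
    for i, verdict in enumerate(triage(SAMPLE_MESSAGES), start=1):
        print(f"message {i}: {verdict}")
```

Messages 2 and 3 are the ones the post is about: they would sail past a filter that only looks for unknown senders, because the name is familiar. Note that the check does nothing for message 4, which is deliberate; "unknown sender" is already covered by ordinary filtering, and the value of this rule is in the contradiction between a familiar name and an unfamiliar address.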
Private intelligence agencies like Insight Partners and FireEye still uncover traces of stolen information, or of people in the aerospace industry or western militaries falling for newly crafted phishing emails. Western official channels regularly reveal new pieces of stolen information, in particular the US, which has been the main target of the Chinese cyber-attacks lately.
The most recent revelation of lost information came this August from the Pentagon, whose systems had been breached with entire archives stolen. Earlier this summer it was the OPM hack, in which the information on roughly 22 million current and former government employees was compromised. Before that it was the US gas pipeline systems that were breached. And before that again, a number of health insurance firms like Anthem Inc. and the healthcare service provider Premera Blue Cross were breached, with vast amounts of information stolen. Before that again, a number of service providers such as electrical companies, telecom, broadband and cable companies were all breached between 2011 and 2014. Not to mention systems related to the pharmaceutical industry, warehouses, car rentals and more. Even the White House and joint officials at the Pentagon have been targeted by the attacks.
The targets listed here are just a tiny fraction; in fact there have been over 600 attacks from Chinese sources since 2010, and the information stolen has been more about corporate advantage than militarily motivated, with plans and product information on new computer systems, electric cars, pharmaceutical drugs, appliances and more being stolen, in addition to attacks on military contractors like Lockheed Martin and similar. The strongest attacks have been in California, the US high-tech state, and by strongest I mean the most numerous. Cyber security companies, anti-virus and firewall developers, Google, AOL, Apple, Microsoft and more have all been targeted in the California attacks.
This is all very serious, but I would like to pay a little more attention to the user information stolen. The OPM (Office of Personnel Management) hack exposed information about security clearances, social security numbers, personal details, living history and so on. In other words, it would give you a pretty clear picture of how someone was doing financially, where they are living, and whether or not they may have access to classified information. Then you have the breaches into health insurance firms and healthcare service providers. The information stolen there would give a very clear picture of someone's health: whether they, or someone in their family, had any serious illness or needed expensive medical treatment. Combine this information with the personnel files from the White House, the Pentagon and various defense contractors, and you could easily end up with a very detailed list of persons who have access to important people or information and who are in a compromising situation, one that an outside influence promising money or medical assistance could exploit. Suddenly you have the ultimate tool for deep-level espionage.
Now why is this worrisome? Well, while much of the stolen information is not a matter of national security, such sensitive information is still stored on computer systems and closed networks that connect a building like the Pentagon without being connected to the internet. In other words, if you can access one of these computers you could, in theory, get access to highly classified information. In fact, someone already did something similar in 2008, when an infected USB drive was used at a military base in the Middle East to spread a sophisticated worm across military systems, reaching as far as computers inside the Pentagon. While the Pentagon computers containing sensitive information are disconnected from the internet these days, they are still connected to a local intranet, meaning all you need to do the same is someone on the inside.
Let's imagine a man named Johnson. Johnson is a mid-level government employee with a low-level security clearance. He has a loving wife, his high school sweetheart who stuck with him through the hard times, two wonderful kids, and he spends his nights dreaming of retirement. But he also has quite a bit of debt, a mortgage to pay, and his wife has recently been diagnosed with a serious form of cancer. The medical costs turn out to be astronomical and his insurance policy doesn't come through. Imagine then what such a man would be willing to do for a large sum of money. Perhaps even the promise of advancing in his career would be enough to motivate such a person? It has certainly worked in the past: the old KGB used to hunt down people in desperate situations and recruit them for money or the promise of a life of wealth inside the Soviet Union. And these operations were carried out in France, Indonesia, the US and Australia, to mention a few.
This brings us back to “Threat-space”. Previously the threats to the Pentagon, as an example, would be hacking attempts, terrorist attacks, or infiltration by a foreign intelligence operative. But with all this stolen information in someone else's hands, the “Threat-space” has changed radically over the last five years. And it all started with someone hacking into the booking system of a hotel.
People breaching a hotel's booking system are more likely to be simple pranksters, someone testing their skills, or, from personal experience, someone looking for a cheating spouse. For what appears to be a foreign intelligence agency to break into a hotel's booking system was something nobody could have expected; their “Threat-space” simply didn't include this.
In the same way, the Pentagon's “Threat-space” was previously pretty static. Guns and bombs weren't likely to change very much, and burly Russians with thick accents are pretty easy to spot in a crowd. But having your friend and coworker whom you have known for thirty years suddenly turn spy, well now, that's something hardly anyone can anticipate.