After the better part of a decade chasing adversaries around the Internet, there are a few things I know to be true about targeted intrusion actors operating in the interests of various nation states. These actors are rational and generally predictable; they’re working hard every day, like the rest of us. They tend to work normal business hours in their local time zone with few exceptions, and they don’t typically work on weekends. Like everyone else, they usually take off official holidays and come back refreshed and ready to work after the break. It’s always a tremendous relief when the Chinese New Year or National Day occur because things tend to slow down or completely stop around those events. Chinese operators aren’t the only players out there; similarly, our friends in Russia don’t typically work on Orthodox Christmas and other official holidays, and we can certainly count on our Middle Eastern adversaries to work Sunday to Thursday. A few weeks ago, I was alerted very early on a Saturday to intrusion activity tied to a known Chinese actor. I was initially very puzzled -- they don’t work on Saturdays -- but a quick look at the holiday calendar revealed that particular Saturday was actually following the National Day celebration, and as such it was designated a special working day.
Conversely, there are lots of times we know adversaries are going to be very active. Some of these events unfold without much notice and quickly make headlines. Two incidents involving commercial airliners come to mind. As these events occur, we often see intrusion actors engage or change behavior to collect intelligence surrounding various aspects of those world events. Over the summer, we observed the DEEP PANDA adversary change their targeting during an active intrusion in response to an unforeseen event involving the Islamic State (IS) capturing an Oil Refinery in Iraq. As provocations occur between states, we often see targeting of organizations and business in neighboring states and interests; this is generally how the provocateur can assess the impact of their provocations from a political/economic perspective.
This is especially evident in the recent case of the Haiyang 981 oil platform that was thrust into disputed territory between Vietnam and China. During the few months of this standoff, there was an eruption of targeting against various maritime, political, and business interests in Southeast Asia. This activity, which CrowdStrike associates with various Chinese intrusion operators, was likely used to provide decision makers with accurate assessments of what organizations were doing in response to the situation. This could involve learning about shipping navigation changes, official statements and positions, and even investment strategy. These situations are generally not predictable by the defender/intelligence analyst, and as such, these situations will be responded to.
There are some situations, however, that we can plan for; one such event is the G20 summit. The Group of 20 is a forum for the governments and central banks of the largest economies in the world to come together to address matters concerning international finance. The membership of the G20 includes 19 states and the European Union. It was created 1999, and since 2008 they have conducted eight Leaders' Summits in varying locations around the world. Without fail, adversary activity targeting the G20 summit escalates around the meeting. This activity encompasses all manner of motivation; in 2013, several adversaries, including NUMBERED PANDA and TEMPER PANDA, used G20-themed spear phish lures to entice would-be victims into opening malicious documents that delivered remote access toolkits. In 2012, regional actors operating under the banner of Anonymous conducted website defacements against what was viewed as the world’s most powerful meeting despite continuing poverty worldwide. The attacks are not purely conducted in the faceless ether of the Internet; at the G20 summit in St. Petersburg, reports of souvenir pouches containing USB memory sticks with malicious software surfaced from attendees.
Next weekend (November 15-16) the G20 will again meet, this time in Brisbane, Australia. The upcoming summit occurs in the specter of continuing acts of electronic aggression conducted by various adversaries with motivations including intelligence collection, disruption, and potentially even more sinister intentions. The CrowdStrike Intelligence Team routinely looks towards these remarkable world events as opportunities to provide our customers with the ability to peer around the corner. In the intelligence domain, this generally manifests as a threat assessment.
A threat assessment starts with knowing that an event is going to occur, and then with respect to what has previously happened around that event and what we know to be the current threat environment, various scenarios are considered. We assign a likelihood of such events occurring and associate them with the scenarios. In the Cyber Threat Intelligence space, we typically see indicators and analysis of breaches delivered as intelligence, and those nuggets of information are very useful for defensive purposes, but they cannot be used to drive decisions.
Using threat intelligence to drive decisions such as what defensive measures should be taken, what contingencies should be considered, and the all-important what if? with these questions in mind, we have decided to release a threat assessment (one that has been available to our customers for some time) to the general public. This assessment considers various threats to the event and its attendees such as espionage, hacktivism, physically enabled attacks, protests, and even domestic terrorism. The goal of releasing this assessment is to allow organizations to begin to consider how threat intelligence can drive business and/or enterprise decisions proactively before something occurs by incorporating intelligence such as this report with business requirements.
For additional guidance on how to incorporate threat intelligence into business decisions/enterprise defensive posture, or for more information about CrowdStrike products and services, please contact us at intelligence@crowdstrike.com.