Rogue governments are increasingly outsourcing cyberattacks to criminals in the borderless domain of cyberspace to wreak havoc on the U.S. and other nations around the world.
China, Iran, Russia and other foreign adversaries have contracted with hackers, deployed sophisticated spyware technology and used social media platforms as tools to facilitate espionage.
The U.S. and its allies blamed the Microsoft Exchange hack, which compromised tens of thousands of computers, on “criminal contract hackers” working for China’s Ministry of State Security), a senior Biden administration official said.
The Justice Department has indicted four Chinese nationals, including three suspected officers of the Ministry of State Security, in the malicious cybercampaign. The ministry recruits hackers through universities in Hainan and elsewhere in China.
“Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address,” the Justice Department said.
Chinese Foreign Ministry spokesperson Zhao Lijian posted a message to Twitter rejecting the U.S. and allies’ condemnations as “groundless accusations” and claiming that the U.S. was the “world’s top ‘hacking empire.’”
China is not the only outsourcer of cyberattacks. Facebook said it observed a group of hackers in Iran outsourcing the development of malicious software to several cybercriminal gangs.
Facebook’s Mike Dvilyanski and David Agranovich said Mahak Rayan Afraz, an information technology company in Tehran with suspected links to the Islamic Revolutionary Guard Corps, developed a portion of the malware used by the Iranian hackers leveraging Facebook as part of a “broader cross-platform cyber espionage operation.”
The hackers used custom-created malware tools and shared links to malicious Microsoft Excel spreadsheets that enabled the malware to profile a victim’s machine, Mr. Dvilyanski and Mr. Agranovich wrote on Facebook’s blog last week. Facebook said it found the hackers targeting “military personnel and companies in the defense and aerospace industries primarily in the U.S., and to a lesser extent in the U.K. and Europe.”
Google recently revealed that Russian hackers used LinkedIn messages to target government officials using Apple devices. Google’s Threat Analysis Group identified the hackers as “a likely Russian government-backed actor.” Google said it was the same actor that other cybersecurity professionals linked to a group affiliated with the Russian Foreign Intelligence Service (SVR).
The U.S. government blames the SVR for the SolarWinds hack of computer network management software.
The outsourcing of cybercombat is not limited to governments using academics to spot skilled hackers or commercial businesses staffed with former regime officials. In some instances, authoritarian regimes rely on off-the-shelf tools and technology to monitor and disrupt their targets.
The Israeli tech and spyware firm NSO Group has sold Pegasus, a product that can access a smartphone’s messages, camera and microphone without any action from the user. The Pegasus Project, a collaborative investigation by more than 80 journalists and 17 media outlets from 10 countries, was organized by the news outlet Forbidden Stories. According to the Amnesty International Security Lab, which provided technical support to the Pegasus Project, Pegasus users are conducting widespread and unlawful surveillance.
The technical team said it observed cyberattackers exploiting an iPhone 12 using the newest operating system software available from Apple at the time of the report’s publication.
“The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021,” said Amnesty International’s Security Lab report. “These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now.”
The NSO Group has denied accusations by journalists and organizations participating in the Pegasus Project.
“We would like to emphasize that NSO sells [its] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” the NSO Group said Sunday in a statement on its website.
Tracking the builders and users of tools in cyberattacks has proved difficult for the U.S.
The digital presence of cybercriminal gang REvil noticeably diminished last week. REvil’s business model relies on developers and affiliates to deploy cyberattacks, making it difficult for victims to neatly pinpoint their hackers.
A senior Biden administration official said federal agents are watching the darknet to better understand the changes involving REvil but do not expect to turn off cybercriminals’ activity like a light switch.