
The web is yet again awash with talk of state-sponsored espionage by our intellectual cyber-nemesis, the People’s Republic of China, following reports of a long term breach of defense contractor QinetiQ.

Although nearly everything and anything APT-related these days seems to point to China as the uber-culprit, there is a compelling alternative argument being made for the notion that Espionage-as-a-Service (EaaS) may actually be the driving force behind these high profile incidents.

Briefly, it was reported this week that the hacker group Comment Crew is behind the QinetiQ breach – the same group identified earlier this year in a report issued by security provider Mandiant, who accused the hackers of being part of People’s Liberation Army (PLA) Unit 61398 and dubbed “APT1”.

It does not take much imagination to surmise that China is engaged in espionage against the U.S., just as it is no surprise that the U.S. similarly engages in espionage against China. That’s pretty much indisputable.

The question remains, though: given that accurate attribution in the ether of cyberspace is nearly impossible, should we assume that any and all APT operations aimed at high-value targets are the result of state-sponsored espionage? Should we even assume that the majority are? Some think not.

Security researcher/instructor/consultant J. Oquendo of EFENS!VE Security Strategies just happened to pen an intriguing piece on EaaS and sent it to me the day before the QinetiQ story broke, proving once again that timing is everything.

Oquendo argues that corporate espionage for profit is being confused with, or generally just lumped in with, state-sponsored hacking operations, thus further providing cover for the real actors as vendors and the media repeatedly launch into Jan Brady-esque tirades of “China, China, China!” every time a high-profile breach is announced.

In the article, Oquendo describes what a typical state-sponsored operation might look like, involving “matters of persistence” in which the actors seek to remain undetected in order to maintain access to the targeted network and exfiltrate data over the long term.

“There is little room for error when it comes to being discovered, which means any group partaking in this activity is going to be extra cautious about identifiers. No country wants to be paraded in front of the United Nations after being caught with their hands in the cookie jar,” Oquendo said.

Oquendo describes EaaS operations as more of a pay-to-play model, quite different from historical corporate espionage, where one competitor targets another, and much more similar to a state-sponsored operation.

“Imagine a group of individuals targeting as many companies as they possibly can in the hopes of selling that data to as many competitors as possible. This makes more financial sense for a criminal. Unlike the traditional corporate espionage model, this new EaaS model targets all,” Oquendo said.

How can we tell state-sponsored from EaaS? The independent actors tend to be a little careless, Oquendo asserts, and are more likely to leave clues behind.

State actors would most likely have the advantage of working directly with highly trained forensics and counter-forensics teams in order to minimize any possible evidence of their activities.

Furthermore, if an EaaS operation is discovered, the group simply moves on to other targets, as there is no implied necessity to maintain access to any specific entity, as would be the case for a nation-state monitoring an adversary.

Oquendo, an accomplished hacker and offensive security instructor, and his fellow researchers decided to look more carefully at the evidence Mandiant had provided in their APT1 report to see if the state-sponsored conclusion the company offered was sound.

Mandiant released multiple domains in the report, and Oquendo’s team performed their own analysis to try to “determine who the culprits were, where they came from, and so forth.” Their findings “differed completely from the picture painted by Mandiant.”

“What I discovered was a group with a foothold in the travel and tourism industry as a whole,” Oquendo wrote. His team cross-referenced the domains with a database of registry information maintained by the Chinese government.

“There were hundreds (more around the 1,200 range) that were ALL (every last one of them) associated with the travel and tourism industry. I began matching up these ‘APT’ (according to Mandiant’s report) domains with a group of businesses,” Oquendo continued.

“This is what I believe this Straggler Group is. It is a group focused on targeting business(es) from all countries in the hopes of stealing information to re-sell it to their local counterparts. I am certain this group operates in this fashion, and I am also certain there are dozens, maybe even hundreds of these groups worldwide,” Oquendo contends.
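The cross-referencing Oquendo's team describes above, enriching a list of reported domains against registration records and then pivoting on what the registrants share, is the kind of analysis a defender can reproduce on their own indicator lists. The script below is an added illustration, not code from the article or from Oquendo's team; the domains, the registry records, the field names and the industry labels are all constructed placeholders, and a real run would load records exported from a registrar, WHOIS history or a national registry database.

```python
"""Cross-reference suspect domains against registration records and
summarise what the registrants have in common.

Added illustration, not code from the article or from Oquendo's team.
Every domain, record and label below is a constructed placeholder.
"""
from collections import Counter, defaultdict

# Constructed registry records keyed by domain. Field names are assumptions.
REGISTRY_RECORDS = {
    "travel-deals.example": {"registrant": "Sunny Tours Ltd", "email": "admin@sunnytours.example", "industry": "travel"},
    "cheap-hotels.example": {"registrant": "Sunny Tours Ltd", "email": "admin@sunnytours.example", "industry": "travel"},
    "fly-now.example":      {"registrant": "Blue Sky Travel", "email": "ops@bluesky.example",      "industry": "travel"},
    "tour-guide.example":   {"registrant": "Blue Sky Travel", "email": "ops@bluesky.example",      "industry": "travel"},
    "steel-parts.example":  {"registrant": "Ironworks Co",    "email": "it@ironworks.example",     "industry": "manufacturing"},
}

# Constructed list standing in for the domains published in a threat report.
SUSPECT_DOMAINS = [
    "travel-deals.example", "cheap-hotels.example", "fly-now.example",
    "tour-guide.example", "steel-parts.example", "unknown-host.example",
]


def enrich(domains, records):
    """Split the list into (matched: domain -> record, unmatched: [domain])."""
    matched = {d: records[d] for d in domains if d in records}
    unmatched = [d for d in domains if d not in records]
    return matched, unmatched


def industry_breakdown(matched):
    """Fraction of enriched domains per industry label, largest first."""
    counts = Counter(rec["industry"] for rec in matched.values())
    total = sum(counts.values())
    return {ind: round(n / total, 3) for ind, n in counts.most_common()}


def pivot_on(matched, field):
    """Group domains that share the same registrant field value.

    Only groups of two or more domains are useful as a pivot."""
    groups = defaultdict(list)
    for domain, rec in matched.items():
        groups[rec[field]].append(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def report(domains=SUSPECT_DOMAINS, records=REGISTRY_RECORDS):
    """One summary dict: how much was enriched, what it clusters on, what is left."""
    matched, unmatched = enrich(domains, records)
    return {
        "coverage": round(len(matched) / len(domains), 3),
        "industries": industry_breakdown(matched),
        "shared_registrant": pivot_on(matched, "registrant"),
        "shared_email": pivot_on(matched, "email"),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2, default=str))
```

Two caveats belong next to the output. A concentration of one industry among the registrants tells you who registered the domains, not who is operating the infrastructure; legitimate sites get compromised and used as relays, and privacy-proxied registrations collapse into one meaningless "registrant". The unmatched bucket matters as much as the matched one: a report whose domains mostly fall outside your registry source says more about the source than about the actor.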

So, just a wild theory, or is there something to this?

“Obviously, I agree with [Oquendo]. I’ve been saying for years that much of the cyber espionage that we see is not done by a state but by mercenary hacker crews who, in turn, find buyers for the data that they’ve stolen,” said Jeffrey Carr, founder and CEO of Taia Global.

Carr is one of the principal organizers of the upcoming Suits & Spooks conference, which seeks to bring together members of the U.S. intelligence community and security experts from the private sector.

“I think that’s particularly true for APT1 and Oquendo’s article does a great job of describing one such network. I’ve received a confidential Russian government report which also describes independent hackers engaging in an EaaS style operation who steal and sell intellectual property to various buyers,” Carr continued.

Jeff Bardin, Chief Intelligence Officer for Treadstone71, who has decades of experience in the intelligence game, agrees that EaaS operations have been around for years and that they don’t receive the level of attention they deserve.

“As [Oquendo] says in the beginning, nothing new here. This is basically cyber mercenaries who are apolitical and just are in it for monetization,” Bardin said. “History is full of examples and Hollywood even more so. EaaS has been around for years, just not necessarily identified as such.”

“Human cyber espionage is the main function. Some of these functions can be automated to some degree but the EaaS model is just like the human model in my view. Find someone with unique human capabilities and they perform espionage as a service for you,” Bardin explained.

Even though Oquendo did not publish any direct evidence of the travel and tourism industry threats he discovered, he is not alone in identifying these industries as being key factors in the data breach game.

“In regards the travel industry that Oquendo documented, I’m aware of at least one organization whose executive may have been a victim of just such a group,” Carr offered.

“His calendar and email had been accessed 3 weeks before a trip to China. While he was asleep in his hotel room, his laptop was accessed via the hotel’s WiFi connection. The encryption was bypassed, the hard drive was copied, the AV was turned off and the logs were erased for a 20 minute time period,” Carr said.

“We call it Advanced Persistent Threat, which is just a misnomer for cyber espionage and the many facets thereof. People and organizations call it that since they really don’t know what espionage really is. Now they are starting to get an understanding of espionage, yet the identification and awareness is much like finally realizing what the waves were from, long after the boat has gone by you,” Bardin explained.

Was this a state-sponsored operation or was the executive in question the victim of organized cybercrime? Again, attribution is tough, and the risk is always high that an attacker may even attempt to leave false clues as to their identity or agenda to throw investigators off their trail.
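One detail in the incident Carr describes above is actionable for defenders regardless of who was behind it: the logs were erased for a 20-minute window. Wiped local logs cannot tell you what happened, but a copy shipped off the host still shows the hole, and a hole in an otherwise regular event stream is itself a detectable signal. The script below is an added example, not part of the original article; the log lines are constructed, and the assumption that the host emits a heartbeat event every five minutes is mine. On a real host you would pick the most regular source you already forward (an agent heartbeat, a scheduled task, NTP sync) and use its cadence.

```python
"""Find suspiciously silent windows in a host's log timeline.

Added example, not part of the original article. The log excerpt is
constructed and the five-minute heartbeat cadence is an assumption.
"""
from datetime import datetime, timedelta

HEARTBEAT = timedelta(minutes=5)   # assumed normal cadence of the event source
MAX_SILENCE = 3 * HEARTBEAT        # tolerate two missed beats before alerting

# Constructed excerpt of a forwarded log: a 5-minute heartbeat with a 20-minute hole.
SAMPLE_LOG = """\
2013-05-02 01:00:00 host1 agent: heartbeat ok
2013-05-02 01:05:00 host1 agent: heartbeat ok
2013-05-02 01:10:00 host1 agent: heartbeat ok
2013-05-02 01:15:00 host1 agent: heartbeat ok
2013-05-02 01:35:00 host1 agent: heartbeat ok
2013-05-02 01:40:00 host1 agent: heartbeat ok
2013-05-02 01:45:00 host1 agent: heartbeat ok
"""


def parse_timestamps(text):
    """Return the sorted 'YYYY-MM-DD HH:MM:SS' stamps from each non-empty line.

    Lines whose first 19 characters are not a timestamp are skipped rather
    than raising, so a stray banner line does not abort the whole scan."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            stamps.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue
    return sorted(stamps)


def find_gaps(stamps, max_silence=MAX_SILENCE):
    """Return (last_event, next_event, length) for every silence > max_silence."""
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_silence:
            gaps.append((prev, cur, cur - prev))
    return gaps


def gap_minutes(text=SAMPLE_LOG, max_silence=MAX_SILENCE):
    """Convenience wrapper: lengths of the detected gaps, in whole minutes."""
    stamps = parse_timestamps(text)
    return [int(length.total_seconds() // 60) for _, _, length in find_gaps(stamps, max_silence)]


if __name__ == "__main__":
    for start, end, length in find_gaps(parse_timestamps(SAMPLE_LOG)):
        print(f"no events between {start} and {end} ({length})")
```

The check only works if the log copy you inspect was already off the host before the erasure; that is the argument for forwarding logs in near real time rather than collecting them after the fact. The threshold is deliberately a multiple of the cadence so that a single dropped heartbeat does not page anyone, and the same function can be pointed at any timestamped stream (authentication events, AV status reports) to ask the same question.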

So is Oquendo saying that reports of China engaging in organized espionage activities against Western business targets are incorrect? Not really. He is merely arguing that we should not be so quick to jump to the ‘China’ conclusion, as we may be missing the big picture and failing to see the forest for the trees.

“There is hardly a lack of articles related to the Chinese government hacking everything but the kitchen sink,” Oquendo said. “This is not to say that the Chinese government is innocent, quite the contrary, this is simply stating: ‘Hey, you may be looking at your data the wrong way.’”

Images courtesy of ShutterStock
  • No such thing as APT. Advanced – AV doesn't pick it up and why should it. It is cyber espionage not malware. Vendors have latched onto this as a method to sell more stuff that does not address the issue of clandestine cyber HUMINT as espionage. Once the data collection, production and analysis has been completed, then a payload can be determined for the target. Could be multiple payloads that lead to additional intel collection, data exploitation, and/or sabotage non-inclusively.

    Persistent since humans are behind it and they are given specific targeting packages to execute until the mission is complete (if ever). Persistent since both the vendors and adversaries establish a money flow away from the target.

    The problem with calling it APT is that it is mislabeled from the beginning and if you mislabel it, you most likely don't understand it. If you don't understand it, there is little you can do to prevent it from happening. (Goes back to the cyber janitor blog.)
    Cyber mercenary services are as old as the hills. This is just the cyber manifestation of historical activities.

    • Agreed – rarely anything advanced, most often preys on the weak human element. Why not just call them targeted attacks if they are coordinated and concerted efforts, else it's usually just opportunistic ops aimed at the lowest hanging fruit…