This module is a resource for lecturers  

 

Cyberespionage

 

While there is no single, universal definition of espionage, espionage has been described as a method of intelligence collection: particularly, as a "process of obtaining information that is not normally publicly available, using human sources (agents) or technical means (like hacking into computer systems)" (UK MI5 Security Service, n.d.). Nonetheless, even intelligence collection has "no internationally recognized and workable definition" (Sulmasky and Yoo, p. 637). Quite the opposite, there seems to be almost as many definitions of intelligence as there are experts asked to define the term (for a complete survey of possible definitions see Warner, 2002). As Warner argues definitions of espionage operations generally tend to group themselves in one of two camps: "One follows twentieth-century American military nomenclature and holds that intelligence is information for decisionmakers; it is anything from any source that helps a leader decide what to do about an adversary. The second camp defines intelligence as warfare by quieter means" (Warner, 2009, p. 16; for further information about these camps see, Shulsky and Schmitt; 2002; Warner, 2002; Der Derian, 1992). Lubin (2018) offers a more nuanced definition of espionage operations. He argues that they all encompass the following four elements "(1) the operation involves the gathering, analysis, verification, and dissemination of information of relevance to the decision-making process of a State or States or otherwise serves some State interests; (2) the operation is launched by agents of a State or States, or those with a sufficient nexus to the State or States in question; (3) the operation targets a foreign State or States, their subjects, associations, corporations, or agents, without the knowledge or consent of that State or those States; and (4) the operation involves some degree of secrecy and confidentiality, as to the needs behind the operation and/or the methods of collection and analysis employed, so to ensure its effectiveness" (pp. 206-207).

Cyberespionage involves the use of information and communication technology (ICT) by individuals, groups, or businesses for some economic benefit or personal gain (Maras, 2016; for more information on cyberespionage for economic benefit, see Cybercrime Module 11 on Cyber-Enabled Intellectual Property Crime). Cyberespionage may also be perpetrated by government actors, state-sponsored or state-directed groups, or others acting on behalf of a government, seeking to gain unauthorized access to systems and data in an effort to collect intelligence on their targets in order to enhance their own country's national security, economic competitiveness, and/or military strength (Maras, 2016). While espionage is not a new phenomenon, ICT have enabled illicit intelligence collection efforts directed and/or orchestrated by other countries at an unprecedented speed, frequency, intensity, and scale (Fidler, 2012), as well as a reduction of risks associated with committing espionage (i.e., being caught by the country that is being targeted by the collection efforts) (Ziolkowski, 2013).

Several cyberespionage campaigns have been attributed to advanced persistent threats (or APTs), which refer to "group[s] with both the capability and intent to persistently and effectively target a specific entity" (Maras, 2016, p. 383; see also Lemay et al., 2018). However, APTs do not limit their acts to cyberespionage; they have also engaged in destruction of systems and/or data ( sabotage), and disruption of operations. The primary tactics used by perpetrators of cyberespionage have been identified. These include (but are not limited to) malware distribution, social engineering , spear phishing , and watering hole attacks . For example, a piece of malware known as Flame targeted government computer systems and collected information from its targets, including remotely turning on webcams and microphones of infected systems; taking screen shots of the infected systems' screens; and transferring/receiving data and commands via Bluetooth among others (Bencsáth, 2012). Another form of malware that was similar to Flame, called Gauss, targeted a government for similar purposes (Zetter, 2012). Gauss was designed to harvest data about network connections, drives, and system processes and folders, infect drives with spyware to harvest information from other systems, and relay this information back to a server under the control of those who deployed the malware (Bencsáth, 2012).

Another tool that is predominately used in cyberespionage is social engineering, whereby a perpetrator tricks the target into divulging information or performing another action. A social engineering tactic that has been used in several cyberespionage incidents is spear phishing, whichinvolves the sending of emails with infected attachments or links that are designed to dupe the receiver into clicking on the attachments or links (discussed in Cybercrime Module 2 and Cybercrime Module 13). Perpetrators of a suspected state-directed cyberespionage campaign known as Night Dragon used a combination of social engineering tactics and malware to gain unauthorized access to the systems of global energy companies in multiple countries, and obtain information about their operations (Kirk, 2011). Private companies might be contracted to assist in social engineering attacks. It has now been widely reported that a spyware developer has provided various state actors, from several countries, tools and capabilities necessary to hack into smartphones using tailored text and WhatsApp messages (Brewster, 2018). This trade in intrusion software, which has been used in the past to abuse human rights as well as target journalists and activists, is subject to certain export control regimes but those are criticized as both insufficient and problematic (see e.g. Lin & Trachtman, 2018).

A further tactic used to gain unauthorized access to the target is a watering hole attack, which is "an attack whereby a cybercriminal monitors and determines the websites most frequented by members of particular organization or group and infects those sites with malware in an attempt to gain access to its networks" (Maras, 2016, p. 382). For instance, the modification of the "Thought of the Day" widget on the Forbes website, a US financial information and news magazine, made a watering hole attack targeting common users of the site, particularly individuals in finance and defence, possible (Peterson, 2012; Rashid, 2012).  

Furthermore, insiders, those who are already part of the organization, company, or agency the perpetrators want to gain access to, are also utilized to conduct or facilitate cyberespionage. These individuals can intentionally or unintentionally disclose confidential or sensitive information to countries or others linked in some way to foreign countries as part of their intelligence collection efforts (CERT Insider Threat Center, 2016).

Cyberespionage has been made possible by the numerous hacking tools that are widely available online. These tools include exploits (e.g., zero day - that is, previously unknown vulnerabilities exploited once identified - or those that can penetrate systems and bypass firewalls) and implants (e.g. backdoor, secret portal used to gain unauthorized access to systems, or a remote access tool or RAT). Since 2016, a group known as Shadow Brokers has been releasing hacking tools (Peterson, 2016; Newman, 2018). One of these involves an exploit of a Windows vulnerability (i.e., EternalBlue), which was part of the WannaCry ransomware that targeted and caused harm to healthcare, transportation, and other systems around the globe (Greenberg, 2017; Graham, 2017).

The Convention on Cybercrime of the Council of Europe requires signatory States to adopt legislation to criminalize illegal access to computer systems, networks, and data and interception of communications data, among other cybercrimes (see Cybercrime Module 2 on General Types of Cybercrime and Cybercrime Module 3 on Legal Frameworks and Human Rights). Indeed, countries have national laws that criminalize these and other forms of cybercrime that could be used in collection efforts and espionage. In addition, some countries have a general criminal prohibition on espionage (e.g., in Germany, § 94-99 of the German Penal Code; in China, Articles 110-111 of the Chinese Criminal Law); these laws have been used to indict perpetrators of cyberespionage. These indictments often do not lead to successful prosecutions unless the perpetrators who conducted cyberespionage are physically located in the prosecuting country and/or in a country that cooperates with the prosecuting country (Maras, 2016). This is owed in part to the fact that the spying country is unlikely to extradite the perpetrators to face trial, nor assist in their investigation. As a result, national criminal indictments against foreign nationals for cyberespionage are often designed to publicly identify a state's role in alleged cyberespionage and initiate diplomatic negotiations with the country or region whose nationals allegedly engaged in this act and the country they targeted.

It is important to note that our "contemporary global security system", is dependent upon a "reliable and unremitting flow of intelligence to the pinnacle elites" (McDougal, Lasswell & Reisman, 1973). As such certain forms of state-sponsored cyberespionage are not only inevitable in international affairs but may also form part of States' generally accepted rights and obligations (Lubin, 2018). Indeed, certain experts view that "extensive State practice of conduction espionage on the target State's territory has created an exception to the generally accepted premise that non-consensual activities attributable to a State while physically present on another's territory violate sovereignty. They emphasized, however, that this exception is narrow and limited solely to acts of espionage" (Tallinn Manual 2.0 International Law Applicable to Cyber Operations, p. 19). Drawing the line between legitimate and illegitimate forms of cyber espionage is subject to growing scholarly debate. Libicki (2017), for example, has proposed that state practice is moving in the direction that certain forms of theft of intellectual property will be prohibited if used to advance one's corporate competitive edge (pp. 3-4).

 
Next: Cyberterrorism
Back to top