What is Cyber Espionage?

Cyber espionage, or cyber spying, is a type of cyberattack in which an unauthorized user attempts to access sensitive or classified data or intellectual property (IP) for economic gain, competitive advantage or political reasons.

Why Is Cyber Espionage Used?

Cyber espionage is primarily used as a means to gather sensitive or classified data, trade secrets or other forms of IP that can be used by the aggressor to create a competitive advantage or sold for financial gain. In some cases, the breach is simply intended to cause reputational harm to the victim by exposing private information or questionable business practices.

Cyber espionage attacks can be motivated by monetary gain; they may also be deployed in conjunction with military operations or as an act of cyber terrorism or cyber warfare. The impact of cyber espionage, particularly when it is part of a broader military or political campaign, can lead to disruption of public services and infrastructure, as well as loss of life.

Screenshot-2024-02-21-at-1.00.48 AM

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

Cyber Espionage Targets

The most common targets of cyber espionage include large corporations, government agencies, academic institutions, think tanks or other organizations that possess valuable IP and technical data that can create a competitive advantage for another organization or government. Targeted campaigns can also be waged against individuals, such as prominent political leaders and government officials, business executives and even celebrities.

Cyber spies most commonly attempt to access the following assets:

  • Research & Development data and activity
  • Academic research data
  • IP, such as product formulas or blueprints
  • Salaries, bonus structures and other sensitive information regarding organizational finances and expenditures
  • Client or customer lists and payment structures
  • Business goals, strategic plans and marketing tactics
  • Political strategies, affiliations and communications
  • Military intelligence

Common Cyber Espionage Tactics

Most cyber espionage activity is categorized as an advanced persistent threat (APT). An APT is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. An APT attack is carefully planned and designed to infiltrate a specific organization and evade existing security measures for long periods of time.

Executing an APT attack requires a higher degree of customization and sophistication than a traditional attack. Adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations. They’ve spent significant time and resources researching and identifying vulnerabilities within the organization.

Most cyber espionage attacks also involve some form of social engineering to spur activity or gather needed information from the target in order to advance the attack. These methods often exploit human emotions such as excitement, curiosity, empathy or fear to act quickly or rashly. In doing so, cybercriminals trick their victims into giving up personal information, clicking malicious links, downloading malware or paying a ransom.

Other common attack techniques include:

  • Watering hole: Malicious actors are able to infect legitimate websites commonly visited by the victim or people associated with the target with malware for the explicit purpose of compromising the user.
  • Spear-phishing: A hacker targets specific individuals with fraudulent emails, texts and phone calls in order to steal login credentials or other sensitive information.
  • Zero-day exploits: Cybercriminals leverage an unknown security vulnerability or software flaw prior to discovery and patching by the software developer or the customer’s IT team.
  • Inside actors or insider threat: A threat actor convinces an employee or a contractor to share or sell information or access to the system to unauthorized users.
crowdcast-threat-report-image

2023 Threat Hunting Report

In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches. 

Download Now

Global Impact of Cyber Espionage

Cyber espionage, particularly when organized and carried out by nation states, is a growing security threat. Despite a rash of indictments and legislation intended to curb such activity, most criminals remain at large due to a lack of extradition agreements between countries and difficulty enforcing international law related to this issue.

This issue, combined with the growing sophistication of cyber criminals and hackers, leaves open the possibility for a coordinated and advanced attack that could disrupt any number of modern-day services, from the operation of the electricity grid to financial markets to major elections.

Cyber Espionage Penalties

While many countries have issued indictments related to cyber espionage activity, the most serious cases usually involve foreign actors in countries that are not subject to extradition. As such, law enforcement agencies are relatively powerless to pursue cybercriminals, particularly those operating abroad.

That said, the investigative groundwork used to support cyber espionage indictments can also be used as the basis for sanctions imposed on a foreign country or company. For example, in the U.S., the Department of the Treasury may use investigative material from indictments to level economic sanctions against a corporation that has known involvement in cyber espionage activity.

Well-known Cyber Spy Stories

While some cyber spies play a legitimate role within the intelligence community, most well-known examples serve a more nefarious purpose. Here are some prominent examples of cyber spies at work:

Aurora

One of the most well-known examples of a cyber espionage breach dates back to 2009. The issue was first reported by Google when the company noticed a steady stream of attacks on select Gmail account holders, which were later found to belong to Chinese human rights activists. After disclosing the attack, other prominent companies, including Adobe and Yahoo, confirmed that they too had been subject to such techniques. In all, 20 companies admitted to being impacted by this cyber espionage attack, which exploited a vulnerability within Internet Explorer. The security flaw has since been addressed.

COVID-19 Research

More recently, cyber espionage has focused on research efforts related to the COVID-19 pandemic. Since April 2020, intrusion activity targeting coronavirus research has been reported against U.S., U.K., Spanish, South Korean, Japanese and Australian laboratories; this activity was conducted on the part of Russian, Iranian, Chinese and North Korean actors.

For example, one cyber espionage breach was discovered by CrowdStrike in the second half of 2020. Our Falcon OverWatch™ team uncovered a targeted intrusion against an academic institution known to be involved in the development of COVID-19 testing capabilities. The malicious activity in question was attributed to Chinese hackers, which gained initial access by way of a successful SQL injection attack against a vulnerable web server. Once inside the victim environment, the actor compiled and launched a web shell that was used to perform various malicious activities largely focused on information gathering and collection.

Nation-State Actors

As noted above, many of the most advanced cyber espionage campaigns are coordinated by well-funded, state-based threat actor teams. Prominent nation-state actors and well-known cyber espionage groups include:

PIONEER KITTEN is an Iran-based hacking group that has been active since at least 2017 and has a suspected nexus to the Iranian government. In late July 2020, an actor assessed to be associated with PIONEER KITTEN was identified as advertising to sell access to compromised networks on an underground forum. That activity is suggestive of a potential attempt at revenue stream diversification on the part of PIONEER KITTEN, alongside its targeted intrusions in support of the Iranian government.

FANCY BEAR (APT28, Sofacy) uses phishing messages and spoofed websites that closely resemble legitimate ones in order to gain access to conventional computers and mobile devices. Operating since at least 2008, this Russia-based attacker has targeted U.S. political organizations, European military organizations and victims in multiple sectors across the globe.

GOBLIN PANDA (APT27) was first observed in September 2013 when CrowdStrike discovered indicators of attack (IOAs) in the network of a technology company that operates in multiple sectors. This China-based cyber espionage group uses two Microsoft Word exploit documents with training-related themes to drop malicious files when opened. Targets are mostly in the defense, energy and government sectors in Southeast Asia, particularly Vietnam.

HELIX KITTEN (APT 34) has been active since at least late 2015 and is likely Iran-based. It targets organizations in aerospace, energy, financial, government, hospitality and telecommunications and uses well-researched and structured spear-phishing messages that are highly relevant to targeted personnel. It commonly delivers a custom PowerShell implant through macro-enabled Microsoft Office documents.

Cyber Espionage Detection, Prevention and Remediation

The growing sophistication of cyber attackers and cyber spies has enabled them to bypass many standard cybersecurity products and legacy systems. Although these threat adversaries are often highly advanced and can leverage complex tooling in their operations, defending against these attacks is not a lost cause. There are many cybersecurity and intelligence solutions available to assist organizations in better understanding the threat adversaries, their attack techniques and the tradecraft they regularly employ.

    • Sensor Coverage. You can’t stop what you don’t see. Organizations should deploy capabilities that provide their defenders with full visibility across their environment, to avoid blind spots that can become a safe haven for adversaries.
    • Technical Intelligence. Leverage technical intelligence, such as indicators of compromise (IOCs), and consume them into a security information and event manager (SIEM) for data enrichment purposes. This allows for added intelligence when conducting event correlation, potentially highlighting events on the network that may have otherwise gone undetected. Implementing high-fidelity IOCs across multiple security technologies increases much-needed situational awareness.
    • Threat Intelligence. Consuming narrative threat intelligence reports is a sure fire method for painting a very vivid picture of threat actor behavior, the tools they leverage and the tradecraft they employ. Threat intelligence assists with threat actor profiling, campaign tracking and malware family tracking. These days, it is more important to understand the context of an attack rather than just knowing an attack itself happened, and this is where threat intelligence plays a vital role.
    • Threat Hunting. Understanding technology will only get organizations so far is more important now than ever before. Many organizations will find the need for 24/7, managed, human-based threat hunting to accompany their cybersecurity technology already in place
    • Service Provider. Partnering with a best-of-breed cybersecurity firm is a necessity. Should the unthinkable happen, organizations may require assistance responding to a sophisticated cyber threat.

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.