Rogue governments are increasingly outsourcing cyberattacks to criminals in the borderless domain of cyberspace to wreak havoc on the U.S. and across the world.
China, Iran, Russia and other foreign adversaries have contracted with hackers, deployed sophisticated spyware technology, and used social media platforms as a tool to facilitate espionage.
The U.S. and its allies blamed the Microsoft Exchange hack that compromised tens of thousands of computers on “criminal contract hackers” working for China’s Ministry of State Security (MSS), according to a senior Biden administration official.
The Justice Department also has indicted four Chinese nationals, including three alleged MSS officers, in the malicious cyber campaign that recruits hackers through various universities in Hainan and elsewhere in China.
“Not only did such universities assist the MSS in identifying and recruiting hackers and linguists to penetrate and steal from the computer networks of targeted entities, including peers at many foreign universities, but personnel at one identified Hainan-based university also helped support and manage Hainan Xiandun as a front company, including through payroll, benefits and a mailing address,” said the Justice Department.
Chinese Foreign Ministry spokesperson Zhao Lijian rejected the U.S. government and its allies’ condemnations as “groundless accusations” in a message posted to Twitter that accused the U.S. of instead being the “world’s top ‘hacking empire.’”
China is not the only malicious actor outsourcing its cyber efforts. Facebook said it observed a group of hackers in Iran outsourcing the development of malicious software to several different cybercriminal gangs.
Facebook’s Mike Dvilyanski and David Agranovich said that Mahak Rayan Afraz, an information technology company in Tehran with alleged links to the Islamic Revolutionary Guard Corps, developed a portion of the malware used by the Iranian hackers leveraging Facebook as part of a “broader cross-platform cyber espionage operation.”
The hackers used custom-created malware tools and shared links to malicious Microsoft Excel spreadsheets that enabled the malware to profile a victim’s machine, Mr. Dvilyanski and Mr. Agranovich wrote on Facebook’s blog last week. Facebook said it found the hackers targeting “military personnel and companies in the defense and aerospace industries primarily in the U.S., and to a lesser extent in the U.K. and Europe.”
Similarly, Google recently revealed that Russian hackers used LinkedIn messages to target government officials who used Apple devices. Google’s Threat Analysis Group identified the hackers as “a likely Russian government-backed actor,” which Google said was the same actor that other cybersecurity professionals have linked to a group affiliated with the Russian Foreign Intelligence Service (SVR) that the U.S. government blamed for the SolarWinds hack of computer network management software.
The outsourcing of cyber combat is not limited to governments using academics to spot skilled hackers or commercial businesses staffed with former regime officials. In some instances, authoritarian regimes rely on off-the-shelf tools and technology to monitor and disrupt their targets.
The Israeli tech and spyware firm NSO Group has sold a product called Pegasus that can access a smartphone user’s messages, camera, and microphone without any action from the victim, according to the Pegasus Project, a collaborative investigation published on Sunday that was produced by more than 80 journalists and 17 media outlets from 10 countries organized by the news outlet Forbidden Stories.
Widespread and ongoing unlawful surveillance is being conducted by those using Pegasus, according to Amnesty International’s Security Lab, which provided technical support to the Pegasus Project.
The technical team said it observed cyberattackers exploiting an iPhone 12 using the newest operating system software available from Apple at the time of the report’s publication.
“The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021,” read Amnesty International’s Security Lab report. “These also include so-called ‘zero-click’ attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now.”
The NSO Group has denied various allegations included in the reports of the journalists and organizations participating in the Pegasus Project.
“We would like to emphasize that NSO sells [its] technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” said NSO Group in a statement on its website on Sunday.
Tracking who is building and using the tools in cyberattacks has proven difficult for the U.S.
Last week, the cybercriminal gang REvil’s digital presence noticeably diminished. REvil has used a business model that relies on developers and on affiliates who deploy cyberattacks, which can make it difficult for victims to neatly pinpoint their attacker.
According to a senior Biden administration official, federal agents are watching the dark web to better understand the changes involving REvil but they do not expect to turn off cyber criminals’ activity like a light switch.