Ten Alleged Nation-State Cyber-Attacks


Nation-state cyber-attacks are no longer rarities. Partly it is 'weapons-testing' and partly it is economic espionage.

We should be clear, however, that not all sophisticated attacks come from governments. The Equifax breach and the Marriott Hotels breach have both been suggested as nation-state hacks – but there is no proof.

In this list of ten major nation-state hacks or incidents over the last nine years, we look at instances where government involvement is universally accepted.

10. Stuxnet

Date: 2010.

Target: Iranian nuclear program.

Attributed to: Probably NSA with possible assistance from Israel.

Attributed by: None - but NSA considered the only source with the necessary capability.

Stuxnet remains the iconic nation-state cyber-attack. It happened in 2010. The perpetrator is unknown, but it is widely believed to have been the NSA with logistical support from Israel. It is believed that these two nations alone had the technical ability to develop and deliver Stuxnet at the time. This is supported by the political intent to disrupt Iran's nuclear program.

Stuxnet was delivered via a compromised laptop belonging to an engineer. This enabled the malware to 'jump' the air-gap between IT and the operational network at the Natanz nuclear enrichment laboratory.

The malware attacked the programmable logic controllers (PLCs) that ultimately controlled the Natanz centrifuges used for separating nuclear material. It comprised three primary components: a worm that executes the payload, a link file that executes propagated copies of the worm, and a rootkit used to hide the malware.

False commands delivered by Stuxnet first sped up and then slowed down the rotational speed of the centrifuges. This stressed the centrifuges to the extent that around 1000 were damaged beyond repair.

9. Wiper attack against Saudi Aramco

Date: 2012.

Target: Saudi Aramco.

Attributed to: Iran.

Attributed by: McAfee.

The wiper malware known as Shamoon has been used on several occasions over the years. Its first use was almost certainly by Iran against the Saudi oil giant, Saudi Aramco. It was probably retaliation against U.S. interests in the Middle East after Stuxnet.

In 2012 Shamoon destroyed 30,000 Saudi Aramco office computers. It failed to get into the operations side of the company and did not disrupt production. The wiped computers, however, had to be replaced.

Shamoon spread laterally through the IT network. It overwrote the Master Boot Record, rendering the infected device inoperable. A group calling itself 'Cutting Sword of Justice' claimed responsibility.

Shamoon resurfaced in 2018, again targeting oil and gas companies in the UAE and Saudi Arabia. This time the attacks were attributed to an Iranian hacking group, APT33. McAfee reported, “The motivation behind the attack is still unclear,” but went on to say that text from the Quran buried in the new Shamoon variant’s code “might indicate that the adversary is related to another Middle Eastern conflict and wants to make a statement.”

8. Mandiant exposes the extent of China’s cyber-espionage

Date: 2013.

Target: Companies and organizations around the world.

Attributed to: China’s APT1 hacking group.

Attributed by: Mandiant (now part of FireEye, later supported by U.S. indictments).

This entry is not focused on one specific incident, but marks the point at which the world became aware of Chinese state hacking. In a landmark report, Mandiant, now part of FireEye, dubbed a particular group APT1 and exposed its links to the Chinese government.

It announced, “APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.”

It continued, “Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”

Mandiant linked APT1 to the People’s Liberation Army (PLA) Unit 61398. This later gained credence when the U.S. Justice Department indicted five members of Unit 61398 and charged them with hacking into the networks of Westinghouse Electric, the United States Steel Corporation and other companies.

7. Attack on Sony Pictures

Date: 2014.

Target: Sony Pictures.

Attributed to: North Korean hacking group “Guardians of Peace”.

Attributed by: The US Department of Justice.

The hack against Sony began, as far as we can tell, on November 24, 2014. A group going by the name “Guardians of Peace” (later linked to North Korea’s Lazarus group) stole employees’ private information from Sony Pictures. This data included personal information about the employees and their immediate families, as well as internal communications and corporate information. Numerous unreleased films were also stolen and leaked to movie-sharing websites.

It appears to have been politically motivated, as the Guardians of Peace demanded that Sony not screen The Interview, a comedy movie which heavily mocks the North Korean regime and portrays the death of Kim Jong Un. The US Department of Justice later claimed that the attack was sponsored by the North Korean government.

Lazarus group hacker Park Jin Hyok was indicted by the U.S. government in June 2018 for his role in the Sony hack, the Bangladesh hack, and WannaCry.

6. The OPM Breach

Date: Disclosed in April 2015.

Target: The US Office of Personnel Management.

Attributed to: The Chinese government.

Attributed by: The US government.

In April 2015, employees of the US government Office of Personnel Management (OPM) discovered a data breach affecting 21.5 million current and former employees of the government. Millions of SF-86 forms were stolen, which contained very sensitive personal information, including fingerprints.

The breach was later determined to have stemmed from an attack in November of 2013. OPM discovered the ongoing attack in March 2014, but allowed it to continue for a time for monitoring and counter-intelligence purposes. This may have exacerbated the data breach in the long run.

US officials blamed the Chinese government for the attack. Former Director of National Intelligence James Clapper told a Washington intelligence conference in June 2015 that China was the leading suspect. In August 2017 Chinese national Yu Pingan was arrested in connection with the incident.

5. Ukraine power distribution disrupted

Date: December 2015.

Target: Ukraine’s power grid.

Attributed to: Russian hacking group Sandworm.

Attributed by: The US cyber-intelligence firm iSight Partners.

This was a world first: the first successfully executed cyber-attack against a power grid. In December 2015, thirty power substations across Ukraine were compromised, and approximately 230,000 people were left without electricity for up to six hours.

This was a sophisticated, multi-stage attack that involved spear phishing first to gain access, and DDoS attacks on call centers to restrict the flow of information. The attacks were traced to a Russian hacking group known as Sandworm. It was pointed out that the attacks were in line with Russian state interests, but it was not clear whether Moscow explicitly endorsed or backed them.

This is the typical Kremlin approach. Faced with universal acceptance that Moscow had been behind the Democratic National Convention hacks leading up to the 2016 U.S. presidential election, President Putin suggested it could have been private ‘patriotic’ Russian citizens.

4. Bangladesh Central Bank Heist

Date: February 2016.

Target: Bangladesh Central Bank.

Attributed to: North Korea’s Lazarus group.

Attributed by: Kaspersky Lab (and numerous security firms).

Lazarus is the collective name for a number of North Korean government-sponsored hacking groups (known to the U.S. government as Hidden Cobra). Of the two main groups, one is primarily tasked with attacking South Korean institutions, while the other engages in financial crime around the globe. It is believed the proceeds are used to bolster the heavily sanctioned economy.

The Bangladesh theft involved first compromising the bank’s systems, and then sending what appeared to be genuine SWIFT money transfer requests to withdraw funds from its account at the New York Federal Reserve Bank.

Lazarus attempted to steal $1 billion. However, most of the requests were blocked, and it managed to steal $81 million. This was quickly transferred to the Philippines to be laundered through casinos.

The attack has been attributed to Lazarus by numerous security firms. Kaspersky Lab wrote, “This paper is the result of forensic investigations… and strongly links the tools used to attack systems supporting SWIFT to the Lazarus Group’s arsenal of lateral movement tools.”

3. Cloud Hopper campaign targeting worldwide MSPs

Date: Disclosed in April 2017.

Target: Managed Service Providers (MSPs) across the world.

Attributed to: APT10 and the Chinese Ministry of State Security.

Attributed by: All five of the Five Eyes.

The so-called Operation Cloud Hopper campaign involved supply-chain attacks. Managed service providers (MSPs) were targeted in order to gain access to their client companies.

The attacks started with spear-phishing. Once the MSP was breached, the credentials it held for its clients were stolen. These credentials then provided access to the clients' networks. Data of interest was located on the clients' networks, compressed, staged back at the MSP, and then exfiltrated.

The process fits directly with China's ongoing efforts to steal intellectual property from western nations. The motivation is China's economic plan to close the gap between itself and the West.

In April 2017, PwC UK and BAE Systems published a report attributing the campaign to Chinese hacking group APT10. It said they gained “unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.”

In December 2018, all five of the Five Eyes nations associated APT10 with the Chinese government. The U.S. went further and indicted two APT10 hackers, Zhu Hua and Zhang Shilong, for their involvement in Cloud Hopper and other APT10 attacks around the world.

2. Worldwide WannaCry outbreak

Date: May 2017.

Target: Unknown, spread across the globe.

Attributed to: North Korea.

Attributed by: All five of the Five Eyes nations.

All five of the Five Eyes nations have attributed the initial WannaCry outbreak to North Korea. While appearing to be a ransomware attack, its decryption was faulty – effectively making it a wiper. The motivation remains unclear. There has even been a suggestion that the intent was to manipulate the price of Bitcoin on a massive scale. This would fit with North Korea's Lazarus group remit to 'steal' money.

WannaCry was the first major malware campaign to use the NSA-leaked EternalBlue exploit. It was a worm that spread rapidly to vulnerable computers (Microsoft had already released a patch for the underlying vulnerability). Roughly 200,000 computers in 150 countries were hit by the ransomware/wiper. Further spread was inhibited by the discovery of a kill-switch built into the malware. However, since it is a worm, it is likely to persist on the internet, occasionally resurfacing, for many years.

1. NotPetya – the most costly attack in history

Date: 2017.

Target: Global cyber-attack, but initially targeting Ukraine.

Attributed to: Russia.

Attributed by: The UK and US governments.

NotPetya uses the NSA-developed EternalBlue exploit. The malware encrypts files on the infected system and demands a fee in Bitcoin to make them usable again. But no working decryption exists, making this effectively a wiper attack.

The malware was introduced into M.E.Doc, Ukraine's leading accountancy software, and was downloaded by victims as an M.E.Doc update. Its ability to spread from computer to computer using the NSA's leaked EternalBlue exploit together with the Mimikatz credential-harvesting tool meant it also spread to global firms operating in Ukraine, and from them around the globe.

The ultimate financial damage from NotPetya is reckoned to be in the billions of dollars. Although the malware went on to spread worldwide, 80% of NotPetya’s initial infections occurred in Ukraine. The outbreak occurred on Ukraine’s Constitution Day, a national holiday, potentially indicating a politically-motivated cyberattack. The US and UK both officially blamed the Russian government for the attack, though the Kremlin denied the allegations, saying that Russian businesses were also victims of the ransomware.