Piotr Malachinski, London Politica

Hybrid Threats in the 21st century: The Case of Cyber Espionage


Hybrid warfare involves traditional and non-traditional means of subverting an enemy, incorporating the use of military force, political and economic pressure, proxies, extremist groups, and disinformation campaigns among other tactics. One medium which provides countless opportunities and is increasingly used for hybrid campaigns is cyberspace. 

The online world is expanding at a pace that is both impressive and worrying. In 2022, the number of Internet of Things (IoT) devices, that is networked sensors, cameras, appliances and other non-traditional endpoints, stood at 14.4 billion, almost twice the world’s population. The digitisation of virtually every aspect of our socio-economic space, in both the public and the private sector, brings countless opportunities for automation and optimisation; however, if this trend is not matched by a strengthening of the security of these devices, it leaves users, including state actors, more exposed to a plethora of risks.

The security of data and intellectual property is one of the most critical issues that stem from this situation. The digitisation of state archives and of communication between and within state agencies, together with the storage of classified data and trade secrets in networked databases, poses significant risks to the public and private sectors alike. With the continued development of and increasing reliance on cloud services, data and intellectual property security will only become more crucial: it is estimated that by 2025, 100 zettabytes, or 100 trillion gigabytes, of data will be stored in cloud services. For that reason, one of the most notorious yet overlooked hybrid threats is cyber espionage, used at scale by the US following the September 11 attacks, notably under the Total Information Awareness (TIA) programme. The term refers to the use of cyber means to obtain unauthorised access to, monitor and collect sensitive data stored or transmitted electronically, usually to influence or gain a competitive advantage over a rival state, even in peacetime.

Methods of data interception

The modus operandi of cyber spies can take many forms. The most direct way of intercepting data is to tap the fibre optic cables that carry it. Western intelligence agencies like the US National Security Agency and the British GCHQ are known to tap undersea cables, allowing them to intercept millions of communications every day, although such a passive tap yields only what the communicating parties have left unencrypted. Usually, however, access to a target’s data requires infiltrating their local network, which can be done in multiple ways. Hackers may, for example, look for vulnerabilities in the software running on the devices connected to the network. As the number of connected IoT devices grows, so does the likelihood that at least one of them runs software with an unpatched vulnerability. Such a vulnerability, a flaw in the software’s code, can then be taken advantage of by an exploit, a carefully crafted input or program that triggers behaviour the developer never anticipated, to gain a foothold on the network. A thriving grey market has emerged in which zero-day exploits (exploits for vulnerabilities the vendor is not yet aware of, and so has no patch for) are bought and sold for hundreds of thousands, and in some cases millions, of dollars, depending on whether prior access to the target system is needed (local exploit) or not (remote exploit) and on how widely the software in question is used.

Yet, despite all efforts to secure a network, it is often human error, if not an insider threat, that allows the initial access: according to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved a human element, notably the compromise of the credentials of an employee with network access. Phishing messages remain one of the simplest methods of password theft, but hackers often resort to more elaborate social engineering tactics to deceive their targets into giving up their login information. These include scareware (fake virus alerts offering a program to "fix" the issue, which is itself the malware), impersonating colleagues or superiors through fake social media accounts, or tailgating (following an authorised person into a restricted area to reach the network behind it), to name a few. In some cases, however, "brute force" guessing of weak or reused passwords may be enough, as may password spraying, in which a handful of common passwords are tried against many accounts so that no single account triggers a lockout.
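The two credential attacks just described leave distinct traces in authentication logs, and the check below, added here as an example and not code from the original article, shows how to tell them apart: a brute-force attempt piles failures onto one account, whereas a password spray fails once against each of many accounts from the same source and so slips past per-account lockouts. The log line format, the ten-minute window, the thresholds of five and the sample log are all assumptions made for illustration.

```python
"""Detect credential brute force and password spraying in authentication logs.

Added example, not code from the original article. The log line format, the
thresholds and the sample log below are assumptions made for illustration.
"""
import re
from datetime import datetime, timedelta

# Assumed (hypothetical) log line layout:
#   2024-03-01T09:00:01Z auth user=alice src=203.0.113.7 result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source tries five different accounts and then logs in
# as the last one (spraying); another source hammers a single account (brute force).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:03Z auth user=bob src=203.0.113.7 result=FAIL
2024-03-01T09:00:05Z auth user=carol src=203.0.113.7 result=FAIL
2024-03-01T09:00:07Z auth user=dave src=203.0.113.7 result=FAIL
2024-03-01T09:00:09Z auth user=erin src=203.0.113.7 result=FAIL
2024-03-01T09:00:11Z auth user=erin src=203.0.113.7 result=OK
2024-03-01T09:05:00Z auth user=admin src=198.51.100.9 result=FAIL
2024-03-01T09:05:01Z auth user=admin src=198.51.100.9 result=FAIL
2024-03-01T09:05:02Z auth user=admin src=198.51.100.9 result=FAIL
2024-03-01T09:05:03Z auth user=admin src=198.51.100.9 result=FAIL
2024-03-01T09:05:04Z auth user=admin src=198.51.100.9 result=FAIL
2024-03-01T09:30:00Z auth user=alice src=192.0.2.10 result=OK
"""


def parse(lines):
    """Turn raw lines into event dicts (sorted by time), skipping non-auth lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=5):
    """Return (brute_force, password_spray).

    brute_force:    {user: src}, one source failing >= brute_threshold times against the
                    same account inside the window.
    password_spray: {src: [users]}, one source failing against >= spray_threshold distinct
                    accounts inside the window. Each account sees a failure or two, so a
                    per-account lockout never fires; only a cross-account view reveals it.
    """
    brute, spray = {}, {}
    for i, e in enumerate(events):
        if e["ok"]:
            continue
        # Failures from the same source inside a window ending at this event
        start = e["ts"] - window
        recent = [x for x in events[: i + 1]
                  if not x["ok"] and x["src"] == e["src"] and x["ts"] >= start]
        if sum(1 for x in recent if x["user"] == e["user"]) >= brute_threshold:
            brute[e["user"]] = e["src"]
        users = {x["user"] for x in recent}
        if len(users) >= spray_threshold:
            spray[e["src"]] = sorted(users)
    return brute, spray


def analyze(lines):
    """Findings plus any successful login that followed an attack from the same source."""
    events = parse(lines)
    brute, spray = detect(events)
    compromised = sorted(
        (e["user"], e["src"]) for e in events
        if e["ok"] and (e["src"] in spray or brute.get(e["user"]) == e["src"])
    )
    return {"brute_force": brute, "password_spray": spray, "likely_compromised": compromised}


if __name__ == "__main__":
    for kind, finding in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {finding}")
```

Run as a script it prints the report for the embedded sample. In practice the thresholds are tuned to the size of the user base, and the success from a spraying source (here erin from 203.0.113.7) is the finding that warrants an immediate password reset and session revocation, since it means the attacker now holds a working credential.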

Initial access is only the first step. Unlike most other forms of cybercrime, espionage typically requires maintaining persistent access to a system in order to extract data over an extended period, often spanning many months. Besides collecting information stored in local or online databases, spyware often monitors the continuous use of a device, logging keystrokes (including those typed on smartphone touch screens, inferred from the motion sensor data produced by the fingers’ taps) and mouse movements, recording webcam footage and GPS location, or capturing screenshots. The hacker groups responsible for these prolonged network intrusions are typically referred to as Advanced Persistent Threats, or APTs, although their activities often go beyond passive espionage. The difficulty of detecting and mitigating cyber espionage lies in its low profile: an intruder who only reads and quietly copies data produces little of the disruptive activity that defenders are tuned to notice, and may remain in the system unnoticed for months.

Motivations behind cyber espionage 

The hybrid nature of cyber espionage stems from its many economic, political and geopolitical implications and from the numerous advantages it can bring to intelligence agencies. Of course, cyber spying is far from a state monopoly; industrial espionage by a company against a competitor often takes place in the cyber dimension. However, this profit-driven spying, which accounts for most cyber espionage incidents, does not in itself meet the criteria for hybrid warfare. That changes when the critical industries of another state are targeted and the attacker is state-affiliated. Intellectual property theft allows countries with fewer resources or weaker R&D capabilities to close the gap between their industries and those of their rivals.

One particularly sensitive case is intellectual property theft from defence contractors. A recent example is the 2018 theft of US Navy plans from a Navy contractor by hackers allegedly linked to the People’s Republic of China, which, alongside Russia, Iran and North Korea, is routinely accused of cyber espionage against Western countries. Since defence markets are a monopsony, with the state as the only domestic buyer, espionage against them directly jeopardises the national security of the state. When weapon blueprints and other highly sensitive information are stolen or leaked, this can profoundly affect the targeted state’s military capabilities and narrow the military technology gap between opposing forces, resulting in a loss of strategic advantage and compromising the state’s ability to defend itself or project power.

Beyond intellectual property theft, cyber espionage can also be used to monitor the geopolitical strategies of another state and to interfere in its domestic politics. This can involve accessing confidential government communications, surveilling the online activity of officials such as diplomats and politicians, including heads of state, gathering intelligence on defence capabilities, or collecting material that is later weaponised in disinformation campaigns. One of the most notorious consequences of spying on the domestic politics of other states is electoral interference. The 2016 theft and leak of US Democratic National Committee emails, attributed to the Russian APTs Cozy Bear (APT29, linked to the SVR foreign intelligence service) and Fancy Bear (APT28, linked to the GRU military intelligence agency), is a striking illustration of this phenomenon. In such instances, cyber espionage acts as a precursor to more disruptive covert action.

States are well aware of the strategic advantage cyber espionage can bring; data collection by cyber means has become a staple of national intelligence agencies around the world. The US signals intelligence body, the National Security Agency (NSA), employs roughly 30,000 people and is said to be the largest employer of mathematicians in the world. One of the most advanced pieces of espionage malware, which press reports have attributed to the NSA’s Tailored Access Operations unit (TAO), was Flame, used over the past decade to spy on targets in several Middle Eastern countries. Its most controversial episode was a spying campaign of more than two years against Iran’s oil ministry and its main export terminal, which was followed in 2012 by a wiper attack, reportedly built on the intelligence Flame had gathered, that erased data from the organisations’ networks and disrupted the country’s oil industry; the investigation of that incident is what brought Flame to light. Only once the malware had been discovered was its "kill switch" activated, a self-removal command sent from its command-and-control servers that erased the malware and its traces from over 1,000 infected devices in Iran and beyond.

Self-destruct routines of this kind, often built into more advanced malware, are just one reason why it is so difficult to find enough forensic evidence to attribute a cyber espionage campaign to a particular state. States can easily escape the consequences of their actions by invoking plausible deniability and distancing themselves from the proxy groups they sponsor. In many cases, the culpability of a state in cyber espionage is only established through leaks of sensitive government documents. Such leaks, notably the 2013 Snowden disclosures, can reveal still more worrying trends. As the classified documents showed, the extensive use of cyber espionage by the US after the 9/11 attacks extended to its allies, including Germany’s then-Chancellor Angela Merkel. Moreover, the increasing commercialisation of spyware, illustrated by NSO Group’s Pegasus, means that such tools are likely to become ever more accessible and ever more adept at defeating security measures. In authoritarian regimes such as Ethiopia, the UAE and Saudi Arabia, Pegasus has made spying on human rights activists, lawyers and the domestic opposition easier than ever before.

Prevention and mitigation recommendations

Protecting information systems from cyber espionage is a challenging task, and no network will ever be completely secure. There are, however, numerous preventive and reactive measures that both states and businesses can consider. While some are specific to countering espionage, many others provide broader protection against cyberattacks in general.

No company or agency can be safe without a comprehensive cybersecurity strategy that addresses the different types of cyber threat. Numerous frameworks exist that organisations can follow to reduce their exposure to cyber risks such as espionage. The two most important international standards are ISO/IEC 27001 and ISO/IEC 27002, published jointly by the International Organization for Standardization and the International Electrotechnical Commission. The former sets out the requirements for an Information Security Management System (ISMS), the governance structure through which an organisation identifies, treats and reviews its information security risks, and against which it can be certified. The latter is a catalogue of security controls and implementation guidance that an ISMS can draw on. In the US, the go-to model is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which divides cyber risk management into five functions: 1) identify equipment, software, data and the risks to them; 2) protect the network and its assets; 3) detect intrusions; 4) respond to incidents according to a prepared plan; and 5) recover after an attack (the 2024 revision, CSF 2.0, adds a sixth function, Govern). The European Union has its own cybersecurity certification framework, introduced by the EU Cybersecurity Act, which aims to strengthen and harmonise cyber risk management across the member states.

Whatever framework is chosen, the espionage risk exposure of the different sectors, systems and positions within an organisation needs to be carefully evaluated. Limiting access to sensitive data to the employees who need it for their duties may require redefining the authorisation policy on a need-to-know basis, so that a single compromised account does not expose everything. Regardless of their position in the company, all employees should receive security education on the dangers of social engineering, on strong, unique passwords and on multi-factor authentication, which blunts most credential theft because a stolen password alone no longer grants access. More generally, the cybersecurity team must ensure that the software on exposed systems is patched promptly, and should allow only a short list of vetted, business-critical third-party applications and services to connect to the network.

As noted above, gaining a foothold in a network is only the beginning; the spy still has to reach, read and exfiltrate the data, so the impact of a campaign can be reduced even after the perimeter has been bypassed. Organisations should encrypt their most sensitive documents at rest, with the keys held separately from the data (for example in a hardware security module or a key management service), so that copied files are useless to whoever copies them without the keys. Finally, given that espionage activities tend to occur over extended periods, continuous monitoring for unusual network traffic is essential, in particular regular, automated connections to unfamiliar external hosts and outbound transfers that are large or oddly timed for the host concerned.
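As an added example that is not part of the original article, the script below looks for the two network footprints that the long-running campaigns described above tend to leave: an implant’s scheduled check-ins with its command-and-control server (beaconing), recognisable as connections to one destination at intervals with very little jitter, and an outbound transfer to a single destination that dwarfs what the same host usually sends anywhere. The record layout, the thresholds and the sample flows are assumptions chosen for illustration.

```python
"""Flag beaconing and bulk outbound transfers in connection logs.

Added example, not code from the original article. The record layout, thresholds
and sample flows are assumptions made for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) record layout: (UTC timestamp, internal host, destination, bytes sent)
SAMPLE_FLOWS = [
    # ws-17 checks in with 203.0.113.50 roughly every 10 minutes: classic beaconing
    ("2024-03-01T09:00:00Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T09:10:05Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T09:19:50Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T09:30:10Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T09:40:00Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T09:49:55Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T10:00:10Z", "ws-17", "203.0.113.50", 1200),
    ("2024-03-01T10:10:00Z", "ws-17", "203.0.113.50", 1200),
    # ordinary, bursty browsing from the same host
    ("2024-03-01T09:02:00Z", "ws-17", "example.org", 6000),
    ("2024-03-01T09:02:07Z", "ws-17", "example.org", 6000),
    ("2024-03-01T09:45:00Z", "ws-17", "example.org", 6000),
    ("2024-03-01T09:45:02Z", "ws-17", "example.org", 6000),
    ("2024-03-01T09:46:30Z", "ws-17", "example.org", 6000),
    ("2024-03-01T10:05:00Z", "ws-17", "example.org", 6000),
    ("2024-03-01T09:15:00Z", "ws-17", "mail.example.net", 10000),
    ("2024-03-01T09:55:00Z", "ws-17", "mail.example.net", 10000),
    # one 250 MB upload at 02:13 to a host this workstation never otherwise talks to
    ("2024-03-01T02:13:00Z", "ws-17", "198.51.100.77", 250_000_000),
    # a second workstation with nothing unusual
    ("2024-03-01T09:01:00Z", "ws-04", "example.org", 15000),
    ("2024-03-01T09:20:00Z", "ws-04", "mail.example.net", 22000),
    ("2024-03-01T09:41:00Z", "ws-04", "198.51.100.23", 18000),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_beacons(flows, min_connections=6, max_jitter=0.15):
    """Return {(host, dst): period_seconds} for pairs that connect at near-regular intervals.

    A scheduled implant check-in keeps the ratio of standard deviation to mean gap small
    over many hours; human traffic to the same destination is bursty and fails the test.
    """
    stamps = defaultdict(list)
    for ts, host, dst, _ in flows:
        stamps[(host, dst)].append(_ts(ts))
    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean)
    return beacons


def find_bulk_transfers(flows, ratio=5.0, min_destinations=3):
    """Return {(host, dst): bytes} where a host sent more than `ratio` times its own
    median per-destination volume to one destination. Using the host's own baseline
    rather than a fixed byte limit catches a quiet workstation that suddenly uploads
    an archive while ignoring a file server that is always busy."""
    per_pair = defaultdict(int)
    for _, host, dst, nbytes in flows:
        per_pair[(host, dst)] += nbytes
    per_host = defaultdict(list)
    for (host, _), total in per_pair.items():
        per_host[host].append(total)
    flagged = {}
    for (host, dst), total in per_pair.items():
        if len(per_host[host]) < min_destinations:
            continue
        if total > ratio * statistics.median(per_host[host]):
            flagged[(host, dst)] = total
    return flagged


def report(flows):
    return {"beacons": find_beacons(flows), "bulk_transfers": find_bulk_transfers(flows)}


if __name__ == "__main__":
    for kind, findings in report(SAMPLE_FLOWS).items():
        print(kind, findings)
```

Both checks compare a host against its own history rather than against a fixed limit, which is what makes them useful against a low-and-slow adversary. In production the input would be NetFlow, proxy or firewall records covering days rather than an hour, the jitter threshold would be loosened for implants that randomise their sleep interval, and a beacon to a destination nobody else in the organisation contacts would rank above one to a popular cloud service.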
