Cyber espionage is primarily used as a means of gathering confidential or secret data, trade secrets, or other forms of intellectual property that can be used by an aggressor to create a competitive advantage or sell for financial gain. In some cases, the breach is only intended to damage the victim’s reputation by exposing private information or questionable business practices.
Cyber espionage attacks may be motivated by monetary gain; they may also be deployed in conjunction with military operations or as an act of cyberterrorism or cyberwarfare. The consequences of cyber espionage, especially when it is part of a wider military or political campaign, can lead to the disruption of public services and infrastructure, as well as loss of life.
The most common targets of cyber espionage are large corporations, government agencies, academic institutions, think tanks, or other organizations that possess valuable intellectual property and technical data that could provide a competitive advantage to another organization or government. Targeted campaigns can also be conducted against individuals, such as prominent political leaders and government officials, company executives, and even celebrities.
Cyber spies most often try to gain access to the following assets:
Data and research and development activities
Academic research data
IP, such as product formulas or drawings
Salaries, bonus structures and other confidential information regarding organizational finances and expenses
Customer or client lists and payment structures
Business goals, strategic plans and marketing tactics
Political strategies, affiliations and communications
Most cyber espionage is classified as an Advanced Persistent Threat (APT). An APT is a sophisticated, sustained cyberattack in which an attacker establishes an undetected presence on a network to steal sensitive data over an extended period of time. An APT attack is carefully planned and designed to infiltrate an organization and evade existing security measures for an extended period of time.
Executing an APT attack requires a higher level of customization and sophistication than a traditional attack. Attackers are usually well-funded, experienced cybercriminal teams that target important organizations. They spent a lot of time and resources researching and identifying weaknesses in the organization.
Most cyber espionage attacks also involve some form of social engineering to encourage activity or gather necessary information from the target to advance the attack. These techniques often use human emotions such as excitement, curiosity, empathy, or fear to act quickly or recklessly. By doing this, cybercriminals trick their victims into providing personal information, clicking on malicious links, downloading malware or paying a ransom.
Other common attack methods include:
Waterhole: Attackers can infect legitimate websites that are commonly visited by the victim or people associated with the target with malware, with the express purpose of compromising the user.
Phishing: A hacker targets specific individuals with fraudulent emails, text messages, and phone calls to steal login credentials or other sensitive information.
Zero-day exploits: Cybercriminals exploit an unknown security vulnerability or software flaw before a software developer or a customer’s IT team discovers and fixes them.
Insiders or Insider Threat: A threat actor convinces an employee or contractor to share or sell information or system access to unauthorized users.
Cyberespionage, especially when organized and carried out by nation states, is a growing security threat. Despite a number of charges and legislation aimed at stopping such activities, most criminals remain at large due to the lack of extradition treaties between countries and difficulties in applying international law related to this issue.
This challenge, combined with the growing sophistication of cybercriminals and hackers, leaves open the possibility for a coordinated and advanced attack that could disrupt any number of modern services, from the power grid to financial markets to major elections.
In the context of cyber espionage threats, ENISA believes that cyber espionage is addressed as both a threat and a motive in the Cyber Security Guide. It is defined as “the use of computer networks to gain illegal access to sensitive information that is usually in the possession of a government or other organization.”
In 2019, many reports revealed that international organizations consider cyberespionage (or state-sponsored espionage) to be a growing threat affecting industrial sectors as well as critical and strategic infrastructures around the world, including government ministries, railways, telecommunications providers, energy companies, hospitals and banks.
Cyberespionage focuses on the manipulation of geopolitics, as well as the theft of state and commercial secrets, intellectual property rights, and sensitive information in strategic areas. It also mobilizes economic, industrial and foreign intelligence actors, as well as actors working on their behalf. In a recent report, threat intelligence analysts were not surprised to learn that 71% of organizations view cyber espionage and other threats as a “black box” and are still learning about them.
In 2019, the number of nation-state-sponsored cyberattacks targeting the economy increased, and this is likely to continue.
In particular, attacks on the Industrial Internet of Things (IIoT) sponsored by the nation state and other attackers are increasing in the utilities, oil and natural gas (ONG) and manufacturing sectors.
In addition, cyber attacks by advanced persistent threat groups (APTs) indicate that financial attacks are often motivated by espionage. Using tactics, techniques and procedures (TTPs) similar to those of their espionage counterparts, groups such as Cobalt Group, Carbanak and FIN7 are believed to have successfully targeted large financial institutions and restaurant chains.
The European Parliament’s Foreign Affairs Committee has called on member states to create a cyber defense unit and work together on common defense. It stated that “the Union’s strategic environment is deteriorating… to face multiple challenges that directly or indirectly affect the security of its Member States and its citizens; whereas problems affecting the security of EU citizens include: armed conflicts directly in the east and south of the European continent and unstable states; terrorism – and in particular jihadism -, cyber attacks and disinformation campaigns; foreign interference in European political and electoral processes”.
Attackers motivated by financial, political, or ideological gain will increasingly target vendor networks with weak cybersecurity programs. Opponents of cyber espionage have slowly shifted their attack patterns to use third-party and fourth-party supply chain partners.
– South Korea’s Ministry of National Defense has announced that unknown hackers have breached computer systems at the ministry’s procurement office.
– The United States Department of Justice announced a foreign-sponsored botnet operation aimed at disrupting companies in the media, aerospace, financial, and critical infrastructure sectors.
– Norwegian software firm Visma has revealed that it has been targeted by hackers trying to steal the trade secrets of the firm’s clients.
– Individuals were caught in the early stages of gaining access to the computer systems of several political parties and the federal parliament of Australia.
– European aerospace company Airbus has revealed that it has been the target of suspected state-sponsored hackers who stole the personal and IT credentials of many employees.
– After the attack on Indian military forces in Kashmir, Pakistani hackers attacked nearly 100 Indian government websites and critical systems.
– Indonesia’s National Election Commission said the Chinese and Russians had checked the voter database ahead of the country’s presidential and parliamentary elections.
– Foreign hackers attacked several European government institutions before the EU elections.
– The Australian Communications Authority has revealed it carried out cyber attacks against ISIS in the Middle East.
– Finnish police investigated a DoS attack on a web service used to publish voting results in Finnish elections.
– Amnesty International’s office in Hong Kong announced that it was the victim of a cyber attack.
– The Israel Defense Forces launched an airstrike against Hamas after they unsuccessfully attempted to breach Israeli targets.
– An Iranian network of websites and accounts allegedly used to spread false information about the United States, Israel and Saudi Arabia.
– Croatian government agencies have been targeted by a series of attacks by unidentified government hackers. The malware payloads were the Empire backdoor and SilentTrinity, neither of which were previously available.
– In Libya, two men were arrested and accused of collaborating with a Russian “troll farm” to influence elections in several African countries.
Several major industrial companies in Germany, including BASF, Siemens and Henkel, have announced that they have fallen victim to a state-sponsored hacking campaign.
– A state-sponsored group allegedly carried out a series of cyber attacks against Egyptian journalists, academics, lawyers, human rights activists and politicians.
– A state-sponsored hacker group attacked diplomats and high-ranking Russian-speaking users in Eastern Europe using malware called Attor.
– An Israeli cyber security firm has been found to have sold spyware that was used to attack high-ranking government and military officials in at least 20 countries using a vulnerability in WhatsApp.
– It has emerged that a 7-year campaign by an unidentified Spanish-speaking spy group led to the theft of confidential map files from senior officials in the Venezuelan military.
– A state-sponsored cyber-espionage group allegedly conducted a phishing campaign against Chinese government agencies and state-owned enterprises for information related to economic trade, defense and foreign affairs.
– The Ministry of Foreign Affairs of the Czech Republic became the victim of a cyber attack by an unknown foreign state.
– An NGO launched a massive DDoS attack on the UK Labor Party that temporarily knocked the party’s computer systems offline ahead of the national election.
Because of the pervasive nature of this threat, some of the mitigations recommended for other threats in this report can be used as part of the following basic controls:
– Identify critical roles within the organization and assess their exposure to espionage risks. Assess such risks based on business intelligence (ie, business intelligence).
– Create security policies that address human resource, business, and operational security controls to mitigate risks. They should include rules and practices for raising awareness, corporate governance and security.
– Establish a corporate practice of communication, train the staff in the developed rules.
– Develop KPIs to benchmark performance and adapt to future changes.
– Creation of a whitelist for critical software services based on the assessed level of risk.
– Assess vulnerabilities and patch software regularly, especially for systems that are on the perimeter.
– Implement a need-to-know principle to determine access rights and establish controls to monitor abuse of privileged profiles.
– Set content filtering for all incoming and outgoing channels (e.g. email, internet, network traffic)
This timeline captures significant cyber incidents. We focus on cyber-attacks against government agencies, defense and high-tech companies, or economic crimes with losses over a million dollars.
August 2023: Unnamed hackers took X, formerly known as Twitter, offline in several countries and demanded that owner Elon Musk open Starlink in Sudan. The attackers flooded the server with traffic to block access for more than 20,000 people in the US, UK and other countries.
August 2023: Cybercriminals allegedly sell a stolen data set from China’s Ministry of State Security. According to the criminals’ post about the sale, the full data set allegedly contains the personal information of approximately half a billion Chinese citizens and “secret documents.”
August 2023: Chinese hackers attack the US military’s intelligence procurement system along with several Taiwanese organizations. Attackers targeted high-bandwidth routers to steal data and create hidden proxy networks on target systems.
August 2023: Ukrainian hackers claim to have breached the email of a senior Russian politician and leaked medical and financial documents, as well as communications that allegedly link him to money laundering and sanctions evasion plots.
August 2023: Ecuador’s national election agency said cyber attacks from India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia and China caused difficulties for absentee voters who tried to vote online in the last election. The department does not specify the nature of the attacks.
August 2023: Suspected North Korean hackers attempted to compromise joint US-South Korean military exercises to counter a nuclear threat from North Korea. Hackers launched several email phishing attacks on a war simulation center during the exercise.
August 2023: Bangladesh shuts down access to central bank and election commission websites after warning of a planned cyber attack by an Indian hacker group. According to a statement from the central bank, the shutdown was intended to prevent a cyberattack similar to the 2016 incident in Bangladesh, when hackers stole nearly $1 billion.
August 2023: Belarusian hackers have been targeting foreign embassies in the country for nearly a decade, according to new reports. Hackers disguised the malware as a Windows update to trick diplomats into downloading it onto their devices.
August 2023: Chinese hackers obtain the personal and political emails of a US congressman from Nebraska. The hackers took advantage of the same Microsoft vulnerability that gave them access to emails from the State Department and the Commerce Department.
August 2023: Iranian cyberspies are targeting dissidents in Germany, according to German domestic intelligence. Spies use fake digital personas tailored to victims to build a relationship with their targets before sending a malicious link to a credential harvesting page.
August 2023: The State Security Service of Ukraine (SBU) claims that Russia’s GRU is trying to deploy special malware against Starlink satellites to collect data on the movements of Ukrainian troops. SBU officers discovered malicious software on Ukrainian tablets that were seized by the Russians before being recovered by Ukrainian forces.
August 2023: Russian hackers launched ransomware against a Canadian government service provider, compromising the data of 1.4 million people in Alberta. The organization paid the ransom and claimed that very little data was lost.
August 2023: A Canadian politician is the target of a Chinese disinformation campaign on WeChat. The attack contained false allegations about the politician’s race and political views. The Canadian government sees the attacks as retaliation for criticism of China’s human rights policies.
August 2023: The Canadian government has accused a “highly sophisticated state-sponsored Chinese actor” of hacking a prominent Canadian federal research agency.
August 2023: Russian military intelligence attempted to hack the combat information systems of the Armed Forces of Ukraine. Android tablets, which the Ukrainian military uses to plan and organize combat missions, became the targets of the hackers.
August 2023: The UK Electoral Commission reveals that Russian hackers breached the commission’s network starting in August 2021. They obtained information on tens of thousands of British citizens by gaining access to the commission’s email and file-sharing system.
August 2023: North Korean hackers breached the computer systems of a Russian missile developer over a period of five months in 2022, according to a new report. Analysts were unable to determine what information they may have obtained or viewed.
July 2023: China claims the earthquake monitoring system in Wuhan was hacked by “American cybercriminals”. Chinese state media claim that a backdoor capable of stealing seismic data was inserted into the program.
July 2023: Pro-Russian cybercriminals disrupted the Kenyan eCitizen service for several days. Kenya’s Ministry of Information, Communications and Digital Economy claimed that no data was lost or accessed.
July 2023: Hackers linked to Russia attacked Ukrainian government services, such as the Diya app, using malware and phishing attacks. The main targets are Ukrainian security and defense services.
July 2023: Trinidad and Tobago’s Ministry of Justice suffers a DDoS attack that disrupts court operations across the country. The ministry said the outages, which began in late June, are believed to be related to the same attack.
July 2023: New Zealand’s parliament is cyberattacked by a Russian hacking group. The group said their attack was in retaliation for New Zealand’s support for Ukraine, such as its assistance in training Ukrainian troops and sanctions against Russia. Hackers have temporarily shut down the New Zealand Parliament, Parliamentary Counsel Office (PCO) and Legislation websites due to a DDoS attack.
July 2023: Russian hackers attack twelve government ministries in Norway to gain access to sensitive information. Hackers took advantage of a vulnerability in a software platform used by ministries.
July 2023: A South Korean government-linked institution falls victim to a phishing scandal that results in a loss of 175 million won, reportedly the first phishing incident against a South Korean government-run public organization.
July 2023: Chinese-linked hackers infect a Pakistani government app with malware. A state bank and a telecommunications operator were also targets of the attack.
July 2023: Chinese hackers breached the emails of several prominent US government officials at the State Department and the Department of Commerce through a vulnerability in Microsoft’s email systems.
July 2023: Russian hackers attack scores of participants at the latest NATO summit in Vilnius. Attackers used a malicious copy of the Ukrainian World Congress website to attack participants.
July 2023: A Polish diplomat’s announcement to buy a used BMW was defaced by Russian hackers and used to attack Ukrainian diplomats. Hackers copied the leaflet, included malware and distributed it to foreign diplomats in Kyiv.
June 2023: A group believed to be linked to the private military corporation Wagner hacked a Russian satellite communications operator serving the Federal Security Service (FSB) and Russian military units. The attack followed Wagner’s attempt to rebel against President Vladimir Putin over the war in Ukraine.
June 2023: A Pakistani hacking group penetrates the Indian military and education sector in the group’s latest wave of attacks on Indian government institutions. The hack is the latest in a series of targeted attacks by the group that have intensified over the past year.
June 2023: Pro-Russian hacktivists attacked several European banking institutions, including the European Investment Bank, in response to Europe’s continued support for Ukraine. Hacktivists used a DDoS attack to disrupt EIB.
June 2023: Several US federal government agencies, including those at the Department of Energy, were breached in a global cyberattack by Russian-linked hackers. Cybercriminals have discovered a vulnerability in software widely used by agencies, according to a US cybersecurity agent.
June 2023: An Illinois hospital becomes the first medical facility to publicly cite a ransomware attack as the primary reason for its closure. The attack, which took place in 2021, permanently undermined the institution’s finances.
June 2023: Pro-Russian hackers attacked several Swiss government websites, including those of the parliament, federal administration and Geneva airport. The DDoS attacks coincide with preparations for the virtual speech of Ukrainian President Volodymyr Zelenskyi before the Swiss parliament.
June 2023: Since 2018, North Korean hackers have posed as tech workers or employers to steal more than $3 billion, according to new reports. According to US officials, the money was used to finance the country’s ballistic missile program.
June 2023: Ukrainian hackers claim responsibility for an attack on a Russian telecommunications company that provides critical infrastructure for the Russian banking system. The attack took place in conjunction with Ukraine’s counteroffensive.
May 2023: Belgium’s cyber security agency linked Chinese-sponsored hackers to a spearfishing attack on a prominent politician. The attack comes at a time when European governments are increasingly ready to challenge China over cybercrime.
May 2023: Chinese hackers breach communications networks at the US outpost in Guam. Hackers used legitimate credentials, which made them difficult to detect.
May 2023: Chinese hackers attacked government ministries and government offices in Kenya, including the office of the president. It seems that these hacks were aimed at obtaining information about debts owed to Beijing.
May 2023: An alleged Russian state group targeted government organizations in Central Asia. The group uses previously unknown malware, and the attacks have focused on stealing documents.
May 2023: An unknown group hacked targets in both Russia and Ukraine. The motive for the attacks was surveillance and data collection,
May 2023: A Russian-linked hacker launched a botched cyberattack on Ukraine’s commercial truck border control system via a phishing campaign
April 2023: Hackers linked to Sudan launched a DDoS attack on Israel’s Independence Day, shutting down Israel’s Supreme Court website for several hours. Israel’s cyber authorities reported no major damage to network infrastructure. The hackers claimed to have also attacked several other Israeli government and media sites, but these attacks could not be confirmed. The group has been active since at least January 2023, attacking critical infrastructure in northern Europe and is believed to be religiously motivated.
April 2023: NSA cyber agencies reported evidence of Russian ransomware and supply chain attacks against Ukraine and other European countries that provided humanitarian aid to Ukraine during the Ukraine war. There were no signs of these attacks on US networks.
April 2023: Iranian state-linked hackers attacked critical infrastructure in the US and other countries in a series of attacks using previously unknown customized malware. The hacking group has been active since at least 2014, conducting social engineering and espionage operations that support the interests of the Iranian government.
April 2023: In January 2023, Recorded Future published a report on data theft attacks on South Korean research and academic institutions. The report identified Chinese-speaking hackers. Researchers believe it is a hacktivist group motivated by patriotism towards China.
April 2023: Mandiant researchers attribute a software supply chain attack on the 3CX Desktop App to hackers linked to North Korea. Upon investigation, Mandiant discovered that this attack used a vulnerability that was previously implemented in 3CX software. This is Mandiant’s first detection of a software supply chain attack exploiting vulnerabilities from a previous software supply chain attack.
April 2023: Chinese hackers have been targeting telecommunications service providers in Africa in an espionage campaign since at least November 2022. Researchers believe the group has been attacking human rights and democracy advocates inside the country, including nation states, since at least 2014. access from telecommunications providers, the group collects information including keystrokes, browser data, audio recordings and data capture from individual targets on the network.
April 2023: A Russian-linked threat group launched a DDoS attack against Canadian Prime Minister Justin Trudeau, blocking access to his website for several hours. The timing of the operation coincided with a meeting between the Canadian government and Prime Minister of Ukraine Denys Shmyhal, suggesting that the operation was in retaliation.
April 2023: Hackers linked to North Korea wage an ongoing espionage campaign targeting defense industry firms in Eastern Europe and Africa. Kaspersky researchers believe that in 2020, the hacker group shifted its focus from financially motivated coin mining attacks to espionage.
April 2023: Researchers discover Israeli spyware on the iPhones of more than 5 journalists, opposition politicians and an NGO worker. Hackers first compromised targets with malicious calendar invites. The origin and motives of the hackers are unknown.
April 2023: Ukraine-linked hacktivists attacked the email of the head of the Russian GRU Unit 26165, Lt. Col. Serhii Oleksandrovych, releasing his correspondence to a volunteer intelligence analysis group. The stolen data contained Alexandrovych’s personal information, the unit’s personal files, and information about Russian means of cyberattacks.
April 2023: Hackers linked to North Korea targeted people with knowledge of North Korean politics in a phishing campaign. Hackers posed as journalists, soliciting interviews with targets, inviting them to use embedded links to plan and steal their credentials. The amount of information stolen and the number of targets are unknown.