A Survey of Nation State Sponsored Hackers

The darknet is an unpredictable source of both white hat and black hat hackers working to develop malware, toolkits and viruses (MTVs) for any number of reasons - from political hacktivism to cyber crime. In our last few posts, we’ve touched on the various motivations for hacking and the different personas behind it; we now take a closer look at the recent history and current state of one of the hacking communities biggest players: Nation State Actors.

In this day and age, nearly everyone is aware that hacking and leaking the emails of the politically powerful, and their affiliates, is a common offense. Many times, this is perpetrated by hackers who simply oppose various political positions. Hacktivist groups, such as Anonymous, often participate in politically-motivated hacking due to much more nefarious, and arguably widespread, intents and agenda. In response to the Tunisian government limiting access to the internet, Anonymous struck government websites in the country with DDoS attacks and caused the sites to falter and crash. The group released the below letter, illustrating the motives behind the attack.



The political storm surrounding the now infamous Russian hacker known as Guccifer 2.0, who coordinated the release of the emails hacked from servers hosting the Democratic National Committee’s email, is one recent instance of politically motivated hacking.

The U.S. intelligence community clarified through all source intelligence analysis that nation state actors from Russia’s foreign intelligence service and main intelligence agency directly sponsored the team of hackers who carried out the attacks, recruited them in targeted social media campaigns and directed their actions. The state actor hackers probed voter registration databases and used bots and fake stories to make information more damaging – strategically magnifying the effects of these leaks – with the singular goal of directly influencing the outcome of the U.S. election process.

Beyond influencing election results, a state sponsored attack may have direct intentions to further the policies and agendas of the state government. Most noteworthy is the success of China’s military-based cyber team (Unit 61398) which accessed several government controlled (*.mil) and defense contractor domains to collect plans, drawings and key project details for a variety of cutting edge technology programs. This "army" encompassed a variety of organizations from specialized military units, experts from civilian organizations and a number of external entities comprised of hacking-for-hire mercenaries and non-government affiliated personas.  

The volume of websites targeted by Unit 61398 appears to have decreased with the 2015 agreement between then-U.S. President Obama and Chinese President Xi Jinpingdeclaring a mutual agreement to end or “knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.” Nevertheless, this agreement has not stopped China from its cyber espionage operations, as the U.S. intelligence community briefed the Senate earlier this year, going on record that “Beijing continues to conduct cyber espionage against the U.S. government, our allies and U.S. companies" 

The allocation of human, technological and financial resources towards nation state cyber efforts is substantial. In 2015, China admitted what had many had long suspected, that it had an “army of hackers” for digital espionage and sabotage. Recent reports indicate that China’s total number of cyber operatives is believed to be in excess of 100,000. 

Because of the covert nature of the Russian government, it is much more difficult to discern the extent of their cyber program. Despite reports that Russia annually spends roughly $300 million on cyber related activities and leverages at least 1,000 cyber operatives, we know Russia regularly sponsors underground cyber criminal organizations across Eastern Europe to support their campaigns.

There is also an element of nationalism woven into nation state hacks that cannot be understated. Take the common practice of including symbolic terminology within each nation's campaigns. Russian cyber campaigns are often referred to with the keyword “BEAR,” perhaps in reference to the well-known internet memes of Putin riding a bear. Significant Russian campaigns include: Cozy Bear, Energetic Bear and Berzerk Bear. Campaigns launched by China often use the keyword “PANDA,” such as Hurricane Panda, Putter Panda and Deep Panda.



After the 2012 U.S.-Israel campaign to sabotage Iran’s nuclear weapons program, Stuxnet, Iran rapidly became a world player in state sponsored hacking and malware development. Iran is believed to have heavily invested in their own cyber capabilities and significantly contributed to the rise of cyber terrorism in the Middle East, with historic support in funding regional terrorist organizations such as Hamas and Hezbollah. There is limited information on the capabilities of Hamas’s cyber team, Gaza Cybergang. A hacking group affiliated with Hezbollah, known as Qadmon or “Kadimon” reportedly cracked security cameras at a Defense Ministry compound in Tel Aviv in early 2016. Groups conducting Iranian sponsored campaigns involve the keyword “KITTEN,” Clever Kitten, Magic Kitten, and most recently, Rocket Kitten.

This climate of competition has created what many consider a cybersecurity "arms race."

Western and NATO member nations, such as the U.S., UK and Germany, have developed cyber teams for intelligence and cyber-defense purposes. However, it is difficult to discern how resources such as funding and people, have been allocated between offensive cyber campaigns and information system security missions. We can only assess based on the bits that we know, such as the fact that the British Army has a team of over 1,000 people dedicated to tackling the propaganda effectively published by terrorist organizations like ISIS through social media.  

We have observed federal agents from U.S. intelligence and homeland security communities active on the darknet, arresting numerous key underground market vendors, such Area51 and DarkApollo, from AlphaBay in August last year. For the last two years, the German Interior Ministry has deployed custom-developed trojans to track suspected citizens’ user chats and conversations on smartphones and PCs.


While espionage is motivated by the intent to learn something, cyber attacks are often leveraged to sabotage a competing or enemy nation, where direct action is taken.

Direction action can include network infiltration to control of a strategic or tactical network, using access for fraudulent purposes, collecting information for leverage such as blackmailing or ransoming data, launching a distributed denial of service (DDoS) to shut down access to government websites and social media and more. In more extreme scenarios, such as a cyber warfare attack, nation state hackers may utilize malware toolkits and viruses to disrupt or disable key infrastructure of the enemy nation, such as power grids or transportation systems. 

The malware tools used for espionage and sabotage are interchangeable and typically refined to best serve their intention. A nation state hacking team would utilize the key tools in any common hacker’s arsenal to gain access to key computer systems with data of interest. They would then establish persistent presence via advanced persistent threats (APT) and remote access tools (RAT) to evade detection and mitigate any IT security measures in place. Once the connection has been established and secured, the hackers would launch an automated data mining program to harvest the data of significance off to a remote server for final dissemination or leverage. There is a high-level sophistication and finesse of the code developed and utilized to evade detection and quickly connect and disconnect from the targeted information system.

Nation state sponsored hackers are one of the hacking community's biggest players. We will continue to monitor these trends as countries continue to move to cyber espionage and outright cyber attack.

Join us as we take a look at how North Korea (DPRK) is using the darknet in our next post.  

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.