
Hard to Verify Claims of Hacking Go Both Ways

Written by Reflare Research Team | Feb 1, 2023 6:26:00 PM

Cyber espionage tends to morph into an issue of national pride. Anyone in the cyber security sector will tell you that a great many attacks go unreported: the victim cannot prove who was behind them, and publicly assigning unprovable blame invites reputational retaliation.

First Published 10th March 2020  |  Latest Refresh 1st February 2023

With great power comes great perception management.


We live in interesting times

Cybersecurity plays an ever larger role in geopolitical conflict, both in defence and in attack. This report will not (yet) look at the specific events of the present moment. Instead, we use a case study to identify the underlying methodology and dynamics of how hackers can use the ambiguity of attribution as a strategic political weapon, and why this feels counterintuitive to readers in the West.

United States x China - an example

Some time back, the Chinese government made an official demand to the US government for an explanation of a number of alleged hacks against Chinese public and private targets, including research institutions, government branches, ISPs and energy providers, among others.

Beijing-based cybersecurity firm Qihoo published allegations claiming to have discovered evidence of a CIA-led hacking effort against Chinese targets going back at least 13 years. As is usual in these cases, the underlying evidence itself has not been made available.

Documentation for, and parts of, the CIA's hacking toolset were leaked in 2017 as part of the so-called Vault 7 release. That may help researchers recognise the tooling, but it also means that almost anyone can now study, reuse or imitate it. A match against Vault 7 material therefore tells you what a sample resembles, not who deployed it.

Naturally, as we keep pointing out, it is almost impossible to prove to a high standard that a hack was performed by a specific actor. Public allegations of this kind are usually driven as much by political interest as by the data available.

Did the CIA do it?

We need to break this question down into two parts.

Did the CIA hack into the specific targets that Qihoo describes? No one outside the parties involved can tell for sure.

Did the US hack into any Chinese targets? Most likely yes.

If leaks from PRISM to Vault 7 have shown us anything over the past years, it is that almost all governments are in the systems of almost all other governments.

It would be very surprising if the US (through the CIA or other agencies) did not have a foothold in at least some of China’s critical infrastructure. The same goes for Germany, North Korea, Brazil, and any other country we could continue randomly picking.

At this time, cybersecurity trend analysis, incident reports, government statements like this one, the continuing research into election interference across the globe, and the daily flow of news about breaches by state actors all firmly support our working assumption that the overwhelming majority of countries are hacking one another in some capacity.

Why does this feel “wrong”?

The above question may only make sense to our Western readers, as biases and implied assumptions are often region-specific. Most of us know that biases exist, and many of us are aware that we personally must hold some of them.

But try as you might, it is almost impossible to identify a bias until it runs into conflicting information. Of course, everyone technically knew about the Western countries' hacking efforts from the leaks, and everyone knew on an abstract level that espionage has always been a part of international relations. But since the reports we usually see point in one direction - namely attacks from China, Russia and North Korea - an unconscious bias quickly forms. This story feels off because it contradicts that bias.

Beware your own bias

To defend against an opponent, you must understand the opponent, and you must also understand yourself. One example of this not being the case is the lax security standard employed by many organisations that hold few digital assets of monetary value but many of political value.

If one assumes that all attackers are after direct monetary gain, then there is no need to secure such networks well. While the opposite might have sounded paranoid not so long ago, from a 2022 perspective biases are now beginning to shift. And if historical evidence for the new reality is needed, the breaches during the 2016 US election cycle provide good examples of where that mindset leads.

Likewise, if you assume that your own team - be it company, group, government, country, or else - is not engaging in offensive security, then any defensive measure taken by an adversary will look like offensive preparation.

This is why it is so critical to make sure that your perception of the world is accurate, and why opportunities to challenge our own biases are invaluable. Additionally, take stock of the biases and assumptions of your IT security team members and the colleagues around you, and factor these in as you think about the role you play in securing your organisation's assets.

Summary

In order to secure yourself and your organisation, it is valuable to have an accurate perception of the world. Unfortunately, as social animals, it is almost impossible for us to do so. Stories like this one - even when leaving the veracity of the specific claims in doubt - allow us to identify and challenge our assumptions. This, in the end, can help make us more accurate, and therefore more secure.