Cyber attacks have very few costs compared to traditional military operations. In addition, they are generally easier to carry out and anonymity ensures that there are far fewer consequences for the hackers. These are among the reasons why state-sponsored hacking is a frequently used tool among the world's intelligence agencies in modern digital warfare.
Hackers employed by the state
States may employ hackers directly through their military and government agencies. They may also fund them indirectly. This makes it easier for the state to deny their involvement if a hacking attack is discovered. It can also reduce the diplomatic impact that hacking attacks can have.
State-sponsored cyber attacks can be, for example:
- Spying: Identifying corporate secrets, new technologies, confidential political information, etc.
- Attacks on critical corporate infrastructure: This can damage corporate systems and IT defences.
- Dissemination of misinformation: Misinformation can be very effective in disrupting or changing political opinion in a state, influencing elections, inciting resentment against governments or individuals or improving/worsening public opinion of certain political parties.
- Testing the capabilities of enemies: Sometimes the only goal is to test the capabilities of a state's enemies to see how well they are prepared for cyber attacks.
Cyber attacks have become a significant part of modern hybrid warfare. Hybrid warfare can involve conventional military operations, cyber attacks, disinformation and support for local separatist groups. Such tactics have recently been used on a large scale, for example by Russia against Ukraine or the United States.
When did state-sponsored hacking begin?
The first time hacking was used as a military weapon is credited to Stuxnet in 2009, which was allegedly created by the US and Israel in a collaboration to destroy the Iranian nuclear programme.
Stuxnet was a government-produced malware code designed to attack the PLC units of an Iranian nuclear power plant that controlled the centrifuges for uranium enrichment at the Natanz nuclear facility in Iran.
Stuxnet reportedly destroyed 20% of Iran's nuclear centrifuges.
Hard to detect, easy to deny
Of course, states are not the only actors behind cyber attacks. Criminal hackers, hacking groups and terrorists bear just as much responsibility in state-sponsored hacking. Because state-sponsored hackers are well-funded, well-equipped and well-trained, state-sponsored cyber attacks are not easy to detect.
And even if cyber attacks are detected, it can easily appear that other actors were behind the attack. It can be very difficult to prove that a state is behind a cyber attack. This makes cyber attacks an effective and relatively risk-free option for states to use.
Criminal or ethical hackers?
There are different types of hackers, defined by their motivations and goals. Criminal hackers, also called black hats, hack illegally and use malware, phishing and other techniques to carry out their cyber attacks. These are hackers who break into the systems of companies or authorities without permission. They can carry out data theft, online espionage or collect sensitive information.
Ethical hackers, also known as white hats, use their hacking skills for good. This may be working for governments, public bodies or large companies where the hacker is employed to access, test and challenge security systems to find flaws or vulnerabilities. In other words, a white hat hacker is used as an indirect defense against other, criminal hackers, the black hat hackers.
The hackers who engage in state-sponsored hacking can be perceived in different ways, depending on who is referring to them.
For example, most state-employed hackers are in principle ethical hackers, white hats, in the eyes of their state, but criminal hackers, black hats, in the eyes of their victims.
Russia takes first place
A survey conducted by Microsoft in 2021 shows that Russia was behind most of the state-sponsored hacking during that year.
Russia accounted for 58% of global state-sponsored hacking attacks, mostly targeting government agencies and think tanks in the US, followed by Ukraine, the UK and European NATO members.
Russian state-sponsored hackers increased their success rate to 32% in 2021, compared to 21% in 2020.
China, meanwhile, accounted for fewer than 1 in 10 state-sponsored hacking attacks, according to Microsoft, but managed to break into targeted networks or systems 44% of the time.
Ransomware attacks are a growing threat
The study also found that ransomware attacks are a serious and growing threat, and US organisations or governments are the biggest target, exposed to morethan three times as many ransomware attacks as the second most affected country. Ransomware attacks are almost always financially motivated.
Excluding ransomware attacks, state-sponsored hacking is mainly about intelligence or data gathering - whether the purpose is for national security or commercial or strategic advantage. Therefore, state-sponsored hacking is generally tolerated by governments.
Notorious state-sponsored hacking groups
State-sponsored hacking groups are generally referred to as "advanced persistent threats" (APTs) by IT security researchers. Some states assign them a number, others have different naming conventions, e.g. Iran calls many of their state-sponsored hacking groups "kittens".
This means that state-sponsored hacking groups often have different names for different countries or authorities.
Known groups that carry out state-sponsored hacking include Cozy Bear (Russia), Lazarus Group (North Korea), Double Dragon (China) and Helix Kitten (Iran).
State-sponsored hacking against Denmark
In Denmark, the Center for Cybersecurity (CFCS), a national IT security authority under the Defence Intelligence Service, focuses on national threats, including state-sponsored hacking and espionage.
Each year, CFCS produces a report on cyber threats to Denmark, including threat assessments.
In 2021, CFCS assessed the threat from cyber espionage as very high. They assessed that foreign states can and will attempt to steal valuable information from Denmark.
In the report, they wrote, among other things, that "particularly interesting targets in the field of foreign and security policy are subject to sustained interest from state actors. Concrete incidents and ongoing attack attempts repeatedly underline this assessment" (Cyber Threat to Denmark 2021).
However, the CFCS assessed that the threat from destructive cyber attacks against Danish authorities and companies is low. Several states have the resources to carry out destructive cyber attacks, but it is less likely that they actually intend to carry out destructive cyber attacks against Denmark.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.