Cyber espionage threat landscape, ENISA



Overview

In its cyber espionage threat landscape, ENISA treats cyber espionage as both a threat and a motive. It is defined as ‘the use of computer networks to gain illicit access to confidential information, typically that held by a government or other organisation’.

In 2019, many reports revealed that global organisations consider cyber espionage (or nation-state-sponsored espionage) a growing threat affecting industrial sectors, as well as critical and strategic infrastructures across the world, including government ministries, railways, telecommunication providers, energy companies, hospitals and banks.

Cyber espionage is driven by geopolitics and aims at stealing state and trade secrets, intellectual property and proprietary information in strategic fields. It mobilises actors from the economy, industry and foreign intelligence services, as well as actors who work on their behalf. In a recent report, threat intelligence analysts were not surprised to learn that 71% of organisations treat cyber espionage and other threats as a ‘black box’ and are still learning about them.

In 2019, the number of nation-state-sponsored cyberattacks targeting the economy increased, and this trend is likely to continue.

In detail, nation-state-sponsored and other adversary-driven attacks on the Industrial Internet of Things (IIoT) are increasing in the utilities, oil and natural gas (ONG), and manufacturing sectors.

Furthermore, cyberattacks conducted by advanced persistent threat (APT) groups show that financially motivated attacks increasingly borrow espionage tradecraft. Using tactics, techniques and procedures (TTPs) akin to those of their espionage counterparts, groups such as the Cobalt Group, Carbanak and FIN7 have allegedly been successfully targeting large financial institutions and restaurant chains.

The European Parliament’s Committee on Foreign Affairs called upon Member States to establish a cyber-defence unit and to work together on their common defence. It stated that ‘the Union’s strategic environment has been deteriorating … in order to face the multiple challenges that directly or indirectly affect the security of its Member States and its citizens; whereas issues that affect the security of EU citizens include: armed conflicts immediately to the east and south of the European continent and fragile states; terrorism – and in particular Jihadism –, cyberattacks and disinformation campaigns; foreign interference in European political and electoral processes’.

Threat actors motivated by financial, political or ideological gain will increasingly focus their attacks on supplier networks with weak cybersecurity programmes. Cyber espionage adversaries have gradually shifted their attack patterns towards exploiting third- and fourth-party supply chain partners.


Some incidents (2019-2020) from the ENISA cyber espionage threat landscape

- South Korea’s Ministry of National Defence announced that unknown hackers had compromised computer systems at the ministry’s procurement office.

- The United States Department of Justice announced the disruption of a foreign state-sponsored botnet operation that targeted companies in the media, aerospace, financial and critical infrastructure sectors.

- The Norwegian software firm Visma revealed that it had been targeted by hackers who were attempting to steal trade secrets from the firm’s clients.

- Individuals were caught in the early stages of gaining access to computer systems of several political parties and of the Australian Federal Parliament.

- European aerospace company Airbus revealed that it was targeted by alleged nation-state sponsored hackers who stole personal and IT identification information of many employees.

- Following an attack on Indian military forces in Kashmir, Pakistani hackers targeted almost 100 Indian government websites and critical systems.

- Indonesia’s National Election Commission reported that Chinese and Russian individuals had probed the voters’ database ahead of presidential and legislative elections in the country.

- Foreign hackers targeted several European government agencies ahead of EU elections.

- The Australian Signals Directorate revealed that it had conducted cyberattacks against ISIS in the Middle East.

- The Finnish police probed a DoS attack against the web service used to publish the vote tallies from Finland’s elections.

- Amnesty International’s Hong Kong office announced that it had been the victim of a cyberattack.

- The Israel Defense Forces launched an airstrike on Hamas after it unsuccessfully attempted to hack Israeli targets.

- An Iranian network of websites and accounts was allegedly used to spread false information about the United States, Israel and Saudi Arabia.

- Croatian government agencies were targeted in a series of attacks by unidentified state-sponsored hackers. The malware payloads were the Empire backdoor and SilentTrinity, both publicly available open-source post-exploitation frameworks that had not previously been observed in attacks in the wild.

- Libya arrested two men who were accused of working with a Russian ‘troll farm’ to influence the elections in several African countries.

- Several major German industrial firms, including BASF, Siemens and Henkel, announced that they had been the victims of a state-sponsored hacking campaign.

- A state-sponsored group allegedly conducted a series of cyberattacks against Egyptian journalists, academics, lawyers, human rights activists, and politicians.

- A state-sponsored hacking group targeted diplomats and high-profile Russian-speaking users in Eastern Europe using malware dubbed Attor.

- An Israeli cybersecurity firm was found to have sold spyware used to target senior government and military officials in at least 20 countries by exploiting a vulnerability in WhatsApp.

- A seven-year campaign by an unidentified Spanish-language espionage group was revealed to have resulted in the theft of sensitive mapping files from senior officials in the Venezuelan Army.

- A state-sponsored cyberespionage group allegedly conducted a phishing campaign targeting Chinese government agencies and state-owned enterprises for information related to economic trade, defence issues, and foreign relations.

- The Czech Foreign Ministry fell victim to a cyberattack by an unspecified foreign state.

- A non-state actor targeted the British Labour party with a major DDoS attack that temporarily took the party’s computer systems offline ahead of the national elections.


Mitigation measures

Because of the comprehensive nature of this threat, several of the mitigation measures recommended for other threats in this report could be employed as part of the following baseline mitigation controls:

- Identify mission critical roles in the organisation and estimate their exposure to espionage risks. Evaluate such risks based on business information (i.e. business intelligence).

- Create security policies that accommodate human resource, business and operational security controls to cater for risk mitigation. These should include rules and practices for awareness raising, corporate governance and security operations.

- Establish corporate practices to communicate the rules developed and to train staff in them.

- Develop evaluation criteria (KPIs) to benchmark the operation and adapt it to upcoming changes.

- Create a whitelist (allowlist) of critical application services, depending on the risk level assessed.

- Assess vulnerabilities and patch the software regularly, especially for systems that are on the perimeter.

- Implement the need-to-know principle for defining access rights and establish controls to monitor misuse of privileged profiles.

- Establish content filtering for all inbound and outbound channels (e.g. email, web, network traffic).
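The need-to-know and privileged-profile monitoring control above is easier to reason about with a concrete check. The following is an added example, not code from ENISA or from the report: it parses a constructed authentication log, keeps only accounts listed in a hypothetical need-to-know baseline (approved source hosts and approved logon hours per privileged account), and flags successful logons that fall outside that baseline or that follow a failed attempt from the same host. The log format, account names, hosts and the BASELINE table are all assumptions made for the example.

```python
"""Baseline check for misuse of privileged profiles.

Added example (not ENISA's code). Assumptions: a whitespace-separated log of
"<ISO timestamp> <user> <source host> <SUCCESS|FAILURE>" lines, and a
need-to-know baseline mapping each privileged account to the hosts and
hours from which it may legitimately be used.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2019-11-04T08:15:00 admin.jsmith ADM-WS01 SUCCESS
2019-11-04T09:02:11 jdoe WS-1123 SUCCESS
2019-11-04T02:47:33 admin.jsmith WS-0942 SUCCESS
2019-11-04T10:30:05 svc-backup BKP-01 SUCCESS
2019-11-04T11:12:44 svc-backup WS-1123 FAILURE
2019-11-04T11:13:02 svc-backup WS-1123 SUCCESS
"""

# Hypothetical need-to-know baseline: privileged account -> approved hosts
# and an approved [start, end) hour window. Accounts not listed here are not
# privileged profiles and are out of scope for this check.
BASELINE = {
    "admin.jsmith": {"hosts": {"ADM-WS01", "ADM-WS02"}, "hours": (7, 19)},
    "svc-backup": {"hosts": {"BKP-01"}, "hours": (0, 24)},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    outcome: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, outcome))
    return events


def find_privileged_misuse(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (user, host, reason) findings for privileged logons that
    deviate from the baseline. Events are expected in chronological order."""
    findings = []
    failed_from = set()  # (user, host) pairs with a prior failed attempt
    for ev in events:
        policy = BASELINE.get(ev.user)
        if policy is None:
            continue  # not a privileged profile
        if ev.outcome != "SUCCESS":
            failed_from.add((ev.user, ev.host))
            continue
        if ev.host not in policy["hosts"]:
            findings.append((ev.user, ev.host, "logon from non-approved host"))
        start, end = policy["hours"]
        if not start <= ev.ts.hour < end:
            findings.append((ev.user, ev.host, "logon outside approved hours"))
        if (ev.user, ev.host) in failed_from:
            findings.append((ev.user, ev.host, "success after failed attempts from same host"))
    return findings


if __name__ == "__main__":
    for user, host, reason in find_privileged_misuse(parse_log(SAMPLE_LOG)):
        print(f"{user}\t{host}\t{reason}")
```

On the constructed sample this yields four findings: the admin account used at 02:47 from a non-approved workstation (two reasons), and the backup service account succeeding from a user workstation right after a failure there. In practice the baseline would be generated from the access-rights review that the need-to-know principle requires, and the findings fed to the security operations team rather than printed.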