Cyber Privateering Complicates Attack Attribution

The injection of sophisticated malware into SolarWinds software was attributed to Russian intelligence. An unrelated attack, made possible by exploiting a vulnerability in SolarWinds software, is being attributed to Chinese hackers. Periodically, other breaches are attributed to North Korean and Iranian hackers. However, nations rarely admit to being behind hacking activities.

As cybercrime and other hacking activities have grown in prevalence, private and public security experts have been tracking the bad actors responsible for attacks. Over the years, the focus has shifted from organized crime to government entities. Although it is difficult to know for certain exactly who is behind an attack, many companies have become more likely to credit attacks to nation-state actors. The Radware Global Applications and Network Security report from early 2020 reported that, in 2019, 27% of companies believed they were attacked by a foreign power. In many cases, it is convenient to blame foreign intelligence groups for cyberattacks, but the issue is more complicated.

More than likely, many attacks are perpetrated by a buccaneer. Not a Tampa Bay Buccaneer, but a modern-day cyber privateer. Privateering was most prevalent in the 17th and 18th centuries. At that time, the major maritime powers would sanction, by providing a “Letter of Marque and Reprisal,” the looting of certain foreign merchant ships. In this way, one power could attack another without “showing the flag.” The proceeds were then shared between the privateers and the government. An interesting footnote: some of these enterprises had investors. There was a fine line between outright piracy and sanctioned privateering.

For interesting information on the difference between pirates and privateers, check out this article.

Cyber Privateering

Cyber privateering operates the same way. Governments, or even, in some cases, private entities, make deals with professional hackers. The sponsor provides its “independent contractor” with a list of information it is willing to pay for. The cyber privateer makes a special effort to retrieve that material so they can collect payment, and keeps whatever else they are able to acquire. The only constraint placed on the cyber privateer is that they will not ply their trade against the sponsoring country (or other designated entity or entities).

Benefits of Cyber Privateering

Cyber privateering is a win-win situation for the players. There are a number of benefits for both sides that sustain this ecosystem.

  • Cost Benefits: Similar to the commercial gig economy, a pool of attackers becomes available for hire. Governments use privateers as a cost-effective alternative to building out a large hacking organization. The sponsoring government does not need to pay to recruit, train and maintain a large number of employees. Instead, the government uses its resources to develop offensive tools and programs which can be used by the privateers.
  • Improved Targeting and Competition: By making it known that certain information is valuable, companies can lead more people to work to collect that data. Multiple cyber privateers will be vying to collect the bounty.
  • Known Market: The cyber privateer benefits from having a specific market for their stolen goods. Knowing you have well-paying customers waiting is much more profitable than speculative cybercrime activities.
  • Protection: Sponsors of cyber privateers will shield their privateering assets. This can be accomplished by reduced cooperation with criminal investigations or by denying extradition. However, this protection can be revoked should the privateer violate the admonition against attacking their patron.
  • Deniability: Since privateers are flying the “Jolly Roger,” it is easy for a nation to deny involvement should an operation be exposed. Nation-state involvement might be suspected, but is hard to prove. Spain, for example, knew who the English privateers were, centuries ago, but it did not go to war with England. Instead, the Spanish focused their energies on catching individuals.

Cyber Privateering Examples

The reality is that cyber privateering isn’t a new phenomenon. It has been going on for some time, but is more noticeable now. One of the first examples was exposed by Cliff Stoll in The Cuckoo’s Egg. Members affiliated with the German Chaos Computer Club were arrested in 1989 for hacking into U.S. government and corporate computers, and allegedly selling their booty to the KGB.

The massive Yahoo! account breaches in 2013 and 2014 were allegedly perpetrated by a gang paid by the Russian Federal Security Service. One member of the gang, who lived in Canada, was arrested and extradited to the United States. Three others, who the FBI believes were involved, are still free and living in Russia.

Additionally, the denial-of-service attack against Estonia, the cyberattack on Georgia, and the Shamoon malware attack against Saudi Aramco were probably perpetrated by cyber privateers working at the behest of a foreign government.

Future is Bright for Cyber Privateers

The rise in cyber privateering has corresponded with the expansion of the internet and e-commerce. Just as the gold in Spanish galleons drove the expansion of Caribbean piracy and privateering, the value of information available in digital form has made cybercrime and digital privateering much more lucrative. Social media, cloud computing and remote work are making it easier to ply the trade.

Cyber privateering is a way for smaller players to leverage a large infrastructure. The continuous development of sophisticated hacking tools, the growth of hacking-as-a-service and the ever-expanding value created by the internet will likely lead to more cyber privateering.
