Idle Threats Or a Harbinger of Things to Come?

According to recent reporting, a suspected nation state hacker group with alleged ties to the Iranian government issued death threats to researchers that had detected their cyber espionage activity.  The researchers were checking a server that they believed to be associated with a specific data breach when they received the message “Stop!!! I Kill You Researcher.”  According to the same report, the server was apparently attached to the attackers’ command-and-control infrastructure.  Active since 2015, the group known as “MuddyWaters” has been observed targeting organizations in Georgia, India, Iraq, Pakistan, Saudi Arabia, Tajikistan, Turkey, and the United States.  Recently, MuddyWaters has been observed targeting oil and gas entities in the Middle East.  Notably, the group is believed to employ “false flag” operations – similar to what was believed to have been done during the recent Olympics – in which it adopted some of the tactics, techniques, and procedures (TTP) of suspected Chinese hackers to obfuscate the group’s true identity.

On the surface, the threat made against the researchers can be viewed as knee-jerk reaction to being tracked by the private sector.  But this does raise the possibility of what hostile actors may resort to in the future.  The private sector computer security has been aggressively investigating the activities of suspected nation states actors since 2004 when the first report published the activities of a Chinese state entity.  Since that time, several subsequent reports have been provided to the public detailing “advanced persistent threat” operations detailing TTPs and targeting that have ultimately been attributed to specific nation state actors.  While the standard public reaction of these governments has been to refute or deny the claims, citing the difficulties in providing adequate evidence that supports attribution, sanctions and alleged retaliatory strikes have been know to occur as a result of these accusations.

The potential of escalatory cyber strikes in response to actions is a real concern and one that has been raised in the press.  One reason the United States, for example, has not retaliated against suspected Russian involvement in the 2016 U.S. presidential election is not knowing how such an adversary may reciprocate any retaliatory strike against its interests.  This is a very legitimate concern, as cyberspace activities are still relatively new, and that nation states around the world are eagerly trying to buy, develop, or acquire an offensive cyber capability.

And this is where thinking may be too narrowly focused.  A state or non-state entity does not have to resort to cyberspace to retaliate against an attack that it has suffered in cyberspace.  It is not a one-for-one arrangement.  Threatening to retaliate in the physical world provides another potential attack vector that needs to be considered.  After all, many of the vendor APT reports that are published often contain the names of those involved in the report – individuals that likely have a footprint on the Internet. These attackers can find out their personal identifiable information and either post it for others to target, or else use it for their own purposes.  Doxxing – or disclosing the PII of victims – has long been a weapon in the hacktivist arsenal.  In 2016, the United Cyber Caliphate published “kill lists” of U.S. military personnel to encourage ISIS sympathizers and lone wolfs to commit acts of violence against them.  Although to date, there is no known attack resulting from disclosures such as this, it bears noting if that may transpire in the future.

Nation states have been suspected of carrying out physical attacks on specific individuals. Recently, a Russian spy is believed to have been poisoned at the behest of the Russian government. In 2017, suspected North Korean agents used poison on Kim Jong Un’s brother at a Malaysian airport. Granted, these attacks weren’t the result of cyber activity, but it does demonstrate that the capability is there if the intent is present.  Giving the fact that Iran is largely considered the world’s leading nation state supporter of terrorism, it has a large network of agents to call upon to target individuals it may view as threatening to their interests.  Iran has been suspected of conducting “assassinations” in the past, a claim that it has denied.

For the time being, this appears to be a one-time threat.  But how nation states respond to cyber attacks and significant cyber incidents can influence on what accused governments may do in response to any retaliation.  Let’s hope that this confluence between cyber space and the physical world remain theoretical and not a harbinger of things to come.

This is a guest post written by Emilio Iasiello