Why Hackers Are Getting into the Espionage-as-a-Service Business

Espionage is typically connected with organizations backed by the governments of nation states. However, more private hacker groups are entering the scene.


26 February 2015

Why Hackers Are Getting into the Espionage-as-a-Service Business

In general, espionage is a term we generally connect with organizations backed by the governments of nation states around the globe. In recent years, however, more private hacker groups are entering the scene — and for a good reason.

Let’s consider the recent Sony hack, surely it was one of the most media covered attacks in history. However, the cost is currently estimated at about $100 million. It is by no means a small number (for Sony at least), but neither is it a big one. For comparison, consider the price of research and development of classified military technology, where in some cases, the price can climb into high billions of dollars. These numbers dwarf any of the publicly disclosed figures for most data breaches we hear about on the news.

The high price of the target data is precisely the reason for these mercenary hacker groups to enter the business of Espionage-as-a-Service (EaaS). According to a recent report by Taia Global, “These mercenary hacker groups range from small groups with little funding to specialty shops run by ex-government cyber intelligence agents to highly financed criminal groups who use similar if not identical tactics to nation state actors … The low risk of discovery, frequent misattribution to a nation state, and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months.”

Most Targeted Sectors

One of the most lucrative targets for these hackers-for-hire appears to be the aerospace and defense industries. Not just because the field is extremely competitive, but also due to the exceedingly restrictive export regulations. Other industries, however, are targeted as well.

A recent case of The United States of America v. SU BIN provides unprecedented insight into the workings of this type of operation. According to the complaint, this operation has been allegedly running at least since the year 2010. Although the precise mechanics of these types of operations are not fully understood, the above criminal complaint by the FBI sheds some light on how they are believed to work.

The United States of America v. SU BIN - Wall Street Journal

Su Bin is a businessman and an owner of the Beijing Lode Technology Company Ltd. — a cable harness equipment company founded in 2003 that serves the aerospace industry. Because of relationships gained through his business, Su Bin was allegedly able to do precisely what his company’s slogan, ironically, claims: track the world’s aviation technology.

Once the target was identified (a specific company and technology), Su Bin would allegedly contact his two accomplices — professional hackers. Once the hackers would apparently obtain the target technology, Su Bin would supposedly search for a buyer, if he didn’t have one already. These would not necessarily be from China as one of the intercepted emails allegedly revealed. The hacker group apparently collaborating with Su Bin is extremely well funded and exceedingly skilled, which made them easy to appear as state-backed attackers.

EaaS attacks are comprised of five stages:

  1. Target: EaaS groups start by identifying targets, followed by searching for a buyer. Sometimes a buyer may request specific technology.
  2. Reconnoiter: EaaS actors must identify vectors and high value technology that the buyers will pay premium for.
  3. Infiltrate: Even organizations with a very high level of security can be infiltrated. This can be usually done through social engineering tactics such as spear phishing, compromising a vendor, or even getting employed at the target company.
  4. Exfiltrate: These hackers typically have a long (persistent) access to the victim networks and thus, have plenty of time to figure out ways to exfiltrate large amounts of data without detection.
  5. Sell: Buyers are typically not hard to come by. As long as this type of “acquisition” costs less than in-house R&D, a deal can be struck.

A unique aspect of this type of attack is a specific knowledge of the target technology. Allegedly making people like Mr. Su Bin excellent brokers, as well.

Compared to many state-sponsored espionage operations, these EaaS groups do not conduct widespread espionage. Instead they focus on specific targets. For this reason, it is easier to identify potential buyers (especially when it comes to very specific high-tech) and conduct counter reconnaissance, which is one of the few ways a company can prepare for an attack. Since this is a relatively new phenomenon, however, there is an extremely limited number of solutions at this point.

What are strategies to protect intellectual property in shared outside environment? Security and governance processes and policies are the foundation required, but companies also need tools in place to support enforcement of those procedures, including:

  1. Information Rights Management (IRM): There are enterprise file sharing applications available on the market; using one that enables IRM to be applied to a file, and can also be easily used by recipients is key. Removing plug-in requirements is one way to ensure easy adoption of IRM. These types of IRM solutions offer the capability to enable the document owner to monitor document access and revoke participant access at any time — ensuring greater security and control over content.
  2. Email Communication Encryption: Email communication encryption is often combined with IRM, where users could not only encrypt messages, but also provide life cycle management of self-retention, including specification of actions of that message, such as forwarding, printing, or copying.
  3. Data Loss Prevention Solutions (DLP): DLP can also provide a way of controlling content, since many of these solutions encrypt a message and only allow viewing of it within a specified third party portal provided by sender. These are often combined with IRM, especially with new marketed solutions.

EaaS may never be completely eliminated, but the technology and processes now exists for organizations to better protect themselves against risks and threats.



Ondrej Krehel

Ondrej Krehel

Ondrej Krehel, CISSP, CEH, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cybersecurity department at Stroz Friedberg and the Loews Corporation.