Creating an Effective Cyber Espionage Operation

Tuesday, March 15, 2011

Richard Stiennon


The means and tools of cyber espionage are well known and used widely in practice. But has the United States intelligence community put into practice a structured operation to gather both open source and private intelligence and properly analyze and distribute it?

This post proposes one such operational structure. 

The tools and methods are described, including the use of custom Trojans, back hacking, infiltration, exfiltration, recruitment, IP signal intelligence, seeding, and poisoning. It describes the scope of the data handling and analysis problem and suggests best practices for sharing and analyzing cyber intelligence.

Getting actionable intelligence into the right hands, the hardest task of all, is addressed.

“Success depends on sound deductions from a mass of intelligence, often specialized and highly technical, on every aspect of the enemy's national life, and much of this information has to be gathered in peace-time.” ~Winston Churchill

Espionage and spy trade craft have been a critical component of waging war for millennia. Allen Dulles (Director of Central Intelligence 1953-61) in The Craft of Intelligence [1] draws the lines from Sun Tzu to the development of the US Central Intelligence Agency, which was formed in the shadow of the Cold War.

Today there are hundreds of intelligence services around the globe. The United States maintains sixteen separate agencies that comprise the intelligence community (IC), which includes the CIA, FBI and services inside the Department of Energy, Drug Enforcement Agency, State Department and the military. The Office of the Director of National Intelligence (DNI) was established in the wake of the 9/11 Commission's criticism of the FBI and the CIA and their lack of cooperation. Its purpose is to ensure that actionable intelligence is available to the President.

Intelligence gathering and analysis services are faced with a rapidly changing set of challenges, including post Cold War shifts in geo-politics, asymmetric threats from terrorist groups, and the rise of cyber espionage. This paper proposes an organization and methodology for leveraging technology and the Internet to recast the role of espionage and effectively gather and disseminate collected intelligence.

This proposed organization is designed to fit within existing intelligence service structures. It does not replace traditional trade craft but supplements it with the tools and techniques of security practitioners.

Because there is the same requirement to protect sources, agents, and the data they collect, a cell structure is required. According to the Washington Post there are over one million people who have security clearances in the United States. Even with striated levels of clearance there are too many participants to establish trust relationships based on who you know. Smaller cells are required, with boundaries and controls over the way information is shared between cells and ultimately with the services they are part of.


Fig. 1 The basic cell consists of five elements.

  • Target selection
  • Asset recruitment and maintenance
  • Contextual research and analysis
  • Tool development
  • Penetration agents

These elements are broken out because they draw on different skill sets and responsibilities. They work together in an iterative process flow described below.

Target selection team

There are millions of potential targets for cyber espionage. Particular individuals, companies, organizations, facilities, or even applications or machines could be valuable assets to infiltrate and compromise with the aim of gathering actionable intelligence.   

Each cell has its own direction, be it military, diplomatic, or industrial. They use open source and other resources from within the intelligence communities to determine targets and set information goals. Those goals could be as broad as “determine the status of nuclear weapons development in a particular country”, or as specific as the identity of a foreign spy or the contents of a particular document.

Asset recruitment and maintenance

Borrowing from observed actions of purported intelligence gathering activities [2] and cyber criminals, this team would attempt to compromise computers that would lead to the intelligence assets that had been identified. The process looks like this:


Individuals within the target organization are sent malware embedded in documents [3] or links to malware embedded in web pages [4]. The malware would be concealed and take advantage of recently discovered (unpatched) vulnerabilities or undiscovered (zero day) vulnerabilities to infect the target's computing device (desktop, laptop, hand-held) and gain effective control over it. These rootkits would be undetectable and achieve persistence by requesting and receiving updates from a dynamic cloud of command and control devices.

Social networks are another avenue to a target. Rather than infect a target directly one of their friends, associates, or family members is targeted as a first step. The compromised associate is used to induce the ultimate target to click on a link or open an email attachment.

With the help of agents that are physically embedded the malware could be introduced via external storage device, such as a USB thumb drive [5]. Embassy and hotel staff or traditional spies within the target organization could be used for these initial infections.

Wifi and other open wireless networks could be compromised by agents close to the target in a hotel, restaurant, or public space.

Once a machine was infected the intelligence team would make use of it to spread infection throughout the target organization and to other organizations that are connected [5]. Email can be sent from the owner's account to his or her contacts with similar payloads or links.

Known websites of the enemy could be poisoned with malware using cross-site scripting (XSS) or other vulnerabilities. A jihadi recruiting website for instance would yield a target rich visitor community.


Maintaining persistence is an additional task. Infected machines could be updated, cleaned, or replaced, or the communication link to the command and control devices could be broken by network defenses or the elimination of the command and control server. This team would ensure that a new command and control server could be brought on-line quickly and that the infected hosts would re-establish connection.

Thanks to the rise of free and popular social networking services this has become relatively easy. The infected machine checks in with a particular Twitter, Facebook, or blog account and reads the web address or IP address of its new command and control server. Email accounts at Gmail or Yahoo can be used in the same way [6]. Steganography, messages embedded in images on otherwise innocuous web sites, could be used as well.

The operations team responsible for tending the compromised hosts in a particular botnet will also maintain plausible deniability by leaving no traces that implicate the agency or nation they work for.  Command and Control servers would be hosted in the cloud or on compromised hosts belonging to third parties.

They would use circuitous routes for connecting to those servers and all the data regarding the botnet and the exfiltrated information would be encrypted. They would use strong authentication to access the servers and rotate them in and out of service frequently. 


The types of information that can be collected from infected hosts are numerous.

Machine settings. A single infected machine in an organization will reveal the configurations, applications, and defenses that are in place. That information will help in developing more tailored attacks.

Network scans. The infected machine could be instructed to scan its local network to identify additional targets or to passively log the connections it makes.

Documents. The spreadsheets, written documents, diagrams, audio recordings and videos that are stored on the infected host will yield the bulk of the data collected.

Active information gathering. Most laptops and hand-held devices are equipped with microphones and cameras. These can be used to gather information about the owner of the device and eavesdrop on their activities.

Credentials. Username/password pairs as well as stronger credentials can be stolen, or sessions snooped on as the user logs in to remote services.

Geo location. The timezone, IP address, and other factors can identify the location of the device and the user.

Signal analysis. Even if the actual data cannot be read because it is encrypted, the time, duration, size, and source and destination of network traffic can yield interesting intelligence.
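The same observation cuts both ways for a defender: the check-in traffic described earlier goes to popular services such as Twitter or Gmail, so its destination alone will not stand out, but the timing and size metadata that signal analysis relies on can still reveal it. The following added example (not part of the original post) applies that idea from the detection side, flagging host-to-server pairs whose connection intervals are unusually regular; the flow records, hosts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow records (not from the page): (timestamp, src, dst, bytes_out).
BASE = datetime(2011, 3, 15, 9, 0, 0)
SAMPLE_FLOWS = (
    # Host A: a check-in every ~5 minutes with a near-constant small payload.
    [(BASE + timedelta(seconds=300 * i + jitter), "10.0.0.5", "203.0.113.10", 412 + jitter)
     for i, jitter in enumerate([0, 2, -1, 1, 0, 3])]
    # Host B: ordinary browsing of one site, irregular timing and sizes.
    + [(BASE + timedelta(seconds=s), "10.0.0.7", "198.51.100.20", b)
       for s, b in [(0, 1800), (45, 92000), (700, 3100), (730, 15000), (2400, 640), (2410, 88000)]]
    # Host C: only two connections, too few to judge.
    + [(BASE, "10.0.0.9", "192.0.2.30", 500),
       (BASE + timedelta(seconds=600), "10.0.0.9", "192.0.2.30", 500)]
)


def find_beacons(flows, min_connections=4, max_timing_cv=0.1):
    """Group flows by (src, dst) and flag pairs whose inter-connection gaps are
    suspiciously regular (coefficient of variation <= max_timing_cv).
    Returns one summary dict per flagged pair, most regular first."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), records in by_pair.items():
        if len(records) < min_connections:
            continue  # not enough samples to estimate a period
        records.sort()
        times = [ts for ts, _ in records]
        sizes = [n for _, n in records]
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue  # everything at the same instant is a burst, not a beacon
        timing_cv = pstdev(gaps) / mean_gap
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else 0.0
        if timing_cv <= max_timing_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(records),
                "period_seconds": round(mean_gap, 1),
                "timing_cv": round(timing_cv, 4), "size_cv": round(size_cv, 4),
            })
    return sorted(findings, key=lambda f: f["timing_cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS):
        print(finding)
```

Implants often add deliberate jitter to their check-in interval, so the threshold has to be tuned against a baseline of the network's own traffic rather than fixed at the value used here.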

Contextual research and analysis

This is the traditional role of the intelligence researcher. In the cyber espionage cell they would provide the context and knowledge required to pick targets and interpret exfiltrated information. They would have specialized language skills and be expert on the organizations that were targeted. 

Targeted attack

For targets that are not penetrable via the social engineering techniques described above there is a separate team to engage in targeted attacks against networks, routers, servers, and other devices. They would engage in compromising telephone switches [7], PBXs, printers, anything that provided a foothold and avenue for further attack within the target organization.

Knowledge of Windows and Unix operating systems, embedded systems, and vulnerability research is required. Close collaboration with the asset management team would be required to discover the network topologies, OS, and configuration of the targets. Off the shelf and custom developed tools would be used to execute these penetration attacks.

Tool Development

Each of the component teams of a cyber espionage cell has its own skills and traits. The tool development team is the most technical and gets down into the bits and bytes of attack methodologies. Given a target system they use their specialized knowledge of its vulnerabilities to devise the tools to compromise it.

They also engage in continuous research to discover unknown vulnerabilities in common applications and operating systems. These zero day vulnerabilities would be archived for future use. Network and memory fuzzing tools would be used to test a wide range of products to discover those vulnerabilities.

We have described a single cell of a cyber espionage operation. But many countries have many intelligence operations, each with its own focus. Domestic, foreign, military, crime, and industrial spy organizations are common. The diagram below (Fig. 2) depicts how the cell concept would be spread across multiple domains.

The cell structure is required to allow the sharing of resources, intelligence, and tools each team is working on while maintaining secrecy in a limited trusted environment. As noted, each cell works closely and iteratively within itself. The most benefit from information sharing will come from three different components. The tool development teams can most safely share the results of their research or even contribute members to other teams for particular projects.

The implications of a new method of attack against a particular OS or application reveal little about targets. The contextual research teams will have the most outreach to other cells and the larger intelligence community, as they are the synthesizers of knowledge about target organizations and need to develop a global picture. The communication between the target selection teams will be the most confidential and will be circumscribed by controls that induce secrecy.

Information Sharing

The Comprehensive National Cyber Security Initiative[8], the President's Cyber Policy Review[9] and numerous proposals for a cyber security strategy have all stressed the need for information sharing between the various branches of the US military, intelligence community, and Department of Homeland Security. 

None of these proposals have been specific about how information sharing is to be accomplished without creating a counterproductive environment of insecurity and mistrust. An effective cyber espionage activity requires secure and effective information sharing along the following lines.

Effective information sharing occurs when all parties trust the other members of their community.  When trust does not exist barriers, both technical and bureaucratic, are thrown up. This proposal leverages compartmentalization and secure channels to share information as well as borrowing from the academic tradition of conferences to introduce parties to each other and build that level of trust.


For each sub-discipline of the cyber espionage cell there would be a coordinating committee comprised of members from each cell. The coordinating committees would schedule regular in-person and on-line meetings between their respective teams where information would be presented and the audience, in addition to getting to know the speakers, would interact and share expertise. Proceedings would be published and made available to all of the cells.

All cell members have already been through each organization's vetting process of background checks to obtain their security clearances.  The in-person meetings establish a level of trust and the assurances that future communications are trusted. There is a marked difference in trust between the casual on-line identity presented in digital forums and the real life experience of meeting and interacting with someone. Future communications build on that trust. It is only with trust that the type of collaboration needed for an effective inter-agency intelligence community can grow.

Each community would share a secured on-line forum.  Strong encryption and network defenses would protect the infrastructure while strong authentication would ensure that the identity of each participant is well known. Each participant's digital key would be easily available if a private communication is desired between any two members. Private channels are needed to limit distribution of critical “eyes-only” data, tools, and intelligence. As with any on-line system activity monitoring would alert on unusual behavior to prevent abuse of the system by its members. 

Oversight and management

Each cell receives its directions and management from within its own agency. Funding, goals, recruitment, and reporting all flow through the traditional intelligence agency structure with no need to disrupt or create massive change in day to day operations.  The members of the cyber cells are specialists with delimited duties. They are not called on to engage in field operations and don't encroach on those career paths.  They may create tasks for field operations personnel but those directions must come from outside the cell. 

Data dissemination

Perhaps the most difficult task for a cyber espionage effort is data analysis and dissemination. The results of the cyber cell's activity will yield mountains of information. Reducing, correlating, checking and getting information into the right hands is a task that calls for good tools and good communications.

While some tasks such as correlating IP addresses, local times, and common elements can be automated, much of the data has to be manually linked. The analysts must sift through possibly terabytes of information and link elements based on relevance, identity, and potential connection to a particular target. Business intelligence (BI) tools can assist this process.

Once cataloged and in a database along with the links, an analyst can query the information and drill down to answer particular questions. A query could take the form of “show me all emails between two individuals” or “show me all information about a particular weapons system.”

More commonly an analyst will use the database to generate reports on particular topics. Data related to military command operations will have to be treated in real time so that the latest intelligence can quickly be routed to those that need a real-time picture of developing situations. Ultimately, the team members are going to need to understand the importance of their discoveries so that they can be dispatched quickly.


The emergence of a new data rich domain, the Internet and all the resources attached to it, has given rise to the need for a new form of organization to harvest intelligence from that domain. By organizing in cells within each traditional branch of intelligence there is a better chance of quickly achieving the maximum potential for gathering actionable intelligence in a timely manner. Creating a process for each cell to communicate with its counterparts in other agencies will lead to effective information sharing and a continued ability for the intelligence community to achieve its objective.


[1] Dulles, Allen W. The Craft of Intelligence. Lyons Press, April 1, 2006.

[2] Information Warfare Monitor. Tracking GhostNet: Investigating a Cyber Espionage Network. 2009.

[3] Frankel, Glenn. 18 Arrested in Israeli Probe of Computer Espionage. Washington Post, May 31, 2005.

[4] Stern, Henry. Cisco Security Tracks LinkedIn Spam Attack.

[5] Lynn, William J. Defending a New Domain, The Pentagon's Strategy. Foreign Affairs, September/October 2010.

[6] Deibert, Ron and Rohozinski, Rafal. Shadows in the Cloud. April 6, 2010.

[7] Prevelakis, Vassilis and Spinellis, Diomidis. The Athens Affair: How some extremely smart hackers pulled off the most audacious cell-network break-in ever. IEEE Spectrum, July 2007.

[8] The Comprehensive National Cybersecurity Initiative.

[9] Cyberspace Policy Review. March 19, 2009.

Cross-posted from ThreatChaos
