Nation State Threat Actors: Intelligence Services at the forefront of the next war

(To Carlo Mauceli)

NATO has repeatedly reiterated that "a cyber attack targeting one nation is an aggression against all member countries". Article 5 of the Atlantic Alliance, which establishes the right to collective defense, could be invoked, since NATO recognizes cyberspace as an operational domain of armed conflict on a par with land, sea, air and space.

That opening is more relevant than ever and, together with the reading of the very interesting book "Cyber War. La guerra prossima ventura" (Cyber War: The Coming War) by Aldo Giannuli and Alessandro Curioni, dedicated to cyber warfare, it gave me the idea of taking stock of what we are experiencing in this "digital age".

In our day, open warfare is possible only in peripheral scenarios, and on condition that the armies of the major powers do not confront each other directly on the ground. Recent history shows that war can be conducted only as indirect warfare, through confrontation between minor actors each protected by a great power, or as covert or, better still, catalytic warfare, in which one actor unleashes a war between two of its competitors while staying in the shadows.

Covert forms of warfare must be accompanied by other, more or less covert, forms of non-military warfare, such as political destabilization, economic warfare, sabotage and sanctions, and they must be flexible enough to be modulated according to need, moment by moment.

It is in this context that cyber war takes on a central and strategic role, subverting in some ways the traditional hierarchies of power.

We are faced with what is defined as Sharp Power, which, according to Giannuli, is the logical development of the Soft Power based on seduction and cultural influence theorized by the American political scientist Joseph Nye in 1990. Sharp Power is a system, not an exclusively peaceful one, aimed at:

  • influence public opinion through propaganda and information manipulation;

  • penetrate the country's economy by acting on the import / export system and on the main commercial logistic nodes;

  • affect the political choices of the state in question by not hesitating to resort to blackmailing practices.

Leading this system of conflict can only be the intelligence services of the various countries.

While the intelligence of the second half of the twentieth century was, for the most part, ideological, today's intelligence moves in a geopolitical and geoeconomic perspective. Where earlier strategies centered on territorial control, the current one thinks in terms of connection networks.

The enormous volume of data collected requires integration, verification, processing and analysis techniques, for which the services have equipped themselves with sophisticated algorithm-based systems, and at times the results are resold to industrial and financial companies. This is a consequence of that limitless war which has already begun and which will pose dramatic problems, especially for democratic systems. Much of the battle will take place precisely on the field of cyber war.

On 12 May 2017, apparently at the hands of circles linked to the North Korean government, WannaCry was unleashed: a ransomware that took on the characteristics of a worm, that is, malware capable of self-propagation, but which could be deactivated by a sort of emergency code (a "kill switch"), much like a missile launched by mistake. A few weeks later NotPetya made its appearance; in this case the attack is believed to have been launched by a group close to Russian circles that had previously struck the Ukrainian electricity grid with other malware.

It is hard to say whether the attacks carried out with WannaCry and NotPetya can be considered real conflicts. The fact remains that in both cases we were dealing with "state sponsored" organizations that resorted to cyber weapons of military origin. If the first case is difficult to attribute, the second involved two countries, Russia and Ukraine, in a state of hostility, which suggests that we can glimpse the characteristics of a new type of war operation, with cyberspace added to the traditional domains of conflict: land, sea, air and space.

2017 also marks the boundary between the old malware business model, which targeted the single device, and the new model of malware that attacks the entire business organization.

(Figure 1 - Evolution Model Ransomware)

I know I have dwelt at length on this, but it was necessary to provide an introductory framework and define the reference context; otherwise it would seem we were talking about science fiction. Now that you have a clear picture of the scenario in which we are moving, we can delve into the topic of "state sponsored" organizations and their activities.

Espionage has always existed, but what has changed dramatically is the advanced technology that provides nearly every organization with innovative intelligence capabilities. With increasing reliance on technology, cyber espionage wreaks havoc and hinders business development by exploiting cyberspace to secretly obtain confidential information belonging to a government, an organization or specific individuals.

The aim is to produce net gains, even though these are clearly illegal practices. The techniques used for covert computer intrusions are advanced but, very often, they have already been used in the past, because they are proven.

Who are these organizations? Who are we talking about? Who sponsors them?

A state sponsored organization is a government-backed group that forcefully attacks and gains illicit access to the networks of other governments or industry groups in order to steal, damage or modify information.

What we observe is a variety of behavior patterns that are often, but not always, indicative of the type of attacker and the country of origin. Without being able to write an essay on the subject, let us try to summarize the characteristics of some of the main players and then highlight the activities carried out in the past year.

Intellectual property theft appears to be the main focus of the Chinese Communist Party.

The Russian GRU is more focused on foreign policy and disinformation campaigns.

The Iranian cyber army has been particularly engaged in defensive activities against attacks aimed at preventing the development and use of nuclear weapons, but for some time now it has also developed offensive techniques, so much so that it has been held responsible for some of the most damaging cyber attacks against several companies in recent years.

North Korea's cyber attacks appear to be motivated both by financial reasons and by Kim Jong-un's whims. They have targeted financial institutions to steal funds through their infamous Lazarus group which, let us not forget, is alleged to have been responsible for the WannaCry ransomware attack and other well-known incidents.

The Syrian cyber army has recently focused on hacking mobile communications, trying to stop and suppress opposition to the dictatorial regime.

As you can see, the cyber activities of these groups have multiple motivations. What is certain, however, is that the escalation continues unabated and with increasing strength.

Searching the web for reports on the types of state sponsored groups and on the attempts to attribute them to the various states, I found Microsoft's attribution map particularly interesting: it identifies state actors by the names of chemical elements. The following table shows only a few, together with the countries from which the organizations operate, highlighting those that have been most active in the last year and that have made the most effective use of the tactics described.

(Table 1. Nation State Actors and their activities)


Over the past year, Russia-based groups have consolidated their position as a "threat to the global digital ecosystem", demonstrating adaptability, persistence, significant technical skill and a structure that makes the most of anonymization, as well as tools that make them increasingly difficult to detect.

(Table 2 - Russia analysis: Activity and motivations)

NOBELIUM demonstrated how insidious and devastating supply chain attacks can be by compromising software update code, as in the case of SolarWinds Orion. Although the group limited follow-on exploitation to around 100 organizations, the malicious code reached around 18,000 entities worldwide, leaving affected customers vulnerable to further attacks.

NOBELIUM's operating techniques go well beyond simply installing a malicious backdoor: they range from password spraying and phishing to compromising third-party suppliers in order to create the conditions for subsequent attacks.

In May, the group compromised an account belonging to a U.S. government agency through a phishing and spoofing mechanism and then, posing as the agency's marketing department, sent a phishing email to more than 150 diplomatic, international development and non-profit organizations, mainly in the United States and across Europe.

Finally, a recent joint alert by US and British intelligence and law enforcement agencies uncovered a series of brute force attacks that affected several VPN providers, attributed to APT28, aka Fancy Bear.
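The two techniques mentioned above, password spraying and brute force against remote-access services, leave different footprints in authentication logs: a spray shows one source failing once or twice against many accounts, while classic brute force shows one source hammering a single account. The Python script below is an added example written for this page, not code from the original article nor from any Microsoft, NSA or NCSC material. The log line format and the sample lines are constructed for illustration, and the thresholds (five distinct accounts, or eight failures on one account, within a ten-minute window) are assumptions to be tuned for your own environment.

```python
"""Detect password spraying and single-account brute force in auth logs.

Added example: the log format and the sample lines below are constructed
for illustration and do not come from any real product or incident.
Assumed line format: "<ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays six accounts and lands on the
# seventh, a second source hammers "admin", a third is a user who simply
# mistyped a password once and then logged in.
SAMPLE_LOG = """\
2021-05-03T09:00:01 FAILURE user=alice src=203.0.113.7
2021-05-03T09:00:04 FAILURE user=bob src=203.0.113.7
2021-05-03T09:00:07 FAILURE user=carol src=203.0.113.7
2021-05-03T09:00:10 FAILURE user=dave src=203.0.113.7
2021-05-03T09:00:13 FAILURE user=erin src=203.0.113.7
2021-05-03T09:00:16 FAILURE user=frank src=203.0.113.7
2021-05-03T09:00:19 SUCCESS user=grace src=203.0.113.7
2021-05-03T09:01:00 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:02 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:04 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:06 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:08 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:10 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:12 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:14 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:16 FAILURE user=admin src=198.51.100.20
2021-05-03T09:01:18 FAILURE user=admin src=198.51.100.20
2021-05-03T09:05:00 FAILURE user=alice src=192.0.2.55
2021-05-03T09:05:30 SUCCESS user=alice src=192.0.2.55
"""


def parse_log(text):
    """Turn log lines into dicts with ts (datetime), ok (bool), user, src."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "SUCCESS",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=8):
    """Return one finding per (source, pattern), sorted by source.

    Within any sliding window of length `window`:
      - password_spray: failures against >= spray_users distinct accounts
      - brute_force:    >= brute_attempts failures against a single account
    Each finding also lists the accounts the same source logged into
    successfully after its first failure; those are the ones to escalate first.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        if not failures:
            continue
        max_users = 0      # most distinct accounts failing inside one window
        max_per_user = 0   # most failures on a single account inside one window
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward so the span never exceeds `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in failures[start:end + 1]:
                per_user[f["user"]] += 1
            max_users = max(max_users, len(per_user))
            max_per_user = max(max_per_user, max(per_user.values()))
        first_fail = failures[0]["ts"]
        success_after = [e["user"] for e in evs if e["ok"] and e["ts"] >= first_fail]
        if max_users >= spray_users:
            findings.append({"src": src, "kind": "password_spray",
                             "users": max_users, "success_after": success_after})
        if max_per_user >= brute_attempts:
            findings.append({"src": src, "kind": "brute_force",
                             "attempts": max_per_user, "success_after": success_after})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the script reports 198.51.100.20 as brute force (ten failures on "admin", no success) and 203.0.113.7 as a password spray across six accounts followed by a successful login as "grace"; the lone mistyped password from 192.0.2.55 produces nothing. The sliding window matters because sprays are deliberately slow and spread across accounts to stay under per-account lockout thresholds, so counting per source rather than per account is what makes them visible.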

The Russian actors demonstrated adaptive capacity and a deep knowledge of security, which allowed them on the one hand to evade attribution and on the other to overcome any defense.

NOBELIUM showed deep knowledge of the most common software tools, network security systems and cloud technologies, as well as of the solutions used by incident response teams, managing to penetrate their operational processes in order to guarantee persistence. This modus operandi is very similar to that of another group of Russian origin: YTTRIUM.


To the untrained eye, Iran may seem like a minor player, especially compared to Russia and China. It is true that Iran has not been on the scene for very long; however, it has been able to demonstrate broad experience and considerable expertise in application compromise, social engineering, data exfiltration and data destruction.

Its usual targets lie in the Middle East: Israel, Saudi Arabia and the United Arab Emirates in particular. The aim is, above all, to break Sunni hegemony. Iranian actors have not been absent from Europe and North America either.

This type of asymmetric conflict provides a convenient, low-cost way of waging cold wars against Iran's political and ideological opponents.

It is very likely that a group linked to Iran and known as RUBIDIUM led the Pay2Key and N3tw0rm ransomware campaigns that targeted Israel in late 2020 and early 2021. RUBIDIUM's ransomware campaigns targeted Israeli companies operating in shipping logistics. These targets indicate a link with Tehran's strategy of retaliating against Israeli pressure.

At the end of 2020, the group PHOSPHORUS conducted a phishing campaign against politicians by sending links to nuclear-themed articles that directed victims to a credential-harvesting site. This attack is closely tied to relations between Iran and the US over the 2015 nuclear deal, from which the Trump administration withdrew in 2018, reimposing sanctions on the Islamic Republic with the aim of weakening it and pushing it back to the negotiating table with Western countries.

It is no coincidence that PHOSPHORUS refined its targeting and escalated its attacks when nuclear talks resumed in Vienna in April 2021.

(Table 3 - Iran analysis: Activity and motivations)

(Figure 2 - Iran: Flow of a typical PHOSPHORUS compromise from spear phish)


With so many threat actors at its disposal, and given its recently announced geopolitical and strategic goals, it would be foolish to assume that China is not ramping up and evolving its operations. As we saw in the 2020 attacks, China has used established techniques but also introduced a novelty: ransomware deployed by exploiting the hardware of the targeted systems.

In the last year, Chinese actors have targeted the United States to obtain policy information, particularly hitting government entities that implement foreign policy in Europe and Latin America. To accomplish their mission they exploited a number of previously unknown (zero-day) vulnerabilities in various network services and components.

Among the best known groups, I mention two:

  • HAFNIUM, the group responsible for the Microsoft Exchange Server breaches of 2021. The attack on the email system dates back to March and is one of the most devastating of recent years, so serious that President Biden addressed it directly. It was also one of the most sophisticated, since it could be carried out remotely, without credentials, exposing private data to anyone and leaving compromised servers open to follow-on ransomware attacks;

  • APT27, aka Emissary Panda, a group responsible for ransomware attacks on gaming companies aimed at financial extortion. It was not the first time this actor had operated in this way: several other companies, in the same period, had been subjected to cryptomining activity.

(Table 4 - China analysis: Activity and motivations)


Another extremely active state, considering the size and resources of the country compared to others, is North Korea.

The vast majority of North Korean targeting was directed at specific individuals, selected on the basis of the likelihood that they could help North Korea obtain diplomatic or geopolitical information not publicly available.

The main North Korean groups, THALLIUM, ZINC, OSMIUM and CERIUM, focused on diplomatic officials, academics and think tank members from around the world.

Most of those targeted were from three countries: South Korea, the United States and Japan. However, North Korean actors have also targeted academics and think tank officials in Europe and even in China and Russia, countries generally regarded as North Korea's friends.

The focus on diplomatic and geopolitical intelligence was probably driven by Pyongyang's eagerness for information on the international situation. The diplomatic objective was pursued particularly during and immediately after the US elections. North Korea's strong interest in intelligence gathering was probably also driven by the need to answer the following questions:

  • Will the international community continue to rigorously enforce sanctions against North Korea?

  • How does COVID-19 change international dynamics?

  • What will the new US administration's policy towards North Korea be, and how will the three-way US-South Korea-Japan partnership pursue that policy?

COVID-19 was also at the center of several attack campaigns that North Korean groups carried out against pharmaceutical companies. In November 2020, ZINC and CERIUM targeted pharmaceutical companies and vaccine researchers in several countries, likely to gain an advantage in vaccine research or insight into the state of research elsewhere in the world.

Finally, North Korea has also used social engineering methods of a sophistication never seen before. In January 2021, ZINC targeted security researchers with a campaign built on fake profiles that appeared to belong to real security companies and researchers, complete with fake websites.

(Table 5 - North Korea analysis: Activity and motivations)

The situation in the West

It takes two to make a war, conventional or otherwise, and from what has emerged so far it might seem that this is not the case here. In fact it is, for two basic reasons:

  1. Over the past decade, the US has been the main target of increasingly sophisticated and dangerous cyber attacks. The reason is instinctively traced back to what the US represents in the eyes of hacker groups around the world: a very large attack surface and, at the same time, a considerable prospect of gain, both economic and in terms of information and intelligence. Suffice it to say that in 2020 the US was the target of 23.6% more cyber attacks than any other nation in the world. The effects of the attack on Microsoft Exchange email servers in the spring of 2021 illustrate this. That attack instantly left about 250 thousand organizations that ran Exchange on premises, rather than in the cloud, vulnerable. The extent and complexity of the attack made it necessary to activate the entire US cyber defense apparatus, a system that is certainly at the forefront of the sector compared to many other countries but which also presents significant weaknesses. Even if in cyber warfare the US has particularly developed offensive and defensive "firepower", this force does not guarantee supremacy in cyberspace or control of "cyberpower"; consequently there is no hegemonic cyber power. Nonetheless, there is no doubt that the United States is a power in the conduct of cyber conflict.

  2. The approval of NATO's new Cyber Defense Policy, defined as "Comprehensive", was presented as a necessity given the escalation of ransomware and other attacks targeting critical infrastructure and democratic institutions. Already at the previous NATO summit, also held in the Belgian capital in 2018, it had been decided that "individual allies may consider, when appropriate, attributing malicious cyber activity and responding in a coordinated manner, recognizing that attribution is a sovereign national prerogative". That wording, besides not mentioning the specific category of "armed attack", left member states the mere option of independently assessing the attribution of attacks and reacting accordingly. The well-known difficulty of establishing responsibility for cyber operations, especially those of suspected state origin, has made that option hard to apply. Although the text of the new policy is not public, the final communiqué makes clear the will to keep the defensive nature of the Alliance intact: while it provides for responding to cyber threats by any means, it does not push for the development and use of offensive cyber capabilities. This is because cyber attacks can have unpredictable impacts that are not limited to the individual target, and because their use, besides risking escalation, would reveal the exploited vulnerabilities and therefore make the same methods impossible to reuse.

Attacks never stop

2021 was another terrible year from the point of view of cyber attacks, and it is in this scenario, as we have seen, that cyber war develops. It is increasingly aimed at disabling the websites and networks of government bodies and, even more dangerously, it can disrupt or disable essential services, damage infrastructure and its networks, steal or modify confidential data, disable financial systems and even decide the outcome of a superpower's presidential election.

In recent years cyber warfare has become one of the most effective forms of warfare, used with the intent of inflicting damage on those who run governments and economies deemed hostile; this type of war does not involve the heavy costs of conflicts fought with conventional weapons.

The secret nature of cyber warfare takes us back to the era of Cold War espionage. The superpowers, and not only they, are upping the ante while ordinary people sit back and reflect on how lucky they are to live in relatively peaceful times, especially in the West.

Cyber weapons have a devastating destructive capacity, and the problem is that identifying and countering them is neither easy nor quick.

The modern world revolves around information technology, to which it has entrusted its existence and on which it totally depends: whoever manages to alter it will win the cyber wars of the future, but at what price for the affected populations and governments?

These are questions I do not know how to answer. What I do know, and what I hope, is that everyone should take a step back to safeguard the world that was given to us so that we can live in peace, and that everyone comes to understand that technology really is, as the Pope says, a gift of God.


Sources

(PDF) Soft power: the origins and political progress of a concept

Do you know the history of WannaCry? To find out what's behind the most famous malware - YouTube

The story of NotPetya, the most devastating cyber-attack in history

Lazarus Group, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Group G0032 | MITRE ATT&CK

Microsoft Digital Defense Report, October 2021

The hunt for NOBELIUM, the most sophisticated nation-state attack in history - Microsoft Security Blog

Fancy Bear - Wikipedia

APT29, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, Group G0016 | MITRE ATT&CK

RUBIDIUM threat group - Cyber Security Review

N3TW0RM ransomware emerges in wave of cyberattacks in Israel

Iranian state hackers switch to ransomware

DearCry Ransomware and the HAFNIUM Attacks - What You Need to Know

APT27 - Cyber Security Review

Kimsuky APT continues to target South Korean government | 2021-06-09 | Security Magazine

ZINC attacks against security researchers - Microsoft Security Blog

PowerPoint Presentation