Welcome to the first installment of our Threat Actor Profile series where we analyze the main categories of actors that represent a threat to your organization. This series is designed for executives. Because we understand the unique roles and responsibilities of executives and corporate leadership, we’re focused on cyber risk as an enterprise risk—and help explain it without getting lost in the weeds. Our first threat actor group is Nation State Actors.
Threat Actor Profiles: Nation State Actors
Out of all the threat actors, nation state actors are the most sophisticated, capable, and have access to the greatest resources. Nation state actors are government-sponsored, although their government ties may be covert. Their efforts are mainly focused on other governments’ information, but they can also target foreign companies and businesses.
For example, since 2008, thousands of U.S. companies have been targeted by attackers with ties to the Chinese government. Nation state actors spy on American companies in an effort to steal their proprietary information, making use of a low risk, high reward class of attack. Espionage does not damage computer systems, making it incredibly difficult to detect. Indeed, it’s not uncommon for espionage campaigns to be discovered years after the initial intrusion took place. No company, no matter its industry or size, is immune from an attack by nation state actors, because all organizations have valuable data – from trade secrets and recipes, to source code and national security secrets. Even companies that take the utmost care to protect their data can become victims.
The following case study details a company that understood its risks, but still underestimated a sophisticated adversary. Although the American Superconductor case is over a decade old, it’s an important one to cover as it highlights two important things:
- Intellectual property is greatly sought after by the adversary. Nation states can, and will, seek your IP in order advance its own national objectives.
- Be aware of your entire attack surface. Business partnerships such as Joint Ventures, can present great dangers if you aren’t careful with your data. And even when you take all precautionary measures to prevent a cyber incident, the human factor continues to be a difficult dimension to manage.
The American Superconductor Case
American Superconductor (AMSC) is a Massachusetts-based energy technology company that specializes in designing superconducting wire and developing wind turbine controls. In 2005, after China passed several clean energy laws, the company saw an opportunity and expanded business operations to China. AMSC collaborated with a small Chinese firm called Sinovel, which was partly owned by the Chinese government. While Sinovel designed and manufactured the wind turbines, American Superconductor wrote the code that made them operational.
Daniel McGahn, the CEO of AMSC, wasn’t naïve or uninformed about the risks of doing business in China. He understood that the Chinese government was inclined to steal IP and had successfully reverse engineered cutting-edge technologies developed by foreign companies.
As a preventative measure, AMSC kept its code completely separate from the Internet, and utilized a secure encryption protocol to protect the code while it was running on the turbines. Additionally, AMSC restricted access to the code to a handful of people in the company – only the employees who needed the code to do their jobs could view it, deploying a common security control known as “Need to Know.”
The Chinese government was not deterred by these carefully laid obstacles. Using old school spycraft techniques, they were able to convince an Austria-based employee, Dejan Karabasevic, to hand over the full source code. They managed to turn Karabasevic into a double agent using flattery, gifts, and a $1.7 million contract.
By the time AMSC realized the incident had occurred, it was too late; once intangible assets like information are stolen, there is no way to undo the damage. A team of engineers noticed an unreleased version of the code running on a Sinovel turbine. Eventually, the details of the insider threat were discovered during an internal investigation. Karabasevic confessed to Austrian authorities, but only spent one year in prison. Meanwhile, Chinese authorities refused to investigate the theft of American Superconductor’s IP, forcing the company to (unsuccessfully) sue Sinovel for damages in civil court.
Unfortunately, the story (and the espionage) did not end there. The Chinese had access to the foundation of AMSC’s business – its crown jewels – and the company continued to be targeted, including its legal strategy for the upcoming lawsuit against Sinovel. Computer forensics firm CrowdStrike was later able to conclusively determine who had conducted the attack. CrowdStrike identified Chinese military Unit 61398, a group that specializes in targeting North American private companies.
Despite the overwhelming forensic evidence implicating the Chinese military such as in this case, the U.S. government continues to be reluctant to take action against aggressive nation states to avoid conflict escalation.
Lessons Learned
American Superconductor was decimated by the incident. The company estimates that its total losses amounted to well over $1 billion. To keep the business afloat, two-thirds of the company – 600 employees – were laid off. Today, the company is struggling to rebuild, in part because it must now compete against its own product.
In terms of cybersecurity best practices, American Superconductor seemed to do everything right. It knew that its IP was both valuable and vulnerable, so the company implemented multiple layers of technical controls to mitigate its risks. However, the company failed to account for one disloyal employee – and one unscrupulous employee was all that the Chinese needed to launch its operation. Good cybersecurity is as much about vulnerabilities in people as it is about vulnerabilities in technology.
Nation State Actors: Powerful and Willing
The American Superconductor case also illustrates the extreme lengths some adversaries are willing to go to perpetrate their attacks. The capabilities of nation state actors are hard to overestimate. They benefit from a centrally organized structure and possess vast resources, making them the most sophisticated adversaries that your organization can encounter. Any organization can become a target of a nation state actor, in part because the interests of states are not limited to financial goals. They have larger goals in mind, including projecting power, protecting their own national security, and gaining a strategic advantage in the global economy.
China’s robust cyber strategy has affected thousands of U.S. companies and government agencies– American Superconductor is just one casualty. All companies should be aware of the threats posed by nation states. Consider these three actions to protect your enterprise against nation state actors.
Executive Actions and Considerations
- Understand your risk profile by identifying which threat actors could target you and why. Pay special attention to the organizations in your industry that have been attacked, how the incident occurred, and how the organization responded.
- Exercise proper due diligence during employee hiring. This involves extensive background research and vetting during the hiring process, as well as appropriate employee behavior auditing and routine managerial check-ins. As AMSC learned the hard way, insider threats are the hardest to detect and have the potential to do the most damage. The concept of cybersecurity job rotation is a common security best practice reduces the chances of collusion and fraud.
- Know how and when to reduce your risk. Risk can be transferred to a third party, by purchasing a service such as cyber insurance. Be aware, however, that certain activities should be avoided altogether; these are activities that have a high likelihood of occurring and produce a large negative impact.
When constructing a risk management strategy, companies must consider not only highly technical threats, but also more traditional attack types, such as espionage. Merging these two attack types makes for a comprehensive strategy. To learn more about how to build and execute a risk management strategy, join us as our Cyber Resolve seminar in NYC on May 1. Prefer private training for you and your fellow members of the C-Suite? Contact us. We’ll bring the education to you.