Part 2: Understanding State-Serving Adversaries

My previous post explained the rationale for better understanding adversaries. In this post I will provide an overview of one type of adversary. Subsequent posts will examine a few others.

Adversaries who conduct espionage against a target organization are the subject of this post. Some intelligence professionals label these adversaries as "state-sponsored." Although that is often true, I prefer to think of these adversaries as "state-serving." They are meeting the needs of a foreign intelligence service (FIS), or perhaps the national agencies or decision-makers who task the FIS to gather intelligence or take more aggressive actions at a later date. In some cases these state-serving groups are FIS operatives themselves, while in other cases they are fulfilling FIS needs or operating according to FIS training and tactics.

The state-serving adversary operates against target organizations to collect intelligence valued by the FIS and by extension the foreign state. Actions beyond intelligence collection involve preparing the battlespace for "cyber war," although thus far those sorts of actions appear exceptionally rare. Intelligence professionals call collecting intelligence "computer network exploitation" (CNE), but they label inflicting physical damage via the network "computer network attack" (CNA). A real-life example of CNE includes Flame and Duqu; Stuxnet is an example of CNA.

The nature of the mission means that this type of adversary is likely to value persistent access to the target. Few FIS taskings involve acquisition of only a single piece of information at a discrete point in time. Rather, once a state identifies a target organization as being of interest, that target will likely remain of interest for the medium or long term. This translates into intrusions that may persist for months or years.

Because the state-serving adversary is often state-sponsored, they typically have access to funding and resources not known to some other intruders. This sort of adversary will either develop novel means to penetrate and persist against a target, or will be able to request or purchase new tools and techniques to achieve their goals. A hallmark of a disciplined adversary, however, is to only use the level of "force" required to accomplish the mission, only escalating when the minimum fails to get the desired result. This is the true definition of "advanced," because it means the adversary knows how to properly deploy resources against a target.

Victim organizations suffering the attention of state-serving actors are likely to find themselves fighting protracted campaigns, to the extent that the target even knows that they have been compromised. Because the data that these foes steal, or the systems they penetrate, are not exploited in an open marketplace (for money or fame), victims find it a challenge to properly scope the impact of state-serving intrusions. Third-party notification is the most popular means of identifying a state-serving compromise, with the intelligence-focused teams in the Federal Bureau of Investigation, the Naval Criminal Investigative Service, or Air Force Office of Special Investigations being the bearers of bad news.

In the next two blog posts I will discuss other types of adversaries, namely "self-serving" and "public-serving."