Agriculture in the crosshairs of nation-state sponsored hackers (4/5)

If you want to overcome your adversaries you must know both yourself and your enemies, and fully understand your enemies’ intentions. Hunt & Hackett has observed a discernible increase in activity by Advanced Persistent Threat groups (APTs) in the agricultural sector. In this series of blogs, the threat posed by APTs to agriculture industries is analyzed and the motives behind these cyber-attacks are explained. In this and the previous part of the series, the strategic motives of the most active attacking nations are scrutinized along with the key statistics of their APTs, continuing here with Iran and North Korea.

Iran
The Islamic Republic of Iran has great ambitions for its future. The regime is aiming for regional hegemony while constantly being threatened by its archenemies Saudi Arabia and Israel. However, the country is severely restrained by international sanctions imposed because of Iran’s nuclear program. The country is also struggling with widespread corruption and bad management. To uphold the theocratic regime and deal with the many external threats to the country, Iran needs internal stability. Instability and domestic unrest would limit the regime’s ability to focus on external threats [1]. One way to maintain stability is to provide food security for the people. In Iran, this is a rather difficult task. Outdated farming techniques, encroaching deserts, poor quality of the seeds used and trading sanctions are all risks to food security [2]. Limited by sanctions, Iran has a hard time acquiring the technology and knowledge needed to modernize its agricultural sector and thereby provide food security to its population.
Iran has a long history of having to deal with international sanctions. Working in the shadows to acquire what it wants abroad is certainly not new to the country. Iran has developed a skilled cyber force, responsible for espionage, sabotage and information theft all over the world. Several academic institutions in Iran (e.g. IHU, Mabna Institute, Shahid Beheshti University) actively attract cyber talent and develop knowledge for offensive purposes. The Iranians have quite a peculiar system in place for their offensive cyber operations. Around 50 Iranian ‘APT-contractors’ compete against each other to win offensive cyber contracts put out by the state. The best APTs are granted the contract and only get paid after completing the task. The Iranian regime issues offensive cyber operations to retaliate for international sanctions, but also to acquire technology and knowledge that could assist its modernization efforts [3]. This strategy fits perfectly in Iran’s history of conducting asymmetric warfare. The agricultural industry is no exception: Iranian APTs have shown activity in various states targeting the agricultural sector. Additionally, Iran has increased security cooperation with China and Russia. It is deemed likely that these states will share knowledge on their offensive cyber operations [4].
[Image: Iran war flag]
Figure 1 - For Iran, cyber-attacks fit nicely in their history of asymmetric warfare.
To outsmart the 13 Iranian APT-groups that are active in agriculture or related industries, Hunt & Hackett tracks and anticipates their TTPs and Tools. Currently, Hunt & Hackett is aware of 168 TTPs and 158 Tools being used by Iranian APTs.

Key Stats Iran: Agriculture and Related Industries
APTs: 13
APT Names: APT33; APT35; APT39; Boss Spider; Cutting Kitten; Fox Kitten; Infy; ITG18; Madi; MuddyWater; Nazar; Sima; Tortoiseshell
Level of Sophistication: Medium
Main Motives: Espionage; Information Theft
TTPs: 168
Tools: 158

Table 1 - Key statistics on APTs originating from Iran, and the TTPs and Tools they use in the agricultural and related industries as observed by Hunt & Hackett.

North Korea

North Korea has the ambition to become a completely self-sufficient nation. The regime experiences the international community as extremely hostile, mostly because of the North Korean nuclear program and the sanctions imposed because of it. Agriculture plays a large role in the self-sufficiency plans of the communist nation. However, North Korea has found it very difficult to provide enough food to feed its population. The country has been struck by famine several times in the past, killing millions of citizens. Bad seasonal conditions and even worse centralized management were to blame for the enormous food shortages. Now, due to new economic sanctions and the ongoing pandemic, fear is rising of another deadly famine.

The North Korean regime is going to have to use every resource available to increase yields and modernize its agricultural sector in order to provide structural food security for the population. Less widely known is that the regime has very capable APTs at its disposal, which it is not reluctant to deploy [1]. North Korea is known to have used APTs to steal secrets and technology from all over the world. The North Korean hacker groups SILENT CHOLLIMA and LABYRINTH CHOLLIMA have been observed to target the agricultural industry, as became apparent in June 2020, when an American company active in the agricultural industry fell victim to the latter APT [2]. It is assessed that North Korea’s worldwide presence will increase because of the mounting pressure of another famine. A sign of their increasing sophistication is that North Korean hackers have already figured out how to overcome the ‘air-gap’, meaning that they have the ability to compromise computers not connected to the internet [3]. Previously, this was a skill only more technologically sophisticated nations mastered.

[Image: North Korea cyber force]
Figure 2: Under Kim Jong-Un, North Korea has developed a very capable cyber force.

To deal with the North Korean cyber-threat, it is important to understand how their APTs operate. This is the reason Hunt & Hackett has tracked the TTPs and Tools they have employed in the past. Hunt & Hackett has observed 4 North Korean APT-groups to be active in agriculture or related industries, using 133 TTPs and 217 Tools.

Key Stats North Korea: Agriculture and Related Industries
APTs: 4
APT Names: APT37; APT38; Kimsuky; Wassonite
Level of Sophistication: High
Main Motives: Espionage; Information Theft
TTPs: 133
Tools: 217

Table 2 - Key statistics on APTs originating from North Korea, and the TTPs and Tools they use in the agricultural and related industries as observed by Hunt & Hackett.

 

Sources
1. https://www.worldbank.org/en/country/iran/overview
2. https://smallwarsjournal.com/jrnl/art/islamic-republic-irans-strategic-culture-and-national-security-analysis
3. https://www.recordedfuture.com/iran-hacker-hierarchy/
4. https://securityboulevard.com/2021/04/analysis-of-the-iranian-cyber-attack-landscape/
5. https://www.crowdstrike.com/blog/how-threat-hunting-uncovered-attacks-in-the-agriculture-industry/
6. https://www.access42.nl/wp-content/uploads/2020/09/Overwatch-Report-2020.pdf
7. https://www.nbcnews.com/news/north-korea/watch-out-north-korea-keeps-getting-better-hacking-n849381