Threat profileUnited States
The US is globally an unmatched nation when it comes to its cyber capabilities. Furthermore, it has the most developed big-tech and cyber security industry, resulting in having both a strong defense market and intelligence position. Together with the support of advanced capital markets and other stakeholders such as the academic sector, investments in high-tech advancements are higher than in any other nation. In summary, the US can be considered the world's innovation engine when it comes to offensive and defensive cyber capabilities.
- Strategic motives: Espionage, information theft, disruption
- Strategic goals: Maintaining superiority in cyberspace by defending forward and persistent engagement
- Cyber capabilities: ★★★★★
- Number of known cyber operations: ★☆☆☆☆
- Number of APTs: 8
Highly advanced, mature and integrated in intelligence services
The US is considered to be the most advanced cyber power in the world. It has unprecedented cyber capabilities, both on the offensive and defensive side. What makes the US unique in comparison to other nations, is that it has the most developed big-tech, cyber security and defence industries. This results in the US not only having a strong defense market, but also in having a very strong intelligence position and offensive capabilities. This unique ecosystem is supported by advanced capital markets, such as Silicon Valley (venture capital), Private Equity and Wall Street (listed companies). Investments in its high-tech sector are globally unmatched, with high-tech R&D investments being almost twice as large inn-comparison with China. These factors gives the US a unique advantage in that it is being both the big-tech and security innovation engine of which the rest of the world is becoming (increasingly) dependent. However, its critical infrastructure is also more dependent on cyberspace than in any other country, which creates a larger attack surface.
The US has a well-developed set of cyber-related strategies and has also one of the largest budgets for government departments with cyber capabilities (85 billion dollars in 2021). Part of the U.S. cyber strategy is close cooperation with other stakeholders, such as the private sector, as the protection of U.S. critical infrastructure is largely done by the private sector. Another important stakeholder for the US is the academic sector, with collaborations focused on developed key technologies that support the US's cyber capabilities. The way in which the US has created this multi-stakeholder environment of the U.S. government, private sector and academia is unmatched, also in comparison to China. The one exception is arguably Israel, but that operates on a much smaller scale. However, because of the enormous size and complexity of involved government departments, the US is facing difficulties in effectively coordinating all of these actors in order to protect its national security.
The US has multiple departments and agencies with cyber capabilities, amongst them the Department of Defense with military-led cyber capabilities (including the NSA and U.S. Cyber Command), the CIA with civilian-led cyber capabilities and the FBI focused on domestic issues. However, there are only a limited number of examples of U.S.-led operations, as the US is known to be stealthy in its operations. Although there is limited public information on the cyber capabilities of the US, there have been numerous revelations that gave away some indications on the sophistication of the US. The most important revelations arguably came from NSA contractor Edward Snowden (see case 4). In another case, a group which called itself 'the Shadow Brokers' stole and leaked information on the cyber capabilities of Equation Group, a threat actor which assessed to be part of the NSA. Equation Group is known for its extremely sophisticated toolset and stealthy operations. A similar incident happened in 2017, when WikiLeaks published a large dataset containing hacking tools of the CIA, such as malware, viruses, zero day exploits and more. Furthermore, in March 2022, in reaction to the Russian invasion in Ukraine, President Biden released a statement in which he stated that the U.S. government ''will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure''. This strongly indicates that the US is indeed actively conducting offensive cyber operations against adversaries. However, before the US can act in cyberspace, it has to go through lengthy approval processes. The U.S. Cyber Command has already indicated that such approval processes make it incredibly difficult to respond to malicious cyber activities as it limits its freedom to operate.
Another element that emphasizes the sophistication of U.S. cyber capabilities, can be found in cooperative operations with other active nations in cyberspace. In the Stuxnet attack for example (see case 1), the US allegedly created an extremely sophisticated piece of malware in a joint collaboration with Israel, with the goal of destroying the centrifuges in a Iranian nuclear power plant (therewith delaying Iran's nuclear program). The US is known to tap into undersea internet cables on a large scale (case 2). In the Belgacom hack (see case 3) , it has been reported that the US provided the sophisticated Quantum Insert technology that enabled the UK's GCHQ to obtain initial access at telecommunications provider Belgacom. Lastly, the US has multiple strategic partnerships, such as through the Five Eyes, which also contributes to the US having an incredibly strong intelligence position.
CASE 1: Operation Olympic Games (2010)
In 2010, extremely sophisticated malware called Stuxnet was discovered on computers within a nuclear plant facility in Natanz, Iran.  The malware was designed to target (SCADA) systems in the industrial environment. After the malware was activated, the nuclear centrifuges started to continuously changing speed, eventually breaking the centrifuges. It is believed that the malware was built by the USA in collaboration with Israel, with the purpose of destroying the centrifuges in the nuclear power facilities and therewith delaying Iran’s nuclear program.
CASE 2: The long-Standing Practice of Undersea Cable Tapping
NSA leaks reveal that governments are probing "the Internet's backbone".  More than 550,000 miles of flexible undersea cables about the size of garden watering hoses carry all the world's emails, searches, and tweets. Together, they shoot the equivalent of several hundred Libraries of Congress worth of information back and forth every day. The US has a long history of tapping undersea cables to tap directly into the Internet’s backbone.  To give context to the scale of information gathering, a subsidiary program for these operations - Tempora - sucks up around 21 million gigabytes per day and stores the data for a month. The data is shared with NSA, and there are reportedly 550 NSA and GCHQ analysts poring over the information they've gathered from at least 200 fiber optic cables so far.
Strengths, weaknesses, opportunities & threats
- Most sophisticated cyber capabilities in the world
- Well-developed set of cyber-related strategies
- Large budget for strategy execution by government departments with cyber capabilities
- Close cooperation with private and academic sector
- Mature high-tech, cyber security and defence sectors in combination with strong capital markets fuelling investments in R&D
- Multiple government departments and agencies with sophisticated cyber capabilities
- Difficulties in effective coordination between stakeholders due to large size and high level of complexity
- Lengthy approval processes for offensive cyber operations that delays cyber responses
- Developing cyber capabilities through cooperation with the private and academic sectors
- Maintaining strong global intelligence position through multiple strategic partnerships
- Maintaining superiority in cyberspace by investing in emerging cyber-related technologies (e.g. artificial intelligence and quantum computing)
- Disrupting adversaries' opportunities by defending forward and persistent engagement
- Large attack surface as its critical infrastructure is largely intertwined with cyberspace
- Continuously under attack from both nation states and non-nation states actors
Interactions with other nations
Historically, the US has been a global hegemon, with an unrivaled position of military and economic power. However, since the end of the Cold War, this order has been shifting, with countries such as China challenging the US as global power. Specifically, the US is engaged in a battle with China over the status of global (economic) hegemony. Relations between the US and the Russian Federation are also tense. This tension is more historically rooted in ideological differences (capitalism vs. communism) and nowadays focused on countering western influence in which the US is a major player. Iran can be considered another rival of the US. Iran strongly opposes U.S. hegemony, whilst the US is a strong proponent of limiting Iran's nuclear program. This tension has therefore and not unsurprisingly increased in longstanding sanctions against Iran. A country that the US also experiences as a threat is North Korea. This can be traced back to expansion of North Korea's nuclear weapon program, which has resulted in the US imposing a long list of sanctions as well. Finally, the US also has many (western) partners and alliances around the globe, such as the Five Eyes and NATO. This results in the US having an unprecedented global intelligence reach.
Controlling your cybersecurity risks
Activities of the US are centered around defending national interests. In order to defend these interests, the US is continuously monitoring adversaries moves and is actively disrupting their infrastructures. Furthermore and characterizing for the US is the focus on maximizing its intelligence position. If that is not attainable, it is able to execute highly sophisticated and targeted attacks.
The US is continuously under attack from a growing plethora of actors, ranging from nation states, to organized criminal groups and hacktivists. Specifically, attacks that the US currently identifies as most imminent are focused on undermining U.S. democracy (e.g. election interference and disinformation), intellectual property theft and disrupting U.S. critical infrastructure. The US therefore sees cyberspace as a way to defend it national interests. A way in which this can be achieved, is by aiming to maintain its superiority in cyberspace. Part of this ambition is investing in emerging technologies that are relevant to developing its cyber capabilities, such as artificial intelligence and quantum computing.
More specifically, it uses the principles of 'defending forward' and 'persistent engagement' to pursue these goals. Forward defense and persistent engagement are characterized by continuously monitoring adversaries moves and actively disrupting their infrastructures instead of waiting until they try to attack. Therefore, the relationship between the US and its adversaries can be seen as a persistent adversary relationship. A persistent adversary relationship is characterized by an actor who has the motivation, resources and capabilities to inflict harm upon adversaries for a long period of time, whilst at the same time having a stronger motivation to resist any threats as result of it’s actions. In this case, the US has the means and incentives to continuously disrupt adversaries' infrastructure, trying to deny them possibilities to conduct attacks against the US.
Other activities of the US are motivated by wanting to maximize its intelligence position. The Snowden revelations for example showed how the US made use of the new intelligence gathering possibilities that cyberspace has created (see case 4). Furthermore, the US has a long track record of directly tapping into undersea internet cables in order to gather all the data that flows through (see figure 1). Strategy behind this method is to ensure that it has access to all kinds of intelligence, so that it can immediately access it when it is needed. This characterizes the US in comparison to other nations: it is focused on information superiority and if that is not attainable, it is able to execute targeted attacks. This explains to some degree the relatively low, but extremely sophisticated and targeted number of publicly known cyber-attacks by the US.
CASE 3: Operation Socialist (2012)
2012 marked the year in which Belgium's largest telecommunications provider at the time, Belgacom, noticed some first anomalies in its network. In June 2013, it indeed became clear that the network of Belgacom had been infected with one of the most sophisticated pieces of malware seen to this date. Specifically, the Edward Snowden leaks revealed that it was the UK's GCHQ (British intelligence service) who was behind the attack, in an operation dubbed 'Operation Socialist'. The goal of the intrusion allegedly was to bypass the increasing encryption standards in order to maintain its intelligence position. Furthermore, Belgacom functioned as an important 'hub' in the European telecommunications network, therewith containing a lot of information on targets travelling in Europe. Next to that, Belgacom's reach went beyond Europe, as it hosted communications lines to international partners in the Middle East and North Africa. This reach was another reason why Belgacom was such an attractive target. It enabled the GCHQ to target telecommunications networks in countries such as Iran, Russia and Syria.
CASE 4: Snowden revelations (2013)
In 2013, Edward Snowden disclosed an extraordinary amount of classified documents on the inner workings of the American National Security Agency, or NSA. Snowden revealed the NSA's data collection programs, with the most widely known one being PRISM (large-scale sharing of communication data between the NSA and U.S. telecommunications companies). Furthermore, it became clear that not only the NSA had been analyzing unprecedented amounts of metadata, but that the UK’s GCHQ has been doing the same thing in its TEMPORA program. The revelations also showed that the NSA was actively interfering with communications of targets in cyberspace. It ran multiple QUANTUM-programs, focused on hacking into targets’ communications, aiming to gather intelligence or to sabotage them. All in all, the Snowden revelations demonstrated how cyberspace has revolutionized intelligence gathering possibilities and how the US actively made use of these new possibilities.
United States APTs
Advanced Persistent Threats (APTs)
Tactics, Techniques & Procedures (TTPs)
Hunt and Hackett currently tracks 8 US APTs. Note that this is a small dataset and that anomalies in the data appear larger than they actual are. Despite the statistical significance being lower in this case, on a general level it adequately illustrates how Hunt & Hackett's Threat Diagnostic System works and on the country level it still does give context on the focus of the US in cyberspace. Specifically, the data supports the notion that the US primarily uses cyberspace by defending forward against adversaries, which includes countries such as Iran, China and Russia (see figure 1). The targeting of Belgium can be traced back to the earlier explained Operation Socialist (see case 3), where Belgacom functioned as an important hub within Europe, but also towards the Middle East and North Africa. The focus on Sweden can be connected to the NSA’s interest in Sweden’s National Defense Radio Establishment, or FRA. In 2008, the FRA got the mandate to intercept all communications in and out of Sweden and the reason why this was of interest to the NSA, is because it facilitated a large percentage of Russian communications. As a result, the NSA could collect intelligence on Russian high-profile targets.
Figure 1 - targeted countries by US APTs
Anomalies are based on differences between the US and the rest of the actors in the dataset. In other words, anomalies indicate to what extent the US has a larger focus on certain countries or sectors when compared to all the actors that Hunt & Hackett tracks. From figure 2, it becomes clear that the US has a relatively large focus on countries in the Middle East. This supports the notion that the US is largely involved in Middle Eastern affairs, focusing on diplomatic engagement, conflict management and economic and military stability.
Figure 2 - anomalies in the data compared to the global threat landscape (observed countries)
Looking at the sector focus of the US, the focus on sectors such as technology, government, defense and political can be explained by two primary motives. On the one hand, the US is continuously working on monitoring and disrupting adversaries' infrastructures, as part of its forward defense and persistent engagement strategy. On the other hand, the US wants to maximize its intelligence position, resulting in it focusing on strategic targets containing a lot of intelligence relevant to the US.
Figure 3 - targeted sectors by US APTs
Looking at the anomalies in targeted sectors (see figure 4), both aviation and aerospace stand out. An explanation for the focus on aviation can be found in the Snowden revelations. In documents released by Snowden, evidence was found on the NSA intercepting signals that were sent from satellites to ground stations that are connected to the GSM network, in program called 'Thieving Magpie'. By intercepting such signals, the travel movements of a target could be identified, as well as other mobile device and potentially individuals onboard the same aircraft. The released documents showed that the focus initially was directed at flights in Europe, the Middle East and Africa, but that the program was expected to go global the next year. The Snowden revelations also showed the interest of the US in aerospace. Documents revealed how the NSA had been monitoring Israeli military drones by intercepting signals sent by the drones to satellites in space. As a result, the NSA was able to track the locations of the drones, see their video footages and even watch what the drones were targeting. Documents also revealed that the US was able to watch the video feed of an Israeli F-16 fighter jet.
Figure 4 - anomalies in the data compared to the global threat landscape (sectors)
This profile aims to describe the cyber power of the US from a threat intelligence perspective. For a geopolitical angle of the cyber power of the US, see the chapter on the US from IISS’s research paper called 'Cyber Capabilities and National Power: A Net Assessment' (downloadable as PDF) on https://www.iiss.org/blogs/research-paper/2021/06/cyber-power---tier-one.
- IISS. Cyber Capabilities and National Power: A Net Assessment.
- Sergio Caltagirone, Andrew Pendergast & Christopher Betz. The Diamond Model of Intrusion Analysis.
- Russia’s Westpolitik and the European Union
- Hu, M. (2015). Taxonomy of the Snowden Disclosures. Washington and Lee Law Review, 72, Washington & Lee Legal Studies Paper No. 2016-5. https://ssrn.com/abstract=2730245
Our articles covering US threats
From Hunt & Hackett experts
Kennissessies: de digitale dreiging, oplossingen en ervaringen in de land- en tuinbouwsector
The SolarWinds attack: A contrarian view and lessons learned
Lights can go out: Espionage & disruption in the energy sector
All hands on deck: Attackers have entered the maritime industry
Agriculture in the crosshairs of nation-state sponsored hackers