Level 3 Communications

Dale Drew

Anatomy of a Nation State Hack

Nation states are working hard to build up their economies and strengthen their key businesses – in some cases by using stolen intellectual property and other valuable information hacked from companies and government agencies around the world.

We know this because we regularly observe their activities. The typical nation state hacking operation involves a fairly complex network of highly trained, highly skilled actors who patiently create malware and other malicious content specifically designed for particular organization.

The bad actors involved in nation state hacking are often enlisted military personnel (government employees) who work regular, every day shifts from eight to five o’clock and typically have been hand-picked for their role in the process because of the particular skills and interests they possess. They commute to work, they complain about their bosses, and they design attacks to bypass some of the most sophisticated security measures in the industry.

Generally, a hack operation begins when someone tells a worker or group of workers on the team that the government needs certain intellectual property in order to make an in-country company more competitive, say for example, in the area of solar energy.

The individual or team then researches companies that operate in that space that might have the sort of information the government is looking for. They identify a number of potential targets; who owns the most intellectual property in the target space (by patents, or investor interest, etc.), and which employees are most involved in those critical information areas, eventually passing this information on to a team – we’ll call them Hack1 – that are experts at finding ways to break into organizations’ or individual users’ systems.

Hack1 analyzes all the possible technical ways to break in. They study the security tools organizations in the solar energy sector are using, find out which weaknesses can be exploited, which individual users are likely to hold valuable information and what attack methods will most likely help the hackers gain access to that information. If no one inside the organization proves to be a good target, the team looks outside, to supply chain vendors or others that might provide a way to get access into the target company.

Hack1 decides whether it makes sense to launch a “smash and grab” attack to gain one-time access to particular data, or go with a persistent-access attack that enables them to gather intelligence over an extended period of time.

Hack1 then passes everything they’ve learned onto another team – Hack2 – that actually launches the attacks as part of an extended campaign by sending out phishing emails and finding methods to gain access to specific systems and files, etc. Hack2 is an extremely sophisticated team that will employ techniques such as getting access to source code for a variety of IT products commonly used by organizations in order to find new exploits the industry hasn’t yet detected. Their goal is to obtain persistent access.

Nation state hacking teams leverage open-source intelligence (OSINT) that’s collected from a variety of publicly available sources. These sources include media outlets such as newspapers, magazines and internet news sites; Web-based communities including social networking sites, wikis and blogs; public information such as government reports, hearings and legislative material; professional and academic documents; and information from the “Deep Web,” content that remains hidden from the majority of internet users. The information helps the hackers build social profiles of people working for a target, as well as the capabilities of that company, by providing insights into what tools, products and vendors the target may use – all of which ultimately give the hackers even more avenues to break into a company.

Once the attackers have what they need in terms of intellectual property, they pass it on to the agencies that originally requested the information. The information can then be passed on to in-country companies for competitive advantages, or used by the nation state to create new capabilities for making access to infrastructure or data easier to obtain in the future.

These hacking initiatives sometimes involve hundreds and even thousands of people, and take many months to complete. The average campaign lasts about 18 months. The efforts are always well organized, and often quite predictable. We are aware of what they are doing, and they are smart enough to know we are aware.

The nation state hacker teams are now so good at what they do that many of the individuals are migrating to organized crime, where they rent their skills to organizations looking to steal valuable information. This has significantly evolved organized crime’s capabilities in the cyberspace, and is making it increasingly difficult to tell the difference between a nation state and an organized crime syndicate.

But by continuing to observe their activities, we can learn the best ways to predict when they will strike and how. This offers the best chance of finding new and more effective ways to protect valuable business data from nation states looking to use that same information to their advantage.


As Chief Security Officer at Level 3, Dale brings 21 years of experience in developing critical global security programs, working in federal/state law enforcement and with Internet service providers (ISP). One fun fact to share is that he has worked for the U.S. Secret Service where he spearheaded Operation Sundevil, the nation’s largest computer crime investigation.