26 July 2016

The Problem with Proxies

When it comes to cyber attacks, one of the biggest problems is correctly determining who, exactly, is attacking you. This is called attribution, and it is extremely difficult, since many sophisticated actors are capable of obscuring or destroying evidence as to who they are. The difficulty of attribution is compounded by the use of proxies to conduct operations. In the arena of international affairs, a proxy is a group that is separate from a state government, but takes actions on its behalf. Some proxies are little more than thinly veiled organs of a state’s security apparatus, while others are completely separate and autonomous organizations that function almost like contractors.

Regardless of how independent they are from the state that utilizes their services, all proxies provide the same basic advantage: clouding the true identity of the attacker. When a proxy conducts a cyber attack on behalf of a government, it is incredibly difficult to definitively link the attack to the government that commissioned it. Additionally, according to Rob Dannenberg, former head of security at Goldman Sachs, “the cyber proxy approach has many advantages, including plausible deniability, relatively low cost, little chance of political blowback, very little legal recourse for the target or victim, and the opportunity for a state actor to reinforce and exercise relationships with non-state actors that could be of use in a future conflict.”

This lack of definite causality grants governments plausible deniability, which in turn gives the attacking state more flexibility in preventing undue escalation of the conflict itself. Countries like Iran and Russia are able to deny involvement – or, at least, official sanction – and this helps them to prevent cyber attacks from resulting in kinetic responses. While Iran and Russia use proxies extensively in their cyber operations, so too do several other countries with adversarial relationships with the United States. Not coincidentally, these are the same countries that form the top tier of international cyber-actors among nation states – including China and North Korea.

Many groups that act as cyber proxies for nation states tend to be classified as cybercriminals. True cybercriminals are effective proxies since they already have a degree of technical ability, and their services are usually for sale. They also benefit from proxy relationships, since governments can shelter these cybercriminals from law enforcement in exchange for services rendered. For example, the Russian Business Network (RBN) is an extremely capable cybercrime group that primarily focuses on web hosting for illicit activities, identity theft, and running botnets. However, it is suspected that RBN was, at least partially, responsible for the cyberattack against Georgia that served as the prelude to an invasion from Russia.

Other groups seem to only engage in criminal activities that align with the agendas of their patron states. The Lazarus Group in North Korea, which was responsible for the Sony Hack and a number of attacks on South Korean banks, and Sandworm, which attacked the Ukrainian power grid in December 2015, both fall into this category. The Lazarus Group has been linked to the North Korean government, but nations are still hesitant to directly blame North Korea for their actions. The degree of cooperation between Sandworm and the Russian government is even less clear. As a result, Sandworm can continue to take actions that serve Russian foreign policy interests in Ukraine without necessarily causing problems for Russia itself.

Alternately, some cyber proxies are trained and supplied in a way that more directly mirrors the way that physical proxy forces are utilized in conventional operations. Iran has made extensive use of proxy groups such as Hezbollah in the physical domain, and it appears to be following a similar pattern with its cyber-proxies. Wherever Iran is fostering physical proxies – such as in Yemen, Lebanon, or Syria – there appear to also be Iranian-backed cyber forces – such as the Syrian Electronic Army, the Islamic Cyber Resistance, and the Yemen Cyber Army. For Iran, this appears to be a natural extension of a skill set that it has been developing for a decade, and they seem likely to continue to foster cyber proxies in order to augment their other proxy forces in the Middle East.

Outside of the more formal bounds of criminal and militant groups, there are also so-called “patriotic hackers.” This type of proxy is arguably one of the best examples of the problems facing accurate attribution of cyberattacks. The barriers to entry for hackers are growing lower all the time, and so governments can plausibly deny carrying out cyber operations by blaming citizen hackers – which are essentially just random citizens who have taken it upon themselves to strike at their government’s enemies through cyberspace. Both Russia and China have claimed that attacks originating from their respective countries were actually the work of patriotic hackers, rather than the government.

The situation is complicated further by the fact that all these categories can sometimes blend into one another as well. Sandworm, for example, has been characterized as both a criminal group and a group of patriotic hackers.

Proxies provide countries with a degree of flexibility that is extremely useful given the currently rising tensions among countries. It seems likely that their use will continue, especially in light of their utility for escalation management. Depending on the type and skill level, proxies can also act as force multipliers and allow adversaries to do more with less. Beyond the geostrategic, increased use of proxies could also allow useful criminal enterprises, like the RBN, to persist – which causes problems for people across the world.

However, no aspect of the cyber domain advances in a vacuum. Even as attackers are working to conceal their identities, defenders are working equally hard to improve attribution. The degree to which proxy use expands, as well as the degree to which their capabilities grow, will depend largely upon how attribution advances in the near future. If countries and companies can be confident in the attribution process, then the utility of proxies will decline. Otherwise, there may be an increase in both proxy attacks – and cybercrime writ large.