
As global conflicts escalate, APT playbooks are quietly changing


Prayukth K V
The glowing green cursor blinked on a terminal, a near-steady heartbeat in the pin-drop silence of a darkened office. The year was 1996, and cyberspace as we know it now was still in its infancy. In the shadows of the Pentagon's networks, something sinister had just slipped through. The threat didn't crash the system or set off alarms; instead, it slipped through the back door like a near-invisible ghost, unfolding a skeleton key that shouldn't have existed. Moonlight Maze didn't come for a visit. It was here to stay.
For nearly three years, the breach bled the American defense establishment dry. From the sterile labs of NASA to the high-security vaults of the Department of Energy, thousands of files were vacuumed up and moved halfway around the world. This wasn't a bored, basement-dwelling teenager or a lone-wolf thief looking for a credit card number. This was a surgical, timed and targeted state-sponsored extraction. The targets couldn't have been more precise: encrypted military communications, classified hardware schematics, and the literal maps of the nation's most sensitive infrastructure.
When the FBI finally began tugging at the visible threads in 1999, they didn't find a simple out-of-place virus. They found a masterpiece of state-backed espionage. The hackers had built and used a relay of compromised university servers to mask their trail, leading investigators on a digital chase that hopped across continents and time zones. This event marked the birth of a kind of warfare the world hadn't seen before: a harmless PC operated by an ordinary citizen, or a random forgotten server in a datacenter, was now the frontline.
Moonlight Maze, as this group was subsequently called, didn't just break the rules of security; it rewrote them and inspired many similar actors in its wake. It was the first true and documented instance of an Advanced Persistent Threat (APT), heralding the arrival of ghost wars fought in the digital realm.
Playing the catch-up game
The defenders were months, if not years, behind at the time. Things haven't changed much. Even though the evolutionary pressure on defenders and attackers is more or less at par today, the diversity of threat actors, the easy availability of tools and the growing number of targets have all contributed to the emergence of a new breed of APT groups who are patient and more persistent than ever before.
Since the 90s, APT groups have relied almost entirely on state funding for their operations. Generous pay packages for employees, unmarked and unaccounted budgets and little accountability for their actions were all hallmarks of APT operations. But something changed when the pandemic struck in the early part of the decade. On the one hand, budgets and operations were downsized; on the other, some states had to focus their spending on building and sustaining military hardware in conflict zones. Even those states that were not directly impacted had to invest more in maintaining a deterrent posture to stop adversarial states from getting ideas. As the funding slowed, APT groups started looking elsewhere for financial support, and this is where many state intelligence agencies started studying the North Korean APT funding model for alternative funding ideas and approaches.
What is the North Korean APT funding model?
North Korean APT groups such as Lazarus are not dependent on the state for funding. Instead, they are a revenue center, i.e. a revenue-generating unit, for the North Korean government. Each APT group in North Korea is given a revenue target in addition to its regular hacking targets. Groups like Lazarus are experts at moving large amounts of cryptocurrency across the world. Lazarus is a known Bitcoin wallet hacking entity with extensive knowledge and experience in this arena.
This hybrid operational model has proven to be highly effective and rewarding for North Korea, leading to a consistent year-over-year expansion of their APT groups' mandates. On similar lines, prominent Chinese threat actors, most notably APT 41, have also adopted this playbook, frequently blending state-directed missions with financially motivated operations to generate revenue whenever the opportunity arises.
As the frequency of global conflicts continues to escalate, intelligence agencies have a growing strategic incentive to permit and even encourage APT groups to self-fund operations through illicit cyber activity. This 'offset' model allows states to maintain advanced offensive capabilities while minimizing direct budgetary strain and preserving plausible deniability. Such an approach also eases the monetary pressure on the agencies and the APT groups.
In the two days since the Iranian APTs, especially MuddyWater, returned to active operations, we have seen them target financial institutions in the US. This could be construed as an attempt to cause economic injury, or as an attempt to siphon money into the coffers of MuddyWater and its handlers. MuddyWater may widen its attacks on various global targets in the days to come, and some of these attacks may be financially motivated.
Revenue generation may be integrated into the core operational mandates of APT groups in the days to come. So why have intelligence agencies not used revenue generation as a core operational objective until now? Here are a few reasons:
· Widespread use of this model may lead to employees of APT groups diverting the stolen funds into their own accounts
· More functional autonomy may make groups question decisions
· Being fully focused on revenue generation may take attention away from core operations
This could be another evolutionary trajectory for APT groups. A mixed path, with a few campaigns focused on monetary gain and a few focused on data exfiltration, will be the way forward. Adding a financial layer to the operational motivations of APT actors will complicate the threat landscape and may even change their TTPs. That's for another blog post. Stay tuned.