Cyberwar, Espionage, and APTs:
Military and intelligence applications
of network attack and defense
The term cyberwar has been misused to promote various agendas. The often abused term "Digital Pearl Harbor" usually indicates that the speaker or writer is hyping something for political reasons, often with little to no understanding of the technology. However, cyberwar is going on, with the U.S., China, and Russia as major players. Denial-of-service attacks have played roles in parallel with physical attacks, and espionage attempts are constant. Let's look at some meaningful information on cyberwar.
The term Remote Access Trojan or RAT was initially popular for describing the advanced threats of the mid 1990s through maybe 2010. The term Advanced Persistent Threat or APT is cited as first being used by USAF Colonel Greg Rattray in 2006, it soon became common for describing precisely targeted threats using advanced techniques and typically lurking unseen for an extended time to extract data, gather intelligence for later attacks, or sabotage systems.
A true APT is very advanced and persistent. They are complex and sophisticated, especially the nation-state-sponsored ones. And they are persistent: analysis has shown that some have been in place undetected for several years.
Some cybersecurity vendors have become very sloppy with the term! Some vendors say "APT" to refer malware that affects a server instead of just desktops. Or, to ransomware that hits a file server instead of just one desktop. Or, worse yet, to anything at all that's more complicated than the standard Windows trojan. Let's not make the cybersecurity jargon any sloppier than it already is!
Lists of APT and major threat groups
Some organizations and individuals are trying to keep track of the names assigned to major threat groups:
Mitre Florian Roth's list MISP Galaxy Adversary Groups
International Conflict on the Internet
National Security Archive
at George Washington University maintains
The Cyber Vault,
a large and growing archive of documents
on various aspects of cyber activities
from the U.S. and foreign governments,
international organizations, and cybersecurity firms.
The Cyber Vault
The RAND Corporation wrote what looks like a good analysis of cyberwar for the U.S. Air Force.
Seymour Hersh wrote a good article for The New Yorker, "The Online Threat: Should we be worried about a cyber war?"
At the 2013 RSA conference a senior PLA colonel said "In the U.S., military espionage is heroic and economic espionage is a crime, but in China the line is not so clear."
I haven't tried to distinguish between conflicts directly between governments (e.g., Stuxnet), between supporters of a government against another government (e.g., Estonia in 2007), and between what might be spinoffs of the PLA conducting espionage against U.S. defense contractors.
As a general trend, attacks out of eastern Europe (Russia, Ukraine, Romania, and Bulgaria are prominent sources) tend to be criminal in nature — stealing financial information, extortion through DDoS or crypto-locker software, and stealing corporate information. Attacks out of China tend to be more focused on industrial and national espionage.
I have tried to divide things by country and put them in time order, as that is complicated enough.
As for things like nation-state threats attacking banks, I don't know how to put that into a category. But it happens!