Cyber Espionage as Mischief Managed

Horkos
5 min read · Apr 2, 2021
“Just stay under yer invisibility cloak!”

On 2 April 2021, CNN published a story describing certain actions undertaken by the likely Russian actors reportedly responsible for recent supply chain compromise activity that affected multiple parts of the U.S. government. Specifically, those actors allegedly targeted the user and email accounts of Department of Homeland Security (DHS) threat hunters — likely as a means to provide an early warning and intelligence feedback loop to enable the actors to escape detection for as long as possible. That story elaborated on an earlier piece from CyberScoop. If these press reports are true, I feel this behavior implies something about such actors:

Always gotta have the self-quote in a blog.

For the sake of argument, let’s hypothesize that these reports are accurate (even though I honestly don’t know if they are). If you already have deep and persistent access to a target organization, it’s not hard to dump the victim’s Active Directory database and Ctrl+F for distribution lists that contain phrases like “hunt” or “SOC” or “cybersecurity” to find specific individuals — you don’t even need LinkedIn! So the potential for insight here derives not from the actors’ ability to target these individuals, but rather from their choice to do so.

When undertaking a cyber espionage operation, each line of activity initiated after an intrusion begins raises an actor’s potential for being detected. Tautologically speaking, if an actor’s initial activity doesn’t get them caught immediately, then the most likely thing that will burn them is deviating from their core kill chain. The farther an actor strays inside a network, the more risk they incur. Thus, if an actor’s intention is the collection of specific information on a given network, targeting that network’s defenders early in the operation is a double-edged sword: it may provide an early warning system, but it still amounts to additional activity that in itself raises the likelihood of detection — not least because that activity is being directed against the very individuals responsible for interdicting malicious actors.

In my experience, most state-nexus actors early on in an operation would rather go for low-hanging fruit to generate fallback access mechanisms rather than risk detection by attempting to watch the watchers. Some state-nexus actors, however, take a very counterintelligence-oriented approach to operations. This tends to occur when an actor’s explicit goal is not immediate acquisition of specific information, but rather is wide-ranging and persistent access over the long term. In their minds, to safeguard continuing access — which is their operational raison d’être — they need that eye on blue team personnel not just as an early warning mechanism, but also to inform any counter-defensive moves necessary to forestall or otherwise complicate an incident response. Herein lies the insight: actors that choose to accept the risk of acquiring blue team surveillance are likely after long-term access rather than fulfilling immediate collection requirements, and actors that can pull this off tend to be mature, disciplined, and counterintelligence savvy.

During the course of knocking this perspective around with someone smarter than myself, we arrived at a neat metaphor: Harry Potter and his invisibility cloak. Let’s say Harry is our threat actor, and his goal is to get into Professor Snape’s office to get the answers to an upcoming Potions exam. Harry’s inside Hogwarts already and is moving to Snape’s office under his invisibility cloak. At this point, there are two primary ways Harry could get caught:

  1. Something unexpected happens (e.g., someone bumps into Harry; he makes a mistake that draws attention, like sneezing; Mad-Eye Moody is patrolling the halls and sees through Harry’s cloak with his magic eye; etc.)
  2. He’s caught doing something (e.g., someone sees Harry when he reaches out of the cloak to open a door, move something out of his way, take something, etc.)

In either case, if Harry is disciplined, the latter is the more likely way for him to get caught…but reaching out is also really the point of using the cloak to begin with. When he sticks part of his body outside the cloak for any reason, Harry really needs to make it count, because that’s when he’s at his most vulnerable to detection. In terms of tradecraft, Harry wants to reach out from the cloak as few times as possible, and he wants to avoid putting himself in proximity to people who might be on the lookout for anything abnormal unless absolutely necessary. There are some surprisingly clean parallels to cyber operations here:

  • Someone bumping into Harry is analogous to a lucky blue teamer happening to catch something in the network that just seems “off”.
  • Harry making a mistake that draws attention is similar to an actor having an OPSEC failure or getting snagged in a technical detection.
  • Mad-Eye Moody’s eye can be seen as akin to threat intelligence being used to correlate indicators of compromise.

But it all comes back to Harry knowing that sticking his arm out is the period of greatest danger during his hijinks, because that’s when he’s taking himself outside the parameters of what should be generally safe for him. And it would be exponentially more risky to do so in the vicinity of Mad-Eye Moody, the guy whose eye can see through invisibility cloaks!

The imperfection of this example is that Harry already has persistent access to Hogwarts by virtue of being a student and his risk of loss of general access (i.e., expulsion) is comparatively low. For Harry, it makes operational sense to limit the scope of his individual hijinks inside the grounds and it’s an unnecessary risk to try and acquire some kind of visibility into the school’s security when he already has basic tools to defeat it as long as he’s disciplined in how he uses them.

Things look very different if you’re a Death Eater team tasked by Voldemort to develop persistent access to Hogwarts so as to achieve long-term visibility on multiple, co-located, high-value targets like Harry and Professor Dumbledore. In that situation, the end goal — a state of continuing access, rather than the immediate acquisition of specific data — also carries perpetual risk of detection. To mitigate that risk at both the early and later stages of an operation, it would naturally behoove the Death Eaters to have some kind of insight into what Hogwarts security — like Mad-Eye — is up to.

From the outside, Hogwarts is a pretty hard target. To attempt such an operation, the Death Eaters involved would need extremely disciplined OPSEC and to have an intimate understanding of what and who they are going up against before ever mounting the intrusion. And they should know the risks associated with getting any closer than absolutely necessary to those tasked with keeping them out, especially the paranoid ex-cop with a magical eye. So if the Death Eaters are to have any chance at success, they need to be — like I said before — mature, disciplined, and counterintelligence savvy.

In the Death Eaters’ case, given their goal, targeting blue assets for surveillance makes sense but requires some serious Dark Arts skill to pull off. But for Harry, it’s a task that more than likely exceeds his capabilities — not to mention his core operational requirements — and fundamentally amounts to a deviation from discipline that puts him at extreme hazard of getting caught.

Unless Hermione’s doing his CONOPS for him. Then maybe he has a shot.

Acknowledgements: My thanks to the anonymous friend who helped develop this idea, without whom this blog wouldn’t have been written.

Horkos

The net’s own counterintelligence referent, maybe. Views here are personal, not my employer’s. All original content © Alex Orleans, 2014–2023.