Cyber espionage is a type of cyber attack in which an unauthorised user attempts to gain access to private or sensitive information or intellectual property. The aim is to gain financial gain, business advantage or political advantage.


What exactly is cyber espionage?

Targeted attacks on third-party computer systems and networks with the aim of intercepting (secret) documents and information are called cyber espionage. Cyber espionage is considered one of the greatest challenges facing IT security experts today.

This is because cyber spies use sophisticated tactics to conceal their intrusion and operate unobtrusively.

The attacks are often carried out by cyber spies on behalf of national intelligence agencies. State hackers from China and Russia appear to be the most active, but allegations of cyber espionage against the US have also increased recently.

Similarly, cases of industrial espionage by competitors – possibly by buying cybercrime as a service – and other attacks by criminal organisations without state support are on the rise.

Why is cyber espionage used?

Cyber espionage is often used to obtain sensitive or confidential information, trade secrets or other types of intellectual property that the attacker can use to gain a competitive advantage or sell for profit.

In some circumstances, the compromise is simply intended to damage the victim’s reputation by exposing sensitive data or dubious business transactions.

Extortion is also common practice among criminals: a large payment, for example in Bitcoin, is demanded under the threat that the data will otherwise be disclosed.

Attacks on computer networks can be commercially motivated, but they can also be carried out as part of military operations, as cyberterrorism or as part of cyberwarfare.

Cyber espionage has the potential to disrupt infrastructures and public services and cause casualties, especially if it is part of a larger military or political effort.

Targets of cyber espionage attacks

The persistence of the attacks and the choice of targets are clear attempts to spy strategically on politicians and the federal government. However, cyber espionage attacks also pose a serious threat to the profitability and growth prospects of businesses.

Large corporations, government agencies, academic institutions, think tanks and other organisations with valuable intellectual property and technical data that other organisations or governments could use to gain competitive advantage are the most common targets of cyber espionage.

Targeted campaigns may also target specific individuals, including well-known politicians, business leaders and even celebrities.

Typically, cyber spies try to gain access to the following sources:

  • Data and activities related to research and development
  • Information from academic studies – intellectual property, such as designs for products or blueprints
  • Salaries, bonus structures and other private financial and spending data of the company
  • A list of clients or customers and payment arrangements
  • Political strategies, connections and communications – business objectives, strategic plans and marketing techniques
  • Military details

How does cyber espionage work?

Normally, cyber spies are so careful that their targets are unaware of the espionage attack. Occasionally, however, they fail to do so and the incidents are made public. For security researchers, this is a unique opportunity to study the course of the attack.

So what do we know from research about how cyber espionage works?

The findings are as follows:

  • Attacks by cyber spies seem to be well organised and can sometimes last for years.
  • The attackers gain unauthorised access to their victim’s system by using social engineering and phishing or by exploiting security holes and actively hacking the system. They then install so-called backdoor programmes to have constant access to the system.
  • Afterwards, they often scan the network. The intruders learn the configuration of the network, the software versions in use, and so on. Such networks may go unpatched for years.
  • Years may pass before the actual spying begins, perhaps so that the intrusion itself fades from attention.
  • But at some point, the attackers start collecting information. They use data-gathering tools that look for Word, PowerPoint and Excel files. The backdoor is then used to transmit the data to the attackers’ servers.
  • Sometimes additional malware is installed that gives the attackers more extensive access to the victim’s PC, such as reading and recording keystrokes.

As already explained, the victims usually notice none of this. And that is exactly what makes cyber espionage so dangerous: neither the victims nor those attacked after them have the opportunity to learn from the mistakes, close the gaps and strengthen their own defences.

Of course, there is also the damage caused by internal knowledge leaks.

Typical methods of cyber espionage

Most cyber espionage is classified as an advanced persistent threat (APT). Intruders use these sophisticated persistent cyberattacks to surreptitiously penetrate a network and steal critical data over an extended period of time.

APT attacks are carefully thought out and designed to infiltrate a specific organisation. They aim to evade existing security measures for as long as possible.

APT attacks require more adaptation and skill to execute than traditional attacks. The actors are usually well-equipped, experienced gangs of cybercriminals who target particularly wealthy companies and organisations.

A lot of time and resources are spent researching vulnerabilities before the attack.

Most cyber espionage attacks also involve some form of social engineering to persuade the target to take a certain action or share information that will advance the attack.

These techniques often exploit human emotions such as enthusiasm, curiosity, empathy or fear to generate impulsive behaviour.

They are used by cybercriminals to trick victims into revealing personal information, clicking on malicious links, downloading malware or paying ransom.

Other typical attack methods are:

  1. Watering hole: To compromise an individual, malicious actors infect legitimate websites that the target, or people associated with the target, regularly visit with malware.
  2. Spearphishing: A hacker targets specific individuals with fake emails, text messages and phone calls to obtain important information or login credentials.
  3. Zero-day exploits: Cybercriminals exploit a software bug or vulnerability that is known to them but not yet to the client’s IT staff or the software developer, before it is noticed and fixed.
  4. Insider threats or malicious insiders: A threat actor persuades an employee or contractor to share or sell information or give unauthorised users access to the system.

Increase in cyber attacks

The number of cyber espionage attacks is constantly increasing in the digital age. There are numerous reasons for this:

  1. The anonymity of the internet makes it more difficult to track down the perpetrators and bring them to justice.
  2. In the event of a successful attack, there is extensive and rapid access to huge amounts of data.
  3. For the perpetrators, cyber attacks are a cost-effective method that they can use in real time and with sufficient probability of success.

Cyber espionage attacks are particularly damaging because they often go undetected or are only uncovered after the fact. For example, the attackers create malicious emails that match the victims’ goals or interests so as not to arouse suspicion.

Emails carrying Trojans are typical. In some cases, opening the attachment automatically launches a malicious programme contained in it.

Cyber spies wreak havoc on the economy worth billions of euros

In the field of digital industrial espionage, data is spied on along the entire value chain. This begins with the product idea, continues through research, development, procurement and production and culminates in product marketing.

The German economy suffers an annual loss of at least 50 billion euros, if not more, due to cyber espionage.

What is the state doing to prevent cyber espionage attacks? The main task of counterintelligence is to detect and analyse intelligence-motivated cyber attacks and to take measures to warn potential victims of the threat.

To this end, various federal agencies work together, and since 2011 there has even been a National Cyber Defence Centre (Cyber-AZ). In addition, the Federal Ministry of the Interior has launched the “Initiative Wirtschaftsschutz” (Initiative for Economic Protection), which is primarily intended to protect small and medium-sized enterprises from espionage.

The impact of cyber espionage on the world

A growing security concern is cyber espionage, especially when it comes from state actors.

Due to the lack of extradition treaties between states and the difficulty in enforcing international laws, most criminals continue to operate freely despite numerous indictments and laws designed to stop such activities.

Because of this, and the increasing sophistication of cybercriminals and hackers, there is a risk of a coordinated and sophisticated attack that could affect a range of modern services, including electricity supply, the functioning of financial markets and important elections.

A global cyber war?

State-sponsored cyber espionage continues to be extremely damaging despite all countermeasures, because considerable financial resources are allocated and deployed for promising attacks on lucrative or otherwise important targets.

There is a thriving black market for vulnerabilities in software (MS Office, Adobe Reader, Adobe Flash, etc.) and operating systems (Windows, Linux, iOS, etc.) that can be bought and used for cyber espionage attacks.

There is now even talk of a global economic war in the digital space. After the fronts between Russia, China and the USA have hardened for years, even the UN is interested in the topic and has set up a committee for security in cyberspace.

The global effort to control state hacking has reached a dead end.

Penalties for cyber espionage

Although numerous states have filed criminal charges for cyber espionage, the most serious cases usually involve foreign actors in countries that are not obliged to extradite them.

As a result, law enforcement agencies have little ability to prosecute cybercriminals, especially those based abroad.

However, the investigative effort required to support cyber espionage charges can also serve as the basis for penalties against other states or international companies.

For example, the US Treasury Department has the authority to use investigative data from indictments to impose economic sanctions on a company known to have been involved in cyber espionage activities.

Detection, prevention and avoidance of cyber espionage

Cyber attackers and cyber spies are becoming increasingly sophisticated, making it possible for them to circumvent many established cyber security tools and systems. Even though these threat actors are often highly skilled and have access to sophisticated tools, it is not impossible to protect against these attacks.

To help organisations gain a better understanding of threat actors, their attack methods and the procedures they often employ, a range of cybersecurity and information solutions are available.

  1. Service providers: It is critical to work with a world-class cybersecurity firm. Organisations may need support to respond to a sophisticated cyber attack when the unexpected occurs.
  2. Sensor coverage: You can only stop what you can see. Organisations should implement the components that give security managers an overall view of the entire environment, so that there are no blind spots for threat actors to exploit.
  3. Threat intelligence reports provide a clear picture of the actions of threat actors and the methods and tools they use. Monitoring malware families, tracking campaigns and profiling threat actors is made easier with threat analytics. In today’s world, it is more important than ever to know the context of an attack. Simply knowing that an attack has occurred is not enough. Threat data is essential in this situation.
  4. Technical data: Use technical data, such as indicators of compromise, to enrich data in a security information and event management (SIEM) system. This will expand your information base for event correlation and you may be able to identify network events that you would otherwise have missed. Situational awareness is greatly enhanced by implementing trusted signs of compromise across multiple security systems.
  5. Threat hunting: It is more important than ever to understand that an organisation’s reliance on technology has its limits. For many organisations, it is critical to complement the cybersecurity technologies they already have in place with human-led threat hunting around the clock.
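As an added illustration of the IoC enrichment and event correlation described in point 4, and of the collection-then-transmission sequence outlined under “How does cyber espionage work?”, the following Python is example code written for this page, not part of the original article or any product. The indicator values and log lines are constructed placeholders; the key=value log format is an assumption standing in for a SIEM’s normalised events.

```python
import re
from collections import defaultdict

# Constructed placeholder indicators (TEST-NET address, reserved name), not
# real IoCs; a production SIEM would load these from a threat-intel feed.
IOCS = {"ip": {"203.0.113.45"}, "domain": {"update-check.example"}}
# Office document types the page names as the attackers' collection targets.
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

# Constructed, normalised event lines: a timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=ws-17 type=file_read path=C:/Docs/q1-forecast.xlsx
2024-03-01T09:00:04 host=ws-17 type=file_read path=C:/Docs/roadmap.pptx
2024-03-01T09:00:09 host=ws-17 type=file_read path=C:/Docs/clients.docx
2024-03-01T09:01:30 host=ws-17 type=net_conn dst=203.0.113.45 bytes_out=5242880
2024-03-01T09:02:00 host=ws-22 type=file_read path=C:/Docs/memo.docx
2024-03-01T09:02:05 host=ws-22 type=net_conn dst=198.51.100.7 bytes_out=1200
2024-03-01T09:03:10 host=ws-31 type=dns_query qname=update-check.example
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one normalised log line into a dict; 'ts' holds the timestamp."""
    ts, _, rest = line.partition(" ")
    return {"ts": ts, **dict(KV.findall(rest))}

def enrich(event):
    """SIEM-style enrichment: tag the event with the IoC types it matches."""
    event["ioc_match"] = [kind for kind, fld in (("ip", "dst"), ("domain", "qname"))
                          if event.get(fld) in IOCS[kind]]
    return event

def correlate(log, min_docs=3):
    """Alert on hosts that read >= min_docs Office files and then contact an
    IoC: the collection-then-transfer sequence described on the page."""
    docs_seen = defaultdict(int)
    alerts = []
    for line in log.strip().splitlines():
        ev = enrich(parse_event(line))
        host = ev["host"]
        if ev["type"] == "file_read" and ev["path"].lower().endswith(OFFICE_EXT):
            docs_seen[host] += 1
        elif ev["ioc_match"] and docs_seen[host] >= min_docs:
            alerts.append({"host": host, "docs": docs_seen[host], "ts": ev["ts"],
                           "indicator": ev.get("dst") or ev.get("qname")})
    return alerts
```

Run on the sample log, only ws-17 is flagged: ws-22 transfers data to an address that is not an indicator, and ws-31 resolves an indicator domain without the preceding document collection, which is why the bare IoC hit on its own is enrichment rather than an alert.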

Cyber espionage: conclusion and future prognosis

Cyber attacks are now an essential part of intelligence espionage techniques. The digital age also creates new opportunities and avenues for espionage, which poses new difficulties for counterintelligence.

Since 2005, there have been reports of targeted cyber attacks on politicians, companies and the federal government. These take place at a high-tech level and pose a considerable threat to information security there.

For foreign intelligence services, electronic attacks have become an important means of information gathering, serving as a supplement to information obtained from human sources. They have a high probability of success, are inexpensive and can be carried out immediately.

There are no significant political or criminal threats. This issue will become much more explosive as networking and dependence on IT infrastructures increases.

In order to be able to adapt security policy cooperatively to progress, it will therefore continue to be particularly important for affected companies to report cases of espionage or suspicions to the security authorities.