▀█▀ █░█ █▀▀   █▀▀ █░█ █▀█ █ █▀█ █░█ █▀   █▀▀ ▄▀█ █▀ █▀▀   █▀█ █▀▀   █▀█ █░█ █▀▄ █ █▀▄▀█ █▀▀ █▄░█ ▀█▀ ▄▀█ █▀█ █▄█
░█░ █▀█ ██▄   █▄▄ █▄█ █▀▄ █ █▄█ █▄█ ▄█   █▄▄ █▀█ ▄█ ██▄   █▄█ █▀░   █▀▄ █▄█ █▄▀ █ █░▀░█ ██▄ █░▀█ ░█░ █▀█ █▀▄ ░█░

█▀█ █▀▀ █▀█ █▀ █ █▀ ▀█▀ █▀▀ █▄░█ ▀█▀   ▀█▀ █░█ █▀█ █▀▀ ▄▀█ ▀█▀ █▀
█▀▀ ██▄ █▀▄ ▄█ █ ▄█ ░█░ ██▄ █░▀█ ░█░   ░█░ █▀█ █▀▄ ██▄ █▀█ ░█░ ▄█

▒▒▒▒ Article 001 ▒▒▒▒

THE CURIOUS CASE OF RUDIMENTARY PERSISTENT THREATS

Introduction

In the academic and policy discourse surrounding cybersecurity, much attention is paid to Advanced Persistent Threats (APTs), which are often state-backed and highly sophisticated. This focus has led to a relative neglect of a potentially consequential class of actors: Rudimentary Persistent Threats (RPTs). This essay seeks to formally introduce the concept of RPTs, delineate their characteristics, and explore their strategic significance, with a particular emphasis on their vulnerability to Human Intelligence (HUMINT) recruitment.

Rudimentary Persistent Threats (RPTs) are actors in the cyber domain who exhibit persistence in their activities but lack the technical sophistication commonly associated with APTs. Unlike APTs, RPTs are not usually directly state-sponsored but can be co-opted or leveraged by states to achieve strategic objectives. Their motivations are diverse and can range from ideological beliefs to financial incentives or even personal vendettas.

The hallmark of RPTs is their persistent engagement in cyber activities, albeit without the advanced technical capabilities often seen in APTs. They typically operate without the benefit of extensive financial or technical resources; instead, they rely on open-source tools and known vulnerabilities to achieve their objectives.

                                 +-----------+------------+
                                 | TRANSIENT | PERSISTENT |
                    +------------+-----------+------------+
                    |  ADVANCED  |           |    APTs    |
                    +------------+-----------+------------+
                    |RUDIMENTARY |           |    RPTs    |
                    +------------+-----------+------------+

Strategic Utility

The relatively low operational costs of RPTs make them an attractive option for states looking to achieve strategic goals without the financial and political risks associated with APTs. The often ambiguous affiliations of RPTs provide states with a layer of plausible deniability, reducing the risk of diplomatic or military repercussions. In conflict scenarios, RPTs can serve as a force multiplier, augmenting a state's existing cyber capabilities and complicating an adversary's defensive calculus.

Some real-world examples can provide valuable insights into the dynamics of Rudimentary Persistent Threats (RPTs) and their interactions with nation-state actors (terrorist state entities included!). Below are some instances that illustrate these relationships:

Russian cybercrime gangs, such as the group behind the GameOver Zeus botnet, have been implicated in various criminal activities ranging from financial fraud to the distribution of ransomware. While these groups primarily have financial motives, there is evidence to suggest that they have been co-opted or at least tolerated by the Russian government for state objectives. In some instances, these groups have targeted geopolitical rivals of Russia, turning their criminal enterprises into activities that serve broader strategic objectives.

One theory to explain this relationship is the "protection racket" hypothesis, where the state offers these cybercrime gangs a degree of protection from prosecution in exchange for services. This arrangement allows the state to leverage the existing capabilities of these gangs for strategic purposes, such as cyber espionage or even sabotage, without having to invest in developing these capabilities themselves.

Other examples include:

Ardit Ferizi, a hacker from Kosovo, provided the Islamic State with personal information of U.S. military personnel. Ferizi was not a sophisticated actor but was leveraged by a more organized and well-resourced entity (ISIS) for a strategic objective. His case is a prime example of how RPTs can be co-opted by larger organizations or states for specific goals. Ferizi was eventually arrested and extradited to the United States, where he faced charges for his activities.

During the Russo-Ukrainian conflict, pro-Ukrainian groups like the Ukrainian IT Army, Belarusian Cyber Partisans, and the Ukrainian Cyber Alliance have engaged in activities against Russian targets. These groups are not as advanced as state-sponsored APTs but have been (allegedly) effective in their objectives, such as leaking sensitive information. There is speculation that these groups have received some level of state support, making them an example of RPTs being leveraged for state objectives.

Susceptibility to HUMINT Operations

One of the most intriguing characteristics of RPTs is their susceptibility to HUMINT operations. Given their diverse motivations and less formalized operational structures, RPTs become prime targets for intelligence agencies. The MICE model suggests that individuals are motivated by Money, Ideology, Coercion, or Ego. RPTs, with their diverse motivations, are susceptible to at least one of these factors. For instance, financially motivated RPTs could be enticed with monetary rewards, while ideologically driven RPTs could be co-opted through shared objectives or causes. The FOG model, which focuses on Fear, Obligation, and Guilt, can also be applied. States could instill fear of repercussions, create a sense of obligation through shared goals, or induce guilt to compel RPTs to collaborate.

               +------------------------------------------------------+
               |  HUMINT RECRUITMENT CYCLE                            |
               +--------+----------+-----------+-----------+----------+
               |  SPOT  >  ASSESS  >  DEVELOP  >  RECRUIT  >  HANDLE  |
               +--------+----------+-----------+-----------+----------+

There are two additional techniques that could prove to be of value:

The "dangling" technique involves an intelligence officer posing as a like-minded individual or as someone who can offer something of value to the target. The objective is to attract the target into a relationship that can then be exploited for intelligence-gathering or operational purposes. In the context of RPTs, an intelligence officer could pose as another cyber actor who shares the same ideological beliefs or financial motivations. Once trust is established, the RPT could be persuaded to collaborate on joint operations which, in reality, serve the strategic objectives of the state conducting the dangling operation.

In "false-flag recruitment," the intelligence officer poses as a representative from an organization or cause that the target already supports or believes they are working for. The objective is to mislead the target into providing intelligence or operational support. For RPTs, this could mean an intelligence officer posing as a member of a hacktivist group or another state's cyber unit. Given that RPTs often have diverse motivations and may not be as well-versed in counterintelligence techniques, they could be more susceptible to false-flag operations.

Both dangling and false-flag recruitment offer states a dual advantage. First, they allow for the recruitment of RPTs without exposing state involvement, maintaining a level of plausible deniability. Second, these techniques can be tailored to the specific motivations of the RPT, whether it's ideology, money, or some other factor, thereby increasing the likelihood of successful recruitment.

Conclusions

The use of RPTs offers states a cost-effective and low-risk option to achieve specific cyber objectives. It also presents a unique challenge for defense and attribution, as these groups blur the lines between criminal actors and state-sponsored activities. This relationship underscores the need for a more nuanced understanding of the cyber threat landscape, where non-state and state actors can exist on a continuum rather than in distinct categories.

Article 002 - Framework for Assessing RPT's Technical Sophistication (F.A.R.T.S)