Russia, China, Iran and North Korea: These four nations come up often when discussing the top threats facing the United States. These nations also possess advanced cyber capabilities, which are used for achieving a competitive economic advantage, sowing discord, raising money and a whole host of other reasons.

Kevin Mandia, CEO at cybersecurity firm FireEye, broke down these threats and the tactics of each nation in cyberspace during an August 15 keynote at DoDIIS Worldwide 2017 in St. Louis.


Mandia explained that he first responded to a Chinese-attributed breach back in the late 1990s while he was still in the military. The breach occurred at a university. While China’s hacking was not new, per se, Mandia said he discovered for the first time that China had a division of labor among their hackers.

Hackers, he said, were using a still-active account from a former Chinese foreign national who attended the university. The hackers logged in and validated the user ID and passphrase. This process continued as the hackers moved from one user ID to the next once one was compromised. All the user IDs and passphrases were different, Mandia said, meaning they had division of labor in which one set of hackers would test the accounts and another team would to go in and steal things based on the access.

China has since changed dramatically, he said.

Mandia said they were locked into China from about 2004 to 2015 observing over 80 companies compromised in the U.S. every month by military units or contractors in China.

However, since the infamous agreement minted between the Obama administration and the Chinese government not to steal economic information from private companies, Mandia said Chinese-attributed breaches among the private sector is down from 80 a month to under five based on the infrastructure they’re observing the Chinese on.


Russia is a different story, Mandia said.

Harkening back to his time in the military, Mandia said Russia’s modus operandi was if they were caught — and if one is any good in cyberspace, they can tell when they’ve been caught on someone else’s network — they would leave, preventing any observation of their behavior.

The Russians followed these rules of engagements for two decades, Mandia said, but four things changed between 2015 and 2016 in their behavior.

First, they stopped disappearing once discovered. Responding to a breach at a government agency in August 2015, Mandia said he was surprised they didn’t leave. The Russians knew they were being watched as the cyber first responders were installing software.

The Russians also seemed to be mathematical with their malware placement using a different type on every 10th machine.

Second, the Russians stopped doing counter forensics. Mandia couldn’t say why they stopped, but offered conjecture that they started on a scale where it wasn’t sustainable, adding that counter forensics is a manual process involving deleting a directory on the infected system that houses their tools and other materials.

Third, the Russians broadened their targeting. Two groups in particular started to compromise professors on college campuses stealing emails of those known to be anti-Putin. Mandia said he’d seen the Chinese do this but he felt the Russians usually played fair in espionage stealing intellectual property for weapon systems but always doing it in a way that was .mil v. .mil or .gov v. .gov. This new behavior was a change in the game for the Russians, he added.

Fourth, they began doxing or stealing documents and leaking them. While the Russians were doing this in 2014 in European elections, this was a new tactic in 2016 against the U.S.

Similarly, Mandia noted how the free press in the U.S. puts it at a disadvantage to respond tit for tat against Russian hacking and meddling in the election. U.S. journalists cover high-profile hacks and doxes, reading emails, publishing materials and spreading it.

“If we hacked Putin’s email and posted it, what do you think would happen to him? Nothing. It’s totally asymmetrical,” Mandia said.

Lastly on Russia, he noted that the infrastructure the Russian government uses to attack U.S. companies and other nations happens to be a shared infrastructure with Russian criminals making attribution very frustrating.

North Korea

North Korea is hard to predict and their infrastructure is much smaller than China’s or Russia’s, Mandia said.

Expounding on North Korea’s unpredictability and bizarre tactics, he noted telltale signs that they were behind the SWIFT global financial messaging system breaches recently, but their behavior to make money is different from other breaches such as the Sony Pictures hack.

Mandia noted that he doesn’t think there are any rogue hackers in North Korea that might muddy the attribution waters as he estimates only seven or eight IP address in the entire country.


Iran has increasingly stepped up its game in the cyber world. Mandia said the first time he responded to them was 2008 after he had left the government for the private sector and he didn’t even know it was the Iranians. Some of his connections still in the government tipped him off that they were engaged with the Iranians, adding Iran was not very good back in 2008.

They’re a lot better now, he said, as they’ve had years of operational experience and showing signs of real cyber capability.


Mandia also threw in Vietnam, explaining that FireEye has exposed 13 different breaches attributed to the Vietnamese government. These cases highlight the asymmetry in cyberspace as a nation like Vietnam can get in the game.

There’s nothing simple about the breaches they’re doing, he said. They’re showing good language skills, good spear-phishing skills and good malware skills.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In DoDIIS