OODA Loop

Understand tomorrow, today.

Front Companies Muddy Already Dark Waters of Hostile Cyber Activity

Archive, OODA Original, Security and Resiliency / by

Recently, the Federal Bureau of Investigation (FBI) published an industry advisory outlining the tactics, techniques, and procedures of Emennet Pasargad, an Iran-based cybersecurity company supporting government organizations to help them defends against this company’s potential hostile activities. Earlier, the Department of Justice (DoJ) charged two Iranian nationals with cyber intrusion, fraud, voter intimidation, interstate threats, and conspiracy, the basis for the FBI’s advisory. The FBI highlighted the tactic of conducting reconnaissance on potential targets, using extensive open-source research for leading businesses in various sectors. While research and reconnaissance are necessary precursors to any attack, using a seemingly legitimate front company provides a level of obfuscation for the actors as well as a plausible explanation of researching an organization, such as to make a potential customer pitch for its services, if confronted.

In addition to the aforementioned Emennet Pasargad incident, the DoJ has indicted several individuals linked to tech-related companies involved in several cyber-enabled infractions. Some of the more prominent ones highlight how front companies were used as a screen while others reveal the actors using the companies as a launching point for their activities. While in all of these incidents, enough evidence was eventually discovered to warrant legal indictment, the fact that in it took considerable time to detect is worrisome and a testament to the success of front companies’ involvement in cyber activities. Notable incidents include but are not limited to:

  • China: In 2021, the DoJ indicted four Chinese nationals working with the Ministry of State Security (MSS) for conducting global computer intrusion campaigns that targeted intellectual property and confidential business research. The DoJ alleged that one individual as part of his duties at the now defunct cybersecurity company Hainan Xiandun created malware, conducted intrusion operations, and supervised other company hackers.
  • China: According to one source that investigated Chinese tech companies, throughout the course of its research it found that science and technology companies Boyusec, Huaying Haitai, Antorsoft were fronts for Chinese MSS-sponsored APT activity.
  • China: In 2020, the DoJ indicted three Chinese nationals linked to APT 41 for a series of more than 100 worldwide computer intrusions against public and private organizations. The three individuals worked for Chengdu 404 Network Technology, a front company operation supervised by Chinese officials. The group’s activities have been tracked back as far as 2012, according to one cybersecurity company.
  • China: In 2018, the DoJ indicted a Chinese government-owned company (Fujian Jinhua Integrated Circuit, Co., Ltd, – “Jinhua”.), a Taiwan company (United Microelectronics Corporation), and three Taiwanese individuals for conspiracy to steal trade secrets of an American semiconductor company for the benefit of the state-owned and operated Jinhua.
  • Iran: In 2018, the DoJ indicted nine Iranian individuals working at the Mabna Institute for stealing more than 31 terabytes of academic data and intellectual property on behalf of the Iran’s Islamic Revolutionary Guard Corps. Per the indictment, since at least 2013 these actors conducted a coordinated campaign of cyber intrusions from the Mabna Institute into 144 U.S. universities, 176 worldwide universities, and 47 private sector companies.
  • North Korea: In 2018, the DoJ indicted a North Korean programmer for his involvement in a conspiracy to execute disruptive cyber attacks around the world that resulted in a substantial amount of damage and data loss. The individual was a member of a North Korean government-sponsored hacking team and employed at the North Korea front company Chosun Expo Joint Venture. The Department of Treasure’s Office of Foreign Assets Control also sanctioned the company for its involvement in nefarious activities.
  • Russia: In 2018, the DoJ indicted the Russian-government backed Internet Research Agency for its involvement in sowing discord and spreading disinformation during the 2016 U.S. Presidential election. Per the indictment, the IRA initiated activities in support of its targeting of the elections via influence and disinformation on social media platforms as early as 2014.

The use of front companies to support a nation state’s intelligence interests is not a novel concept, as corporate espionage has been around since at least the 1700s, according to one source. Over the years, front companies have proven pivotal to use as platforms from which to spy on hostile and friendly governments. Cyberspace has further enabled the use of front companies to commit all types of cyber malfeasance. Even if an existing company is not used, building a corporate presence on the Internet is relatively easy, legitimized with social media platforms, followers, and online networking. A prominent global professional social network liked LinkedIn is a goldmine for state activity acting through fake and legitimate profiles seeking to develop sources and/or establish business relations that can be exploited for later gain.

While intelligence agencies will undoubtedly continue to leverage front companies to support intelligence operations, cyberspace has lowered the bar for the creation of such entities to do just that. One reason for this is that the tech boon has made it relatively simple for new and previously unknown computer company startups to suddenly appear. There is a ravenous appetite for new and advanced technology capabilities from both the private and public sector alike creating opportunities for states or enterprising companies to use these fronts for not-so-above-board purposes. After all, the best front company would be one that is able to show a genuine track record, using its legitimacy to obfuscate its nefarious activities on the side. If caught, the company could assign blame to rogue individuals moonlighting for their own profit.

What’s clear is that cyberspace’s “gray” world is close to surpassing “white” and “black” counterparts. This may explain more incidents where companies are selling services and products that often walk the fine line of being legitimate but could be used adversely depending on the customer’s intent. It would also make attributing these activities to a particular government even more difficult. The case of Su Bin is a prime example of an espionage group stealing information and looking for a buyer rather than being directed by a customer. In this case, Su Bin was involved in a “years-long” conspiracy to hack into major U.S. defense contractors using his company set up to serve the aviation market as a front to help identify valuable military aviation technology. While the information stolen was sold to China, it would have easily been valuable to other adversarial and friendly nations, as well.

While setting up front companies has become easier in cyberspace, sloppy mistakes can raise red flags. Take for example, the situation with Haidan Xiandun. It incorporated in 2011 with registered capital and actively recruited technological talent, promoting itself as a “fast-growing high-tech information security company.” Yet the company’s address had no website, and the address was a floor at the library, and shared the same registrant as a handful of other companies in the Hainan province. Unsurprisingly, Haidan quickly disbanded before the DoJ indictment.

We shouldn’t count on the same mistakes being made particularly as state-driven cyberspace activities continue to refine themselves. The aggressive cybersecurity market and cybersecurity vendors surveilling the global scene has helped raise awareness on nation state threats. It has also forced states to re-examine how they operate, which will likely lead to improved operational security practices. This will include how front companies are set up and used, particularly if they divvy their activities between legitimate, state-driven, and entrepreneurial. Just when organizations think that attribution has become easier, the dark waters of cyberspace have only become further muddied.

Related Reading

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community

About Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.