Original article published on the Irregular Warfare Initiative's website.
Editor’s note: This article is part of Project Proxies and Partners, which explores the promises and pitfalls of security cooperation in war, at peace, and in between. We invite you to contribute to the discussion, explore the difficult questions, and help influence the future of proxies and partners. Please contact us if you would like to propose an article, podcast, or event.
In September 2001, operatives for Procter & Gamble were caught diving in dumpsters outside a Unilever facility in Chicago in search of documents and other discarded items containing confidential information about Unilever’s hair care products business. To avoid litigation and the negative publicity that often accompanies such disputes, the companies quietly reached a negotiated settlement where Procter & Gamble agreed to not use any of the information obtained. This early example illustrates the ongoing vulnerability companies face regarding data security. In today’s corporate environment where digital data storage is the norm, companies now have to be wary of not only paper documents but also discarded storage devices like hard drives, USBs, and even old office equipment that might store digital data.
Companies also have to worry about the increasing trend of nation-state-backed hackers trying to infiltrate corporate networks. This is part of a worrying shift in state-sponsored espionage from traditional intelligence gathering primarily targeted toward military and political secrets to the targeting of information held by private firms and other commercial enterprises that perform research and produce innovation critical to national economic growth and prosperity. Perpetrators often aim to use this information to leapfrog rivals’ technological advancements and to gain a competitive edge in the global marketplace. This is emblematic of modern interstate conflict, where the lines between economic, military, and political rivalry are blurred.
In this article, I aim to highlight the rising tendency of states to engage in cyber economic espionage and how cyber proxies—hackers for hire—are playing an increasingly central role in these efforts. Two brief examples illustrate this trend.
In 2017, APT10—a Chinese state-sponsored cyber proxy group believed to be linked to China’s Ministry of State Security—conducted a massive espionage operation dubbed Operation Cloud Hopper. This group is an example of what are known as Advanced Persistent Threat (APT) groups—hackers that engage in prolonged and targeted cyber campaigns against specific entities such as government agencies, companies, or other strategically important targets to steal information, disrupt operations, or spy on activities. In the Cloud Hopper operation, the group targeted managed service providers (MSPs)—companies that manage IT services for multiple businesses. The techniques used included spear-phishing to gain initial access, followed by the deployment of various malware tools to establish persistence and facilitate the exploration and extraction of valuable data.
The operation, distinctive in its scale and focus on commercial secrets rather than traditional military or political intelligence, was global, affecting countries across Asia, Europe, and North America. It spanned a wide range of industries including technology, telecommunications, and pharmaceutical companies. Targeting such a diverse array of industries highlights the strategic nature of the campaign and its aim to gain economic advantages through the theft of trade secrets and other sensitive corporate information.
The SolarWinds hack, identified in late 2020, is another significant incident that, although primarily seen as an intelligence-gathering operation, had substantial implications for economic espionage. This sophisticated attack involved the insertion of malicious code into the software updates of SolarWinds’ Orion platform, a widely used network management tool. Believed to be conducted by Russian intelligence services, this campaign compromised the systems of numerous US government agencies, top enterprises, and technology firms, allowing the attackers to spy on business activities and potentially steal valuable corporate and technology secrets. The breach not only exposed vast amounts of sensitive information but also revealed vulnerabilities in the software supply chain.
The Strategic Use of Cyber Proxies
These high-profile incidents raise important questions about why states choose to use proxy hackers for such operations. Academic researchers who have wrestled with this question suggest that states often use cyber proxies because it allows them to leverage specialized skills, expertise, tools, and capabilities that the proxies have but which might be missing from state intelligence agencies or are prohibitively expensive to develop in-house. The activities of cyber proxies tend to fall in the gray areas of international law and politics, which makes them very appealing to states that want to reap the benefits of the proxy’s activities while avoiding responsibility if the activities are discovered.
For instance, despite suspicions and probable cause, the lack of concrete, publicly-disclosed evidence explicitly linking China and Russia to the Cloud Hopper and SolarWinds operations respectively allowed them to deny involvement, thereby avoiding international sanctions, retaliatory cyberattacks, and other diplomatic consequences. Even when criminal indictments are issued for cyber espionage operations, they typically target individual hackers or the organizations directly involved, rather than the states that sponsor them. This separation enables the state sponsors to maintain a façade of non-involvement and continue their cyber operations under the veil of secrecy.
Proxies also serve another very important function: they can help states hide their true cyber capabilities from their adversaries. Even if state intelligence agencies have the necessary tools, capabilities, and personnel to successfully execute a cyber operation, it might still be beneficial to use cyber proxies so that adversaries do not become aware of these capabilities.
This is an important benefit for states that wish to maintain strategic ambiguity in cyberspace as norms in the cyber realm continue to develop. For example, Fancy Bear—a cyber proxy affiliated with Russian military intelligence (GRU) that uses sophisticated tactics and techniques—has been concretely linked to the hacking of the Democratic National Committee (DNC) during the 2016 US presidential election. However, direct attribution to the GRU remains circumstantial rather than definitive. This potentially allows the GRU to mask its true cyber capabilities.
How States Manage Their Cyber Proxies
States employ a variety of models in their relations with their cyber proxies. For example, the United States uses nontraditional cyber proxies such as defense contractors and security companies like Lockheed Martin and BAE Systems, whose software products, personnel, and services are often employed in the infiltration, degradation, or destruction of adversary computer systems. It maintains a close relationship with these proxies, allowing for strict oversight and control over their targeting choices and operational techniques. Conversely, countries like Iran and Syria tend to maintain more operational distance from their proxies, offering material and ideological backing in exchange for the proxies’ commitment to targeting designated firms, political foes, and other entities.
Russia maintains an even larger separation from its proxies, often refraining from direct guidance and allowing them free rein regarding targets and methods. In many cases, the only link between the proxy and Russian authorities is that they willingly turn a blind eye to the activities of the proxy despite having the capacity to crack down. This raises the intriguing possibility that some of these hacker groups may be acting as proxies of the Russian state without even being aware of it.
Putin and senior Kremlin officials frequently express admiration for these “patriotic” hackers while denying any knowledge of their activities. Putin has asserted that “Hackers are free people, like artists … ” so if they are patriotically minded will “ … do what they see as their part to fight Russia’s enemies.” In this way, the Russian government can deny knowledge of these proxies while reaping the benefits of their activities without admitting the involvement of government agencies.
Traditional Intelligence vs Economic Espionage
Regardless of whether states use government agents or proxy hackers for cyber operations, the logic that once guided traditional espionage—where information flowed from those who had it to those who needed it—does not appear to apply when it comes to economic espionage. In a recently published research paper, I show that contrary to earlier beliefs, countries with similar economic structures and technological capabilities are more likely to engage in economic espionage against each other (as opposed to those with dissimilar structures and capabilities). The reason? The stolen information is more applicable and immediately beneficial to the perpetrator. For example, it is of little use to steal technology to manufacture solar panels if you do not have factories and a technically capable workforce that can profitably leverage that information.
By focusing on rivals with similar economic structures and technological capabilities, perpetrators can refine their competitive strategies and enhance their own industrial and technological bases. Importantly, this strategy is less about filling gaps in knowledge and more about advancing in an already closely contested field. This dynamic has a profound policy implication for the likely future of interstate conflict: as states continue to develop and closely guard their technological innovations, the arena of interstate rivalry is likely to shift increasingly towards more covert forms of conflict.
This evolution suggests that except in a few instances, traditional forms of diplomacy and military confrontation may give way to an irregular warfare landscape where subterfuge and indirect aggression increasingly become the norm. In particular, states with similar economic and technological capabilities will increasingly find themselves not only competitors in the global marketplace but also clandestine rivals in a continuous struggle for technological supremacy. This scenario necessitates a reevaluation of national security strategies to prioritize cybersecurity and intelligence in anticipation of these less overt, but equally impactful forms of conflict.
In addition, diplomatic relations will likely become more complicated, as states may publicly adhere to norms of peaceful coexistence and cooperation while privately engaging in aggressive cyber operations. This combination of open cooperation with covert aggressive cyber tactics can strain international trust and cooperation, potentially leading to a more fragmented international system where states are increasingly wary of their counterparts’ intentions.
Confronting Economic Espionage and the Use of Cyber Proxies
If the United States is to respond effectively to the emerging risk posed by the use of state-sponsored cyber proxies, it needs a better understanding of how to mitigate their use and activities. In a research paper, I gathered new data on over 100 hacker groups around the world and their state sponsors to examine which accountability mechanisms are effective in mitigating the use of cyber proxies. My research indicates that the use of proxies is rare in states that have robust domestic accountability mechanisms. This is particularly true in countries where citizens can hold their elected leaders accountable for actions carried out by cyber proxies through vertical accountability mechanisms such as elections and other democratic practices. In contrast, trying to curb the use of cyber proxies using horizontal accountability mechanisms such as congressional and regulatory oversight bodies is significantly less effective.
These insights have important policy implications aimed at addressing the issue of cyber proxies. Firstly, they suggest that pressure from citizens and civil society organizations could be effective in reducing reliance on cyber proxies in countries where vertical accountability structures are effective. One practical way to implement this is to increase the number of attributions of cyber operations to proxies and their state sponsors. The act of attributing cyber attacks to state sponsors, even when the evidence is not concrete, could prompt pressure from citizens and civil society groups for governments to desist from such operations, potentially deterring future attacks.
Additionally, my findings imply that reliance on policies that predominantly aim to combat the use of cyber proxies through regulatory and other state oversight mechanisms are ineffective. For instance, despite numerous international agreements aimed at curbing state-sponsored cyber activities like the 2015 agreement between the United States and China to refrain from cyber-enabled theft of intellectual property for commercial advantages, activities attributed to Chinese state-sponsored actors have continued unabated.
With regard to economic espionage, my research holds important lessons for US national cybersecurity policy. For example, the current US National Cyber Strategy emphasizes building a resilient cyber infrastructure, deterring adversaries, and promoting American prosperity by fostering a secure cyberspace that supports US national interests and economic growth. While the strategy recognizes the importance of international cooperation, it primarily focuses on deterring adversarial actions through strength. It does not sufficiently capitalize on the important finding that the primary economic espionage threats are likely to come from nations with similar technological advancements and economic profiles. This includes perennial rivals China and Russia but also allies like France, Germany, and Britain. Given the tendency for similar economies to target each other in economic espionage activities, the US could refine its strategy by fostering deeper, more targeted intelligence-sharing partnerships with countries that are at similar levels of technological and economic development.
As technological advancements reshape the contours of international relations, understanding the strategic calculations that drive states to engage in cyber economic espionage and to use proxies is increasingly crucial. This is important not only to secure states’ economic interests but also to preserve international peace and stability in an increasingly interconnected world.
William Akoto is an Assistant Professor of Global Security in the Department of Foreign Policy & Global Security at American University’s School of International Service. His research is primarily focused on examining how states leverage cyber and other emerging technologies in the pursuit of national security objectives. Details of his past, current, and forthcoming research projects are available on his website at willakoto.com.
The views expressed are those of the author(s) and do not reflect the official position of the Irregular Warfare Initiative, Princeton University’s Empirical Studies of Conflict Project, the Modern War Institute at West Point, or the United States Government.
If you value reading the Irregular Warfare Initiative, please consider supporting our work. And for the best gear, check out the IWI store for mugs, coasters, apparel, and other items.