From the article, it sounds like they just looked at old incident reports and said "yup, these two are 'sophisticated,' they could be the NSA/GCHQ."
It's a little disturbing that the "sophisticated" attacks they detected don't really sound all that sophisticated. Is spoofing an email and sending a PDF/Office exploit really considered sophisticated? While it's a step above the most basic script-kiddie type stuff, that isn't unreasonable for even normal pentesting to do, and I wouldn't consider it an indicator of a nation-state attacker at all. Even if the attack was using a 0-day in the attachment viewer, it's not unheard of for malware kits to employ similar techniques.
It definitely says something that those attacks were at least partially successful against systems Gemalto thinks could have resulted in the theft of sensitive crypto keys.
> Is spoofing an email and sending a PDF/Office exploit really considered sophisticated?
Generically, no, but the details can vary widely. If the email looks exactly like an internal email, and appears to come "from" someone the target knows, and the content references processes, info, or idioms common to that company or person, then that would be pretty darn sophisticated. Not technologically (an email is an email, after all), but socially.
From the technology side, the specifics of the exploit, and what the malware tries to do in the PC/network after the spear phish succeeds, can also indicate varying levels of sophistication. If the spear phish contained a zero-day OS exploit (previously unknown vulnerability), that would be pretty darn sophisticated.
I have no knowledge of the particulars of Gemalto--just speaking generally about how a spear phish attempt might be evaluated.
> Is spoofing an email and sending a PDF/Office exploit really considered sophisticated?
Maybe. I'd say a targeted email, using a believable, researched sender address and relevant contents, would be fairly sophisticated. It would certainly be way more effective than the bulk 'please pay this generic invoice' exploits that I get spammed with.
Spear phishing, as it's nicknamed? If something is sophisticated enough to work, don't knock it!
There's no fundamental difference between the basic techniques used by malicious hackers, organised crime, pentesters or nation-state adversaries doing offensive "cyber-operations" (ugh): the only big difference is the budget (time, personnel, money), how likely they are to get away with it, and how aggressive they are.