In the field of cyberspace operations, most attack or exploitation operations are remote, i.e. they are carried out using technologies that allow the hostile actor not to be physically close to its target: access via VPN, a malicious email or link that installs an implant in the victim, a remote vulnerability that is successfully exploited, etc. But a small percentage of operations require a physical approach between the hostile actor and its target: these are proximity operations, also called Sneaker Operations or CACO (Close Access Cyberspace Operations).
When not everything was connected to the Internet, proximity operations were almost the only way to access the target’s systems or information; to steal information you had to place a bug or a camera by sneaking into a building at night, modifying a supply chain or placing yourself in a building across the street from the target’s premises, to give a few examples. Some of the signals intelligence acquisition actions required this proximity, and this proximity obviously implied a significant risk of being neutralized, with all the implications that this neutralization can have. Some well-known examples of proximity operations for signals intelligence acquisition involve (allegedly) the French DGSE implanting bugs in the business seats of Air France flights between Paris and New York, the Soviets (allegedly) giving a Great Seal with an implant to the US ambassador to the USSR, or Germans and Americans (allegedly) manipulating Crypto AG cipher devices in Operation Rubicon.
But there comes a time when so many things are connected to the Internet that complete attack or exploitation operations can be carried out over the network, remotely, without physically exposing the actor to being neutralized – or at least exposing it less. For this reason, proximity operations are losing prominence to remote operations, which are now by far the most common kind in the cyber field. Among many other benefits, remote operations entail fewer risks for the actor executing them and, as we have said, in most cases they meet their objectives.
However, in some cases remote operations are unlikely to be successful, are excessively complex or simply cannot be addressed from a technical point of view. It is in these cases that proximity operations can come into play. As we have said, proximity operations are those that require physical proximity to the target. The proximity can be human, through an operator, or mechanical, through a device that physically approaches the target, such as a UXV.
Compared to remote operations, proximity operations have hardly been analyzed by industry or the scientific community. There is hardly any technical literature describing or discussing them, and of course the information that intelligence services release (voluntarily) about their capabilities is nil. However, it is public knowledge – thanks to the Snowden documents – that the US NSA has capabilities to conduct proximity cyber operations (e.g., COTTONMOUTH or HOWLERMONKEY require some proximity to be implanted), that it executes such operations (e.g., through the TAREX program), and that it collaborates with other agencies in the US intelligence community to conduct them (e.g., within the Sentry Osprey program or through the Special Collection Service).
And if publicly available information about proximity capabilities in cyberspace is scarce, information about the proximity operations themselves is even scarcer. The only such operation to have come to light is the one conducted by the Russian GRU in The Hague in 2018 against the Organisation for the Prohibition of Chemical Weapons (OPCW). That operation was neutralized by Dutch intelligence and its details were publicly exposed by the director of the MIVD.
In addition to intelligence services, groups linked to cybercrime also have proximity capabilities, and provider companies (ourselves included) also offer physical audit services involving proximity actions (what is called a black team). These services are not as common or as in demand as remote ones, but they are necessary at times.
The two elements that define proximity operations in cyberspace are the hostile actor’s approach to its target and the technical device used for the action (bug or implant). The approach has three fundamental characteristics: the relationship between hostile actor and target (intruder or insider), the transport used for the action (human or mechanical) and the point where the engagement is executed (supply chain or operation). For its part, the device also has three fundamental characteristics: the type of implant (hardware, software or no implant), the proximity to the target (direct or close) and the interaction with the target (passive or active). With these six elements we can characterize proximity operations in cyberspace, and also proximity operations aimed at signals intelligence acquisition.
This simple characterization of proximity operations, or of proximity actions in general, is barely contemplated in MITRE ATT&CK, which also places no emphasis on tactics or techniques that can be addressed with proximity actions. MITRE ATT&CK only cites a few specific techniques that involve or may involve proximity: for example, “Hardware Additions” for initial access or “Exfiltration Over Physical Medium” for exfiltration. This lack of focus by the main reference for hostile tactics and techniques (and their countermeasures) may have a logical explanation, namely that it is more likely to be the victim of a remote operation than of a proximity operation. The consequence, however, is that because proximity operations are not referenced in the framework, some organizations will not consider them among their threats and therefore will not deploy safeguards to mitigate them.
To summarize, a proximity operation is, as its name suggests, one that requires a certain proximity between hostile actor and target: a hostile actor accessing the target’s facilities to deploy a router, that same actor breaking into the supply chain to deploy that same router, or that same actor using a UAV to compromise the target’s WiFi… Nowadays we have a very high level of connectivity, which favors the success of remote operations and therefore reduces the number of proximity operations. Nevertheless, they exist, some are publicly known, and different actors (services, criminal groups, companies…) have the capabilities to carry them out when they are judged to be the best option.
Finally, a curiosity about proximity operations: the concept of “proximity” is not defined anywhere (or at least I have not found a definition). What is “proximity”? Direct contact? A meter? A kilometer? Without going into formalisms, we can define “proximity” as the physical distance between a hostile actor and its target at which the target is able to detect or neutralize the hostile actor. Although this distance is usually in the order of meters, with mechanical transport mechanisms, for example a drone, it can be extended to kilometers.