Computer Network Exploitation
Core Definition (BLUF)
Computer Network Exploitation (CNE) is the intelligence-collection dimension of computer network operations (CNO): the covert, persistent access to and exfiltration of data from target networks and systems. CNE is distinguished from Computer Network Attack (CNA), which disrupts or destroys, and from Computer Network Defence (CND). CNE is the primary instrument of cyber espionage — the theft of classified government documents, intellectual property, diplomatic communications, and personal data on high-value targets. It operates below the threshold of armed conflict, enjoys substantial legal ambiguity, and is the dominant mode of cyber activity by all major intelligence services.
Operational Cycle
CNE operations follow a recognisable lifecycle that mirrors traditional HUMINT case-officer tradecraft:
- Reconnaissance — passive collection on target network topology, personnel (LinkedIn/social engineering), and vulnerabilities (public CVE databases, dark-web broker markets).
- Initial Access — delivery of a foothold via spear-phishing, watering-hole attacks, supply-chain compromise, or exploitation of unpatched public-facing services.
- Persistence — installation of backdoors or webshells, or abuse of legitimate built-in tools (living-off-the-land / LOTL), so that access survives reboots and credential rotations.
- Lateral Movement — expansion across the target network toward high-value assets, often by credential dumping, Active Directory mapping (BloodHound), and abuse of legitimate administrative tools (PsExec, WMI).
- Collection and Exfiltration — staging and compression of target data; exfiltration via encrypted channels (often mimicking legitimate traffic to evade detection).
- Cover and Deniability — use of proxy infrastructure (VPNs, compromised third-party servers, bulletproof hosters) to obscure attribution.
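As an added illustration of how the Persistence and Collection and Exfiltration stages above show up in network telemetry (example code written for this page, not drawn from any of the sources cited below), the following Python flags two defender-side signals in a constructed set of outbound flow records: near-periodic check-in connections whose timing is too regular for human use, and a single bulk upload out of proportion to the host's usual per-destination volume. All hosts, addresses, byte counts and thresholds are constructed and illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since epoch (constructed values)
    src: str        # internal host
    dst: str        # external "ip:port"
    bytes_out: int  # bytes sent by src in this connection


BEACON_DST = "203.0.113.10:443"  # constructed; a TEST-NET-3 address, not a real server

# Constructed sample records: ordinary browsing from two hosts ...
FLOWS = [
    Flow(1000, "10.0.0.5", "198.51.100.1:443", 30_000),
    Flow(1800, "10.0.0.5", "198.51.100.2:443", 45_000),
    Flow(2600, "10.0.0.5", "198.51.100.3:443", 12_000),
    Flow(4000, "10.0.0.5", "198.51.100.1:443", 28_000),
    Flow(1100, "10.0.0.7", "198.51.100.1:443", 20_000),
    Flow(2000, "10.0.0.7", "198.51.100.4:443", 35_000),
    Flow(5000, "10.0.0.7", "198.51.100.4:443", 40_000),
]
# ... plus near-periodic check-ins (~300 s apart, small jitter) from 10.0.0.5
# followed by one large upload to the same destination.
for ts in (1000, 1303, 1598, 1901, 2204, 2497, 2800, 3103):
    FLOWS.append(Flow(ts, "10.0.0.5", BEACON_DST, 900))
FLOWS.append(Flow(3406, "10.0.0.5", BEACON_DST, 250_000_000))


def group_by_pair(flows):
    """Bucket flows by (src, dst); each bucket is sorted by timestamp."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f.src, f.dst)].append(f)
    return {k: sorted(v, key=lambda f: f.ts) for k, v in pairs.items()}


def beaconing_pairs(flows, min_conns=6, max_cv=0.10):
    """(src, dst) pairs whose inter-connection gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections. Thresholds are illustrative defaults,
    not values tuned for any real network.
    """
    hits = []
    for pair, fl in group_by_pair(flows).items():
        if len(fl) < min_conns:
            continue
        gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(pair)
    return sorted(hits)


def exfil_pairs(flows, ratio=20, min_peers=2):
    """(src, dst) pairs where one destination received far more bytes than the
    host's median per-destination volume, i.e. a bulk transfer that is out of
    character for that host. Hosts with fewer than min_peers other destinations
    have no usable baseline and are skipped.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f.src][f.dst] += f.bytes_out
    hits = []
    for src, by_dst in per_src.items():
        for dst, total in by_dst.items():
            peers = [v for d, v in by_dst.items() if d != dst]
            if len(peers) < min_peers:
                continue
            if total > ratio * median(peers):
                hits.append((src, dst))
    return sorted(hits)


def report(flows):
    """Combine both signals into one dict for a triage queue."""
    return {"beaconing": beaconing_pairs(flows), "exfiltration": exfil_pairs(flows)}


if __name__ == "__main__":
    print(report(FLOWS))
```

On the constructed data both checks point at the same (host, destination) pair, which is the corroboration a defender wants before escalating: a regular check-in cadence by itself is often a legitimate update client, and a single large upload by itself is often a backup, but the two together against one external endpoint matches the long-dwell, low-noise pattern the CNE cycle describes. In practice the per-destination baseline would be computed over days of history rather than a handful of flows, and the beacon check would be run on small flows only so that the upload does not distort the timing statistics.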
CNE vs. CNA — The Intelligence-Attack Divide
The CNE/CNA distinction matters for international law, attribution policy, and strategic signalling:
| Dimension | CNE | CNA |
|---|---|---|
| Primary goal | Collect, not destroy | Disrupt, damage, or destroy |
| Legal status | Analogous to traditional espionage (widely practiced, legally ambiguous) | May constitute use of force under Tallinn Manual analysis |
| Attribution calculus | States prefer deniability; attribution is contested | States may claim self-defence or deterrence; higher escalation risk |
| Detection signature | Designed for long dwell-time, low noise | Designed for kinetic effect, often noisier |
| Reversibility | Passive (to the target); data is copied not deleted | Inherently destructive or disruptive |
Assessment (High): major state actors (US, PRC, Russia, Israel, Iran, DPRK) conduct CNE continuously against each other and third parties; norms treating CNE as equivalent to traditional peacetime espionage are broadly observed in practice regardless of rhetoric. The escalatory threshold is CNA that causes significant material damage — the 2014 Sony hack (DPRK) and the 2015 Ukraine power-grid attack (Russia/Sandworm) are canonical CNA cases; the 2015 OPM breach (PRC) and the 2016–2020 SolarWinds supply-chain compromise (Russia/Cozy Bear) are canonical CNE cases.
Major CNE Actors and Attribution
PRC (APT10, APT41, Volt Typhoon et al.): The dominant CNE actor by volume and strategic ambition. Long-term persistent access campaigns targeting US defence contractors, pharmaceutical firms, universities, and government networks. MCF (Military-Civil Fusion) framework integrates PLA, MSS, and contractor-operated APTs into a national collection architecture. Volt Typhoon (2023– ) represents a doctrinal shift from intellectual-property theft toward pre-positioning in critical infrastructure — CNE as preparation for potential CNA.
Russia (Cozy Bear/APT29, Fancy Bear/APT28, Sandworm): Dual-track: APT29 (SVR-linked) runs CNE-focused campaigns (SolarWinds, Microsoft Cloud, TeamViewer); APT28 (GRU-linked) and Sandworm combine CNE with leak operations and CNA, especially against Ukraine and NATO states.
Iran (APT33/34/35, Charming Kitten): CNE focused on regional governments, opposition figures, and Western policy research institutions; increasingly sophisticated since 2015 but still lags PRC and Russia in dwell-time concealment.
DPRK (Lazarus Group, Andariel): Hybrid CNE-CNA actor blending espionage with financially motivated operations (cryptocurrency theft, SWIFT fraud) — uniquely revenue-generating.
Key Connections
- Cyber Warfare — broader domain; CNE is the intelligence-collection sub-function
- Advanced Persistent Threat — actor category dominating CNE operations
- Supply Chain Attack — high-leverage CNE initial-access vector
- Military-Civil Fusion — PRC institutional framework integrating CNE with national strategy
- Cyber Capabilities & Tools — malware and tooling used in CNE operations
- People’s Republic of China — dominant CNE actor
- Russian Federation — primary CNE+CNA dual-track actor
- SIGINT — traditional intelligence-collection parallel; CNE as “digital SIGINT”
Sources
- Mandiant / Google Cloud, M-Trends (annual APT report). Confidence: High for TTPs and actor attribution.
- CISA / NSA / FBI joint advisories on specific APT actors (ongoing). Confidence: High for US government technical attribution.
- Tallinn Manual 2.0 (NATO CCD COE, 2017). Confidence: High for the international-law framework distinguishing CNE, CNA, and use of force.
- FireEye / Mandiant, APT1: Exposing One of China’s Cyber Espionage Units (2013). Confidence: High as landmark public attribution report.
- CISA, “Volt Typhoon” advisory (2023, 2024). Confidence: High for the pre-positioning / critical-infrastructure CNE pattern.