SC-114: Harvest-Now-Decrypt-Later Quantum Attack
Operation PATIENT CIPHER
- Actor type: Nation-state (suspected APT-SAPPHIRE, synthetic designation)
- Dwell time: 428 days of passive capture
- Primary impact: 14 months of encrypted traffic archived for future cryptanalytically relevant quantum computer (CRQC) decryption -- estimated 2.8 TB captured, including 47 long-lived signing keys, 12,000+ OAuth refresh tokens, executive email
- Detection source: Anomalous cross-border fiber tap discovered during colocation facility audit
- Status: Active mitigation -- PQ migration underway
Executive Summary
PATIENT CIPHER is a harvest-now-decrypt-later (HNDL) operation. The adversary does not need to decrypt today. They only need to store today what they intend to decrypt in 5-15 years when cryptographically relevant quantum computers can break RSA-2048 and ECC P-256 via Shor's algorithm.
Between 2024-12-01 and 2026-02-01, APT-SAPPHIRE operated a passive tap on an IXP-adjacent fiber link serving corp.example.com. They captured:
- TLS 1.2 handshakes where ephemeral keys were not enforced (ECDHE fallback to RSA key exchange in 11% of sessions).
- IKEv2 VPN handshakes using DH Group 14 (2048-bit MODP).
- SSH handshakes to jump hosts using RSA-2048 host keys unchanged since 2018.
- Long-lived encrypted payloads: S/MIME email, encrypted backups in transit, code-signing artifacts.
The HNDL threat model
The attacker's patience is the attack. No intrusion detection system alerts on passive optical taps. No SIEM query flags traffic that was never decrypted. Detection requires physical layer awareness, crypto-agility telemetry, and threat modeling that assumes tomorrow's quantum adversary.
Environment
| Asset | Value |
|---|---|
| Target tenant | corp.example.com |
| External TLS terminator | edge.corp.example.com (203.0.113.10) |
| VPN concentrator | vpn.corp.example.com (203.0.113.12) |
| Executive mail gateway | mx1.corp.example.com (203.0.113.14) |
| Code-signing service | sign.corp.example.com (203.0.113.16) |
| Colocation facility | ix-east.example |
| Tap location (adversary) | upstream peer fiber at ix-east.example |
| Capture volume | 2.8 TB (pcap + extracted ciphertext) |
ATT&CK Mapping
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Collection | Adversary-in-the-Middle | T1557 | Passive optical tap at IXP |
| Discovery | Network Sniffing | T1040 | 14 months of captured TLS/IKE/SSH handshakes |
| Collection | Data from Local System | T1005 | Extracted ciphertext from capture archives |
| Resource Development | Acquire Infrastructure: Physical | T1583.008 | Lawful intercept hardware placement |
| Defense Evasion | Impair Defenses: Impair Command History Logging | T1562.003 | Passive -- no endpoint logs generated |
| Collection | Archive Collected Data | T1560 | 2.8 TB stored to offline media for future decryption |
Timeline
Phase 1 -- Infrastructure Acquisition (2024-11-04 to 2024-11-28)
- 2024-11-04 -- APT-SAPPHIRE front company "Meridian Optics LLC" signs colocation contract at ix-east.example under cover of research project.
- 2024-11-19 -- Passive optical splitter installed on fiber serving corp.example.com edge. Split ratio 95:5, insertion loss 0.4 dB, below OTDR detection threshold of the target's optical monitoring baseline.
- 2024-11-28 -- Capture hardware activated. First 72 hours are calibration only.
Phase 2 -- Sustained Capture (2024-12-01 to 2026-02-01)
- 2024-12-01 00:00 UTC -- Full capture begins. 14 months continuous.
- Q1 2025 -- Weekly rotation of capture media to offline archive via diplomatic pouch channel.
- 2025-06-15 -- Target rotates edge certificates (annual). APT-SAPPHIRE captures the rollover, including CSR transmission.
- 2025-09-02 -- Target completes partial TLS 1.3 migration on public-facing services. Internal VPN and mail still on TLS 1.2 / IKEv2 with non-PQ groups.
- 2025-11-14 -- Target enables HSTS and certificate transparency monitoring. No impact on passive adversary.
Why HSTS and CT did not help
HSTS prevents downgrade at the client. CT detects rogue certificate issuance. Neither addresses a passive adversary who simply records the legitimate handshake and ciphertext.
Phase 3 -- Targeted Boost Operations (2025-10 to 2026-01)
During executive travel windows, APT-SAPPHIRE performed bandwidth-priority capture:
| Window | Target | Captured |
|---|---|---|
| 2025-10-12 to 10-19 | CFO board prep | 11 GB mail, 3 signing operations |
| 2025-11-03 to 11-05 | M&A diligence | 47 GB TLS to dataroom.example |
| 2026-01-18 to 01-24 | CEO APAC travel | 22 GB VPN |
Phase 4 -- Discovery (2026-02-01)
- 2026-02-01 09:40 UTC -- IX facility performs 18-month physical audit. Technician notices unlabeled patch panel with cable routing inconsistent with documented lease.
- 2026-02-01 11:22 UTC -- OTDR trace on the fiber in question shows anomalous back-reflection signature consistent with a passive splitter.
- 2026-02-02 03:00 UTC -- Facility quietly isolates the splitter. Hardware preserved. FBI and affected tenants notified.
- 2026-02-02 08:00 UTC -- corp.example.com begins emergency cryptographic incident response.
Detection Queries
KQL -- TLS handshakes with RSA key exchange (quantum-vulnerable)
```kql
NetworkHandshakeLog
| where TimeGenerated > ago(30d)
| where Protocol == "TLS"
// TLS_RSA_* suites use static RSA key exchange. Matching "_RSA_WITH_" would also
// flag ECDHE_RSA and DHE_RSA suites, where RSA only authenticates the server.
| where CipherSuite startswith "TLS_RSA_"
| extend QuantumVulnerable = true
| summarize SessionCount = count(),
            UniqueClients = dcount(ClientIp),
            SampleClients = make_set(ClientIp, 10)
    by ServerName, CipherSuite
| where SessionCount > 0
| order by SessionCount desc
```
KQL -- IKEv2 negotiations with non-PQ DH groups
```kql
VpnHandshakeLog
| where TimeGenerated > ago(14d)
| where Protocol in ("IKEv2", "IKEv1")
// IANA groups 31-33 are classical (31 = Curve25519, 32 = Curve448), so only the
// ML-KEM label counts as post-quantum here.
| extend IsPostQuantum = iff(DHGroup in ("kyber-ml-kem"), true, false)
| extend IsWeakGroup = iff(DHGroup in ("1", "2", "5", "14"), true, false)
| summarize Sessions = count(),
            WeakSessions = countif(IsWeakGroup),
            PQSessions = countif(IsPostQuantum)
    by Concentrator, bin(TimeGenerated, 1d)
| extend WeakPercent = todouble(WeakSessions) * 100.0 / Sessions
| where WeakPercent > 0
| order by WeakPercent desc
```
SPL -- Long-lived certificates approaching HNDL risk threshold
```spl
index=pki sourcetype=certificate:inventory
| eval age_days = (now() - strptime(not_before, "%Y-%m-%dT%H:%M:%SZ"))/86400
| eval remaining_days = (strptime(not_after, "%Y-%m-%dT%H:%M:%SZ") - now())/86400
| eval hndl_risk = case(
    key_algo=="RSA" AND key_size<3072 AND remaining_days>365, "HIGH",
    key_algo=="ECDSA" AND key_size<384 AND remaining_days>365, "HIGH",
    key_algo=="RSA" AND key_size<3072, "MEDIUM",
    1==1, "LOW")
| where hndl_risk IN ("HIGH", "MEDIUM")
| table subject issuer key_algo key_size age_days remaining_days hndl_risk
| sort - remaining_days
```
SPL -- Passive tap physical anomaly (optical link budget)
```spl
index=network sourcetype=optical:otdr
| stats latest(insertion_loss_db) as current_loss
        earliest(insertion_loss_db) as baseline_loss
    by link_id
| eval loss_delta = current_loss - baseline_loss
| where loss_delta > 0.3
| lookup link_inventory link_id OUTPUT facility carrier tenant
| table link_id facility carrier tenant baseline_loss current_loss loss_delta
```
Indicators of Compromise
Physical and cryptographic IOCs
Unlike most scenarios, PATIENT CIPHER has limited digital IOCs because the primary attack surface is physical.
Physical IOCs
| Indicator | Description |
|---|---|
| Passive optical splitter | 95:5 split, insertion loss 0.4 dB, unmarked |
| Patch panel | Cable routing from cage 4B-17 not on facility floor plan |
| Shell company | "Meridian Optics LLC" -- registered 2024-10-01, no prior operations |
Synthetic cryptographic IOCs
- TLS sessions using `TLS_RSA_WITH_AES_128_GCM_SHA256` to edge.corp.example.com (should not occur post-2024 policy).
- IKEv2 proposals accepting DH Group 14 on vpn.corp.example.com.
- S/MIME messages signed with RSA-2048 keys unrotated since 2018.
- SSH host key `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC` (2048-bit) on jumpbox.corp.example.com.
Network IOCs
| Indicator | Value | Notes |
|---|---|---|
| Upstream ASN (benign target) | AS64500 | corp.example.com transit |
| Capture node peer (adversary) | AS64501 | Meridian Optics LLC |
| Adversary staging IP | 198.51.100.88 | Out-of-band management for capture hardware |
Containment and Eradication
Immediate (T+0 to T+72h)
- Rotate every long-lived secret that traversed the capture window:
- All code-signing keys (issue new, revoke old, re-sign artifacts).
- All OAuth refresh tokens older than capture start.
- All VPN pre-shared keys.
- Executive S/MIME keys.
- Revoke and reissue all TLS certificates that were active during capture.
- Assume compromise of every secret encrypted with RSA-2048 or ECC P-256 that traversed the link.
Near-term (T+1w to T+90d)
- Emergency TLS 1.3 enforcement across all services. Disable RSA key exchange.
- IKEv2 PQ hybrid where supported (Kyber + DH hybrid key exchange).
- Certificate lifetime reduction from 365 days to 90 days.
- SSH host key rotation on all jump hosts, with Ed25519 keys.
Long-term (T+90d to T+3y)
- Post-quantum migration. Follow NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA). Prioritize HNDL-exposed services first.
- Crypto-agility infrastructure. Build the capability to swap algorithms without application code changes.
- Physical layer monitoring. Continuous OTDR baseline monitoring on all transit fiber.
Lessons Learned
What failed
- Threat model did not include passive adversaries.
- TLS 1.2 with RSA fallback allowed in 11% of sessions for legacy compatibility.
- Long-lived secrets (code-signing, S/MIME) used quantum-vulnerable algorithms.
- Physical layer assumed trusted; no OTDR baselining.
- No crypto-agility -- algorithm changes required application rewrites.
What worked
- PKI inventory was current, enabling rapid mass-rotation.
- IX facility audit cycle eventually exposed the tap.
- Incident response plan existed for cryptographic emergency.
Recommendations
- Adopt HNDL threat model. Any secret you would not want an adversary to read in 2035 cannot be sent today using RSA-2048 or ECC P-256 without hybrid PQ.
- Mandate ephemeral key exchange. TLS 1.3 only, no RSA kx, no TLS 1.2 fallback.
- Shorten everything. Credential lifetimes, certificate lifetimes, key lifetimes.
- Physical security is cyber security. Fiber path audits belong in SOC scope.
- Crypto-agility is the control. Design for algorithm substitution from day one (see Ch32).
Cross-References
- Ch31 -- Network Security Architecture
- Ch32 -- Cryptography Applied
- Ch24 -- Supply Chain Attacks -- shell company supplier compromise
- SC-094 -- Wireless Evil Twin -- related passive adversary
- SC-101 -- Firmware Supply Chain -- related physical-adjacent attack
Purple Team Exercise Hook
Recommended linked exercise: PT-202 "HNDL Exposure Hunt" -- blue team inventories all secrets with quantum exposure greater than 10 years, red team simulates capture, purple team scores crypto-agility maturity.
Appendix A -- Secret Exposure Tiering
Not every secret deserves the same urgency. Use the following tiering to prioritize PQ migration:
| Tier | Description | Example secrets | Target migration |
|---|---|---|---|
| T1 Critical | Confidentiality must hold for more than 10 years | Classified data, M&A diligence, healthcare genomic data | 12 months |
| T2 High | 3-10 year confidentiality | Executive email, financial records, IP/trade secrets | 18 months |
| T3 Medium | 1-3 year confidentiality | Contract negotiations, HR data | 36 months |
| T4 Low | Minutes to months | Session cookies, ephemeral tokens | 60 months |
NIST and industry forecasts place a CRQC capable of breaking RSA-2048 in the 2030-2040 window. Tier-1 secrets encrypted today with RSA-2048 should be considered effectively already lost.
Appendix B -- Post-Quantum Migration Checklist
Inventory phase
- Enumerate every TLS server and cipher suite policy.
- Enumerate every VPN endpoint and IKE proposal.
- Enumerate every code-signing key, length, algorithm, and rotation age.
- Enumerate every SSH server and host key.
- Enumerate every document-signing key (PDF, S/MIME, CMS).
- Build CBOM (Cryptographic Bill of Materials) per CycloneDX crypto-asset schema.
Policy phase
- Disable RSA key exchange for TLS (require ECDHE at minimum).
- Require TLS 1.3 where feasible.
- Require IKEv2 DH Group 19/20/21 minimum, plan for hybrid PQ.
- Ban new issuance of RSA-2048; require RSA-3072 or ECC P-384 minimum for transition keys.
Deployment phase
- Pilot hybrid PQ (classical + Kyber/ML-KEM) on internal TLS.
- Extend to VPN concentrators.
- Deploy ML-DSA for code signing.
- Monitor interoperability, latency, and size impacts.
Validation phase
- Sweep captured pcaps (synthetic) for any residual quantum-vulnerable handshakes.
- Red-team the environment for crypto downgrade opportunities.
- Re-baseline OTDR signatures on optical links.
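The handshake sweep in the validation phase can be prototyped by classifying the ServerHello of each recorded session. The Python below is an added example, not part of the original scenario or its tooling; the function names and the `CAPTURE` records are constructed for illustration, and the RSA suite set is a subset of the IANA registry.

```python
import struct
from collections import Counter

# Subset of the IANA TLS_RSA_WITH_* code points (static RSA key exchange).
RSA_KX = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
TLS13_SUITES = {0x1301, 0x1302, 0x1303}
# IANA groups SecP256r1MLKEM768, X25519MLKEM768, SecP384r1MLKEM1024.
HYBRID_PQ = {0x11EB, 0x11EC, 0x11ED}

def parse_server_hello(record: bytes):
    """Return (cipher_suite, key_share_group or None) from one TLS record."""
    if len(record) < 47 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 35 + body[34]          # legacy_version, random, session_id
        suite, group = struct.unpack_from("!H", body, pos)[0], None
        pos += 3                     # cipher suite (2) + compression (1)
        if pos < len(body):          # extensions are optional in TLS 1.2
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos < end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                if ext_type == 0x0033:   # key_share: selected group first
                    group = struct.unpack_from("!H", body, pos + 4)[0]
                pos += 4 + ext_len
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ServerHello") from exc
    return suite, group

def hndl_exposure(record: bytes) -> str:
    suite, group = parse_server_hello(record)
    if suite in RSA_KX:
        return "RSA_KX"      # one broken server key opens every archived session
    if suite in TLS13_SUITES and group in HYBRID_PQ:
        return "HYBRID_PQ"   # archived session also requires an ML-KEM break
    return "CLASSICAL"       # e.g. (EC)DHE: each session is still Shor-breakable

def sweep(records):
    return Counter(hndl_exposure(r) for r in records)

def sample(suite, group=None):
    """Constructed ServerHello (not captured traffic); key share is zero-filled."""
    exts = b"" if group is None else struct.pack(
        "!HHHHHHH", 0x002B, 2, 0x0304, 0x0033, 36, group, 32) + bytes(32)
    body = b"\x03\x03" + bytes(33) + struct.pack("!HBH", suite, 0, len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

CAPTURE = [sample(0x009C), sample(0xC02F), sample(0x1301, 0x001D), sample(0x1301, 0x11EC)]  # constructed
```

`sweep(CAPTURE)` counts one `RSA_KX` session (the `TLS_RSA_WITH_AES_128_GCM_SHA256` suite from the IOC list), two `CLASSICAL` sessions and one `HYBRID_PQ` session; only the last class is outside the HNDL exposure this scenario describes.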
Appendix C -- Physical Layer Defense Tactics
- Redundant OTDR probes at fiber entry/exit of critical links.
- Quarterly automated link-budget baselining with 0.2 dB alarm threshold.
- Physical audits of IX colocation cages at 12-month intervals.
- Background check requirements on facility staff with cage access.
- Tamper-evident seals on patch panels and splice enclosures.
- Consider MACsec or IPsec-over-everything to push trust boundary beyond the physical layer.
Scenario classification: Educational -- synthetic nation-state. All names, IPs, ASNs, and credentials are synthetic per Nexus SecOps safety rules.