Boundaries between nation-state and criminal actors more blurred than ever

News by Davey Winder

Criminals are adopting the tools of nation-state actors, calling into question the value of attribution and underscoring the need for an 'any risks' approach to cyber-defense.

Boundaries between cyber-criminals and APTs are becoming blurred (pic: Boris SV/Getty Images)

An analysis of threat activity and behaviour across 4,400 companies by the Secureworks Counter Threat Unit (CTU) has concluded that any assumption that nation-state-sponsored Advanced Persistent Threats (APTs) are 'dimensionally different' from advanced cyber-crime threats is now fundamentally flawed.

In other words, the boundary between nation-state and cyber-criminal actors is increasingly becoming blurred to the point of being so fuzzy as to be almost irrelevant. Or is it?

Researchers compiling the 'State of Cybercrime Report 2018' found that a relatively small subset of professional criminal actors is actually "responsible for the bulk of cyber-crime-related damage" and does so by "employing tools and techniques as sophisticated, targeted and insidious as most nation-state actors".

Indeed, the threat actors responsible for developing SamsamCrypt and BitPaymer, the most impactful ransomware threats analysed by the CTU researchers, were so sophisticated that they retained those tools for their own exclusive and targeted use.

Yet simultaneously, nation-state sponsored actors are increasingly using the same tools and techniques as those cyber-criminals.

For example, an analysis of a GandCrab ransomware campaign against South Korean targets concluded that state-sponsored actors from the Democratic People's Republic of Korea were responsible. As SC Media UK has reported in the past, GandCrab is a malware-as-a-service resource usually associated with the financially motivated criminal threat sector.

Similarly, earlier this year, a threat actor used an access pathway – one that had previously been opened for state espionage use – to deploy a cryptocurrency miner across the same threat environment. Cryptocurrency mining, typically a criminal activity, has also been observed by the Secureworks researchers being used by other state-sponsored espionage groups.

It may be a commonly held belief that the more sophisticated social engineering methodologies, detailed reconnaissance, highly obfuscated malware and highly targeted network intrusions seen in advanced and persistent attacks are the domain of the nation-state actor, but that belief is increasingly being exposed as untrue.

Common cyber sense dictates that the best available tools and techniques to achieve the required attack outcome, be that a nation-state objective or a criminally-minded financial one, will be used regardless of threat actor.

With these boundaries now irrevocably blurred, does it actually matter who the threat actor is? Isn't attribution obsession a threat in and of itself to most organisations if they assume that they are off the state-actor radar?

"Dealing with the impact of any incident is obviously the priority," Mike McLellan, senior security researcher at Secureworks, says. "However, knowing who is attacking you can help understand motivation, which in turn helps you understand things like, is this targeted at me specifically, is the attacker after money or are they after information, and is the attacker likely to have done anything else while they had access to my environment."

By way of example from the report itself, McLellan points to the dropping of a cryptocurrency miner. "If you know that the miner was dropped by a nation-state espionage group, rather than a criminal group, then that would help you infer that perhaps their primary objective was information theft, and the cryptocurrency mining was a secondary action."

Sean Newman, director of product management at Corero Network Security, tends to disagree and told SC Media UK that "one might postulate that a nation-state actor may go to greater lengths with the extent of the damage or disruption they are willing to cause. However, it’s a moot point when any level of damage or disruption is unwelcome."

And Bas Alberts, VP of cyber-security projects at Cyxtera, reminds us that "one of the biggest pitfalls of defensive threat modeling is to make the assumption that you are not 'in scope' for a specific set or class of threat actors, nation-state or otherwise". As a target, you don't get to influence the decision-making logic of your attacker, after all.

Suzanne Spaulding, an advisor with Nozomi Networks and a former under secretary at the US Department of Homeland Security, points out that "attribution is important to the government to help better understand the threat picture and inform response decisions" while agreeing that "it's not as obvious why non-governmental entities, like businesses, should care about attribution".

That said, she agrees that knowing the actor "can sometimes help you to better understand what to look for in your network".

And talking of government responses, Paul Bischoff, privacy advocate at Comparitech, reminded SC Media UK that earlier this week some 51 countries signed a pact to secure cyberspace. This pact's final measure states the countries will "take steps to prevent non-state actors, including the private sector, from hacking-back, for their own purposes or those of other non-state actors".

"If such a declaration becomes law, it could determine how enterprises can react to threats from different types of threat actors," Bischoff says. "It's important for lawmakers to take into consideration the blurred line between criminals and nation-state actors so as not to put enterprises at a disadvantage, but also minimise collateral damage."
