Mark Loman, director, engineering for next-gen technologies, Sophos

The current threat landscape is evolving in ways never seen before, from sophisticated ransomware that re-infects long after a ransom is paid to the emergence of attacks on personal IoT devices. The shape, size and methods of cyber-attacks are growing in complexity and frequency.

However, one of the more concerning cyber trends we are seeing is the rise of technical cyber-attacks against states and societies.  

These attacks are political in nature, and the methods of these state-sponsored hacking attacks are quite different to common cyber-crimes, which typically target a person or business. When it comes to nation state attacks, the precise goals go beyond monetary gain.

When countries attack

The objective of most cyber-attacks falls into one of two categories: financial gain or intelligence gathering. More often than not, nation state attacks, such as the recent ones you've probably seen in the news, are about intelligence. Organisations will likely use this information to anticipate or manipulate current or future events, or to sway public perception in their favour. This valuable information could include anything from personally identifiable information (PII) to government intelligence, both of which could be a risk to national security if they were to fall into the wrong hands.

The most recent and shocking example was the reported cyber-attack on the World Anti-Doping Agency (WADA). WADA recommended banning all Russian athletes from the 2016 Rio Olympics once it was revealed that the Russian government had covered up doping at the 2014 Winter Games in Sochi. Naturally, many Russians took offence to this, and in September 2016 WADA confirmed that it had been targeted by a Russian espionage group, “Fancy Bear”, also known as APT28. In retaliation, Fancy Bear released medical details and Olympic records of top American athletes, and threatened to release more. These American doping accusations were later proven incorrect, or it was shown that the athletes had therapeutic use exemptions (TUEs) allowing them to use certain medications, but the question remained of how and why Russian intelligence was able to get its hands on such sensitive information.

How did it work?

Using targeted spear-phishing tactics and a specially created International Olympic Committee account for the attack, the crooks were able to delve deep into WADA's systems, retrieve sensitive information and distribute the material wider. What is more concerning is that it's likely this attack wasn't just in retaliation to WADA's doping usage report at the 2014 Olympic Games. It's likely it was also conducted to convince the people of Russia that doping “scandals” are not just a Russian problem, but a worldwide one. 

Although attribution can be tricky - with attacks being re-routed through different countries, or paying other criminals in different regions to execute attacks - the cyber-attack against WADA had a consistent use of Russian language in its malware code. Not only this, but the malware compile times corresponded with business hours of Russia's major cities, including Moscow and St. Petersburg – so in this instance we can be fairly certain where it came from.

Another interesting element of this attack is that, unlike the usual data stolen by cyber-criminals, the intelligence gathered in this instance was most useful to governments – which has raised a great deal of speculation about who was really behind the attack. Fancy Bear is known to have also executed similar cyber-attacks against the German parliament in 2014, the US Democratic National Committee in 2016, as well as attempts to influence Dutch and French elections this year.

These attacks highlight how all nations should be wary, and any organisation that holds some sort of valuable information, such as intellectual property, or runs a strategic infrastructure, should be prepared for the possibility of a state-sponsored attack.

Nation state attackers vs the common cyber-criminal – what's the real difference?

Common cyber-criminals use wide-ranging, large-scale malware distribution tactics, such as exploit kits, which are distributed to hundreds, if not thousands, of targets. Nation state attackers, by contrast, will spend much more time and resources meticulously executing an attack, making it far more targeted.

Fancy Bear does not stand alone in this nation-state arena. Other examples of groups caught up in cyber-espionage include Buckeye, also known as APT3. Buckeye and common cyber-criminals share some strikingly similar tactics, such as targeting the same vulnerabilities used by exploit kits; the difference is that Buckeye is much more diverse in its approach when exploiting the vulnerability.

For example, let's take the infamous Angler exploit kit. Buckeye's tactics share some interesting similarities with Angler: a heap-based buffer overflow in Adobe Flash Player 18.0.0.160, a corrupted Vector object used to read and write outside its intended bounds, and a return-oriented programming (ROP) chain built to bypass data execution prevention (DEP).

Although there is only one vulnerability, these are two very different exploits.

When a common cyber-criminal utilises the Angler exploit kit, the ROP chain sits on the heap, not the stack, and a stack pivot technique is used to start it. With APT3, however, no stack pivot is necessary, as the ROP chain is on the stack, and the critical ROP gadgets are call-preceded to bypass stack-based ROP mitigations. Although both go after the same vulnerability, the coding and methods of the two are completely different, as are the intentions and styles of the exploitation.
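The two mitigations the comparison above alludes to are a stack pivot check (is the stack pointer still inside the thread's stack?) and a caller check (is every return address on the stack preceded by a CALL instruction?). The following is an added illustration written for this article, not code from Sophos or from any product; it models both checks over a constructed toy code image and a simulated stack of return addresses. The byte sequence, the stack bounds and the gadget offsets are all hypothetical, and the CALL recognition is a simplified heuristic rather than a full x86 decoder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy code image (hypothetical bytes, not from any real binary).
 * Offsets:
 *   0: E8 10 00 00 00      call rel32         -> return site at offset 5
 *   5: C3                  ret
 *   6: FF 15 00 10 00 00   call [rip+disp32]  -> return site at offset 12
 *  12: C3                  ret
 *  13: 5E                  pop rsi            (NOT preceded by a call)
 *  14: C3                  ret
 */
static const uint8_t CODE[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,
    0xC3,
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,
    0xC3,
    0x5E,
    0xC3,
};

/* Caller check: does a CALL encoding end exactly at ret_off?
 * Handles E8 rel32 (5 bytes) and FF /2 indirect calls (2..7 bytes). */
bool is_call_preceded(const uint8_t *code, size_t len, size_t ret_off) {
    if (ret_off > len) return false;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return true;
    for (size_t n = 2; n <= 7; n++) {
        if (ret_off < n) break;
        const uint8_t *p = code + ret_off - n;
        /* FF with ModRM reg field == 2 is "call r/m" */
        if (p[0] == 0xFF && ((p[1] >> 3) & 7) == 2) return true;
    }
    return false;
}

/* Stack pivot check: the stack pointer must lie inside the thread's stack. */
bool sp_within_stack(uintptr_t sp, uintptr_t stack_lo, uintptr_t stack_hi) {
    return sp >= stack_lo && sp < stack_hi;
}

enum verdict { CLEAN = 0, STACK_PIVOT = 1, BAD_RETURN = 2 };

/* Inspect a (simulated) frame the way a hook on a critical API would:
 * first the pivot check, then every return address on the stack. */
enum verdict inspect_frame(uintptr_t sp, uintptr_t stack_lo, uintptr_t stack_hi,
                           const size_t *ret_offs, size_t n_rets) {
    if (!sp_within_stack(sp, stack_lo, stack_hi)) return STACK_PIVOT;
    for (size_t i = 0; i < n_rets; i++)
        if (!is_call_preceded(CODE, sizeof CODE, ret_offs[i])) return BAD_RETURN;
    return CLEAN;
}

int main(void) {
    const uintptr_t lo = 0x1000, hi = 0x2000;   /* constructed stack bounds */
    size_t heap_chain[]  = {14};                /* chain staged on the heap */
    size_t stack_chain[] = {5, 14};             /* on-stack chain, one plain gadget */
    size_t cp_chain[]    = {5, 12};             /* on-stack chain, all call-preceded */

    printf("pivoted to heap : %d\n", inspect_frame(0x5000, lo, hi, heap_chain, 1));
    printf("plain gadget    : %d\n", inspect_frame(0x1800, lo, hi, stack_chain, 2));
    printf("call-preceded   : %d\n", inspect_frame(0x1800, lo, hi, cp_chain, 2));
    return 0;
}
```

The first scenario is caught by the pivot check alone, the second by the caller check; the third passes both, which is exactly the blind spot the article describes when it says APT3's call-preceded gadgets bypass stack-based ROP mitigations. The practical lesson for a defender is that neither check is sufficient on its own and they are best layered with other signals (for example, control-flow integrity, heap-spray and export-address-filtering heuristics) rather than relied upon individually.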

Fighting in the future

As nation state attacks continue to rise, so will the tension between nations. We are already seeing this between Russia and Ukraine. Today war is about more than a battlefield; it is often fought online. With state-sponsored attackers already responsible for power outages in Ukraine and for attacks on French television stations over the last few years, there are clearly no signs of them slowing down.

Groups like Fancy Bear are using these types of attacks to stay one step ahead of western countries. As time goes on, these nation-state hacks will become increasingly targeted and specific, and definitively confirming responsibility will continue to be a struggle. It's vital that western countries are prepared and able to defend against these attacks sufficiently.

Contributed by Mark Loman, director, engineering for next-gen technologies, Sophos

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.