As the recent Verizon Breach Report showed, cyber-espionage has risen significantly in the past year – and not just in political campaigns. Nation-states are now firing in all directions, with public and private companies from a wide spectrum of industries suffering intensive attacks. To an extent, the recent “WannaCry” and “NotPetya” attacks could also be viewed as nation-state efforts to disrupt and test cyber weaponry.
What are the reasons behind the recent escalation of state-affiliated cyber espionage against non-political targets, what does it mean, and how can companies protect themselves?
Why do nation-states attack non-military entities?
Nations have been using espionage since the dawn of history to understand the motives and capabilities of their friends and enemies. During the Cold War, the US and the Soviet Union were engaged in an ongoing battle for global supremacy that required them to obtain each other's secrets. These were not limited to “national” secrets (like the blueprints of new weapons systems) but also included economic and even academic data.
The emergence of the Internet and the evolution and adoption of digital systems has enabled espionage to shift into the online world. This has been going on for several decades now (Ex-NSA Head: Chinese Hacking is ‘The Greatest Transfer of Wealth in History’). However, in the last couple of years we're sensing a shift in the way nation-states act in relation to private corporations. More and more companies seem to be attacked by nation-states for no obvious reason. But nation-state hackers work in an organised manner; there is always some logic and motivation behind their target selection.
The key motivators for nation-state hacking include:
Hacking is perceived by some nations as a legitimate way to “close the technology gap” with wealthy nations. It is thus not surprising that nation-state hackers work hard to obtain lucrative IP in the fields of electronics, pharma and weaponry, and transfer it to their native industries for the creation of competing products.
Nation-states have a myriad of political objectives, from tarnishing exiles to helping a specific candidate win an election. Hacking civilian entities, political parties and non-governmental organisations is a means to this end.
Infrastructure/foundation for future ops
Since most government and military entities use commercial products for their IT security, nation-states hack into security companies so they can later use stolen information to launch more serious, military-style attacks.
Moving up the supply chain
In Western countries, governments, the defence industry and even the military itself rely on the civilian supply chain. Nation-states leverage this fact by targeting companies in the chain that have weak cyber-security. This allows them to gain a foothold and move up the supply chain until a larger, more valuable entity is breached. Though no details are available, this is most likely how Lockheed Martin was breached and the blueprints of the F-35 fighter jet were stolen and leaked to China.
Masking other attacks
Launching a single attack on a single target leaves no doubt about the origin and motivation of the attackers. But launching seemingly unrelated attacks on multiple targets may very well hide the true motivation of the one attack that matters. For example, the recent “WannaCry” attack might have been a smokescreen for other activities that have not yet come to light.
In order to maximise “plausible deniability,” nation-states often operate through rogue hacking groups, semi-military outfits and downright cyber-criminals who are enlisted ad hoc for specific missions. These outfits are made up of ambitious individuals who simply cannot overlook a lucrative target once they encounter it. They have been known to hack the odd corporation they find in their path for no obvious reason. In cases like this, the victimised companies are just collateral damage.
Why is this happening now?
The goals and motivations of nation-state hackers have not changed. What seems to have shifted is the mindset and capability of the attackers. Putin's Russia in particular seems totally unfazed by international pressure and conducts information-warfare operations nearly in the open. This trigger-happy approach, coupled with the improvement of cyber-weapons (some of them stolen from other nation-states), means that these attacks happen more often and have greater impact.
What tricks are they using to sneak past cyber-security?
Contrary to public perception, nation-states generally use ordinary cyber-crime methods to achieve their goals. Their main penetration vectors are spear-phishing emails and social engineering. The goal of these techniques is to covertly insert a malicious payload into the organisation. Traditional cyber-security solutions are unable to detect these sorts of attacks because they rely on signatures, which is of course anticipated by hackers, who disguise their activity to appear benign. New and unfamiliar attack methods can only be detected by new technologies such as machine learning, which enables organisations to process huge amounts of data in a very short time, identify abnormal activities and raise alerts.
It is recommended that organisations first cover their bases by deploying perimeter, network and endpoint security solutions, and then take their operations one step further by “hunting” for adversaries in their network, using myriad means such as syslog analysis, threat intelligence and behavioural analytics.
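The passage above contrasts signature matching with behavioural detection and recommends hunting through syslog data. The following script is an added illustration, not code from the article or from SecBI: it builds a per-user baseline (source addresses, authentication methods) from a constructed set of OpenSSH "Accepted ... for USER from IP" syslog lines, then flags later logins that deviate from that baseline or fall outside a working-hours window. The log lines, host and user names, and the working-hours range are all constructed assumptions; the point is that none of the flagged lines would match a signature, because each one is a successful, well-formed login.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the article). The message
# format follows OpenSSH's "Accepted <method> for <user> from <ip> port <n>".
BASELINE_LOGS = """\
Jun  1 09:02:11 web01 sshd[2101]: Accepted publickey for alice from 10.0.1.20 port 50122 ssh2
Jun  1 09:40:53 web01 sshd[2144]: Accepted publickey for bob from 10.0.1.31 port 50991 ssh2
Jun  2 10:15:02 web01 sshd[3011]: Accepted publickey for alice from 10.0.1.20 port 51002 ssh2
Jun  2 17:58:40 web01 sshd[3302]: Accepted publickey for bob from 10.0.1.31 port 51777 ssh2
Jun  3 08:55:19 web01 sshd[4120]: Accepted publickey for alice from 10.0.1.21 port 52010 ssh2
"""

# Constructed lines from a later day, to be judged against the baseline.
NEW_LOGS = """\
Jun  4 09:10:44 web01 sshd[5001]: Accepted publickey for alice from 10.0.1.20 port 53001 ssh2
Jun  4 03:21:09 web01 sshd[5077]: Accepted password for alice from 203.0.113.45 port 40111 ssh2
Jun  4 11:05:30 web01 sshd[5102]: Accepted publickey for bob from 10.0.1.31 port 53110 ssh2
Jun  4 11:06:02 web01 sshd[5103]: Accepted publickey for carol from 10.0.1.99 port 53111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(text):
    """Turn raw syslog text into a list of login events; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hour = int(m.group("ts").split()[-1].split(":")[0])  # hour of day, 0-23
        events.append({
            "user": m.group("user"), "ip": m.group("ip"),
            "method": m.group("method"), "hour": hour, "raw": line,
        })
    return events


def build_baseline(events):
    """Record, per user, which source addresses and auth methods have been seen before."""
    base = defaultdict(lambda: {"ips": set(), "methods": set()})
    for e in events:
        base[e["user"]]["ips"].add(e["ip"])
        base[e["user"]]["methods"].add(e["method"])
    return base


def find_anomalies(baseline, events, work_hours=range(7, 20)):
    """Return (raw_line, [reasons]) for every event that deviates from the baseline.

    work_hours is an assumed 07:00-19:59 window; tune it to the organisation.
    """
    findings = []
    for e in events:
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("unknown user")  # never seen in the training window
        else:
            if e["ip"] not in profile["ips"]:
                reasons.append(f"new source {e['ip']}")
            if e["method"] not in profile["methods"]:
                reasons.append(f"unusual auth method {e['method']}")
        if e["hour"] not in work_hours:
            reasons.append(f"off-hours login at {e['hour']:02d}:00")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


def run():
    """Build the baseline from BASELINE_LOGS and hunt through NEW_LOGS."""
    return find_anomalies(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))


if __name__ == "__main__":
    for raw, reasons in run():
        print(raw)
        for r in reasons:
            print("   ->", r)
```

Running it flags two of the four new logins: alice's 03:21 password login from an address never seen for her account, and a login by carol, who has no baseline at all. The two routine logins pass silently. A real hunting pipeline would replace the hand-built sets with a statistical or learned model and would feed in far more signal (process, DNS and proxy logs), but the structure is the same: learn what normal looks like, then alert on departures from it rather than on known-bad patterns.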
According to a March 2017 report by Trend Micro, European and US businesses now see cyber-espionage as the greatest threat to their security. The research, which surveyed 2,402 enterprise IT decision makers across Europe and the US, shows cyber-espionage topping the list of largest security concerns for 2017, followed by targeted attacks (17 percent) and phishing (16 percent).
This offers some hope for the future, since it shows that awareness of this threat is finally on par with the risk itself. However, awareness alone is not sufficient to mitigate these threats; decisive action must be taken. Businesses must deploy the latest security technologies and put manpower in place to support them. Once an organisation has committed to such a strategy, it cannot remain complacent, but must continue investing to maintain the security edge and keep the cyber spies at bay.
Contributed by Alex Vaystikh, CTO, SecBI