In December 2020, it emerged that IT firm SolarWinds had been hacked by a nation state adversary believed to be Russia, leading to the compromise of multiple US government agencies.
Thought to have been active since March, the details of the successful supply chain attack were extraordinary. Hackers had stealthily injected an updated version of SolarWinds’ monitoring software with malicious code, which was then installed onto around 18,000 customers’ systems.
Once it had infected customers, the malicious code opened a backdoor, contacting the attackers to let them know the coast was clear to steal sensitive data.
The full extent of the damage caused by the SolarWinds cyber-assault is still not known. Around 50 customers were impacted by the hack, according to Kevin Mandia, CEO of FireEye, which itself reported a breach relating to SolarWinds in December.
Devastating and wide-reaching, the SolarWinds breach shows how nation state cyber attacks can impact businesses as well as governments.
But this type of cyber assault doesn’t just impact software companies: Businesses can be affected across industries. Those targeted by nation states might be part of a supply chain such as defence or military, or “harbour geopolitical or trade intelligence that the adversary finds useful”, says Max Heinemeyer, director of threat hunting at Darktrace.
There can be multiple steps in the process when nation states attack. It often starts with a third party (a business), says Evan Kohlmann, co-founder of Flashpoint. “SolarWinds is a great example. Adversaries wanted a peek into other nation states’ data and they used a business to do just that.”
Covid-19 elevates the risk further, with nation state adversaries increasingly turning their attention to vaccine makers to perform corporate sabotage and theft. Other high-profile targets include financial institutions and critical national infrastructure (CNI) providers such as electricity firms.
However, it would be unwise to think any business is immune. “Nation state attackers go after all sorts of different companies,” says Kohlmann. “Anyone who believes their business is below the level of being targeted by nation state actors is probably being naïve.”
Nation state threat actors
With that in mind, who are the main nation state threat actors businesses should be aware of? As a mass producer of technology, China feels abused by western corporations and values that clash with its own ideology, says Ian Thornton-Trump, CISO at Cyjax. “From the Chinese perspective, any acquisition of intellectual property is fair game if it isn’t properly protected.”
Intellectual property theft is a key part of Chinese espionage efforts, agrees Hank Schless, senior manager of security solutions at Lookout. “They’ve achieved this by placing employees inside organisations to steal as an insider, as well as targeting firms with malware and spear phishing.”
Meanwhile, says Thornton-Trump, Russian cyber operations are less focused on commercial opportunities. “They are highly focused on espionage, advancing Russian foreign policy and domination of surrounding post-Soviet countries.”
Another formidable adversary is Iran, which has diversified its offensive cyber operations over recent years with the help of Russia and China. “Iran is responsible for some of the largest and most destructive cyber attacks specifically targeting Saudi-Arabia,” says Thornton-Trump.
Iran “invests heavily” in cyber capabilities including espionage, ransomware and destructive cyber attacks, he says, adding that “Iranian threat actors have world class capabilities”.
At the same time, North Korea’s cyber-attacks are largely financially motivated as a way to compensate for widespread economic sanctions against the country. Schless cites the example of the Lazarus Group – the government backed North Korean hacker collective behind the infamous WannaCry ransomware attack – which “targets financial institutions and cryptocurrency platforms as a way to steal funds”.
Another less obvious threat is Syria. “The country was destroyed and it has taken part in nation state cyber warfare over the last few years,” says Kohlmann, citing the example of the Syrian Electronic Army. “It started with Facebook pages and defacement campaigns, but all of a sudden it became more advanced, using phishing to compromise bigger targets.”
Covid-19 has increased the opportunities for nation state attackers to target businesses. Recent research by the UK’s National Cyber Security Centre (NCSC) found that over the past year, more than a quarter of cyber incidents involved criminals and hostile states exploiting the pandemic.
During the pandemic, state-backed hackers have exploited vulnerabilities in leading perimeter security platforms – particularly those used to facilitate secure remote access, says Stuart Reed, UK director at Orange Cyberdefense. “As a result of fast implementation and scaling, patches and upgrades are taking far too long, and this problem appears to be getting worse. Hackers have noted this opportunity and pivoted to explore it.”
Protecting against nation state attacks
As the threat grows, it’s important to take action to prevent state sponsored cyber-attacks. For some companies, surviving the impact of this type of cyber-assault simply isn’t possible, says Amanda Finch, Chartered Institute of Information Security CEO.
This is partly because fines that come in the wake of an attack can be “crippling”, she warns, adding: “The incident can lead to a loss of confidence from investors and stakeholders. Being cut off from financial resources can stall a company into inactivity, and even cause a collapse.”
To protect themselves, organisations need to construct threat models to drive their cyber threat intelligence (CTI) collection plan, says Thornton-Trump.
At the same time, Thornton-Trump says, a firm’s CTI team should be equipped to analyse threat actor activity against the organisation’s security controls. “Knowing what a threat actor may use to target the organisation and applying that knowledge can provide a massive defensive advantage.”
He explains how the ultimate goal of a CTI program is to understand key mistakes, exploits or unfortunate circumstances that have occurred in the past. “This information can be used to prevent similar attacks on the organisation.”
Gavin Knapp, head of SOC and cyber defence at Bridewell Consulting says it’s “vitally important” that businesses use threat intelligence to move from a “reactive” to a “proactive” security stance.
Among the benefits, Knapp says threat intelligence can enhance security functions such as vulnerability management, incident response, third party and supply chain risk, brand protection and physical security. “Threat intelligence can benefit security operations by expediting the detection and ultimately facilitate the disruption of a threat actor’s kill chain targeting the business.”
However, there are also challenges in threat intelligence gathering, partly because of the wide scope of attacks now possible. The quality of threat intelligence relies heavily on the data, Schless warns.
“Large datasets allow threat intelligence researchers to navigate the complex web of interconnected cyber-crime campaigns. Lots of organisations have strong threat intelligence that focuses on more traditional endpoints and threat types, but that isn’t enough. To get the full picture, you need to be able to cross reference that with data from mobile devices, which represents a completely different landscape.”
And more widely, Finch says more defined approaches to security must be put in place, “both at a national and an enterprise level”.
In the UK, Finch says, it’s vital that national agencies, such as the NCSC, “collaborate with and provide guidance to businesses of all sizes to help defend against these attacks”.
“It simply isn’t realistic to expect every company, particularly small ones, to withstand targeted attacks fuelled by extensive cyber resources from the likes of the Chinese, North Korean or Russian governments without any support. A joint approach is the best for survival.”
There is already some help in the regulatory space, with laws such as the EU NIS Directive and the proposed Digital Operational Resilience Regulation advancing policy objectives for resilience, says Stewart Room, global head of data protection and cyber security at law firm DWF.
Investing in the basics
But it’s also important to start from a strong foundation. Finch advises investing in the ‘basics’ in security, such as cyber hygiene, patching, controlling user access and firewalls. “Companies should also ensure that cyber security training is prioritised. State-sponsored attacks will likely be highly sophisticated and it’s crucial staff are equipped with the skills and knowledge to defend against this.”
Phishing is still the essential ingredient in many high-profile cyber attacks. Taking this into account, says Kohlmann, there are clear steps a business can take to mitigate the threat, such as user training and ensuring two-factor authentication is in place.
But Kohlmann also warns that “no amount of firewalls will block every effort by a nation state”.
“If you are a sizeable business, you have a responsibility to protect yourself and your employees and customers. You can put up walls, but unless you know where adversaries are coming from, you can never protect yourself.
With this in mind, Kohlmann thinks it is smarter to try and understand the vector of attack: “How do they try to get in, what exploits are they using? Instead of trying to fix every hole, focus on those things.”
There is no doubt that the nation state threat is growing, but perhaps what’s most concerning is that the SolarWinds breach demonstrates how easily any firm can get caught up in this type of cyber assault. Room says these recent breaches “reveal a deeply troubling flaw in our systems of cyber security”.
Kohlmann concurs: “Recent days show businesses have as much to lose as nation states. The vaccine-related attacks we have seen during Covid-19 show how a widening variety of private organisations can be targeted in this unseen battle.”