Paul Prudhomme at IntSights considers the threats from state-sponsored hackers.
State-sponsored cyber attacks have been a common and regular method of attack for many years, and countries such as Russia, China, Iran, and North Korea are often at the forefront of media attention when cyber attacks against another state occur. But it is not just government agencies or national organisations that are targeted by these types of attacks.
Often, state-sponsored threat actors target private businesses in order to achieve a political, diplomatic, intelligence, military, or economic objective. As such, an organisation’s security team should not assume that political neutrality or the lack of an obvious government or national security nexus makes them irrelevant as targets to such actors. In fact, many commercial organisations have data and infrastructure that state-sponsored actors seek to compromise in order to achieve their end goal.
In order to fully understand the risks associated with the information they own, businesses need to understand why they become desirable targets for nation-state attackers. Below, I list some of the industries that may fall victim to a nation-state attack, explain why the private businesses operating within these industries are desirable targets, and describe what can be done to help prevent such attacks.
Gaining access to government information
The most obvious reason for foreign governments to target commercial organisations is to obtain information on their government clients for diplomatic, military, or intelligence purposes. For example, U.S. and European defence contractors are important targets for state-sponsored Russian, Chinese, Iranian, and North Korean actors that seek information on U.S. and European armed forces. The recently revealed Russian breach of SolarWinds, which enabled supply chain compromises of U.S. government agencies, also demonstrates that providers of technology products and services to governments can become targets if their compromise would yield access to their government clients.
However, governments are not the only targets of foreign intelligence services. Those intelligence services also collect information on individual citizens of targeted countries for a variety of purposes, including human intelligence (HUMINT) operations. HUMINT operations involve the targeting and recruitment of citizens with access to information that these intelligence agencies seek, including – but not limited to – government and defence employees. Ingesting compromised PII from commercial organisations in many different industries into searchable databases can facilitate these HUMINT operations.
The most well-known example of a PII breach for such purposes is the state-sponsored Chinese attack on the U.S. health insurance provider Anthem. Cross-referencing the protected health information (PHI) from the Anthem breach with the related breach of the U.S. Office of Personnel Management (OPM) would have enabled Chinese intelligence analysts to identify U.S. citizens who had both access to classified information and financial vulnerabilities from healthcare costs that might have made them vulnerable to recruitment as HUMINT sources. PHI is particularly valuable to intelligence services for the same reason that it is particularly valuable to criminals: the large amount of detail that it contains.
Targeting critical infrastructure
State-sponsored actors may also compromise commercial organisations responsible for critical infrastructure in order to disrupt the societies and economies of targeted countries. The governments that sponsor them may seek to use this capability if and when a diplomatic or military confrontation gives them a reason to use it as a weapon.
This also includes the targeting of telecommunications providers and technology companies. State-sponsored actors seek to compromise their infrastructure to enable the collection of signals intelligence (SIGINT) on their customers, in the form of their phone and internet communications, and thereby gain information on an individual’s whereabouts.
State-sponsored Russian, Chinese, and Iranian actors have targeted telecommunications and technology companies for such purposes. For example, in late 2019, Chinese state-sponsored hackers compromised telecommunication providers in Turkey, Kazakhstan, India, Thailand, and Malaysia as part of a large-scale espionage campaign to track minority groups and VIPs traveling between Central and Southeast Asia. This activity was part of a wider espionage campaign against ‘high value’ individuals, but the targeting and tracking of minorities such as Uighur Muslims has become a priority for China, which sees this group as a threat. This particular method is therefore used to track and locate individuals who are seen as a threat to Chinese society.
State-sponsored Iranian and North Korean actors also seek to compromise foreign intellectual property, but for the purpose of circumventing sanctions, rather than to expand their economic power. Sanctions against Iran and North Korea make it difficult or impossible for them to obtain many foreign products and services. These actors accordingly seek to obtain foreign intellectual property for the purpose of import substitution, enabling them to produce domestic copies of foreign products. For example, sanctions have devastated the Iranian aviation sector, leading state-sponsored Iranian actors to target foreign aerospace and aviation companies to steal what they cannot obtain legitimately.
Of course, many of these attacks also offer an economic and financial advantage, where both the attackers and the nation stand to benefit financially. COVID-19 itself has been the subject of attacks since the outbreak at the beginning of 2020. Notably, Russia was at the forefront of media attention in July when news outlets started reporting that Russian state-sponsored hackers were responsible for the failed attempt at stealing COVID-19 vaccination research from UK organisations. The nation to first succeed at developing a vaccine to treat a worldwide pandemic of course stood to gain huge financial and reputational benefits.
State-sponsored North Korean actors differ because they are the only ones known to target foreign businesses, such as banks, for the financial benefit of their government. Other state-sponsored actors in China and Iran may also attack foreign businesses for financial gain, but these attacks are generally without authorisation and for personal gain, rather than that of their governments. For example, members of the Chinese APT41 target video game companies for profit, but it appears that they conduct those attacks on the side for their own benefit.
Understanding the cyber threats
Commercial organisations should seek to understand which state-sponsored actors are most likely to attack them so they can enhance their defences against such attacks. Many state-sponsored actors target specific industries and/or specific geographic areas in order to achieve their objectives. Cyber threat intelligence can help commercial organisations determine which state-sponsored threats are most likely to affect them on the basis of their industry and/or geography. It can also highlight which specific types of information and infrastructure these actors are most likely to target, so that security teams can enhance the defences of those specific targets, such as with encryption or network segmentation.
Cyber threat intelligence can also shed light on the tactics, techniques, and procedures (TTPs) of state-sponsored actors. These TTPs may vary considerably from one country to another, or even from one group to another within the same country. Security teams should ensure that their defences cover the TTPs of the groups most likely to attack them. Indicators of Compromise (IOCs) and other technical countermeasures for specific groups can further help to reduce the risk of a breach.
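As an added illustration of the point above about applying IOCs as a technical countermeasure (example code written for this edit, not from the article or from IntSights), the script below matches constructed proxy log lines against a constructed, actor-tagged IOC feed. All domains, IP addresses, hashes, actor names and log lines are placeholders, and the log format and feed layout are assumptions; a real deployment would take both from the organisation's proxy and its threat-intelligence provider.

```python
"""Match constructed proxy log lines against a constructed, actor-tagged IOC feed.

Added example: not the article's or IntSights' code. Every indicator, actor
label and log line below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed keyed by indicator type. Each indicator carries the
# actor it is attributed to, so hits can be prioritised by which group the
# organisation's threat intelligence says is most likely to target it.
IOC_FEED = {
    "domain": {"update-check.example-bad.test": "CONSTRUCTED-ACTOR-A"},
    "ip": {"203.0.113.45": "CONSTRUCTED-ACTOR-A"},       # TEST-NET-3, constructed
    "cidr": {"198.51.100.0/24": "CONSTRUCTED-ACTOR-B"},  # TEST-NET-2, constructed
    "sha256": {"a" * 64: "CONSTRUCTED-ACTOR-B"},          # placeholder hash
}

# Constructed proxy log lines (assumed format):
# timestamp source-ip method destination-host destination-ip sha256-or-dash
SAMPLE_LOGS = [
    "2021-03-01T10:00:01Z 10.0.0.5 GET www.example.com 192.0.2.10 -",
    "2021-03-01T10:00:07Z 10.0.0.5 POST update-check.example-bad.test 203.0.113.45 -",
    "2021-03-01T10:01:15Z 10.0.0.9 GET files.partner.example 198.51.100.77 " + "a" * 64,
    "2021-03-01T10:02:30Z 10.0.0.9 GET intranet.corp.example 10.0.0.1 -",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<sha256>\S+)$"
)


@dataclass
class Match:
    timestamp: str
    source: str
    ioc_type: str
    indicator: str
    actor: str


def _parse_cidrs(feed):
    """Pre-parse CIDR indicators once so per-line matching stays cheap."""
    return [(ipaddress.ip_network(c), a) for c, a in feed.get("cidr", {}).items()]


def match_line(line, feed=IOC_FEED, cidrs=None):
    """Return one Match per IOC the line hits; a line can hit several indicator types."""
    m = LOG_RE.match(line)
    if not m:
        return []  # malformed lines are skipped rather than crashing the scan
    cidrs = _parse_cidrs(feed) if cidrs is None else cidrs
    hits = []

    host = m["host"].lower().rstrip(".")
    if host in feed.get("domain", {}):
        hits.append(Match(m["ts"], m["src"], "domain", host, feed["domain"][host]))

    dst = m["dst"]
    if dst in feed.get("ip", {}):
        hits.append(Match(m["ts"], m["src"], "ip", dst, feed["ip"][dst]))
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None  # destination field was not an IP address
    if addr is not None:
        for net, actor in cidrs:
            if addr in net:
                hits.append(Match(m["ts"], m["src"], "cidr", str(net), actor))

    sha = m["sha256"].lower()
    if sha != "-" and sha in feed.get("sha256", {}):
        hits.append(Match(m["ts"], m["src"], "sha256", sha, feed["sha256"][sha]))
    return hits


def scan(lines, feed=IOC_FEED):
    """Run every log line through the matcher and flatten the hits."""
    cidrs = _parse_cidrs(feed)
    return [hit for line in lines for hit in match_line(line, feed, cidrs)]


def actors_seen(matches):
    """Summarise which attributed actors produced hits and from which internal hosts."""
    summary = {}
    for hit in matches:
        summary.setdefault(hit.actor, set()).add(hit.source)
    return {actor: sorted(hosts) for actor, hosts in summary.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for r in results:
        print(f"{r.timestamp} {r.source} hit {r.ioc_type}={r.indicator} ({r.actor})")
    print(actors_seen(results))
```

The actor tag on each indicator is the part that ties this back to threat intelligence: a hit attributed to a group known to target the organisation's industry or geography is worth escalating ahead of a generic hit, and the per-actor summary gives a responder that ordering directly.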
By understanding the risks associated with the industry in which their business resides, security teams and business leaders will be better placed to understand how to prevent state-sponsored attacks. This will not only protect the integrity of the business and the personal information the individual business holds, but it will also protect their own nation from others looking to achieve their political, diplomatic, intelligence, military, or economic objectives.
Paul Prudhomme is Cyber Threat Intelligence Advisor at IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Paul previously covered cyber issues as a contractor in the US Intelligence Community. He specialises in the coverage of state-sponsored cyber threats, particularly those from Iran. Paul originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. He has a Master’s degree in History from Georgetown University and is also a certified scuba diver and an award-winning amateur underwater photographer.