Russia-Ukraine War Raising the Awareness of Nation-State Attacks

The Russian invasion of Ukraine has heightened government and business awareness of the very real threat that nation-state cyber actors pose.

To cover all the implications of the threat posed by nation-state actors and the groups they sponsor, Trustwave SpiderLabs researchers offered their thoughts on the war's impact.

The general notion is the Russian invasion of Ukraine was not accompanied by any significant cyberattacks. Is that true?

SpiderLabs: There has been a misconception regarding whether cyberattacks have played a role in the Russia-Ukraine war. There were, in fact, major cyberattacks immediately following the invasion of Ukraine; they just haven't been successful yet, at least as far as we know.

We should also take a minute to refine the definition of what comprises a "major cyberattack." Typically, a sophisticated attack isn't one that simply sends and then executes a malicious payload. Yes, that happens, and yes, it can be devastating for a company or utility. Still, a truly major attack is one that lurks in multiple network locations, waiting for a specific moment to rear its ugly head. The backbone of any really nasty cyberattack is when it propagates through networks, with the attacker hoping this process lasts for a long time, resulting in the malware spreading widely through its victim.

Who are the main nation-state players in the cybersecurity/cyberwarfare landscape?

SpiderLabs: China, North Korea, Iran and Russia round out the most prominent players. 

What are their aims?

SpiderLabs: Many nation-states don't operate like the United States, which has a specific agency, the NSA, that works on cyber defense and attacks.

Other nation-states instead employ hacker groups or collectives by either sponsoring them with money and equipment, or working out a deal, i.e., if you don't attack us, we will let you do whatever you want, but you're going to give us any zero-day vulnerabilities that you find and help us execute targeted attack plans. 

In many cases, this allows the nations to have "plausible deniability" and place the blame on "groups of rogue hackers" while still being able to attack other nations. 

A threat group's aim depends on whether you're looking at the sponsored group or the host nation. Most sponsored groups are in it for the money and to find information. Typically, the group turns the stolen information over to the nation-state in question, effectively turning the information into more money. 

To put it simply, a nation-state is generally looking to steal intellectual property or information, or to shut something down. A state-sponsored group usually will try to execute on anything that can make money.

A nation-state is typically interested in IP theft – a factor behind many of China's cyberattacks. Also in the mix for a nation-state are attacks geared toward gaining political leverage over an adversary and striking critical infrastructure with malicious intent. However, trying to decipher a nation-state's true aim is difficult due to the ever-evolving political structure of the world on any given day.

What are the risks to businesses and which organizations are more likely to be targeted? 

SpiderLabs: I know this is a common refrain in cybersecurity circles, but the statement is true. It's not if the attacker will get in; it's when. 

When a nation-state targets businesses or organizations, it is usually just a matter of time before a breach takes place, unless the target has an excellent security team and has been practicing solid cyber defense. Unfortunately, a nation-state just has too many resources.

Because a successful attack is likely, the most important aspect of an organization's defensive posture should be how quickly it can locate the attackers and mitigate the attack's effects. If an organization's security isn't great, then the attacker will gain access to valuable data and then most likely lock down your systems and hold you for ransom to make additional money.

When it comes to which businesses are higher on an adversary's hit list, it varies. But take China, for example. Anything that China feels can give it an advantage in manufacturing is likely a target. 

If your company has something a nation-state could benefit from by stealing or destroying, you could be a target. For example, suppose your organization has money, information in the form of PII, customer data, supply chain logistics information for high-value customers, or anything that could help piece a puzzle together for the attacker to better copy, steal, or destroy – a nation-state attacker will likely target your organization.

The other important angle for companies to remember is that the threat vector does not always come through the Internet. There are insider threats and the physical aspect of maintaining security.

Such attacks often resemble corporate espionage: finding someone with gambling debts who is an engineer with access to data and paying that person $10,000 to exfiltrate data. Or a nation-state actor may just walk into a facility and take photos of a process or procedure, parts or machinery, etc. This type of attack is real and happens more often than people want to acknowledge.

How should your cybersecurity strategy reflect the current landscape?

SpiderLabs: The best strategy for defending against nation-state threats is taking a holistic approach to security, being prepared, and having a plan.

As we just discussed, organizations must realize that security doesn't simply stop at an external firewall or networks – it goes well beyond that to all aspects of security – including physical. 

Organizations should conduct frequent security testing and employee awareness training, and perform Red Team exercises to ensure that any gaps in their security posture are found and filled. These exercises must be conducted consistently and not just on an annual or quarterly basis.

What does the future hold? 

SpiderLabs: The entire world of "hacking," whether white, grey, or black hat, always comes back to escalation and the old game of whack-a-mole. Until we come up with an evolving AI-like machine learning defense matrix that can constantly attack itself, find flaws, and fix them, it really is going to be more of the same.

Unfortunately, most companies don't truly practice holistic security or even have a good handle on what is needed and how to implement it. 

Some companies look at security simply as a cost that doesn't show a return – similar to life insurance. 

In reality, it's much more like health insurance. When done properly, it is worth every penny. That is what the future should hold, because nation-state attacks and nation-state-sponsored attacks grow in number every day and are becoming more and more sophisticated.

What's the risk of a nation-state launching a major cyber-attack similar to NotPetya?

SpiderLabs: There is a massive risk of a nation-state launching a major cyberattack similar to NotPetya. In fact, it's almost a guarantee. When a nation-state tool like NotPetya is released, it has officially "entered the wild." 

Every criminal, cybersecurity researcher, "script kiddie," and wannabe hacker will try to get their hands on it and weaponize it for their use. 

This situation is dangerous for many reasons.

The cyber warfare landscape differs from a real-life battlefield. In a shooting war, when an adversary comes out with a new weapon, it can take months or years of engineering, manufacturing, and delivery before you can copy and use that weapon. In the cyber world, adversaries can copy tactics and techniques to leverage the weapon on the same day. Nation-state attacks simply put new weapons in every criminal's hand every time they drop a new zero-day or exploit like NotPetya.

However, the risk of an attack with a specific tool created by a nation-state on your specific company isn't what you should be worried about. It's the fallout from that attack. It's what happens after that tool is weaponized. Every nation-state is now using it, every hacker collective, every state-sponsored group. They all now have that tool and will throw it at anyone with information or money.

Which nation poses the most significant risk?  

SpiderLabs: Hands down, China is the most significant risk for IP and information theft. 

Russia is typically more politically and financially driven, and many of its attacks are from financially motivated government-sponsored groups. Again, it's not about Russia targeting major organizations. Trying to understand the political and economic drivers behind a nation is near impossible, especially when those drivers are mixed with a sponsored group that is money-driven. 

Pure capability, however, overwhelmingly resides with China, partially due to the massive state-sponsored groups it has relationships with and its foothold in manufacturing. Back doors galore have been found in Chinese-manufactured computer components. They often don't need to hack any organizations; we've already let them right in.

In the end, what poses the most significant threat is an organization's failure to install real holistic security, and a lack of the basic understanding that every weapon released is another weapon others will use.
