The Russian invasion of Ukraine has heightened government and business awareness of the real threat that nation-state cyber actors pose.
To cover all the implications of the threat posed by nation-state actors and the groups they sponsor, Trustwave SpiderLabs researchers offered their thoughts on the war's impact.
The general notion is the Russian invasion of Ukraine was not accompanied by any significant cyberattacks. Is that true?
SpiderLabs: There has been a misconception regarding whether cyberattacks have played a role in the Russia-Ukraine war. There were, in fact, major cyberattacks immediately following the invasion of Ukraine; they just haven't been successful yet, at least as far as we know.
We should also take a minute to refine the definition of what comprises a "major cyberattack." Typically, a sophisticated attack isn't one that simply sends and then executes a malicious payload. Yes, that happens, and yes, it can be devastating for a company or utility. Still, a truly major attack is one that lurks in multiple network locations, waiting for a specific moment to rear its ugly head. The backbone of any really nasty cyberattack is when it propagates through networks, with the attacker hoping this process lasts for a long time, resulting in the malware spreading widely through its victim.
Who are the main nation-state players in the cybersecurity/cyberwarfare landscape?
SpiderLabs: China, North Korea, Iran and Russia round out the most prominent players.
What are their aims?
SpiderLabs: Many nation-states don't operate like the United States, which has a specific agency, the NSA, that works on cyber defense and attacks.
Other nation-states instead employ hacker groups or collectives by either sponsoring them with money and equipment, or working out a deal, i.e., if you don't attack us, we will let you do whatever you want, but you're going to give us any zero-day vulnerabilities that you find and help us execute targeted attack plans.
In many cases, this allows the nations to have "plausible deniability" and place the blame on "groups of rogue hackers" while still being able to attack other nations.
A threat group's aim depends on whether you're looking at the sponsored group or the host nation. Most sponsored groups are in it for the money and to find information. Typically, the group turns the stolen information over to the nation-state in question, effectively turning the information into more money.
To put it simply, a nation-state is generally looking to steal intellectual property or information, or to shut something down. A state-sponsored group usually will try to execute on anything that can make money.
A nation-state is typically interested in IP theft – a factor behind many of China's cyberattacks. Also in the mix for a nation-state are attacks geared toward gaining political leverage over an adversary and striking critical infrastructure with malicious intent. However, trying to decipher a nation-state's true aim is difficult due to the ever-evolving political structure of the world on any given day.
What are the risks to businesses and which organizations are more likely to be targeted?
SpiderLabs: I know this is a common refrain in cybersecurity circles, but the statement is true. It's not if the attacker will get in; it's when.
When a nation-state targets businesses or organizations, it is usually just a matter of time before a breach takes place, unless the target has an excellent security team and has been practicing solid cyber defense. Unfortunately, a nation-state just has too many resources.
Because a successful attack is likely, the most important aspect of an organization's defensive posture should be how quickly it can locate the attackers and mitigate the attack's effects. If an organization's security isn't great, then the attacker will gain access to valuable data and then most likely lock down your systems and hold you for ransom to make additional money.
When it comes to which businesses are higher on an adversary's hit list, it varies. But take China, for example. Anything that China feels can give it an advantage in manufacturing is likely a target.
If your company has something a nation-state could benefit from by stealing or destroying, you could be a target. For example, suppose your organization has money, information in the form of PII, customer data, supply chain logistics information for high-value customers, or anything that could help piece a puzzle together for the attacker to better copy, steal, or destroy – a nation-state attacker will likely target your organization.
The other important angle for companies to remember is the threat vector does not always come through the Internet. There are insider threats and the physical aspect to maintaining security.
Such attacks often resemble corporate espionage – finding someone with gambling debts who is an engineer with access to data and paying that person $10,000 to exfiltrate data. Or a nation-state actor may just walk into a facility and take photos of a process or procedure, parts or machinery, etc. This type of attack is real and happens more often than people want to acknowledge.
How should your cybersecurity strategy reflect the current landscape?
SpiderLabs: The best strategy for defending against nation-state threats is to take a holistic approach to security, be prepared, and have a plan.
As we just discussed, organizations must realize that security doesn't simply stop at an external firewall or networks – it goes well beyond that to all aspects of security – including physical.
Organizations should conduct frequent security testing and employee awareness training, and perform Red Team exercises to ensure that any gaps in their security posture are found and filled. These exercises must be conducted consistently and not just on an annual or quarterly basis; they must be consistent.
What does the future hold?
SpiderLabs: The entire world of "hacking," whether white, grey, or black hat, always comes back to escalation and the old game of whack-a-mole. Until we come up with an evolving AI-like machine learning defense matrix that can constantly attack itself, find flaws, and fix them, it really is going to be more of the same.
Unfortunately, most companies don't truly practice holistic security or even have a good handle on what is needed and how to implement it.
Some companies look at security simply as a cost that doesn't show a return – similar to life insurance – when in reality it's much more like health insurance. When done properly, it is worth every penny. That is what the future should hold, because nation-state attacks and nation-state-sponsored attacks grow in number every day and are becoming more and more sophisticated.
What's the risk of a nation-state launching a major cyberattack similar to NotPetya?
SpiderLabs: There is a massive risk of a nation-state launching a major cyberattack similar to NotPetya. In fact, it's almost a guarantee. When a nation-state tool like NotPetya is released, it has officially "entered the wild."
Every criminal, cybersecurity researcher, "script kiddie," and wannabe hacker will try to get their hands on it and weaponize it for their use.
This situation is dangerous for many reasons.
The cyber warfare landscape differs from a real-life battlefield. In a shooting war, when an adversary comes out with a new weapon, it can take months or years of engineering, manufacturing, and delivery before you can copy and use that weapon. In the cyber world, adversaries can copy tactics and techniques to leverage the weapon on the same day. Nation-state attacks simply put new weapons in every criminal's hand every time they drop a new zero-day or exploit like NotPetya.
However, the risk of an attack with a specific tool created by a nation-state on your specific company isn't what you should be worried about. It's the fallout from that attack. It's what happens after that tool is weaponized. Every nation-state is now using it, every hacker collective, every state-sponsored group. They all now have that tool and will throw it at anyone with information or money.
Which nation poses the most significant risk?
SpiderLabs: Hands down, China is the most significant risk for IP and information theft.
Russia is typically more politically and financially driven, and many of its attacks are from financially motivated government-sponsored groups. Again, it's not about Russia targeting major organizations. Trying to understand the political and economic drivers behind a nation is near impossible, especially when those drivers are mixed with a sponsored group that is money-driven.
Pure capability, however, overwhelmingly resides with China, partially due to the massive state-sponsored groups it has relationships with and its foothold in manufacturing. Back doors galore have been found in Chinese-manufactured computer components. They often don't need to hack any organizations; we've already let them right in.
In the end, what poses the most significant threat is an organization's lack of real holistic security and of the basic understanding that every weapon released is another weapon others will use.