Three years ago, a survey conducted by Tripwire during Infosecurity Europe 2018 revealed that almost all of the study’s participants expected the incidence of nation-state cyberattacks to rise in the next 12 months. Many respondents forecast that nation-states would shift from targeting government entities towards private organizations and critical infrastructure instead.
Respondents also thought that government-sponsored criminals’ motives would evolve from simple espionage to causing direct harm. It’s now 2021, and, looking at media headlines, it is obvious that those predictions were correct. Between 2017 and 2020, the world has seen a 100 percent jump in nation-state cyberattacks, and many of these attacks targeted small and midsized businesses, not government agencies.
However, there’s something that the study’s participants got wrong: their level of preparedness for these types of cyberattacks. Back in 2018, more than two-thirds of respondents to the survey said they felt confident in their ability to defend against nation-state cyber threats.
Yet, the rising tide of successful government-sponsored attacks suggests otherwise. Earlier this year, for example, France accused Russia of attacking a number of French organizations, including the airliner manufacturer Airbus and the steel and mining company ArcelorMittal.
Germany similarly blamed Iranian hackers for targeting German companies. However, these are high-profile examples. As government-sponsored attackers do their best to hide their links to nation-states, the vast majority of such attacks are underreported.
Still, whether they’re tasked with stealing industrial or government secrets, disrupting critical infrastructure, launching disinformation campaigns, or something else entirely, one thing is certain: the scope and sophistication of threat actors working on behalf of governments are growing at an alarming rate. Until a cyber peace treaty is established (if it ever is), it is up to organizations to defend against them.
In an Economist Intelligence Unit study that looked at executives from the U.S., Asia-Pacific, and Europe, 80 percent of leaders said they worry about their organization being hit by a government-sponsored attack, a fear that has grown significantly over the last five years.
Rather than going exclusively after government agencies, nation-state-sponsored threat actors increasingly target European businesses to advance national interests.
After analyzing more than 200 cybersecurity incidents linked to nation-states since 2009, the University of Surrey study mentioned above concluded that regardless of their size or sector, businesses are the most common target for these kinds of attacks. Other targeted sectors are cyberdefense, media and communications, government bodies and regulators, and critical infrastructure. Accordingly, most businesses now see state-sponsored attacks as a significant threat.
Even organizations that don’t seem like likely targets for foreign adversaries could be affected. That is because not all organizations attacked may be direct targets — some are “stepping stones” for attacks or collateral damage.
Government-sponsored cybercriminals have no scruples when it comes to infecting thousands of businesses to reach one or two specific targets. Worryingly, in many cases, victims may not even know their systems have been infiltrated.
That is because nation-state attackers rarely make a lot of noise following a successful attack. Research suggests that most are intent on listening rather than stealing, which allows them to quietly remain in their victims’ networks for years or sometimes even decades in order to retain access to sensitive information.
Unlike hackers driven purely by profit, state-sponsored attackers’ motives can be many and varied. These could include things like manipulating elections, gaining negotiation leverage, and obtaining trade, military, or medical secrets as well as information about dissidents.
The COVID-19 pandemic also presented a new window for cyberattacks against supply chains. One such attack, which targeted companies in 14 countries, aimed to disrupt the COVID-19 vaccine supply chain last year and was so well-calibrated it was more than likely carried out by nation-state threat actors.
In fact, supply chains are a popular target among government-sponsored attackers. Since 2019, attacks on supply chains have increased by 78 percent, with the infamous SolarWinds attack affecting at least six EU agencies.
A new concept known as “hybridization” — where cybercriminals attack assets with both physical and digital components — has also emerged lately. Attacks on critical infrastructure, such as an energy plant, fall within this category.
Unfortunately, because they are typically carefully planned and often employ sophisticated, custom-made weapons, state-sponsored attacks are inherently more challenging to defend against. It doesn’t help that unlike profit-driven cybercriminals, who tend to go after targets that are the easiest to hack, nation-state actors often have unlimited patience and can go after tough targets repeatedly until they get in.
However, what makes protection even more difficult is that the way that nation-states execute their attacks is changing. Nation-states now buy tools and even services from financially motivated cybercriminals.
Roughly 10 percent to 15 percent of cyberweapons on the dark web are sold to “atypical” customers that appear to be stockpiling tools like zero-day exploits, a favorite among government-sponsored threat actors. Nation-states are also adopting approaches that were originally the territory of for-profit hackers, like DDoS and SQL injection attacks.
As a result, the lines between nation-states and cybercriminals have blurred. By leveraging the tools and skills of for-profit adversaries, foreign governments can not only save time and money on training and development but, perhaps more importantly, also hide behind financially motivated cybercriminals or even other states, shaking off blame entirely for devastating attacks and making the process of attribution nearly impossible. The direct result of this is that nation-states feel more confident in launching ever-bigger and more aggressive attacks.
The University of Surrey study predicts that we are now “closer to ‘advanced cyberconflict’ (ACC) than at any point since the inception of the internet.” With enterprises the main target for government-sponsored cybercriminals, no European organization can sit by idly hoping that increasingly sophisticated attacks will bypass them.
Rather, establishing a preventative strategy and putting up proactive defenses should be a priority for every business going forward. Patch management, zero-trust network access, and employee cybersecurity training are good places to start, but organizations should also employ defensive tools like Morphisec Guard, which integrates seamlessly with Windows Defender AV, to monitor and protect endpoints against zero-days, fileless attacks, and other evasive malware.