In light of recent geopolitical events, there is heightened concern of espionage, nation state attacks and hacktivism. In 2019, there was a 42% increase in cyberattacks attributed to foreign governments. Cyberattacks tied to cyberwar, or geopolitical conflict, increased from 19% in 2018 to 27% in 2019. Companies in North America reported even higher nation-state attribution, at 36%.
These are not new concerns, but today attacks have increased in prevalence and sophistication and as a result, have become major threats for organizations today. What is the difference between each of these threats and how can businesses protect against them?
What is Cyberespionage?
Cyberespionage is the act of stealing sensitive data or intellectual property (IP) for competitive advantage or economic benefit. The key to cyberespionage is being covert and undetectable allowing cybercriminals to maintain a foothold in a target’s network for long durations. Often hackers stealthily enter networks and remain undetected for years. World governments operate cyberespionage teams to both protect their national interests and collect IP for their domestic industries. They hack public-sector databases and leak information from government agencies. The IP Commission estimates that counterfeit goods, pirated software and stolen trade secrets cost the U.S. economy $600 billion annually.
An example of a cyberespionage group is APT28, also known as Fancy Bear. This Russian military intelligence nation-state group is known to have been in operation since 2008 and is notorious for different exploits and spear-phishing attacks to deploy customized malware. Once inside a network, the malware compromises, disrupts and influences political agendas around the world. The group targets government elections, the media, sporting events and global companies.
What is Cyberwarfare?
When one nation-state penetrates another nation’s networks for the purposes of causing damage or disruption, this is cyberwarfare. Nation-state cyberwarfare hackers target government agencies, critical infrastructure and industries known to contain sensitive data or property. Hackers look for any data that will benefit their country’s economy and strengthen both key business and military strategies. These attacks can shut down critical national infrastructures like energy, transportation, military contractors and government operations.
Typically, attackers use sophisticated techniques that interrupt business operations, leak confidential information and generate massive data and revenue loss. State-sponsored groups often create and leverage custom attack vectors by incorporating previously undiscovered software vulnerabilities, called zero-day attacks. These zero-day attacks are not volumetric or detectable. Typically, zero day attacks are extremely complex, multi-vector and often encrypted. Security experts have “zero days” to react and must address instantly. These advanced attacks are often referred to as advanced persistent threats (APTs). Nation-state attackers also rely heavily on spear-phishing attacks to compromise a specific user and capture credentials. Once a user is compromised, attackers look to escalate privileges and deploy malware designed to compromise more users on the network and exfiltrate data.
An example of cyberwarfare organization is APT1 which is associated with the Chinese People’s Liberation Army. This government-backed group focuses on stealing trade secrets and confidential information from corporations across every vertical, with emphasis on manufacturing, engineering and electronics. They accomplish this with spear-phishing attacks, malware and password dumping to gain future access and exfiltrate targeted data. In fact, the US Department of Justice indicted 5 alleged members of APT1, for attempted hacking of intellectual property secrets in the nuclear, solar and metal industries in the US.
What is Hacktivism?
Hacktivism activities have increased in recent months, expressing social and political agendas via cyber-protests.
Hacktivists use technology to promote a political agenda or a social change. Unlike espionage, which is performed covertly, hacktivists want to be seen. Hacktivists use the same techniques as other hackers, yet when they disrupt services, their goal is to make everyone aware of their cause.
Hacktivist tactics include website defacements to change the visual appearance of a website. Similar to graffiti, hackers change the website’s “wall” to protest and reflect the hacktivist’s message. Hacktivists also use DDoS to make a website or network unavailable to its intended users by disrupting services to the Internet. Sometimes called a virtual sit-in, the goal is draw to attention to a certain geo-political agenda.
Anonymous, LulzSec, Lizard Squad, Syrian Electronic Army and Chaos Computer Club are examples of hacktivists. These groups have intimidated corporations, government agencies and other institutions by knocking these entities' websites offline for a period of time.
How to protect your organization?
This a very tense time for the cybersecurity industry. With the recent ramp-up of cyberespionage, cyberwarfare and hacktivism, how can organizations head off digital conflict and protect themselves?
Cyberattacks are not going away, this is not news. However, what is new is the rising threat of state sponsored cyberattacks on enterprises. Today 20+ countries are aggressively building cyberattack organizations with the most sophisticated attack technology. Advances in artificial intelligence and high-speed networks like 5G are providing new gateways for cybercriminals to attack the geopolitical landscape. Enterprises don’t have the talent or expertise to fight government agents. It is neither advisable or practical for every Fortune 1000 business to try to match the security defense capabilities of nationally funded cyberattacks. Enterprises cannot spend enough money individually to have the state of the art automated defenses or hire enough security engineers to fight cyberattacks in real time.
However, from a strategic perspective, organizations need to be vigilant and prepared. They can start by:
- Subscribe to intelligence feeds that identify the latest tools and attack vectors
- Hire a managed security vendor and/or security expertise to help support you
- Keep up to date on security trends, subscribe to intelligence feeds, identify the latest tools and attack vectors
All organizations need to improve their cybersecurity and harden their networks when it comes to critical infrastructure. However, we can’t expect any security technology and best practices to prevent all future cyberattacks. Therefore, a big focus needs to be on mitigating attacks when they occur and building robust systems with backups that can be recovered quickly from serious cyberattacks.
From a tactical standpoint, organizations can:
- Make sure your portal software, as well the rest of the software on your organization is up to date and well patched
- Obtain proper DDoS protection against attacks which does not rely on static signatures but can diagnose and put in place real time mitigation of new never seen before zero day attacks.
- Obtain a proper Web-Application-Firewall protection, to prevent application level attacks on your website and other public services. Make sure your solution offers not only a negative security model, which statically disallows certain traffic, and a positive security model which can determine what is good safe traffic which can be allowed securely.
- Ensure you have automation/machine learning built into your security solution that can analyze normal traffic within an enterprise and very accurately determine anomalous traffic which should be challenged or blocked.
- Coordinate with law enforcement if you suspect you are facing a state sponsored attack. Organizations that should be on high alert include those in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Keep abreast of government warnings, current security issues, vulnerabilities, and exploits through alert systems such as the National Cyber Awareness System.
Today personal and professional lives have blended together due to IoT devices such as smartphones, tablets, virtual assistants, etc. Bring Your Own Device (BYOD) to work has expanded the enterprise attack surface. It’s common for BYODs to integrate to Dropbox, Slack, Salesforce and Workday, Slack, Salesforce and others.
Organizations need to train their employees and offer best practices such as:
- Educating staff on phishing scams, DDoS attacks, etc. Leverage training and safety tips from nonprofits such as the National Cyber Security Alliance that provide valuable resources on How to Stay Safe Online.
- Not opening any attachments without confirming the attachment came from a trusted source. The U.S. Department of Homeland Security has some good security tips on opening up email attachments.
- Using best practices for password protection such as two-factor authentications so that security is maximized.
- Keep all software updated. Turn on auto-updates on your phone and laptops – don't wait to apply them. Educate your employees on the value of frequently updating software and have your IT organization build a communication program to remind employees.
- Do not conduct any non-work-related activity while connected to the network – fantasy football, signing your kid up for soccer, etc. Start by educating employees and if necessary implement a next gen firewall for the to block non-work-related sites.
It is up to every individual in all organizations to take ownership of their cybersecurity hygiene to make sure the company is not exploited. Nation state attacks will continue to escalate. The best way for organizations to protect themselves is through education, awareness and through the adoption of best security practices and technology. Nation state hackers are looking for the easiest way in, let’s make it difficult for them to find the door.