Any way you look at it, 2020 was a crazy year. From the coronavirus outbreak to the U.S. presidential elections, the year held many eccentricities. And prowling behind the many changes that overcame our lives were new trends of cyberattacks and security threats, often backed by nation-state actors.
In the tense political and economic climate, state-backed actors used every possible means to gain leverage over their rivals. And in the midst of the chaos, every individual and organization can become a victim or collateral damage in the context of bigger conflicts.
Here’s a glimpse of where we are and how organizations can protect themselves going forward.
The disaster of supply chain hacks
Late in 2020, network management software supplier SolarWinds became the beachhead of a massive supply chain attack. Hackers, allegedly state-backed, breached SolarWinds’s servers and planted malware into the software updates the company was sending out to its 17,000 clients, which included many government agencies, cybersecurity firms, telecommunication companies, and Fortune 500 businesses.
The foothold allowed the attackers to hack and steal pertinent information from many of these targets. While the natural target for a nation-state actor would be government agencies, this attack reminded us once again that government-backed hackers are very much interested in stealing information from commercial entities as well. According to a Microsoft report, 44% of the targets included software firms, IT services, and equipment providers; and 18% were financial institutions, health organizations, telecommunication companies, and national security-related firms.
According to Microsoft, the SolarWinds attack was not an instance of “‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
Microsoft also warned that while this particular attack appears to focus on the United States and many other democracies, it also provides a powerful reminder that “people in virtually every country are at risk and need protection irrespective of the governments they live under.”
In fact, this is not the first massively disastrous supply chain attack. In 2017, MeDoc, a Ukrainian supplier of accounting software, became the vessel of another state-sponsored supply chain attack, this one attributed to Russia, which spread the destructive Petya ransomware to hundreds of thousands of computers from more than a thousand organizations in dozens of countries.
The security pandemic
Topping the list of eccentricities in 2020 was the COVID-19 pandemic, which changed our lives in many ways. But while the virus outbreak brought the physical world into a quasi-halt and shut down many sectors, the digital economy saw a huge boost. From remote working to online streaming, e-commerce, and Zoom conferences, our physical activities were replaced by their online counterparts. And every new change trailed its own set of security challenges and new grounds for state-backed hackers to compete.
In October, at the beginning of the new academic year, an alleged Iranian hacking group targeted several universities in Europe and the U.S. with a massive phishing campaign. Given that many universities were running virtual training programs due to COVID-19 protocols and were more reliant on digital communications than on in-person meetings and classes, the hackers had a greater incentive and fewer barriers to target them.
Similar cases occurred throughout the year, with state-backed hackers taking advantage of the widespread shift to remote work on insecure home IT infrastructure to steal sensitive employee and corporate information.
Interestingly, data on COVID-19 vaccine research also became an area of fierce competition between nation-states. In this case, the victims were pharmaceutical companies and research labs carrying out research on the vaccine. Among the targets was Pfizer, whose vaccine data were leaked online after hackers broke into the systems of the European Medicines Agency (EMA), an agency responsible for evaluating, monitoring and supervising new medicines introduced to the EU.
Research from Microsoft showed that at least three nation-state actors were involved in cyberattacks against seven prominent companies involved in COVID-19 vaccine research. The main methods of attack included “password spray and brute force login attempts to steal login credentials,” and “spear-phishing lures for credential theft.” The attackers posed as recruiters, health professionals, and WHO officials.
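The two techniques Microsoft names, password spraying and brute-force login attempts, leave different fingerprints in authentication logs, and telling them apart is a routine detection task. The following is an added example, not code from the original article or from Microsoft: it parses a small, constructed authentication log (the line format, usernames and IP addresses are all made up for this example) and classifies each source address by whether its failures fan out across many accounts with few tries each (a spray) or concentrate on one account with many tries (brute force), then lists any account that logged in successfully from a flagged source. The thresholds are assumptions and should be tuned to a real identity provider's baseline.

```python
"""Distinguish password-spray from brute-force login activity in auth logs.

Added example, not from the original article. The log format below is
constructed for illustration; adapt LINE_RE to your identity provider's
real log format.
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp, result, username, source IP.
# 203.0.113.7 tries one or two passwords against many accounts (spray)
# and eventually gets into 'frank'; 198.51.100.20 hammers 'grace' (brute
# force); 192.0.2.5 is an ordinary successful login.
SAMPLE_LOG = """\
2020-11-09T08:00:01Z FAIL user=alice src=203.0.113.7
2020-11-09T08:00:02Z FAIL user=bob src=203.0.113.7
2020-11-09T08:00:03Z FAIL user=carol src=203.0.113.7
2020-11-09T08:00:04Z FAIL user=dave src=203.0.113.7
2020-11-09T08:00:05Z FAIL user=erin src=203.0.113.7
2020-11-09T08:00:06Z FAIL user=alice src=203.0.113.7
2020-11-09T08:00:07Z OK   user=frank src=203.0.113.7
2020-11-09T08:01:00Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:01Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:02Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:03Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:04Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:05Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:06Z FAIL user=grace src=198.51.100.20
2020-11-09T08:01:07Z FAIL user=grace src=198.51.100.20
2020-11-09T08:02:00Z OK   user=heidi src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=6):
    """Label each source IP as 'password_spray' or 'brute_force' from its failure pattern.

    Thresholds are assumptions for this example. A spray is many distinct
    accounts with at most a couple of failures each; brute force is one
    account with many failures. Sources matching neither are not returned.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1

    findings = {}
    for src, per_user in fails.items():
        distinct_users = len(per_user)
        worst_single_user = max(per_user.values())
        if distinct_users >= spray_min_users and worst_single_user <= spray_max_per_user:
            findings[src] = "password_spray"
        elif worst_single_user >= brute_min_attempts:
            findings[src] = "brute_force"
    return findings


def compromised_candidates(events, findings):
    """Accounts that logged in successfully from a source already flagged as hostile."""
    return sorted({e["user"] for e in events if e["result"] == "OK" and e["src"] in findings})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = classify_sources(evs)
    for src, label in found.items():
        print(f"{src}: {label}")
    print("review these accounts first:", compromised_candidates(evs, found))
```

The success-after-failure check is the part worth keeping even if the thresholds change: a spray that lands one valid credential looks, on its own, like a single normal login, and only the preceding fan-out from the same source gives it away.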
The bigger picture
Throughout 2020, state-sponsored hackers used off-the-shelf tooling and open-source penetration testing tools at an unprecedented scale to carry out cyberattacks and hide their tracks, according to Accenture.
Other security experts have warned of the rise of “private sector offensive actors” (PSOA), which are commercializing cyber threats and, like mercenaries, are renting their capabilities to, among others, governments. One such company, the NSO Group, has reportedly been involved in more than 100 abuse cases. The growing market for PSOAs, estimated to have become a $12 billion economy, has provided governments with an attractive option to buy tools and talent when they can’t build them in-house.
And the Center for Strategic and International Studies has compiled a report of dozens of state-backed cyberattacks that have gone under the radar in 2020 while the high-profile attacks have been grabbing the headlines. The victims run the gamut of private and public, small and large organizations.
The key takeaway is that every organization, person, and device can get caught up in the cyber-crossfire between nation-states. It is more pertinent than ever that every enterprise adopts key measures that will enable it to protect itself against the constantly changing landscape of cyberwarfare.
Some key protective measures
Given the key bottlenecks that have recently resulted in organizations falling victim to state-sponsored cyberattacks, here are three things that enterprises can do to dramatically improve their security:
Zero-trust security: In today’s world, where the lines between cloud and on-premise assets are fast blurring, it is harder than ever to determine what is inside or outside an enterprise’s network. Many organizations that previously relied on perimeter defense have allowed threat actors to slip through their defenses when they moved to cloud or hybrid models because they didn’t understand the security dynamics of the new architecture. With zero-trust security policies, no trust is granted to any actor or device whether inside or outside their network perimeter, and all permissions must be granted at each stage based on identity verification and access management. Zero-trust policies ensure that company assets are secure regardless of network architecture.
Network segmentation: With so many devices and users running on enterprise networks, keeping track of everything and spotting malicious activity can become very difficult. Malicious actors often cover their tracks by blending their activity into the masses of traffic that already exists. Segmentation divides a network into smaller parts. It can improve network performance, but it is also a good practice for improving security. By controlling which parts of an enterprise network have access to others, you can prevent security incidents in one section from spilling into others. It will also give you better visibility into the activity that takes place within the network and will help you in finding and rooting out malicious behavior.
Passwordless authentication: If there’s one thing that most security incidents share, it’s credentials. From phishing to keylogging to password spraying and other types of attacks, attackers are constantly looking for ways to bypass authentication. When the only thing protecting a corporate account is a password, it’s only a matter of time before a brute-force attack breaks through the portcullis or a careless employee gives away the key to the castle. Passwordless authentication technologies secure accounts by removing passwords, the one thing that makes them insecure. With passwordless technology becoming easier to use, easier to implement, and more affordable, there’s no reason for enterprises to stick to old, insecure methods.
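The three measures above converge on one access decision: each request is evaluated on verified identity, device state and segment policy, and being inside the network perimeter earns nothing. The following is an added example, not code from the original article or from any particular product; the user names, device inventory, segment names and the allowlist are constructed for illustration, and the authentication-method labels are assumptions standing in for whatever a real identity provider reports.

```python
"""Per-request access decision combining zero trust, segmentation and strong authentication.

Added example, not from the original article. Devices, segments, users and
the policy table below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed segment allowlist: (source segment, destination segment) pairs
# that are permitted to talk. Anything not listed is denied, so a foothold in
# 'workstations' cannot reach 'db' directly.
SEGMENT_POLICY = {
    ("workstations", "web-apps"),
    ("web-apps", "db"),
}

# Constructed device inventory: True means managed and passing its posture
# check. Unknown devices are treated as untrusted.
TRUSTED_DEVICES = {
    "laptop-042": True,
    "laptop-077": False,  # managed but posture check failed
}

# Assumed labels for how the identity provider authenticated the user.
# Password-only never counts as a verified identity here.
STRONG_AUTH = {"password+totp", "fido2"}


@dataclass
class Request:
    user: str
    auth_method: str          # e.g. "password", "password+totp", "fido2"
    device_id: str
    src_segment: str
    dst_segment: str
    on_corporate_network: bool  # recorded for logging only; never grants trust


def decide(req):
    """Return (allowed, reason). Default deny; every gate must pass."""
    if req.auth_method not in STRONG_AUTH:
        return False, f"{req.user}: identity not verified with multi-factor or passwordless method"
    if not TRUSTED_DEVICES.get(req.device_id, False):
        return False, f"{req.device_id}: device unknown or failed posture check"
    if (req.src_segment, req.dst_segment) not in SEGMENT_POLICY:
        return False, f"segment {req.src_segment} may not reach {req.dst_segment}"
    # Note that req.on_corporate_network was never consulted: location is not a credential.
    return True, f"{req.user}: identity, device and segment policy satisfied"


if __name__ == "__main__":
    samples = [
        Request("alice", "password", "laptop-042", "workstations", "web-apps", True),
        Request("bob", "fido2", "laptop-042", "workstations", "web-apps", False),
        Request("carol", "fido2", "laptop-042", "workstations", "db", True),
        Request("dave", "password+totp", "laptop-077", "web-apps", "db", True),
    ]
    for r in samples:
        ok, why = decide(r)
        print("ALLOW" if ok else "DENY ", why)
```

The first sample is the case the article warns about: a request from inside the corporate network with a correct password and a healthy device is still refused, because a password alone does not verify identity, while the second sample, coming from outside on a passwordless login, is allowed. The third shows segmentation doing its job independently of identity.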