Gone are the days where nation-state-grade cyberattacks were the exclusive activity of state actors against state targets. Today, the situation has shifted. Nation-state-grade cyberattacks are still dominated by state actors, but increasingly, non-state attackers purchasing nation-state-grade cyberattack tools on the Darknet, are also leading cyberattacks against private enterprises and even targeting private citizens.
Over the last year, we’ve seen nation-state attacks from Russia, China, and Iran that may be laying the groundwork for future exploitations. The Microsoft Exchange Server, which impacted over 30,000 global organizations, has companies combing through their networks looking for anything that might provide a backdoor into their system that can be exploited.
Over the last year JBS meatpacking company, a commercial business, found itself shut down by Russian ransomware and paid a reported $11 million to get its system back. Enterprises that once considered themselves to be safe from nation-state grade attacks are now finding themselves in the crosshairs of government and private attackers.
We’ve reached a point where every enterprise needs to consider itself a target and implement robust cybersecurity protection. Otherwise, they are exposed to a dangerous and growing band of threat actors who put business continuity at risk.
Nation-state-grade cyberattacks over the last two decades
Major nation-state-grade cyberattacks of the 21st century
Though most states today are guilty of using cyber tools to spy on other states, we will focus on the biggest offenders, China, Russia, and Iran, and look at how the nature of their cyberattacks is evolving.
One of the first recorded uses of a cyber offensive targeting both public opinion and civil infrastructure leading to state-wide disruption was the spring 2007 Estonia attack. Triggered by the removal of a Soviet-era war memorial monument, that attack consisted of a combination of offensives between April 27 and May 18, 2007. It crippled Estonian banks, media outlets, and government bodies through massive waves of spam and automated online requests that swamped servers and crashed services.
The nature of the attack, which relied on an extensive network of participants globally located, made it impossible to pin the attack on the Russian government, nonetheless, it is widely assumed they were behind that attack.
From attacks that have been directly identified as nation-state-sponsored cyber attacks, we can see an evolution in both motivation and sophistication over the last two decades.
|2007||Disruption||A wave of attacks on Estonian banks, media outlets and government bodies||Russia|
|2008||Disruption||Russia/South Ossetian, Georgia, and Azeri websites attacked during Russia/Georgia war||Russia|
|2008||Information gathering||China accessed internal data from both the McCain and Obama campaigns in the lead-up to the 2008 elections||China|
|2008||Information gathering||Turla worm penetrates US Military assets||Russia|
|2009||Theft||Hackers broke into the Pentagon’s Joint Strike Fighter project||China|
|2009||Disruption||Hackers shut down the services of Twitter and Facebook in Georgia to commemorate the 1st anniversary of the Russian Invasion.||Russia|
|2010||Information Gathering and theft||Operation Aurora targeting dozens of critical infrastructure||China|
|2009-2011||Information gathering||‘Night Dragon’ attacks, designed to extract sensitive data||China|
|2014||Disruption||Attack against Israel’s Internet infrastructure>||Iran|
|2014||Disruption||Attack against Sands Casino||Iran|
|2014-2017||Information gathering||Discovered in 2021, enabled spying on companies including Lockheed-Martin||China|
|2015||Disabling infrastructure||Massive power outage for 12 hours in Turkey||Iran|
|2016||Election interference||“Fancy Bear” interfering in Trump’s elections, aiming to boost his candidacy and interfere with the results||Russia|
|2015||Disabling infrastructure||Hackers took control of a Ukrainian power station, locking controllers out of their own systems and shutting down power to more than 235,000 homes.||Russia|
|2016||Election Interference||Attempt to interfere with the German election||Russia|
|2017||Information gathering/Theft||Equifax – theft of up to 147 million American citizen’s PI – presumed to hold economic value in developing AI tools||China|
|2020||Information gathering/Theft||EasyJet – PI of 9 Million EasyJet customers||China|
|2017||Nuclear deal interference||Attack on British parliament compromised email accounts of 90 MPs||Iran|
|2020-2021||Disruption||Multiple attacks against prominent Israeli targets||Iran|
|2021||Political discord||5-million attacks on Taiwan per day||China|
|2021||Information gathering/theft||Microsoft exchange servers attack that affected at least 30,000 global organizations and potentially added a Chinese back door to all infected systems||China|
|2021||Information gathering/theft||Multiple attacks against Indian airlines which is suspected of spreading to other airlines||China|
|2021||Election interference||Attacks targeted German politicians in lead up to election||Russia|
|2021||Disruption||US-based beef, pork and poultry plants were shut down||Russia|
|2022||Political discord||Ukraine government websites attacks||Russia|
|And the list goes on.|
The growing range of motivations behind nation-state-sponsored cyber attacks has serious implications both for states and private enterprises. Nation-state-sponsored cyber attacks have moved from purely spying, to actual theft of database or IP to gain economic advantages. As they are increasingly readying themselves to evolve from spying to interfering and disrupting and, ultimately, to destroying, the range of potential targets now covers every walk of life.
Today, with Russian troops poised to strike Ukrainian targets, experts predict a large increase in cyber attacks. Any enterprise within a country that sells weapons to Ukraine or steps in to defend that country from attack will likely find itself fending off volleys of attacks on its network.
Governments are now investing in cyber espionage and civilian cyber defense
Another worrying aspect of the cyber-espionage and cyber-offensive trends is the parallel growth of state-funded in-house cyberspying and cyber-penetration tooling improvement and the emergence of private sector offensive actors (PSOAs), modern-day mercenaries selling their offensive cyber knowledge and skills to the highest bidders, including governments.
This resulted in initiatives such as the US Homeland Security “State and Local Security Improvement Act” that frees a federal budget of $500 million dedicated exclusively to securing State and local government networks.
What are the goals of the rising numbers of nation-state grade attacks?
The motivations behind nation-state-grade cyber attacks have evolved from simply spying, focusing on gaining military and diplomatic advantage to covert infiltration maneuvers. Their goals range from information gathering, IP theft to gain economic advantage, manipulation of media and social media to influence political landscape – or even generate civil unrest, laying malware capable of disrupting or disabling civilian infrastructures such as water or energy supplies. And the list goes on.
The rising availability of nation-state grade tools
At the beginning of the 21st century, nation-state-grade cyberattack tools were owned and operated exclusively by states. Over the last decade, those tools have become increasingly available on the Darknet for worryingly affordable prices.
This trend received a major boost in 2016/2017 with the leak of classified NSA and CIA hacking tools. These leaked tools include offensive and spy tools such as:
- UNITEDDRAKE – an NSA mass-surveillance and espionage tool –
- HIVE – a CIA malware designed to untraceabley send exfiltrated information to CIA servers and receive new instructions from CIA operators
- Weeping Angel – targeting IoT devices such as smart TV for spying purposes, and
- UMBRAGE – used to run false flag operations
In the aftermath of those leaks, downloadable tutorial videos on how to use those leaked tools were posted even on such readily available platforms like YouTube (which led to the subsequent termination of the associated YouTube accounts but only after a few thousand views and downloads.)
Armed with access to such advanced nation-state grade tools, non-state attackers’ offensive capabilities often rival state attacks, turning any private enterprise into a potential target for a nation-state level cyberattack.
Tools that can relatively easily and inexpensively be obtained on the Darknet, are now available to cyber criminals, enabling them to launch nation-state-grade attacks; this turns any organization into a potential target.
Protecting virtual assets, as well as connected physical assets, now requires a combination of strategies. Maintaining a high level of cyber hygiene, as outdated systems are most vulnerable is the first step. It is also necessary to analyze the risk based on attackers’ potential motivations while considering the increased availability of nation-state-grade offensive tools. Security teams have much to do if they plan to mitigate such attacks.
Get in touch with one of our experts for a consultation on cyber defense planning.