Gone are the days when nation-state-grade cyberattacks were the exclusive activity of state actors against state targets. Today, the situation has shifted. State actors still dominate nation-state-grade cyberattacks, but increasingly, non-state attackers purchasing nation-state-grade cyberattack tools on the Darknet, are also leading cyberattacks against private enterprises and even targeting private citizens.
The trend for attacks by aggressive nation-states, notably Iran, China, and Russia, disturbingly jumped from 20% to 40% in 2022, according to the annual Microsoft Digital Defense Report (MDDR) released this November. This jump is primarily due to the Russian-Ukraine War of 2022, as Russia launched multiple nation-state-grade cyberattacks on Ukraine’s critical infrastructures and its allies, like the USA. At the start of the invasion, Russian hackers shut down around 70 Ukrainian government websites and directed users instead to alarming messages to prepare for the worst. Ukraine is continually improving its cyber security as the risk of exposure to critical cyberattacks remains high as the war continues.
Enterprises consider themselves safe from nation-state-grade attacks, but as we’re seeing, they are now in the crosshairs of government and private attackers. JBS, a meatpacking company, fell victim to Russian ransomware. The company had to shut down and paid a reported $11 million to get all its data back. Today, all enterprise companies should consider themselves a target to nation-state-grade attackers and take steps to implement robust security protection – or stay at risk to the growing band of threat actors who put business continuity at risk.
Nation-state-grade cyberattacks over the last two decades
The nature of cyberattacks is evolving. While every state uses cyber tools to spy on other states, the most dominant offenders, China, Russia, Iran, and North Korea, especially since demonstrating their most aggressive missile testing, have been the most drastic to date. Here’s a brief overview of their notable cyberattacks.
One of the first recorded uses of a cyber offensive was the spring 2007 Cyber Attacks against Estonia. Amid a dispute between Russia and Estonia regarding the relocation of a Soviet-era war monument, a raid of cyberattacks against Estonian websites erupted. Hackers sent a massive wave of spam and automated requests to the servers of Estonian banks, media outlets, and government institutions, crashing them and crippling the Estonian economy.
The nature of the attack relied on an extensive network of participants worldwide and made it impossible to pin the attack on the Russian government. Nonetheless, we widely attributed it to Russia. Since the early attacks, nation-state-sponsored cyber offenses have evolved in motivation and sophistication over the last two decades.
| Month, Year | Motivation | Description | Attributed to |
| April 2007 | Disruption | A wave of attacks on Estonian banks, media outlets, and government bodies | Russia |
| August 2008 | Disruption | A wave of attacks on South Ossetian, Georgia, and Azeri websites during the Russo-Georgian War | Russia |
| June – August 2008 | Information gathering | Internal data exposure from the McCain and Obama campaigns in the lead-up to the 2008 elections | China |
| Several months in 2008 | Information gathering | Turla threat group penetrates US Military assets | Russia |
| April 2009 | Theft | Hackers stole data on the Pentagon’s Joint Strike Fighter project | China |
| August 2009 | Disruption | Hackers shut down the services of Twitter and Facebook in Georgia to commemorate the 1st anniversary of the Russian Invasion. | Russia |
| 2009 – 2010 | Information Gathering and theft | Operation Aurora targeted dozens of critical infrastructures of international organizations | China |
| 2009 – 2011 | Information gathering | ‘Night Dragon’ attacks, designed to extract sensitive data of at least 71 organizations, including the UN and International Olympic Committee | China |
| August 2014 | Disruption | Attack against Israel’s Internet infrastructure during the Israel – Gaza operation | Iran |
| February 2014 | Disruption | Attack against Sands Casino and billionaire casino magnate, Sheldon Adelson | Iran |
| 2014-2017 | Information gathering | Ongoing cyberattacks and spying on multiple organizations including, Lockheed-Martin | China |
| April 2015 | Disabling infrastructure | Massive power outage for 12 hours in Turkey | Iran |
| March 2016 | Election interference | “Fancy Bear” threat group interfered in 2016 USA presidential election, aiming to boost Trump’s candidacy and interfere with the results | Russia |
| December 2015 | Disabling infrastructure | Hackers took control of a Ukrainian power station, locking controllers out of their own systems and shutting down power to more than 235,000 homes. | Russia |
| Several months in 2016 | Election Interference | Attempt to interfere with the German election | Russia |
| September 2017 | Information gathering/Theft | Hackers breached data of Equifax – compromising 148 million Americans personal information
|
China |
| June 2017 | Nuclear deal interference | Attack on British parliament compromising the email accounts of 90 parliament members | Iran |
| May 2020 | Information gathering/Theft | Attack on EasyJet – compromising the personal information of 9 million customers | China |
| March 2020 | Information gathering/Theft | Hackers targeted SolarWinds by deploying malicious code into a software update used by thousands of organizations, including government agencies worldwide | Russia |
| 2020 – 2021 | Disruption | Multiple attacks against prominent Israeli targets | Iran |
| 2019 – 2021 | Political discord | 5-million attacks on Taiwan per day | China |
| January 2021 | Information gathering/theft | Attack on Microsoft Exchange servers that affected at least 30,000 global organizations and potentially added a back door to all infected systems | China |
| May-June 2021 | Information gathering/theft | Multiple attacks against Indian airlines and suspicion of spreading to other airlines | China |
| Several months in 2021 | Election interference | Attacks targeted German politicians in the lead uplead-up to the election | Russia |
| May 2021 | Disruption | US-based beef, pork, and poultry plants were shut down by ransomware | Russia |
| May 2021 | Information gathering/theft | Colonial Pipeline ransomware attack | Russia |
| January 2022 | Political discord | A wave of attacks on Ukraine government websites | Russia |
| April 2022 | Political Discord | Hacking cartel carried out wave of cyber-attacks on the Ministry of Finance of Costa Rica,
crippling tax collection and export systems |
Russia |
| June 2022 | Information gathering/Theft | $100 million crypto theft from a cryptocurrency exchange platform | North Korea |
| July 2022 | Political Discord | A wave of attacks on Albanian government websites | Iran |
| July 2022 | Information gathering/Theft | Ransomware attacks on healthcare facilities in Kansas and Colorado | North Korea |
| August 2022 | Information gathering/theft | Series of attacks against Taiwanese websites and media | China |
What are the goals of the rising numbers of nation-state grade attacks?
Nation-state-sponsored cyber-attacks have moved from spying on target states to targeting infrastructures like water and energy supplies, IP theft, and data breaches to gain economic advantages. Cryptocurrency, confidently secured on the blockchain, was successfully stolen in a major cyber-attack attributed to North Korea. To bypass western sanctions, North Korea has been trying to hack the blockchain currency and made away with $100 million from a popular exchange platform during the first nine months of 2022.
Media manipulation to influence a target state’s political landscape is another leading motivational trend in cyber-attacks. China, whose attacks are mostly for stealing IP and technology, deployed malware on Taiwanese media, government, and company websites after the USA’s Speaker of the House, Nancy Pelosi, visited Taiwan in early August 2022. Ultimately, motivation can evolve into threats of destruction of an entity, and the range of potential targets continues to grow.
Governments are now investing in cyber espionage and civilian cyber defense
What’s most concerning is that state-funded in-house cyber spying and cyber-penetration are increasing with the emergence of private sector offensive actors (PSOAs), skilled individuals selling their offensive cyber knowledge to the highest bidders, including governments.
This has led to several government initiatives to protect its networks, such as the US Homeland Security “State and Local Security Improvement Act,” which directly gives $500 million to protect State and local government networks.
The rising availability of nation-state-grade tools
Over the last decade, Nation-state-grade cyberattack tools have become increasingly available on the Darknet and, as of late, at affordable prices. Sales received a significant boost in 2016/2017 when classified NSA and CIA hacking tools leaked to the web, which included:
- UNITEDDRAKE – an NSA mass-surveillance and espionage tool
- HIVE – a CIA malware designed to send untraceable exfiltrated information to CIA servers and receive new instructions from CIA operators
- Weeping Angel – targeting IoT devices such as smart TV for spying purposes, and
- UMBRAGE – used to run false flag operations
Soon after the leaks, social media followed, and tutorials on how to use the classified tools were even on YouTube (even though YouTube terminated these accounts swiftly but only after a few thousand views and downloads).
With affordable access to advanced nation-state-grade tools, non-state attackers and cybercriminals are now in competition with state attackers. Any private enterprise can be a potential target for a nation-state-level cyberattack.
What should we do about these threats?
An effective approach to defending against advanced threats involves combining simulated attacks, such as penetration tests and red team/blue team exercises, with organizational defenses. This allows governments and businesses to respond to nation-state level threats in real-time without disrupting productivity. The approach takes into account an organization’s specific vulnerabilities and attack surface, as well as its business needs, to determine the impact of each risk on operations and potential financial losses. This information is used to calculate a risk tolerance score. When the risk tolerance threshold is reached, the organization must take decisive action to address the unsustainable risks.
To effectively defend against cyber threats, it is essential for organizations to have a clear and prioritized cybersecurity plan. This means identifying and addressing the vulnerabilities that pose the most immediate risk to business operations first, while also addressing less pressing issues in a timely manner. By following a structured and prioritized approach to cybersecurity, organizations can better protect themselves against a range of threats.
Get in touch with one of our experts for a consultation on cyber defense planning.
