Anatomy of a nation-state grade attack
The 2020 Solar Winds attack, believed to have been launched by Russia’s Cozy Bear (AKA APT29), a Russian hacker group reputedly associated with Russian agencies such as FSB and/or SVR, was a nation-state grade attack. It stealthily “trojanized” an update of SolarWinds’ Orion, an infrastructure monitoring and management software platform with wide adoption across the world.
The first stage of the attack consisted of learning and analyzing SolarWinds’ Orion’s code structure and terminology. That information was then used to target the heart of Orion’s Continuous Integration (CI) and Continuous Delivery (CD) pipeline, and the attackers managed to insert and hide a backdoor without triggering any alerts. Such a surgically precise attack is enormously complex, and its success enabled the second stage of the attack, namely targeting SolarWinds customers.
Using privileged access acquired by piggybacking Orion, the attackers started infiltrating high-value targets. This included US and other nations’ government agencies and hundreds of private enterprises, including technology companies that could be used as a starting point to launch even more attacks.
The attack remained hidden for almost a year, a known characteristic of nation-state intelligence-gathering attacks that is leveraged to disrupt entire nations’ or regions’ economies.
The new digital war zone
The digital landscape has become a virtual “war zone” where cyber-criminals and nation-states are intensifying their activities. Three main axes have increased risk factors for cybersecurity:
- The rapid shift to remote working and thereby the exponential widening of the cyber-attack surface.
- The increased availability of nation-state grade attack tools on the darknet.
- The rise in nation-state and nation-state grade attacks, their increased sophistication, and the diversification of their goals and strategies.
It is important to understand the difference between cyber-criminal and nation-state or nation-state grade attacks. There are two main categories to consider – tooling and motivation, the latter being the differentiator.
Tooling: Nation-state-grade attack tools that were once the property of governments are now easily available for purchase on the darknet, increasing the use of sophisticated attack vectors against all types of organizations, including privately owned enterprises, and are used regardless of motivation.
Motivation: Cybercriminals are often financially motivated and their strategy is typically to extract valuable data to use directly (i.e. identity theft), to resell, or to extort funds from the attacked organizations via ransomware. In contrast, Nation-State attackers’ motivations are far more varied, ranging from surveillance, intelligence gathering, intrusion and takeover, degradation, extraction and destruction.
The goals of nation-state cyber-attacks
At times, the above-mentioned motivations come together symbiotically, where nations are now backing financially motivated hackers. The hackers enjoy extremely profitable payloads, while the nations gather a wide range of intelligence or cause disruption. Some nation-state attacks, notably from North Korea, are geared towards immediate financial gain, however the bulk of these attacks have other goals, especially espionage.
- Uncovering business secrets – ranging from intellectual property that can be used to gain economic advantages to commercial exchange information that can be used to ensure a competitive advantage, and strengthening the attacking country’s economy by fine-tuning their commercial strategy.
- Accessing medical information – especially Covid-19 vaccine research, statistics, patient medical records, all useful in gaining an edge in the fight against the pandemic and the race to produce vaccines and cures.
- Uncovering military secrets – espionage has evolved from sending physical spies to targeted countries to obtaining information through cyber-espionage.
- Weaponizing political espionage – using information to manipulate elections, run propaganda campaigns by infiltrating media and social media platforms, and internally spying on dissidents, journalists, and other people or bodies deemed a threat to the State.
- Holding cyber footholds – to attack / degrade / destroy critical infrastructure within target countries should geopolitical tensions escalate.
The majority of businesses are ill-equipped to face nation-state grade attacks, whether they are being targeted by nation-states or “regular” cyber-criminals as they all have easy access to incredibly sophisticated attack tools.
Target industries of nation-state grade attacks
According to a recent British Academic Study, the incidence of nation-state cyberattacks rose by 100% between 2017 and 2020, and enterprises are now nation-states’ most common target. From a tactical perspective, these nation-state grade cyberattacks are evolving, showing a 78% rise in supply-chain attacks, a tendency to stockpile on zero-day vulnerabilities, and an increasing trend of purchasing sophisticated attack tools on the darknet where sales to nation-state actors reach 10 to 15% of the total sales.
- IT organizations – 60% of attacks targeting critical infrastructure
- Commercial facilities – sites that draw large crowds of people for shopping, business, entertainment, or lodging.
- Critical manufacturing – primary metal, machinery, electrical equipment, appliance & component, and transportation equipment manufacturing.
- Financial Services – thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and critical financial utilities and services that support these functions.
- Defense Industrial Base that covers the worldwide industrial complex enabling research and development, as well as the design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
However, critical infrastructure attacks are a mere 10% of all nation-state threats identified by Microsoft. 90% of the remaining attacks are divided between:
- NGOs (31%), namely advocacy groups, human rights organizations, nonprofit organizations, and think tanks, focused on public policy, international affairs, and security.
- Professional services (31%), specifically U.S. defense contractors and large public affairs, corporate legal, IT, media, and physical security consultancies operating in the United States, Europe, and the Middle East.
- Governmental organizations (13%), particularly diplomatic missions of several European countries, as well as military institutions and national legislatures
- International organizations (10%), with global and regional organizations working on governance norms and human rights and global health as top targets
- IT firms (7%) particularly focused on IT products and service providers
- Higher education (7%) including institutions in the United States, Asia, Europe, Latin America, and the Middle East.
Maturing your security posture to meet the threat of nation-state grade attacks
The good news is that nation-state grade attacks can be detected and responded to quickly enough to limit their impact and devastation.
If the attacker is targeting your industry, but not your company specifically, you can elevate the level of protection by applying known cybersecurity hygiene measures such as:
- Keeping up with known vulnerabilities and applying timely patching and software updates
- Eliminating all insecure default configuration
- Applying detection and prevention techniques.
If a nation-state targets your company specifically, they will likely tailor their attack in ways that bypass these default cybersecurity practices. Preventing such attacks requires experienced security specialists in the field of tackling targeted nation-state grade attacks, a craft that relies on the ability to see the organization from the attacker’s perspective, including HR and third party supply chain avenues.
Your company might be at risk of being specifically targeted for several reasons. For example, if your company is contemplating an M&A, or investing in R&D, or expanding into a new market, or holding data that might be of specific interest to a nation-state attacker and more.
It is highly recommended to apply nation-state grade methodologies while planning your strategies to ensure your organization’s cyber readiness to handle today’s threat landscape and limit the impact that such attacks could have.
For additional information or to schedule a consultation with an advisor please contact us.