Who carries out cyber-attacks and why?

Nation states have been in the news a lot recently, but who are the other cyber threat actors?

Mike Mullane
e-tech
Jun 3, 2021

Photo by Jefferson Santos on Unsplash

Nation states are turning increasingly to cyber warfare to achieve political, economic and military goals. From the point of view of a nation state, cyber-attacks are not only highly cost-effective; it can also be almost impossible to identify the perpetrators, which means they are less likely to trigger military retaliation.

Cyber-attacks carried out by nation states are highly sophisticated and operate on a larger scale than most others. In recent years, targets have included government agencies and critical infrastructure. In 2020, US federal agencies fell victim to a major cyber-attack. The incident was widely reported as one of the worst cyber-espionage incidents ever suffered by the US.

One of the best-known cyber-attacks on critical infrastructure took place in Ukraine, in 2015. The power grid attack left nearly a quarter of a million people without electricity, in the middle of winter, for up to six hours.

Many analysts believe the notorious Stuxnet worm was also the work of a nation state. The worm targets critical infrastructure, such as power stations, water plants and industrial units.

Of course, nation states are not the only threat actors. The following are five of the most common.

1. You and your colleagues

Employees are the common factor linking most security breaches, which sometimes are deliberately malicious, but more often than not are down to carelessness. Every day, an office worker somewhere in the world clicks on a link in an unsolicited email and falls victim to a phishing attack.

Other examples of careless behaviour include staff connecting to unsecured networks, particularly on business trips, or using the same password on multiple sites for both work and personal devices. All these actions make it easier for threat actors to gain access to an organization’s network.

“People going about their normal operational duties are the biggest threat,” says IEC cyber security expert Frances Cleveland.

“It’s important to realize that even when you have cyber security implemented and training, you still have to worry about the insider and in particular, the disgruntled employee. She or he has knowledge of the company, passwords and critical power system processes.”

It is one of the reasons why IEC standards take a holistic approach to cyber security. They address not only processes and technology but also people.

2. Lone hackers

Many lone hackers view hacking as a game. Some are motivated by bragging rights. They have been popular characters in movies since 1983’s Wargames, in which a teenage computer buff almost triggers a nuclear conflict.

3. Hacktivists

Hacktivist groups such as Anonymous are driven by social, political or religious beliefs. Government agencies around the world have been targeted by hacktivist attacks to inflict damage or cause embarrassment, rather than to steal data.

4. Petty criminals

Petty criminals specialize in relatively low-risk crimes, such as stealing passwords. Others develop malware to sell to criminal gangs. In 2019, British police arrested a teenager for hacking the cloud accounts of some of the world’s best-known artists to steal and sell their songs.

5. Organized criminals

Organized criminals often have the resources and expertise to undermine even the most advanced cyber security systems. Sometimes they may even be acting on behalf of nation states.

According to the United Nations, cyber gangs are behind a large number of crimes, such as ransomware attacks, that cause financial, psychological, economic and even physical harm.

Hospitals are frequently targeted in ransomware attacks. Earlier this year, a criminal gang took the US Colonial Pipeline offline, disrupting supplies for several days and causing fuel shortages.

International standards

Using ISO/IEC 27001 helps organizations to manage their information security risks. It covers threats, vulnerabilities and impacts, as well as designing controls to protect the confidentiality, integrity and availability of data and to regulate access to critical information systems and networks.

IEC 62443 was initially developed for the industrial process sector but is being used in an ever-expanding range of domains and industries. Users include power utilities, the healthcare sector and the transport industry. The standard provides advice on implementing a cyber security management framework for cyber-physical systems featuring both IT and OT (operational technology).

The IECQ AP scheme tests and provides certification that the requirements of ISO/IEC 27001 have been met. The IECEE Industrial Cyber Security Programme does the same for standards within the IEC 62443 series.
