How to Recognize and Mitigate State-Sponsored Attacks

Spiros P
Published in Reblaze Blog
Jul 19, 2019

The Washington-based Center for Strategic and International Studies (CSIS) maintains and publishes a list of significant state-sponsored cyber attacks that have occurred from 2006 to the present. While five incidents were reported in all of 2006, and 12 in 2007, 39 events have already been reported in the first five months of 2019. In the chart below, which summarizes all incidents since 2006 according to perpetrators and targets, we see that the biggest offenders are China, Iran, North Korea, and Russia, while the most popular victim by far is the United States.

Cybersecurity offenders and victims from 2006 to the present. Source: CSIS.

In this article, we explore the motivations behind state-sponsored attacks, how they can be detected, and what measures can be put in place to mitigate the risk.

Why Nation-States Perpetrate Cyber Attacks

Sovereign countries have a variety of motivations for mounting cyberattacks. However, there are some common themes.

Economics

There are many examples of countries stealing intellectual property, trade secrets, and other economic assets as a shortcut to economic growth. Although the attack vectors today may be more sophisticated, this is not a new phenomenon. According to State sponsored cyber attacks, a report prepared by the Swedish Security & Defense Industry Association (SOFF), the total factor productivity gap between West and East Germany when the Berlin Wall fell was ~6% less than it otherwise would have been, thanks to East Germany’s vigorous economic espionage throughout the Cold War.

Today, according to the same SOFF report cited above, one out of five enterprises in Europe and the U.S. consider state-sponsored cyber economic espionage as the most serious threat to their businesses. Indeed, in a list of 288 state-sponsored cyber attacks aggregated by the Council on Foreign Relations, almost half targeted private entities. In August 2017, President Trump initiated an investigation into Chinese state-sponsored cyber activities related to tech transfer, IP, and innovation that support China’s strategic economic development goals. As recently as April 2019, the multinational pharma company Bayer announced that it had fended off an attack by Chinese hackers trying to steal highly sensitive intellectual property.

Theft

From a Carnegie Endowment for International Peace report published in March 2019 on financial cyber attacks, we learn that close to 25% of such attacks reported since 2007 (23 out of 94) were most likely state-sponsored. Recently, we have seen countries like Iran and North Korea sponsoring cybertheft hacks in order to mitigate the damage caused by economic sanctions.

Three examples are:

  • Accenture’s 2018 Cyber Threatscape Report identified at least five ransomware attacks that were sponsored by Iran purely for the money.
  • In January 2019, state-sponsored North Korean hackers stole $10 million through an attack on the Bank of Chile’s ATM network.
  • In 2018, the victim was India’s Cosmos Bank, when North Korean hackers successfully pulled off a cyber-robbery of close to $13.5 million.

Sabotage

With so many aspects of our lives dependent on online networks, it is no wonder that nation-states often seek to disrupt and sabotage civil life through cyber attacks. What easier way is there to wreak havoc than bringing down critical infrastructures and other essential services?

Some of the most disruptive cyber attacks in recent years are believed to be state-sponsored. WannaCry, which brought down the U.K. healthcare system (among other targets), is attributed by many cyber experts to North Korea. In 2015 and 2016, hackers suspected of acting on behalf of the Russian government repeatedly disrupted the Ukrainian power grid. The NotPetya cyberattack in 2017 heavily targeted companies in Ukraine and is attributed to the Russian government. Most recently (March 2019), Symantec attributed the cyber theft of medical records from Singapore’s health system — including information linked to the prime minister — to a state-sponsored group called Whitefly.

Grudges

Thanks to Edward Snowden and his exposure of the National Security Agency’s extensive and virtually unsupervised surveillance activities, we have all become acutely aware of how governments around the globe harness cyber techniques to identify, monitor, and curtail so-called “dissidents,” such as activists, journalists, members of opposing political parties, and so on.

A recent example is when the Hong Kong office of Amnesty International was subjected to an Advanced Persistent Threat (APT) attack in March 2019. From an analysis of the infrastructure used to mount the attack, forensic experts have linked it to the Chinese government.

Espionage

Last, but certainly not least, cyber attacks have added a whole new dimension to the age-old practice of countries stealing military secrets and other sensitive information from each other. The ubiquity of the Internet has opened up vast new opportunities for espionage and theft of intellectual property. There are countless recent examples of this; perhaps the most infamous are the thefts by Chinese Red Army hackers of plans and design secrets for advanced U.S. military aircraft, including the Boeing C-17 Globemaster, Lockheed Martin F-22 Raptor, and Lockheed Martin F-35 Lightning II.

How to Identify a State-Sponsored Attack

Sometimes, state-sponsored attacks are high-profile, with the perpetrators flaunting their cyber prowess and ability to mount or ward off threats. In general, however, state actors tend to engineer low-profile attacks that are difficult to detect. Moreover, they are usually careful to cover their tracks. For example, Chinese Red Army hackers have been known to “launder” stolen files by moving them through multiple foreign countries (at least one of which is hostile to the U.S.), before finally depositing them on servers they control (usually near Hong Kong and Macau).

Still, there are certain cyber attack characteristics that have come to be associated with state sponsors. For example, they tend to be sophisticated in terms of the type and volume of traffic, type of attack, and systems they go after. They are clearly well-funded and unlikely to be the work of an individual, or even a splinter group. These skilled cyber criminals have the resources to mount APTs that typically start by inserting malware through email, network, application, or other vulnerabilities. Once the network is compromised, the malware probes for and leverages additional vulnerabilities in order to exfiltrate data or otherwise take control of backend systems. Evidence of the attack is often removed after the breach, but the network remains compromised and subject to additional breaches at the cyber criminal’s convenience.

Of particular concern lately is invisible malware that is fileless and hence very difficult to detect. The malware may reside in memory only, or in your BIOS or firmware. A prime example is a virtual rootkit that boots before the OS and creates a VM for the malware that cannot be detected by security software running on the OS. These rootkits are difficult to install and tend to be used only by state-sponsored attackers.

Can State-Sponsored Attacks be Mitigated?

In April 2013, Cambridge University Press published the Tallinn Manual on the International Law Applicable to Cyber Warfare, which was written by an international group of ~20 experts. A non-binding document, the Tallinn Manual clearly considered disruptive state-sponsored cyber attacks as equivalent to armed attacks (i.e., acts of war to which target states could respond in self defense). Version 2 of the Tallinn Manual, published in February 2017, extended coverage of the international law governing cyber warfare to peacetime regimes, addressing topics such as human rights and the law of air, space, and sea.

But can legislation and litigation mitigate state-sponsored attacks? It’s very unlikely. The very nature of the attacks implies a disregard for international law, and, as noted above, it is difficult to conclusively prove that any given attack was sponsored by a sovereign state. Even in cases where the targeted country has clear, conclusive evidence identifying the perpetrator of an attack, the responsible nation has usually denied it.

Therefore, victims often resort to diplomacy and open accusations as a way of decreasing state-sponsored attacks. Some examples include:

  • In October 2018, the U.S., the U.K., and the Netherlands took the unprecedented step of publicly accusing Russia of violating international law in a series of global cyber attacks that disclosed sensitive personal information, shut down essential services, and interfered with the U.S. presidential election in 2016. Seven people were charged in the U.S. and put on the FBI wanted list.
  • In the same year, the Swedish report on state-sponsored cyber attacks (already cited above) published detailed descriptions of cyber attacks that have been attributed to the Chinese government.
  • In March 2018, the U.S. Department of Justice indicted nine Iranians for state-sponsored cyber crimes related primarily to scientific espionage. The FBI is seeking to bring them to trial.

But even these efforts are usually unsuccessful. Even when a nation signs an agreement to curtail its hostile activities (as China did with the United States in 2015), there’s no guarantee that it won’t renege on the agreement and start launching widespread attacks on others again (as China did in 2018).

Therefore, the only realistic way to mitigate the effects of state-sponsored cybercrime is to harden the security postures of potential targets. (And today, “potential targets” includes basically any organization with a reasonably-sized web presence.)

Hardening measures should include decrypting and inspecting SSL traffic, deploying a next-generation WAF, using IPsec VPNs to better isolate and secure data, diligently monitoring and auditing access to sensitive data, and training employees in security best practices.
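The "monitoring and auditing access to sensitive data" item above is the one that catches the slow exfiltration phase of an APT described earlier. As an added example (not code from the article or from Reblaze), here is a small audit-log review that flags two exfiltration indicators over a constructed log: repeated off-hours reads of sensitive files and a user touching an unusual number of distinct sensitive files in one day. The log format, sensitive path prefixes, working hours and thresholds are all assumptions.

```python
"""Added example: review a constructed access-audit log for exfiltration
indicators. Log format, sensitive paths and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, resource, bytes read.
SAMPLE_LOG = """\
2019-07-01T09:12:03 alice hr/payroll.csv 20480
2019-07-01T09:40:17 alice hr/payroll.csv 20480
2019-07-01T10:05:44 bob eng/designs/wing.dwg 512000
2019-07-01T23:58:09 bob eng/designs/wing.dwg 512000
2019-07-02T00:14:51 bob eng/designs/fuselage.dwg 734000
2019-07-02T00:31:02 bob eng/designs/engine.dwg 910000
2019-07-02T00:47:39 bob eng/designs/avionics.dwg 655000
2019-07-02T08:30:00 carol hr/payroll.csv 20480
"""

SENSITIVE_PREFIXES = ("hr/", "eng/designs/")  # assumed sensitive paths
WORK_HOURS = range(8, 19)                      # assumed 08:00-18:59 local
MAX_OFFHOURS_SENSITIVE = 1                     # assumed tolerance per user
MAX_DISTINCT_PER_DAY = 2                       # assumed tolerance per user/day

def parse_line(line):
    ts, user, resource, nbytes = line.split()
    return datetime.fromisoformat(ts), user, resource, int(nbytes)

def review_access_log(text):
    """Return {user: [finding, ...]} for anomalous sensitive-data access."""
    offhours = defaultdict(int)       # user -> off-hours sensitive reads
    distinct = defaultdict(set)       # (user, day) -> sensitive resources
    for line in text.splitlines():
        ts, user, res, _ = parse_line(line)
        if not res.startswith(SENSITIVE_PREFIXES):
            continue                  # only sensitive data is audited here
        if ts.hour not in WORK_HOURS:
            offhours[user] += 1
        distinct[(user, ts.date())].add(res)
    findings = defaultdict(list)
    for user, n in offhours.items():
        if n > MAX_OFFHOURS_SENSITIVE:
            findings[user].append(f"{n} off-hours reads of sensitive data")
    for (user, day), resources in distinct.items():
        if len(resources) > MAX_DISTINCT_PER_DAY:
            findings[user].append(f"{len(resources)} distinct sensitive files on {day}")
    return dict(findings)

if __name__ == "__main__":
    for user, notes in review_access_log(SAMPLE_LOG).items():
        print(user, "->", "; ".join(notes))
```

On the sample log only bob is flagged: alice and carol read a single sensitive file during working hours, which a fixed-threshold rule treats as normal.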

These are all very important, but the last one (training employees) might be the most vital of all. Over and over again, we’ve seen that an organization’s employees can be its largest security vulnerability. (As this article is being written, the City of Riviera Beach in Florida just paid $600,000 to end a ransomware attack. This was the result of one employee clicking a malicious link in an email.) The first line of defense against many threats — for example, phishing and spear phishing attacks — is employee awareness and vigilance. Education and frequent refresher training are mandatory.

How Reblaze Can Help

Of course, internal employee training can improve your security posture against some forms of threats, but it does nothing against others — such as attacks on your APIs and web applications. For effective web security, a traditional WAF is no longer enough. Your organization needs a next-generation WAF, such as Reblaze’s cloud-based platform which scrubs all incoming traffic before it reaches your network.

Reblaze deploys each customer’s web security platform in a unique Virtual Private Cloud, located near the protected network (which provides near-zero latency), and dedicated to that customer’s use alone (which eliminates multi-tenancy vulnerabilities). Reblaze uses advanced technologies such as machine learning, behavioral analysis, and real-time analytics to defend web assets from even the most sophisticated and persistent threats. Try out Reblaze or schedule a demo to see how it can help you protect your network from all attacks, including those perpetrated by governments.
