The Rise of Nation-State Adversaries Marks a New Frontier for Cybercrime

Written by: Izzat Najmi Abdullah, Journalist, AOPG

While it is no secret that cybercrime (also known as “e-crime”) is on the rise, what is surprising is the sharp uptick in attacks launched by nation-state adversaries.

When compared to common cybercriminals, nation-state actors are on a whole different playing field. They have substantial support—usually from the government—and typically go after geopolitical entities. What’s more, aggressive nation-state threat actors or Advanced Persistent Threat (APT) groups have taken notice of the success of high-profile, destructive cyberattacks on operators of Critical National Infrastructure (CNI) and are gradually turning them into valuable weapons for hybrid warfare.

Data gleaned from Microsoft telemetry and published in Redmond’s third annual Microsoft digital defence report shows that attacks targeting CNI have increased from 20% to 40% of all nation-state attacks in the past year.

Nation-State Attack vs. Ordinary Cyber Attack—What’s the Difference?

As the name suggests, nation-state attacks are carried out by state-affiliated or state-sponsored actors, consisting of teams of highly trained government-employed hackers armed with extensive resources and support. Trade or military secrets, critical infrastructure, and large-scale disinformation or propaganda campaigns are typical objectives of nation-state actors. Often, they have a nationwide reach and are protected from domestic persecution thanks to their “official” status.

According to Scott Jarkoff, Director of CrowdStrike’s Strategic Threat Advisory Group for Asia Pacific/Japan and Europe, the Middle East, and Africa, the Bears of Russia, the Pandas of China, the Chollima of the Democratic People’s Republic of Korea, and the Kittens of Iran are the “Big Four” of nation-state adversaries. This group of foreign enemies is linked to a specific government and operates as a form of political espionage.

“When considering what drives these groups and what keeps them operational, we can safely assume that espionage or IP theft is at the heart of their activities. Pandas from China focus most of their IP theft efforts in this arena. They do other things, but this is their primary mode of operation,” Scott said.

National-level attackers typically carry out attacks with these goals or motivations:

• Nationalistic ideals. Some government-sponsored hackers believe they are engaging in cyber warfare on behalf of, or for the good of, their nation.
• Monetary gains. Besides being a way to make money from illicit activities, such cybercriminals typically receive lavish rewards from their governments.
• The absence of liability. People in their country can usually get away with anything if it serves the country’s interests, even if it is illegal.
• Conducting offensive operations in cyberspace. Cyberspace is often said to be the new frontier for political geography and warfare. Through cyber attacks, nation-state actors can remotely target another country’s key infrastructure in order to cripple its economic, military or political systems.
• Surveillance and espionage. With the necessary tools, resources and skills, nation-state actors can easily monitor targets of national interest or steal highly sensitive information, even military data, from anywhere in the world.

A classic case of espionage is said to have been conducted during the Russia-Ukraine war, with data allegedly stolen from Russian defence contractors and published by a Ukrainian newspaper. The perpetrators were purportedly Russian hackers affiliated with an anti-Putin movement. The attacks on a Ukraine power grid, widely attributed to Russian state actors, is an example of an attack targeting CNI. (Read more on significant cyber incidents from 2021 to 2022 here.)

Scott noted that although nation-state actors’ primary motivation is either to “show” nationalism or conduct espionage, some of their actions are directly influenced by what Scott calls “financial gang”—organisations, like governments, mafias and the aristocrats, that have accumulated immense wealth. For example, even though North Korea’s Chollima mostly conducts economic espionage, it also resorts to cyber attacks to add to the government’s coffers, especially in response to the various sanctions imposed on the country.

The Escalating Cyber Threat

As new adversaries have surfaced, the 2022 threat landscape has become more cluttered—and more dangerous. Currently, CrowdStrike Falcon Intelligence is monitoring over 170 distinct cyber threats. Some notable new threats, according to the 2021 Global Threat Report, include:

• Interactive infiltration attempts detected by CrowdStrike Falcon OverWatch remain dominated by financially driven e-crime activity. Nearly half (49%) of all hacking incidents were traced back to financial gangs.
• Attackers in Iran deploy ransomware and “lock-and-leak” disruptive information operations, where victim data is encrypted and then leaked through actor-controlled personas or companies.
• By 2021, threat actors with ties to China had taken the lead in exploiting vulnerabilities and were shifting their focus to internet-connected devices and services, like Microsoft Exchange. CrowdStrike Falcon Intelligence discovered 12 vulnerabilities in 2021 that were exploited by actors with a Chinese nexus.
• Cozy Bear, a threat group with ties to Russia, has shifted its focus from traditional IT infrastructure to cloud service providers in an effort to use the security gap between the two. Additionally, Fancy Bear encourages a higher volume of credential-harvesting strategies, such as broad-based scanning and phishing websites designed specifically for individual victims.
• In an effort to keep illicit money generation going during economic disruptions induced by the COVID-19 outbreak, the Democratic People’s Republic of Korea (DPRK) has focused on cryptocurrency-related companies.
• Doppel Spider and Wizard Spider e-crime actors have both utilised Log4Shell as an entry point for their ransomware campaigns. Potential Log4Shell exploitation prior to the end of 2021 was also linked to state-nexus actors including Nemesis Kitten (Iran) and Aquatic Panda (China).

The 1:10:60 rule

In light of the foregoing, what steps can today’s organisations take to lessen the impact of state-sponsored cyber attacks? Scott stated that a mature process that can rapidly and effectively detect, respond to and avoid attacks is essential against sophisticated attackers. If you want to effectively battle advanced cyber threats, CrowdStrike recommends that your company follow the 1:10:60 rule.

• Safeguard your home in under 1 minute by quickly identifying intruders.
• Learn to identify and assess dangers in less than 10 minutes.
• Eliminate the threat and seal off the area in under 60 minutes.

It is more likely that the adversary will be eliminated before the attack extends from its initial entry point in organisations that satisfy the 1:10:60 benchmark, reducing the impact and future escalation of the attack. Investing in enterprise-wide deep visibility and automated analysis and remediation tools is essential to tackling this challenge head-on, as they help reduce friction and improve responders’ ability to comprehend risks and act swiftly.

“You should evaluate the efficacy of your current security measures with a dispersed workforce and then add any necessary extras to beef up your defences. It will be months before APAC is back to normal but cybercrime will always be a concern. You will be in the best position to thwart an assault if you put in the time today to learn about how threats are changing,” said Scott.

Do Not Pay the Ransom

Nation-state attackers are becoming such a menace and are showing no signs of slowing down. Additionally, they appear to be weaponising ransomware more and more. Worse, these nation-state attackers are not only encrypting or locking data anymore but they are also leaking the data now. So, if the victim does not give what the threat actors want, they will likely leak confidential information.

Dire as the situation may be, Scott advises organisations in all industries: Do not pay the ransom. Paying the ransom, Scott explained, is only “emboldening other adversaries to conduct ransomware tech because there are victims out there that are going to pay.” But if organisations do not pay up, there will be less incentive for threat actors to conduct a ransomware attack.

Then again, organisations have plenty of threats to worry about other than ransomware, and nation-state attackers are more than capable of carrying out all of them. It is an unfortunate and dangerous reality—one that will necessitate a greater emphasis on cybersecurity, both from the vantage point of individual organisations and the governments governing them.