The State-Sponsored Cyberthreat Landscape
A global chess match is under way between nation-states and businesses over the digital assets held within these organizations. The result is that state-sponsored cyberattacks have emerged as one of the preeminent threats targeting companies today.
Backed by governments and funded with the biggest bankrolls, state-sponsored groups can apply seemingly limitless resources to achieve their malicious objectives in an age when security communities are strapped by tight budgets and a cybersecurity talent shortage.
The frequency and ferocity of these attacks continue to increase. Nation-state attacks increased from 12% to 23% in the past year, according to Verizon’s 2019 Data Breach Investigations Report.
In recent years, large-scale cyberattacks have been attributed to state-sponsored groups ranging from superpowers such as Russia and China to smaller countries such as Iran and North Korea. New battle lines have been drawn across the world, and organizations require the expertise and tools to fight state-sponsored cyberattacks.
The Threat Landscape
World governments are actively investing in building and operating cyber-espionage teams to both protect their national interests and collect IP for their domestic industries. Their goals are to acquire expertise, malicious botnets and cyberattack tools to further advance their craft.
If an organization competes on its IP in a global marketplace, then it may be a mark for governmental cyberattacks. Certain nations are more direct and public about the domestic industries they are interested in expanding, and some go as far as detailing the types of IP they are interested in acquiring from foreign corporations.
Take China, for example. Its position paper, Made in China 2025, describes specific industries in which it has a strategic interest in building domestic expertise. The plan lays out a very aggressive goal of having Chinese enterprises produce 70% of the content in the following industries: IT, robotics, green energy and electric vehicles, aerospace, ocean engineering, railroads, power, materials, medicine and medical technology, and agricultural engineering. These plans require domestic industries in developing countries to acquire massive amounts of new IP to meet this 70% local content threshold.
The Major Players
Here is a breakdown of the five largest state-sponsored groups that are currently active:
- APT28, also known as Fancy Bear, Pawn Storm and Sofacy, is a cyber-espionage group associated with two Russian military intelligence agency units, Unit 26165 and Unit 74455. This nation-state group is known to have been in operation since 2008 and represents a constant threat to an array of organizations and government agencies allied with Western countries. The group is notorious for using exploits and spear-phishing attacks to deploy customized malware. Once inside a network, it uses that access to compromise, disrupt and influence political agendas around the world. The group targets government elections, the media, sporting events and several global companies.
- The Equation Group is a cyberwarfare and intelligence-gathering unit associated with the Tailored Access Operations (TAO) of the National Security Agency (NSA). This nation-state group has been in operation since 1998, monitoring and infiltrating enemies of the United States, both foreign and domestic. As one of the largest components of the NSA’s signals intelligence (SIGINT) program, this group has the ability to compromise commonly used hardware such as routers, switches and firewalls. In 2016, the Shadow Brokers hacking group announced that it had compromised Equation Group’s toolset containing undisclosed exploits and posted them to GitHub. Exploits contained in the publication included EternalBlue, which served as the basis of the WannaCry attack by the Lazarus Group.
- Lazarus Group, also known as Hidden Cobra, is a cybercrime group associated with the North Korean government. This nation-state group has been in operation since 2009 and is responsible for various attacks over the past decade, including Ten Days of Rain, the 2014 Sony data breach, the WannaCry ransomware outbreak and the finance-targeted SWIFT attacks. This group typically relies on spear-phishing campaigns to deploy malware designed to exfiltrate or encrypt user data.
- APT1, also known as Unit 61398 and the Comment Crew, is a cyberwarfare organization associated with the Chinese People’s Liberation Army. This nation-state group has been known since 2006 and has been linked to a number of attacks, including the theft of intellectual property and information from U.S. corporations, which resulted in indictments against five of its members. This government-backed group focuses on stealing trade secrets and confidential information from corporations across every vertical, with emphasis on manufacturing, engineering and electronics. The group accomplishes this with spear-phishing attacks, malware and password dumping to gain future access and exfiltrate targeted data.
- APT33, also known as Elfin, is a suspected Iranian-backed cyber-espionage unit that targets government agencies, research firms, financial institutions and engineering companies in the U.S. and Saudi Arabia. The group has been in operation since 2013 and has been linked to a number of high-profile attacks, including the recent exploitation of the known vulnerability CVE-2017-11774 against U.S. government agencies. Elfin uses a combination of publicly available attack tools and custom malware to target its victims. Like many other nation-state groups, its first stage of attack comes in the form of a phishing email. After the initial compromise, the group downloads additional payloads to further compromise the network and exfiltrate targeted data.