Nation-State Attacks: Motivations & Consequences

The motivations and resulting consequences of state-sponsored cyberattacks are as far ranging as the geographies from which they originate. Nation-state hackers target government agencies, critical infrastructure and any and all industries known to contain sensitive data or property. Typically, they strike via sophisticated techniques that interrupt business operations, leak confidential information and generate massive data and revenue loss.

Part of the onus falls on corporations. All too often, public and private organizations unwittingly leave sensitive, monetizable data, such as intellectual property (IP), unprotected, making cyberattacks a high-stakes, low-risk venture for nation-states.

Costly Impacts

Of all the primary impacts from state-sponsored attacks, one of the worst is the loss of IP. The compromise of IP can be one of the most crippling results of a state cyberattack for a business — with the results reverberating for decades. The IP Commission estimates that counterfeit goods, pirated software and stolen trade secrets cost the U.S. economy $600 billion annually. For example, in recent years, Iran was charged with stealing $3.4 billion in scientific data from almost 8,000 professors at 320 universities.

Take the manufacturing industry for example. Remarkably, 94% of all cyberattacks currently aimed at the manufacturing industry are motivated by espionage, usually with the intent to steal trade secrets, according to the Swedish Security & Defense Industry Association (SOFF). According to the same research, 10 years ago, security researchers typically spent 90% of their time looking into criminal campaigns, such as botnets, Trojan horses, etc. Today, researchers spend the same amount of time investigating nation-state attacks aimed at stealing secrets and/or sabotage.

[You may also like: The State-Sponsored Cyberthreat Landscape]

Recent state-sponsored threats also leverage cyberattacks to influence elections worldwide. While manipulating elections is not new, using cyberattacks to alter them is, and the collateral damage resulting from a breach and the subsequent release of sensitive information can have a far-reaching impact. These operations are typically complex, lengthy campaigns designed to influence voter behavior by releasing sensitive information at crucial times.

For example, in July 2018, a United States federal grand jury filed indictments against Russian military intelligence officers for their alleged role in interfering with the 2016 U.S. presidential election. These indictments include gaining unauthorized access to the computers of U.S. entities involved in the 2016 elections and staging the release of the ensuing stolen documents to influence the election.

Lastly, military/national defense goals are also impacted. In particular, smaller nation-states seeking to gain military parity with larger countries will rely on cyberattacks to level the playing field. In addition to launching cyberattacks to steal sensitive defense information, they will orchestrate for-profit cyberattacks to fund defense budgets.

In September 2018, the Department of Justice announced criminal charges against Park Jin Hyok, an alleged member of a North Korean government-backed hacking team known as Lazarus. This group is known for the creation of the malware used in the 2017 WannaCry ransomware attack, the theft of $81 million from Bangladesh Bank and several other attacks on the financial services industry, all with the goal of funding North Korea’s defense programs.

Modus Operandi

Unlike hackers, state-sponsored groups often create and leverage custom attack vectors by incorporating previously undiscovered software vulnerabilities, called zero-day attacks. These advanced attacks are why state-sponsored cyberthreats are often referred to as advanced persistent threats (APTs).

In recent years, the cybersecurity community has found itself vexed by a handful of attacks that could not be easily pinned on a single group. This is mainly due to an overlap in tactics, techniques and procedures (TTPs). This uptick in unidentifiable incidents suggests that state-sponsored hacking groups have enhanced their ability to deceive researchers as to which group is responsible for an attack.

[You may also like: Protecting Enterprises From State-Sponsored Hackers]

Covertness is key, which makes attributing government-backed attacks difficult and complex. State-sponsored actors rarely make a lot of “noise” or cause sufficient disruption to warrant suspicion or trigger detection. This allows these cybercriminals to maintain a foothold in a target’s network for longer durations, as their objective is to remain persistent to retain oversight of communications or access sensitive data. For example, they will often plant persistence mechanisms (hidden malware) throughout a victim’s network, which may go untouched or dormant for years.

These groups do not attack indiscriminately, but when they do, each of them attacks with a specific purpose. They are methodical and surgical. Using various intelligence-gathering techniques and exploits, they will often access and live-monitor sensitive data on a targeted network. The aerospace/defense, government and financial sectors and utility/energy companies are the most common targets, but all industries can fall into the cross-hairs of a state-sponsored group due to specific types of sensitive data/IP that they possess and/or geopolitical events.