How to Spot a Nation-State Cyber Attack

How to Spot a Nation-State Cyber Attack

Kory Underdown
July 28, 2022

Over the last decade, cybercrime evolved from solo attackers to full-scale organized crime, commercialized business, and even weapons of war. Governments across the globe have watched cyberattacks increase dramatically and struggle continuously to deal with these threats. From cyber espionage to cyber terrorism, cybercriminals now pose a significant threat to national security and public safety.

Government organizations are not the only targets of these high-profile incidents. Though only a fraction of total criminal activity, state-sponsored hacking attacks target private businesses and the public sector. These attacks can be particularly harmful because their goal isn’t necessarily monetary gain but political or military objectives.

How would you distinguish between a cyberattack performed by a nation-state and a commercially motivated attack?

Knowledge is Power

Unfortunately, many organizations cannot differentiate the actual source of an attack. According to a recent study, 86% of organizations believe they’ve experienced a nation-state attack. Yet, only 27% are confident they can accurately determine the difference between nation-state attackers and commercial cybercriminals. 

Knowing the difference is crucial to the decisions made to protect your organization and how you respond to the attack. Better preparation requires understanding the motivations, targets, and tactics used by both types of attackers.

What Makes Cyberattackers Tick

One of the most defining differences between the different types of threat actors is the motivations that drive them. Nation-states tend to use attacks to acquire sensitive data, damage critical infrastructure, and influence the political opinions of the populous. 

These attackers play the long game. Their goals are to destabilize other nations and gather valuable information that could give them the upper hand in trade deals. 

Monetary gain, above anything else, drives commercial cybercriminals. The outcomes may be similar such as theft of sensitive data, which is often held for ransom or resale, but the goal is almost always money.

In these cases, the funds go directly into the attacker’s pockets or are used to improve their attacking infrastructure further. They can stay ahead of security by reinvesting part of their ill-gotten gains. Investing in enhancing their attacks and evolving the malware makes them less detectable, thus improving their odds of success. 

Where’s the Profit?

Nation-state attackers choose prey that furthers their motivations. In this case, profits don’t need to include monetary gain. Instead, information is the goal. 

It’s easy to assume the only victims of this threat actor would be government entities or major industries, right? False.

While these are certainly top of the list, other target organizations for nation-state attackers include: 

  • Developers: To compromise software utilized by their actual targets in a supply chain attack
  • Healthcare organizations: To obtain sensitive information
  • Energy sector organizations: To disrupt commerce
  • Social media influencers: To create buzz around their chosen narratives

On the other hand, commercial cybercriminals target any organization, large or small, that will potentially generate revenue. They look for high-value soft targets. The less mature the security posture, the easier an organization is to hit.

Cybercriminals are like any other business—they assess the ROI. Can a profit be made through ransom, extortion, or theft? It’s a target. Are there security gaps or easy exploits? It’s a prime target. It’s usually nothing personal, just business.

What’s the MO (Method of Operation)?

Another significant difference between the different types of attackers is their tactics. Nation-state attackers intend to maintain a long-term presence in their targets’ networks to facilitate repeat attacks. The goal is not to be detected or to leave behind remnants that recovery teams will not remove.

Nation-state attackers may plant persistent rootkits on endpoints weeks or months before the attack occurs. These become incorporated into backups that teams will use to restore compromised systems. A similar approach is to compromise secondary endpoints not involved in the initial attack. The goal is that these will not be investigated, leaving the attackers multiple footholds to restart future attacks. 

Regular cybercriminals do not intend to remain in a network for extended periods. Their goal is to get in, extract whatever value can be gained from the victim fast, and get out. Then they move to a new target. They scrub logs and minimize the information left behind so that organizations can determine their exact route.

Anonymous vs. Braggadocious 

Average cybercriminals lack the protection granted and anonymity demanded by a more prominent nation-state sponsor. State-sponsored attackers must go the extra mile to keep their exploits quiet and not tie themselves back to their sponsors. Political entities will disavow attackers who get caught to avoid an international incident.

For this reason, nation-state attackers value stealth. They are adept at leaving no trace behind that might indicate who they are or where the attack originated. These details are often identified forensically in post-attack analysis.  

Many cybercriminal organizations are open about who they are. Although they don’t want to reveal their locations, they regularly brag about their conquests. They often chat about their ransomware on social media and leave digital calling cards in compromised systems.

Will You React or Respond?

Knowing the origin of an attacker is crucial for organizations to understand their next steps post-attack. For run-of-the-mill cybercriminals, the cleanup process is quite direct. 

Investigations go far deeper when a nation-state actor is suspected. These require a thorough examination of internal systems, including assets that were not visibly involved. Additionally, an analysis of backups and devices post-restoration is done.

Rather than dealing with a responsive approach, organizations are best served by expecting the worst and being prepared. 

To learn more about nation-state attacks, watch the expert panel discussion Protecting Your Organization Against State-Sponsored Cyberattacks. CISOs and cybersecurity experts weigh in on how to prepare and defend your organization from state-sponsored cyberattacks, provide insights into how these threats are evolving, and discuss what your organization can do to respond appropriately.

Search
MORE Cybersecurity

Cybersecurity Report Mid-year 2022

Inside this report, you’ll see there’s been significant increases in botnet, DDoS, and phishing attacks, often on critical systems and infrastructure.

Get the Report

SIEM Integration with Data Export Feature

Data Export feature allows customers to transmit DNS query data from DNSFilter to an external location in real-time.

Learn More about Data Export

Lifesaver Program

Current OpenDNS customers get FREE DNS security through September 2022 when you commit to a 1-year deal with DNSFilter.

Get More Details
LATEST POSTS

How to Spot a Nation-State Cyber Attack

From cyber espionage to cyber terrorism, cybercriminals now pose a significant threat to national security and public safety.

"MSP Friendly, Intuitive, Powerful" — ArcLight Case Study

ArcLight Solutions is a longstanding MSP primarily working with healthcare clients, rural hospitals and private practices.

Compliance ≠ Security: Healthcare Organizations’ Biggest Threats

Compliance and security are not the same. And in healthcare, this difference is incredibly important. Checking off compliance boxes will not ensure patient data

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.