How to Spot a Nation-State Cyber Attack
by Kory Underdown on Jul 28, 2022 12:00:00 AM
Over the last decade, cybercrime evolved from solo attackers to full-scale organized crime, commercialized business, and even weapons of war. Governments across the globe have watched cyberattacks increase dramatically and struggle continuously to deal with these threats. From cyber espionage to cyber terrorism, cybercriminals now pose a significant threat to national security and public safety.
Government organizations are not the only targets of these high-profile incidents. Though only a fraction of total criminal activity, state-sponsored hacking attacks target private businesses and the public sector. These attacks can be particularly harmful because their goal isn’t necessarily monetary gain but political or military objectives.
How would you distinguish between a cyberattack performed by a nation-state and a commercially motivated attack?
Knowledge is Power
Unfortunately, many organizations cannot differentiate the actual source of an attack. According to a recent study, 86% of organizations believe they’ve experienced a nation-state attack. Yet, only 27% are confident they can accurately determine the difference between nation-state attackers and commercial cybercriminals.
Knowing the difference is crucial to the decisions made to protect your organization and how you respond to the attack. Better preparation requires understanding the motivations, targets, and tactics used by both types of attackers.
What Makes Cyberattackers Tick
One of the most defining differences between the different types of threat actors is the motivations that drive them. Nation-states tend to use attacks to acquire sensitive data, damage critical infrastructure, and influence the political opinions of the populous.
These attackers play the long game. Their goals are to destabilize other nations and gather valuable information that could give them the upper hand in trade deals.
Monetary gain, above anything else, drives commercial cybercriminals. The outcomes may be similar such as theft of sensitive data, which is often held for ransom or resale, but the goal is almost always money.
In these cases, the funds go directly into the attacker’s pockets or are used to improve their attacking infrastructure further. They can stay ahead of security by reinvesting part of their ill-gotten gains. Investing in enhancing their attacks and evolving the malware makes them less detectable, thus improving their odds of success.
Where’s the Profit?
Nation-state attackers choose prey that furthers their motivations. In this case, profits don’t need to include monetary gain. Instead, information is the goal.
It’s easy to assume the only victims of this threat actor would be government entities or major industries, right? False.
While these are certainly top of the list, other target organizations for nation-state attackers include:
- Developers: To compromise software utilized by their actual targets in a supply chain attack
- Healthcare organizations: To obtain sensitive information
- Energy sector organizations: To disrupt commerce
- Social media influencers: To create buzz around their chosen narratives
On the other hand, commercial cybercriminals target any organization, large or small, that will potentially generate revenue. They look for high-value soft targets. The less mature the security posture, the easier an organization is to hit.
Cybercriminals are like any other business—they assess the ROI. Can a profit be made through ransom, extortion, or theft? It’s a target. Are there security gaps or easy exploits? It’s a prime target. It’s usually nothing personal, just business.
What’s the MO (Method of Operation)?
Another significant difference between the different types of attackers is their tactics. Nation-state attackers intend to maintain a long-term presence in their targets’ networks to facilitate repeat attacks. The goal is not to be detected or to leave behind remnants that recovery teams will not remove.
Nation-state attackers may plant persistent rootkits on endpoints weeks or months before the attack occurs. These become incorporated into backups that teams will use to restore compromised systems. A similar approach is to compromise secondary endpoints not involved in the initial attack. The goal is that these will not be investigated, leaving the attackers multiple footholds to restart future attacks.
Regular cybercriminals do not intend to remain in a network for extended periods. Their goal is to get in, extract whatever value can be gained from the victim fast, and get out. Then they move to a new target. They scrub logs and minimize the information left behind so that organizations can determine their exact route.
Anonymous vs. Braggadocious
Average cybercriminals lack the protection granted and anonymity demanded by a more prominent nation-state sponsor. State-sponsored attackers must go the extra mile to keep their exploits quiet and not tie themselves back to their sponsors. Political entities will disavow attackers who get caught to avoid an international incident.
For this reason, nation-state attackers value stealth. They are adept at leaving no trace behind that might indicate who they are or where the attack originated. These details are often identified forensically in post-attack analysis.
Many cybercriminal organizations are open about who they are. Although they don’t want to reveal their locations, they regularly brag about their conquests. They often chat about their ransomware on social media and leave digital calling cards in compromised systems.
Will You React or Respond?
Knowing the origin of an attacker is crucial for organizations to understand their next steps post-attack. For run-of-the-mill cybercriminals, the cleanup process is quite direct.
Investigations go far deeper when a nation-state actor is suspected. These require a thorough examination of internal systems, including assets that were not visibly involved. Additionally, an analysis of backups and devices post-restoration is done.
Rather than dealing with a responsive approach, organizations are best served by expecting the worst and being prepared.
To learn more about nation-state attacks, watch the expert panel discussion Protecting Your Organization Against State-Sponsored Cyberattacks. CISOs and cybersecurity experts weigh in on how to prepare and defend your organization from state-sponsored cyberattacks, provide insights into how these threats are evolving, and discuss what your organization can do to respond appropriately.
When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for you...
The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.
Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.