State-Sponsored Cyber Attacks

The threat from highly capable, highly motivated nation state attackers is growing. What are the reasons behind this and what are they after?

MWR InfoSecurity was a contributor along with 70 other global security organisations to the 2015 Verizon Data Breach Investigation Report (“DBIR”). Through this collaborative effort, we have observed a marked increase in state-sponsored espionage related incidents and as the report states “the reality is that if a determined, state-sponsored adversary wants your data, they’re going to get it unless another state-sponsored entity helps you defend it.”

Fig 27 DBIR15

As figure 27 of the report clearly shows, the frequency of cyber espionage is a highly fluctuating pattern, with the one consistent attribute of growing more and shrinking less from year to year. It is now not the minority, but a strong contender with other types of traditional attack.

Fig 28 DBIR15

Figure 28 shows that the motivations of state sponsored attackers is clear – with 97% of espionage-related data breaches involving state sponsored actors.

The motivations for attack

State affiliated or sponsored actors often have particular objectives aligned with either the political, commercial or military interests of their country of origin. The way we see this manifest quite often in the UK is via the targeting of third party companies as a means to facilitate achieving these objectives. What actors are often attempting to gain in these attacks is information about their targets, or access to their targets through trusted relationships with the third party company.

Often the sensitive nature of data being held by a third party may not be fully appreciated or the company may not consider itself a target of nation states, and therefore often does not have the level of prevention, detection and response capabilities to prevent state sponsored attacks. 

Methodologies employed in state-sponsored attacks

Wherever possible, state sponsored actors will use standard attack methodologies that are used by other typical cyber-crime actors and penetration testers. They do so because they work incredibly effectively and are so generic that they cannot be attributed to any particular group. These usually involve targeted phishing emails followed by use of recent, known exploits (that the victim may not have gotten around to patching).

When they have a foothold, actors often move laterally into share servers and other systems where they can steal privileged credentials. From there they rarely use much malware, stick mostly to using administrator tools like normal system administrators and go to ground in a persistent, long term and relatively quiet and unobtrusive way, much like a parasite.

Any decent state sponsored actor is going to persist in their victim networks without their knowledge or much impact for months to years before discovery. Only when a company is highly mature in its security posture, is a high value target and generic attacks fail, will they resort to using costly 0-day malware developed internally.

The challenge of detection

Most organisations find out about a cyber-security attacks because someone else told them about it. Most types of attack are often visible in a short period of time, whether hacktivism, financially motivated or opportunistic, because they lead to public disclosure, fraud or often resource utilisation through DDoS.

State-sponsored actors will rarely make a lot of noise and cause sufficient disruption to warrant suspicion or trigger detection. Their objectives are to remain persistent so as to retain oversight of communications, or access to sensitive data. As such, they will also often plant persistence mechanisms (hidden malware) on systems throughout victim networks which may remain untouched or dormant for years. These can remain practically invisible until the victim attempts to extract the actors, and just as the victim thinks it was successful, the actors will utilise these to walk straight back in and continue operations.


State sponsored attacks are a highly rewarding and a relatively low cost / low risk way to carry out espionage and military operations. The likelihood of being able to attribute attacks back to a particular country with sufficient rigour is extremely low and the success rate on any concerted effort is almost entirely assured. Given this, countries that have pioneered the practice of cyber operations have enormously increased their capabilities, and countries that have sat on the side-lines for years observing the success of such operations are now diving in headfirst to get their capabilities in place.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.