MWR InfoSecurity was a contributor, along with 70 other global security organisations, to the 2015 Verizon Data Breach Investigation Report (“DBIR”). Through this collaborative effort, we have observed a marked increase in state-sponsored espionage-related incidents and, as the report states, “the reality is that if a determined, state-sponsored adversary wants your data, they’re going to get it unless another state-sponsored entity helps you defend it.”
As figure 27 of the report clearly shows, the frequency of cyber espionage fluctuates considerably, with the one consistent attribute that it grows more than it shrinks from year to year. It is no longer a minority category, but a strong contender alongside other traditional types of attack.
Figure 28 shows that the motivation behind espionage-related breaches is clear, with 97% of them involving state-sponsored actors.
The motivations for attack
State-affiliated or state-sponsored actors often have particular objectives aligned with the political, commercial or military interests of their country of origin. The way we see this manifest quite often in the UK is via the targeting of third-party companies as a means of achieving those objectives. What actors are attempting to gain in these attacks is information about their ultimate targets, or access to those targets through the trusted relationships the third-party company holds with them.
The sensitive nature of the data held by a third party is often not fully appreciated, or the company may not consider itself a target of nation states, and so it lacks the level of prevention, detection and response capability needed to withstand state-sponsored attacks.
Methodologies employed in state-sponsored attacks
Wherever possible, state sponsored actors will use standard attack methodologies that are used by other typical cyber-crime actors and penetration testers. They do so because they work incredibly effectively and are so generic that they cannot be attributed to any particular group. These usually involve targeted phishing emails followed by use of recent, known exploits (that the victim may not have gotten around to patching).
When they have a foothold, actors often move laterally onto file share servers and other systems where they can steal privileged credentials. From there they rarely use much malware, sticking mostly to the same administrator tools that legitimate system administrators use, and going to ground in a persistent, long-term and relatively quiet and unobtrusive way, much like a parasite.
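Because the activity described above is carried out with ordinary administrator tooling, the signal for a defender is not the tool but the pattern of its use: one account reaching many hosts in a short time, or administrative sessions originating from somewhere administrators do not normally work. The following is an added illustration of those two checks over constructed log lines; it is not code from MWR or the DBIR, and the log format, field names, tool labels and the approved jump-host list are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from the report):
# timestamp, account, source host, destination host, tool used for the remote session.
SAMPLE_LOG = """\
2015-04-01T09:02:11 jsmith WS-0113 FS-01 smb
2015-04-01T09:05:40 jsmith WS-0113 FS-01 smb
2015-04-01T22:14:02 svc_backup WS-0442 FS-01 admin_shell
2015-04-01T22:15:31 svc_backup WS-0442 FS-02 admin_shell
2015-04-01T22:16:07 svc_backup WS-0442 DC-01 admin_shell
2015-04-01T22:19:55 svc_backup WS-0442 HR-DB admin_shell
2015-04-01T22:21:12 svc_backup WS-0442 MAIL-01 admin_shell
2015-04-02T08:30:00 admin1 JUMP-01 FS-01 admin_shell
2015-04-02T08:31:00 admin1 JUMP-01 FS-02 admin_shell
"""

# Assumed for the example: remote administration is only expected from these hosts.
APPROVED_ADMIN_SOURCES = {"JUMP-01"}
ADMIN_TOOLS = {"admin_shell"}


def parse(log_text):
    """Turn the constructed log text into (timestamp, account, src, dst, tool) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, tool = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst, tool))
    return events


def fan_out_alerts(events, max_hosts=3, window=timedelta(minutes=30)):
    """Flag accounts that open remote sessions to more than `max_hosts` distinct
    destinations within any sliding window of length `window`.

    Returns {account: sorted list of destination hosts} for each flagged account.
    Legitimate admins also touch many hosts, so the thresholds are a baseline
    to tune per environment rather than fixed truths.
    """
    by_account = defaultdict(list)
    for ts, account, _src, dst, _tool in events:
        by_account[account].append((ts, dst))

    alerts = {}
    for account, sessions in by_account.items():
        sessions.sort()
        for i, (start, _dst) in enumerate(sessions):
            # Distinct hosts reached from this session onward, inside the window.
            hosts = {dst for ts, dst in sessions[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def unapproved_admin_sources(events, approved=APPROVED_ADMIN_SOURCES):
    """Flag (account, source host) pairs that used an admin tool from a host
    outside the approved set, e.g. a user workstation rather than a jump host."""
    return {
        (account, src)
        for _ts, account, src, _dst, tool in events
        if tool in ADMIN_TOOLS and src not in approved
    }


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("fan-out:", fan_out_alerts(evs))
    print("unapproved admin sources:", unapproved_admin_sources(evs))
```

In the constructed data only the service account is flagged: it reached five hosts in seven minutes from a workstation, whereas the genuine administrator worked from the jump host and the ordinary user only touched one file server. Both checks depend on having a baseline of what normal administration looks like, which is exactly the information organisations that do not consider themselves a target tend not to have collected.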
Any decent state sponsored actor is going to persist in their victim networks without their knowledge or much impact for months to years before discovery. Only when a company is highly mature in its security posture, is a high value target and generic attacks fail, will they resort to using costly 0-day malware developed internally.
The challenge of detection
Most organisations find out about a cyber-security attack because someone else told them about it. Most types of attack are visible within a short period of time, whether hacktivism, financially motivated or opportunistic, because they lead to public disclosure, fraud or, often, resource exhaustion through DDoS.
State-sponsored actors will rarely make a lot of noise or cause sufficient disruption to warrant suspicion or trigger detection. Their objective is to remain persistent so as to retain oversight of communications, or access to sensitive data. As such, they will also often plant persistence mechanisms (hidden malware) on systems throughout victim networks which may remain untouched or dormant for years. These can remain practically invisible until the victim attempts to evict the actors, and just as the victim thinks it has succeeded, the actors will use these to walk straight back in and continue operations.
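Dormant persistence of the kind described above leaves no runtime behaviour to alert on, so the practical defence is inventory: snapshot every autostart location (services, scheduled tasks, run keys and the like) across the estate and diff it against a trusted baseline, both routinely and before declaring an eviction complete. The following added example, which is not MWR's or the report's code, does that comparison over two constructed snapshots; the snapshot format and the entry names are assumptions made for the illustration.

```python
# Constructed snapshots (hypothetical): {entry name: (command line, sha256 of the binary)}.
# In practice each would be collected from a host's autostart locations by an agent.
BASELINE = {
    "svc:Spooler": ("C:\\Windows\\System32\\spoolsv.exe", "aaaa1111"),
    "task:BackupNightly": ("C:\\Tools\\backup.exe /full", "bbbb2222"),
    "run:OneDrive": ("C:\\Users\\jsmith\\OneDrive.exe /background", "cccc3333"),
}

CURRENT = {
    "svc:Spooler": ("C:\\Windows\\System32\\spoolsv.exe", "aaaa1111"),
    # Same task name as the baseline, but the command now launches a different binary:
    # a classic way to hide a persistence mechanism behind a legitimate-looking name.
    "task:BackupNightly": ("C:\\Windows\\Temp\\svchost.exe /full", "dddd4444"),
    "run:OneDrive": ("C:\\Users\\jsmith\\OneDrive.exe /background", "cccc3333"),
    # A brand-new entry that was never in the baseline.
    "task:UpdateCheck": ("C:\\ProgramData\\upd\\chk.exe", "eeee5555"),
}


def diff_persistence(baseline, current):
    """Compare two autostart inventories.

    Returns a dict with three sorted lists:
      added    - entries present now but absent from the baseline
      removed  - entries in the baseline that have disappeared
      changed  - entries whose name survives but whose command or hash differs
    A name match alone is deliberately not treated as 'unchanged'.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        name for name in set(current) & set(baseline)
        if current[name] != baseline[name]
    )
    return {"added": added, "removed": removed, "changed": changed}


def needs_review(baseline, current):
    """True when the diff contains anything an analyst must look at before
    trusting that an eviction is complete."""
    d = diff_persistence(baseline, current)
    return bool(d["added"] or d["changed"])


if __name__ == "__main__":
    for kind, names in diff_persistence(BASELINE, CURRENT).items():
        print(f"{kind}: {names}")
    print("review required:", needs_review(BASELINE, CURRENT))
```

The value of the check lies in the baseline being taken before the intrusion, or at least from a known-clean build; a baseline captured after an actor has already planted mechanisms simply enshrines them as normal, which is why the diff should be re-run after each eviction attempt rather than only once.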
State sponsored attacks are a highly rewarding and a relatively low cost / low risk way to carry out espionage and military operations. The likelihood of being able to attribute attacks back to a particular country with sufficient rigour is extremely low and the success rate on any concerted effort is almost entirely assured. Given this, countries that have pioneered the practice of cyber operations have enormously increased their capabilities, and countries that have sat on the side-lines for years observing the success of such operations are now diving in headfirst to get their capabilities in place.