Protecting Enterprises from State-Sponsored Hacks

Threats and Attacks

Protecting Enterprises from State-Sponsored Hacks

Read more
Jul 1, 2021

Any way you look at it, 2020 was a crazy year. From the coronavirus outbreak to the U.S. presidential elections, the year held many eccentricities. And prowling behind the many changes that overcame our lives were new trends of cyberattacks and security threats, often backed by nation-state actors.

In the tense political and economic climate, state-backed actors used every possible means to gain leverage over their rivals. And in the midst of the chaos, every individual and organization can become a victim or collateral damage in the context of bigger conflicts.

Here’s a glimpse of what we put behind and how you can protect yourself in the future.

The disaster of supply-chain hacks

Late in 2020, network management software supplier SolarWinds became the beachhead of a massive supply chain attack. Hackers, allegedly state-backed, breached SolarWinds’s servers and planted malware into the software updates the company was sending out to its 17,000 clients, which included many government agencies, cybersecurity firms, telecommunication companies, and Fortune 500 businesses.

The foothold allowed the attackers to hack and steal pertinent information from many of these targets. While the natural target for a nation-state actor would be government agencies, this attack reminded us once again that government-backed hackers are very much interested in stealing information from commercial entities as well. According to a Microsoft report, 44 percent of the targets included software firms, IT services, and equipment providers; and 18 percent were financial institutions, health organizations, telecommunication companies, and national security-related firms.

Per Microsoft: “This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”

Microsoft also warned that while this particular attack appears to focus on the United States and many other democracies, it also provides a powerful reminder that “people in virtually every country are at risk and need protection irrespective of the governments they live under.”

In fact, this is not the first massively disastrous supply chain attack. In 2017, MeDoc, a Ukrainian supplier of accounting software, became the vessel of another state-sponsored supply chain attack, this one attributed to Russia, which spread the destructive Petya ransomware to hundreds of thousands of computers from more than a thousand organizations in dozens of countries.

The security pandemic

Topping the list of eccentricities in 2020 was the COVID-19 pandemic, which changed our lives in many ways. But while the virus outbreak brought the physical world into a quasi-halt and shut down many sectors, the digital economy saw a huge boost. From remote working to online streaming, e-commerce, and Zoom conferences, our physical activities were replaced by their online counterparts. And every new change trailed its own set of security challenges and new grounds for state-backed hackers to compete.

In October, at the beginning of the new academic year, an Iranian hacking group targeted several universities in Europe and the U.S. with a massive phishing campaign, according to Malwarebytes. The group was hosting phishing websites in Iran, which is a strong indication of being tied to the government. Given that many universities are running virtual training programs due to COVID-19 protocols and are more reliant on digital communications instead of in-person meetings and classes, the hackers had a greater incentive and fewer barriers to target them.

Similar cases have happened throughout the year, with state-backed hackers taking advantage of organizations’ reliance on work-from-home rules and their lack of preparation for remote-work infrastructure to target employees and executives and to steal sensitive information.

Interestingly, data on COVID-19 vaccine research also became an area of fierce competition between nation-states. In this case, the victims became pharmaceutical companies and research labs that were carrying out the research on the vaccine. Among the targets was Pfizer, whose vaccine data were leaked online after hackers broke into the systems of the European Medicines Agency (EMA), an agency responsible for evaluating, monitoring and supervising new medicines introduced to the EU.

Research from Microsoft showed that at least three nation-state actors were involved in cyberattacks against seven prominent companies involved in COVID-19 vaccine research. The main methods of attack included “password spray and brute force login attempts to steal login credentials,” and “spear-phishing lures for credential theft.” The attackers posed as recruiters, health professionals, and WHO officials.

The bigger picture

According to Accenture’s 2020 Cyber Threat Landscape Report, throughout the year, state-sponsored hackers used off-the-shelf tooling and open-source penetration testing tools at an unprecedented scale to carry out cyberattacks and hide their tracks.

Other security experts are warning of the rise of “private sector offensive actors” (PSOA), which are commercializing cyber threats and, like mercenaries, are renting their capabilities to, among others, governments. One such company, the NSO Group, has been involved in more than 100 abuse cases, according to Citizen Lab. The growing market for PSOAs, estimated to have become a $12 billion economy, has provided governments with an attractive option to buy tools and talent when they can’t build them in-house.

And the Center for Strategic and International Studies has compiled a report of dozens of state-backed cyberattacks that have gone under the radar in 2020 while the high-profile attacks have been grabbing the headlines. The victims run the gamut of private and public, small and large organizations.

The key takeaway is, every organization, person, and device can get caught up in the cyber-crossfire between nation-states. And it is more pertinent than ever that every enterprise adopts key measures that will enable it to protect itself against the constantly changing landscape of cyberwarfare.

Some key protective measures

We can’t predict the future, so we don’t know what the next big thing in the cyberthreat landscape will be. But we can surely learn from the past and address the key bottlenecks that result in organizations becoming victims of state-sponsored cyberattacks. Here are three things that can dramatically improve the security of your organization:

Zero-trust security: In today’s world, where the lines between cloud and on-premise assets are fast blurring, it is harder than ever to determine what is inside or outside an enterprise’s network. Many organizations that relied on perimeter defense have allowed threat actors to slip through their defenses when they moved to cloud or hybrid models because they didn’t understand the security dynamics of the new architecture. Zero-trust is a security policy that pertains organizations must place no trust on any actor or device inside or outside their network perimeter. Everything must be granted based on identity verification and access management. Zero-trust policies will make sure that your assets are secure regardless of your network architecture.

Network segmentation: With so many devices and users running on enterprise networks, keeping track of everything and finding malicious activity can become very difficult. Malicious actors often cover their tracks by blending their activity into the ton of traffic that already exists. Segmentation divides a network into smaller parts. It can improve network performance, but it is also a good practice for improving security. By controlling which parts of an enterprise network have access to others, you can prevent security incidents in one section from spilling into others. It will also give you better visibility into the activity that takes place within the network and will help you in finding and rooting out malicious behavior.

Passwordless authentication: If there’s one thing that most security incidents share, it’s credentials. From phishing to keylogging to password spraying and other types of attacks, attackers are constantly looking for ways to bypass authentication. When the only thing protecting a corporate account is a password, it’s only a matter of time before a brute-force attack breaks through the portcullis or a careless employee gives away the key to the castle. Passwordless authentication technologies secure accounts by removing passwords, the one thing that makes them insecure. With passwordless technology becoming easier to use, easier to implement, and more affordable, there’s no reason for enterprises to stick to old, insecure methods.

More Things That Might Interest You

Threats and Attacks

Addressing the Log4j Vulnerability

Read more
Dec 14, 2021

Threats and Attacks

Why Defense-in-Depth is Key to Defeating Ransomware

Read more
Sep 23, 2021

Threats and Attacks

Emotet is back, and it’s after your passwords!

Read more
Nov 22, 2020