State Sponsored Identity Breaches

Shimrit Tzur-David | November 27, 2019

Cybersecurity officials in Bulgaria revealed news of a massive hack that hit government databases.

According to reports, records of more than five million Bulgarians were stolen by hackers from the country’s tax revenue office.

In a country with a population of just seven million, the scale of the hack means that basically every Bulgarian adult has had their personal information compromised.

Many questions remain unanswered about the Bulgarian government’s data breach. The identities of the culprits have yet to be uncovered. Motives for the hack are still being investigated.

But the very occurrence of this massive cyber attack brings up much more fundamental questions.

Enter the State-Sponsored Hack

State-sponsored cyber-attacks are an increasingly common phenomenon. Recent research suggests that nation-states or state-affiliated actors are involved in nearly twenty-five percent of all breaches.

Several reasons account for this trend, most notably the increased exposure of critical assets – from information to infrastructure – to the digital sphere. It is therefore not surprising that most, if not all, international conflicts host digital battles alongside physical ones.

Geopolitical consequences aside, the effects of state-sponsored campaigns in cyberspace are being felt more and more by private companies and individuals.

From this perspective, many questions arise as to how the changing cybercrime landscape – as well as the targets of said cybercrime – can affect the global enterprise.

Why Nations Hack: A Spectrum of Motives

For years, the prevailing wisdom was that state-backed cyber actors were unique among global hackers. While cyber-criminals are predominantly interested in financial gain, a country’s “cyberwarriors” are all about advancing their government’s interests. What this meant for risk assessment was that nation-state hackers presented little to no danger to the common user or the overwhelming majority of companies. Government-sanctioned hacks, it was believed, focus only on hacking agencies of other governments, or perhaps the critical infrastructure of an enemy country, and at the very most government contractors with high-security classifications – but never the machines of average users or small company networks.

The pattern of hacks over the past several years, however, has caused a paradigm shift on this point.

The 2016 U.S. Election was the first big incident to show that common-user data was not only a valued target of government cyber operations, but that such data could be weaponized. And here we see the first of the ‘new motives’ of nation-sponsored hacks emerging: accessing the value of citizen data.

The troves of ‘common user’ data could be put to a range of uses, from cyber espionage on population groups, to learning how to manipulate public discourse and opinion – as was done in 2016.

But the election-period hacks were not the only instances. In May the Justice Department made public that the Sofacy Group, the same Russian military organization responsible for the hack of the Democratic National Committee in 2016, had control of thousands of our small business and private networks. The targets of the Sofacy campaign were described by DoJ as “home and office routers and other networked devices.” As the lead FBI investigators in the investigation made clear, the threats posed by these and similar hacks could potentially affect “every American.”

And Americans have not been the only ones to be hit by state-sponsored attacks. One of the strongest examples of a state-backed cyber campaign was last year’s WannaCry malware attack, which was ranked among the most havoc-wreaking viruses ever. The attack was attributed to North Korea by several Western governments, and the hundreds of thousands of nodes it affected included not only those connected to government institutions but private networks as well. Here, the perpetrators of WannaCry understood that the most effective way of wreaking havoc was not breaching a government database, but withholding private-user data.

Chasing Secrets

Knowing that private data has weaponizing value for state-hackers would be bad enough.

From a business perspective though, there’s an even more important motive behind state-hackers that companies need to be aware of: The desire for – and theft of – intellectual property.

Truth be told, intellectual property theft between nations is nothing new, but has certainly taken on new forms in the digital age. The ongoing schism between the United States and China has brought this issue to the fore.

Contrary to popular conception, China’s efforts against the U.S. and other Western countries are not limited to stealing national security secrets such as weapons schematics and the like. Most instances of this type of data theft have targeted private industries, affecting mostly the businesses that operate within them. Take for instance China’s attempts to steal technology solutions for its government-run healthcare system. Between 2013 and 2014, Chinese hackers targeted at least eighteen American medical companies, forcing the healthcare sector to invest an additional $160 million in security for medical and pharmaceutical companies.

But China is not the only state that is weaponizing private data.

In recent years, researchers have uncovered massive state-sponsored cyber collection campaigns. Last year, the US Justice Department indicted nine Iranians for infiltrating some 300 universities across the globe and stealing research, intellectual property, and academic data.

North Korea – which has become a hacking superpower in recent years – has also been responsible for digital theft efforts. Last year, for instance, U.S. federal agencies reported on Pyongyang’s “Hidden Cobra” campaign to infiltrate a wide spectrum of high-value industries including media, finance, and aerospace.

The damage inflicted by these operations can be incredibly high. According to the U.S. government, these campaigns cost American companies tens of millions of dollars in 2016. Today, that number is almost certainly much higher.

On Defense: Who’s Responsible?

When addressing responsibility for defending against state-backed hackers, the knee-jerk reaction is to point to governments.

But there are some big problems with placing this burden solely on the authorities:

While government agencies may have high-level defense capabilities at their disposal, it is only a broad, grass-roots culture of security that can really prevent cyber attacks from occurring. In response, some say that it is the government’s responsibility to force these practices on users in order to ensure security in the data-sphere. Granted, there have been major steps in enacting top-down data protection policy such as Europe’s GDPR and California’s Consumer Privacy Act. But the problem with government regulations is that they move too slowly when addressing threats and laying out comprehensive plans.

Experts have been pointing to this fact for nearly a decade. Indeed, sluggish response times to cyber threats have continued to plague government agencies.

The Solution Lies at the User-Level

Ultimately, the answer to securing networks and the cybersphere as a whole lies in a solution that is easily implementable at the individual user’s level.

Perhaps the best-kept secret in digital authentication is that pretty much all users already own high assurance cryptographic devices – their smartphones.

Harnessing the power of Bring-Your-Own-Device, or BYOD, organizations can deploy password-free, user-friendly authentication, with the highest assurance level in the industry. The passwordless BYOD-route also solves the myriad of organizational challenges that come with implementing effective identity protocols. This solution integrates fully and seamlessly into existing legacy infrastructure, cuts IT expenses rather than adding to them, and is fully scalable across the entire enterprise.