According to Verizon’s Data Breach studies of industrial espionage attacks against the private sector, the share of nation-state actors among the perpetrators of such attacks rose from 12% in the 2018 study to 23% in the 2019 study and to 38% in the 2020 study. There’s no escaping the fact that nation-states are increasingly engaged in hacking.
Indeed, from what I’ve witnessed as a cybersecurity consultant, nation states are getting ever better at hiding; so the extent of their engagement could even be higher. State hackers use various techniques such as acting through proxy layers/actors, avoiding attribution by manipulating data, using clever toolkits and other means to mislead forensic analysts (sometimes by imitating other nation-states or criminal actors).
Perhaps it’s because attribution is becoming ever harder to make stick that certain nation-state actors have become bolder in their attacks and have begun to target critical infrastructure.
Deadly consequences?
Where in the past the goals of nation-state hacking were intelligence, influence, disinformation, propaganda, and industrial and political espionage, the spread today also includes a troubling shift towards cyber-attacks on real-world critical infrastructure that aim to hurt or even kill citizens of the target countries.
From April to July 2020, Israel's water supplies were threatened three times by a nation-state actor, suspected to be Iran. The industrial controls of Israeli water processing facilities were attacked in an attempt to alter the injection of treatment chemicals to unsafe levels. The attack was so disconcerting that a cyber counter-attack, allegedly initiated by Israel, was launched against Iran, disrupting port traffic at the Port of Shahid Rajaee.
After a US attack on Iranian-backed Hezbollah forces in Iraq, the US CISA issued a warning to utility companies to be on the lookout for Iranian cyber counter-attacks, followed by additional warnings throughout this year.
Looking to prevention, the US Department of Energy recently issued an alert to US power utilities to shore up their IT security infrastructure and proposed a ban on the use of Chinese and Russian equipment. The threat against critical infrastructure in the US has been so high that the Federal Energy Regulatory Commission has begun levying fines: US utility companies that do not comply with the stringent Critical Infrastructure Protection (CIP) cybersecurity reliability standards can be fined up to $10 million.
COVID-19 research hit
In the throes of the COVID-19 epidemic, the US, Canada and the United Kingdom all reported attempts by Russian and Chinese state actors to steal, manipulate and even obstruct the development of the COVID-19 vaccine. The first warnings of such activity came from a joint CISA/FBI PSA to the vaccine research community in May 2020.
By July, the US Department of Justice had issued an indictment against two Chinese nationals working for the People’s Republic of China. They were charged not only with attempted theft but with attempted destruction of vaccine research held in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.
With tangible evidence of Russian interference in the US presidential election in 2016 and with the US intelligence warnings that Russia, China and Iran were attempting to influence the outcome of the November 2020 election, there is significant public concern too about the power of foreign states over domestic matters. Not even “supposedly secure” US federal government agencies are safe from attack.
Ransomware criminals upping the stakes too
Next to nation-state actors, the use of ransomware by organized crime to lock down and disrupt enterprises and public sector entities has reached a new level, with extortion added this year as a second lever. Pioneered by the Russian organized crime/state actor privateer Evil Corp, ‘owned’ by Maksim V. Yakubets and Igor Turashev, these attacks now include mining victims’ corporate data and threatening to sell it on the darknet to the highest bidder.
Evil Corp targets have included Mexico’s Petromex, causing major logistics trouble and payment delays throughout the country. They also include Garmin, which suffered significant downtime impacting customers worldwide (including grounding those US pilots who use Garmin maps in their planes). Whereas Petromex had viable backups and was able to recover without paying the $5 million demanded by the attackers, Garmin eventually paid a $10 million ransom through an intermediary.
In the past, ransomware-focused criminal organizations would avoid targets where human lives would be at risk. Now even hospitals are seen as acceptable targets. In September 2020, a ransomware attack on the German Düsseldorf University Clinic led to the death of a patient. German law enforcement is seeking prosecution of the Russian attackers. The same criminal gang was also responsible for attacking and taking down all 250 facilities of the US-based healthcare provider UHS.
If we were once under the impression that investing in cybersecurity was a decision based on the risk of data and financial loss, it’s time to reappraise. We have entered an age where attacks could truly lead to devastating consequences, certainly to enterprise survival and now even to the safety and lives of our citizens.