#RSAC: Cyber-threat Landscape “the Worst It’s Ever Been” Due to Nation-State Behaviors

The global cyber-threat environment is the “worst it’s ever been” due to the increasingly reckless behavior of the four major nation-state actors in this area: China, Russia, North Korea and Iran. That was the message of Dmitri Alperovitch, chairman, Silverado Policy Accelerator, and Sandra Joyce, executive vice president, head of global intelligence at FireEye, who provided the annual Global Threat Brief during a keynote session on day 3 of the 2021 RSA virtual conference.

Alperovitch began by describing how 2020 was a particularly challenging year for the cybersecurity sector. “We’ve had the global pandemic, we’ve seen cyber-adversaries of all types take advantage of stress and workload that is brought on to defenders, but also we’ve had the elections, and the cyber-interference that we all expected.”

SolarWinds

The two standout cyber-attacks of the past year – the SolarWinds and Microsoft Exchange incidents – were the first port of call for the two experts in this session. The pair noted the highly targeted nature of the SolarWinds hacks, with Alperovitch commenting that “this was a traditional espionage operation” by the Russian state that targeted foreign governments, particularly areas of the US government, and “other countries that would be used to facilitate access to those government networks.”

He added that a killswitch was in operation to shut down the malware, which was enacted in 99% of the victims – the ones that were irrelevant to their operation – to keep it in “stealth mode” as long as possible. Overall, this attack represents a modernized approach of getting “inside supply chains that are hard to detect and stay in there for long periods of time,” mimicking the previous tactic of using undercover human agents to infiltrate other nations.

Joyce observed that only very specific information was targeted in the attack, with even lucrative data like financial information ignored. “This was an operation to satisfy national-level collection requirements, and that’s espionage,” she stated.

Microsoft Exchange

The targeted nature of SolarWinds was in stark contrast to the Microsoft Exchange attack this year, believed to be perpetrated by Chinese state actors. What started out in quite a conventional manner, with vulnerabilities exploited against long-standing targets such as dissident groups and Uyghurs, turned into going “after literally everyone once they learned that Microsoft was going to patch these vulnerabilities,” explained Alperovitch.

This highly aggressive tactic left many organizations that lacked the capacity to patch quickly very vulnerable to follow-on attacks by other cyber-threat actors. “It’s amazing to see this contrast where Russia is the more responsible actor in this particular case,” commented Alperovitch, adding that “the reckless nature (of the Exchange attack) is quite unprecedented.”

China

The pair went on to discuss the recent cyber-activities of China more broadly. Perhaps unsurprisingly given the pandemic, Chinese APT groups have been heavily targeting the healthcare/biotech sector, particularly vaccine developers and researchers, with the primary aim of “understanding the decision-making process of countries around the world,” according to Joyce.

Interestingly though, “we’re not seeing a lot of destructive or disruptive capability coming out of China,” in comparison to Iran and Russia. Joyce said this is part of China’s long-term strategy.

Another interesting trend the experts saw with China has been the re-emergence of the PLA (People’s Liberation Army) in cyber-operations recently, including in the Equifax hacks. This is quite a common tactic employed by Chinese APT groups, said Joyce, explaining that when exposed, they often go into “hibernation and retooling” and “what’s emerged is a much more focused and disciplined operation.”

China is also increasingly going after mobile devices to target dissident groups within the country. Joyce commented: “They’re using cyber means in order to perpetrate their political aims,” which “is going to continue into the future.”

Iran

Alperovitch first expressed surprise that Iran largely “held back” from targeting the US in cyberspace throughout last year, despite the assassination of Iranian General Qasem Soleimani at the start of 2020 following a US drone attack.

However, he noted they did interfere in the November presidential elections “in a more aggressive way than the Russians did in cyberspace.” This was exemplified by the spoofed Proud Boys email campaign, which attempted to intimidate registered Democratic voters.

This demonstrated “a real evolution in the information operations, where they used cultural elements,” said Joyce, adding that “it really changed our thinking as to what the Iranian government is willing to carry out.”

Alperovitch also highlighted the innovative ways Iran is leveraging social network sites like LinkedIn “to identify people within companies that they can target, particularly for espionage purposes – that’s now one of the major ways they’re getting inside organizations.”

North Korea

Turning to North Korea, Alperovitch observed that “when you think about it, they’ve come up with some of the most innovative attacks we’ve seen yet.” This included the model pioneered with their attacks on Sony several years ago – the so-called hack-and-leak approach.

Joyce also noted how the North Korean government sponsors general cybercrime to gain funding, making it the first nation-state to employ this kind of crossover. This means groups such as APT38 regularly attempt bank heists around the world, at one point “targeting 16 different financial organizations at once.”

The speakers additionally highlighted that unlike Iran, Russia and China, which often leverage common off-the-shelf tools like Cobalt Strike to help prevent attacks being attributed to them, North Korea is increasingly developing and using its own home-grown tools.

This is part of the Juche principle, which emphasizes the need to stay independent from other countries, and is also being demonstrated by North Korea’s development of its own cryptocurrencies.

Finally, Alperovitch noted that North Korea has been “pioneers” in supply chain attacks. “They’ve targeted AV vendors, even cryptocurrency software to insert backdoors into their applications,” he said, adding that “it’s incredible levels of sophistication we’re seeing from North Korea.”

Russia

Interestingly, there was very little in the way of Russia targeting the US elections last year. Nevertheless, Alperovitch said that “we still saw some major activities that were quite disturbing from Russia aside from SolarWinds in 2020.”

This included the exploitation of a number of VPN vulnerabilities and the noticeable use of the Golden SAML technique in the SolarWinds attack, which “allowed them to mint their own tokens and then have access to multiple applications within the same federated environment,” explained Joyce. The innovative techniques used by Russia in the past year were also very successful at obfuscation, according to Joyce. For example, “they would name their own infrastructure after their target infrastructure so you couldn’t tell the difference.”

Russia has also ramped up its targeting of cloud providers recently, and its heavy targeting of authentication and identity systems “makes it super hard for defenders to actually do incident response, because if the actor’s using legitimate credentials of a real employee inside the network, it’s so difficult to figure out if the action that you’re looking at was done by a legitimate user within the network or by the adversary,” said Alperovitch.

Another hugely concerning activity of Russian state actors has been their growing targeting of critical infrastructure, notably including the transportation industry, by the Temp.Isotope group. Joyce emphasized that these types of threats have a huge impact, “not just to the systems themselves but in instilling fear in people.”

Ransomware

Topping any of these activities though, in terms of the threat posed, is ransomware, according to Alperovitch. “It’s impacting everyone on the planet from your grandmother, who now has to find Bitcoins to unlock her family photos, to smaller organizations, small districts and hospitals, to the largest companies,” he outlined.

Joyce noted that ransomware actors are increasingly using shame as a tool to extort their victims, for example threatening to “dump data that they’ve found – they’ll even call competitors and your customers. They want to make sure they can use shame as a tool and that puts organizations in an impossible situation.”

The experts also highlighted that the size of ransom demands has exploded recently, one example being a recent extortion attempt of $50m.

Another interesting observation made by Alperovitch was that “most of these operations, in terms of the hard-core criminals that are developing the malware and capabilities, are in Russia or Russian speaking and many of them are being hidden or in some cases assisted even by the Russian intelligence services.”

Future Trends

Alperovitch and Joyce concluded the session by outlining some of the cyber-threat trends they expect to see in the coming months and years. Most immediately, they predicted the upcoming Olympic Games in Japan will be heavily targeted, as Joyce noted it provides an opportunity “to send a message and do it at scale.”

A more general trend highlighted was that threat actors, particularly the nation-states discussed, are becoming increasingly reckless and shameless, unafraid of the consequences of their actions.

As a result, Alperovitch believes “the threat environment is the worst it’s ever been,” largely because “from a geopolitical perspective, the four primary adversaries we face – Russia, China, Iran and North Korea – our relationship with them from a Western standpoint is the worst it’s been for at least 60 years.”

He noted they have largely stopped caring about a good relationship with the US and have become increasingly reckless as a result. He added: “I really fear for what’s to come with the growing sophistication of these adversaries and also their willingness to push us further and further because they don’t fear the consequences.”
