The latest hacks attributed to state-sponsored groups from China or Russia make for interesting lunchtime reading. But do these groups pose a real threat to the typical business? Many security managers ask themselves: do I really need to worry about nation state actors?
In this article, we will answer that question.
Countries that are subject to economic sanctions, such as North Korea, can resort to desperate measures to obtain the funds they need to support their economy. This is especially true for weapons programmes and security related activities, which are the focus of many sanctions. A United Nations report estimates that North Korea has amassed over half a billion dollars' worth of cryptocurrency, obtained by hacking cryptocurrency exchanges and by cryptomining.
Cryptomining is attractive to criminals of all kinds, not just nation state actors, as it is a means of printing free money – provided you can get someone else to pay the electricity bill, that is. And this is exactly what happens when cryptomining malware is injected into webpages or installed onto users' computer systems. A 2018 academic study, reported by MIT Technology Review, estimated that over 4% of the total Monero currency in circulation had been mined by criminals on other people's computer systems.
When it comes to searching for targets on which to install cryptomining malware, it really doesn't matter who you are or what industry you serve. All the attackers are looking for is a powered-on machine where they can install their mining software. The attack itself is most likely scattergun rather than targeted against you personally. So as real world economic sanctions start to bite, it is no surprise that nation states turn to this kind of cybercrime as a means of raising funds.
The risk of cryptojacking (as the malicious installation of cryptomining software is sometimes called) is not just a risk to your business, but also to your customers. An effective cryptojacking campaign looks for opportunities to multiply its processing power. So rather than simply installing the mining code on your server to churn away 24/7 mining Monero, the attackers may also inject a miner into your website, turning it into an attack vector against all your customers: the script runs in their browsers every time they visit your pages. Cryptojacking surged by 450 percent over the course of 2018, according to the "IBM X-Force Threat Intelligence Index 2019".
The well known WannaCry ransomware is widely attributed to North Korea's Lazarus Group. Some researchers believe that the version of WannaCry that caused so much havoc was actually a pre-release beta that escaped the control of its creators during testing. However, in 2019 the use of ransomware by nation state actors is seen as part of a more complex battle order, with the main purpose being to cause confusion and divert resources while other activities (such as industrial espionage or sabotage) are underway. The recent Ryuk campaign is an interesting example: security researchers believe Ryuk was developed by Russian-speaking criminals, yet it contains code recognisable from the Hermes malware that had earlier been linked to North Korea. Whether that code was stolen or, as later analysis suggested, simply bought as a kit on an underground forum, shared code alone is a weak basis for attribution.
Malware created by nation state actors eventually leaks into the criminal underground, whether the original inventor is the NSA or North Korea. As nation state agencies deploy more resources to create ever more sophisticated malware, this only serves to enhance the abilities of cyber-criminals over time.
In the spring of 2017, the update servers of Linkos Group, a small family owned Ukrainian business that makes the M.E.Doc tax and accounting software, were compromised by hackers from the Russian military. They added their own malware to the software updates, which were then distributed to customers across Ukraine. The malware did nothing until 27 June 2017, when it was used to launch what has become known as the most destructive cyber-attack in history: NotPetya.
The NotPetya malware rendered the disks of the machines it infected unreadable and then wormed its way across company networks using the EternalBlue exploit leaked from the NSA (which abuses the SMBv1 flaw patched in MS17-010). Where a machine was already patched, it spread anyway using credentials harvested from memory, pushing itself to the next host with PsExec or WMI. One of the machines it infected was in the regional accounts office of the Danish shipping company Maersk in Odessa.
Within minutes the malware wormed its way across the global network of Maersk: 574 offices in 130 countries, controlling 800 cargo ships, 76 ports and almost a fifth of the world's total shipping capacity, running on 4,000 servers and 45,000 PCs. NotPetya took down practically all of it. The one surviving domain controller, in Ghana, had been offline during the attack because of a local power cut, and from its copy of the directory the network could be rebuilt. The cost to Maersk alone is estimated at $300 million, and they were not the worst hit business. The total worldwide cost of the 2017 NotPetya attack was estimated at US$10 billion by the US government.
Maersk was not a target of the malware; they only had one small office in Ukraine, where the Russian attack was aimed. Yet Maersk and the other businesses affected around the world were all collateral damage, caught in the crossfire of someone else's cyberwar.
Industrial espionage is a real threat for businesses that invent their own products. Take aviation as an example. It costs many billions of pounds to develop a new aircraft, and many years to design, prototype, test and certify its many components.
According to a CrowdStrike report, the Chinese government used cyberespionage to steal component details from established aerospace engineering firms in order to save time and money designing its own parts for the new C919 airliner. The group, dubbed Turbine Panda, is alleged to have targeted engine design details from CFM International (the GE and Safran joint venture whose LEAP-1C engine powers the C919), among others.
The attackers used malware delivered on USB drives by insiders recruited by the Chinese intelligence service. The malware was then used to access the networks of companies engaged as suppliers to the aircraft project, the aim being to steal the technical details so that China could manufacture its own version of the components instead of buying them.
Whether criminals are after payment card details or nation state actors are after product blueprints, the cybersecurity principles remain the same: segment the network, patch the software, monitor the logs, configure the firewalls, and so on. The notable difference is that nation state actors are more likely to have the ability to deploy people into your business as well as malware, although organised criminals do this as well. Consider adding a social engineering and physical access test to your next network penetration test, to ascertain how secure your physical offices are as well as your network.
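"Monitor the logs" is easy to say; what would you actually look for? The NotPetya spread described above leaves a very recognisable trace: one machine opening successful network logons to many other hosts within seconds, usually with a single stolen administrative account. The detector below is an added example written for this article (not code from Maersk, Wired or any vendor). It runs over a constructed, simplified logon record format, assumed to be what a SIEM would extract from Windows Security events 4624 (successful logon) and 4625 (failed logon) with logon type 3 (network); the window and threshold are assumptions to tune for your own environment.

```python
"""Flag worm-style lateral movement fan-out in logon records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data in an assumed, simplified record format; the field
# names mirror what a SIEM extracts from Windows Security events 4624/4625.
# 10.20.1.15 is a normal user; 10.20.1.77 behaves like an infected host.
SAMPLE_LOG = """\
2017-06-27T10:30:01Z EventID=4624 LogonType=3 SrcIP=10.20.1.15 TargetHost=FS01 Account=alice
2017-06-27T10:31:12Z EventID=4624 LogonType=3 SrcIP=10.20.1.15 TargetHost=PRINT01 Account=alice
2017-06-27T10:45:00Z EventID=4624 LogonType=3 SrcIP=10.20.1.15 TargetHost=FS01 Account=alice
2017-06-27T11:02:00Z EventID=4624 LogonType=3 SrcIP=10.20.1.77 TargetHost=WS-ACC02 Account=svc_backup
2017-06-27T11:02:01Z EventID=4624 LogonType=3 SrcIP=10.20.1.77 TargetHost=WS-ACC03 Account=svc_backup
2017-06-27T11:02:01Z EventID=4624 LogonType=3 SrcIP=10.20.1.77 TargetHost=WS-ACC04 Account=svc_backup
2017-06-27T11:02:02Z EventID=4624 LogonType=3 SrcIP=10.20.1.77 TargetHost=FS01 Account=svc_backup
2017-06-27T11:02:02Z EventID=4624 LogonType=3 SrcIP=10.20.1.77 TargetHost=DC01 Account=svc_backup
2017-06-27T11:02:03Z EventID=4624 LogonType=3 SrcIP=10.20.1.77 TargetHost=HR-WS11 Account=svc_backup
2017-06-27T11:02:03Z EventID=4624 LogonType=2 SrcIP=- TargetHost=WS-ACC09 Account=bob
2017-06-27T11:02:04Z EventID=4625 LogonType=3 SrcIP=10.20.1.77 TargetHost=WS-ACC05 Account=svc_backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"SrcIP=(?P<src>\S+) TargetHost=(?P<dst>\S+) Account=(?P<acct>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "eid": int(m["eid"]), "ltype": int(m["ltype"]),
            "src": m["src"], "dst": m["dst"], "acct": m["acct"]}


def detect_fanout(lines, window_seconds=120, threshold=5):
    """Return {src_ip: summary} for every source that reaches at least
    `threshold` distinct hosts via successful network logons (4624, type 3)
    inside some span of `window_seconds`. Interactive logons (type 2) and
    failed logons (4625) are ignored here; a fan-out of 4625s is a separate
    signal worth its own rule (password spraying)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["eid"] != 4624 or ev["ltype"] != 3 or ev["src"] == "-":
            continue
        by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window anchored on each event; the first window over the
        # threshold raises the alert, one alert per source.
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            targets = {e["dst"] for e in in_window}
            if len(targets) >= threshold:
                hits[src] = {
                    "targets": sorted(targets),
                    "accounts": sorted({e["acct"] for e in in_window}),
                    "first_seen": start["ts"].isoformat(),
                    "last_seen": in_window[-1]["ts"].isoformat(),
                }
                break
    return hits


if __name__ == "__main__":
    for src, info in detect_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {len(info['targets'])} hosts between "
              f"{info['first_seen']} and {info['last_seen']} using {info['accounts']}")
```

Two design points matter when you take this to real data. Baseline the threshold per source type first: backup servers, vulnerability scanners and jump hosts legitimately fan out and need their own allowances, otherwise the rule is noise. And remember that this detects the spread, not the infection; with NotPetya the entire Maersk estate fell in minutes, so an alert like this is only useful if it feeds an automated response (isolating the source host or disabling the account) rather than a ticket queue.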
Critical National Infrastructure and utilities
At the time of writing, only a handful of publicly documented cyber-attacks against critical national infrastructure have caused, or were designed to cause, physical effects beyond the infection of computers with malware.
Stuxnet, discovered in 2010 after operating through 2009, destroyed around a thousand of the centrifuges Iran was using for uranium enrichment. In 2017 the Triton malware, later attributed to a Russian state research institute, targeted the safety instrumented systems of the Saudi petrochemical plant Petro Rabigh and caused a shutdown. And new research into the December 2016 blackout in Ukraine has revealed a disturbing but failed part of the attack, now believed to have been designed to cause explosive failure of electrical equipment. As reported by Wired, the security firm Dragos, which specialises in protecting industrial control systems, identified in newly available logs the attackers' attempts to disable the protective relays that trip circuit breakers on overload. The apparent intention was to cause massive electrical overloads while engineers were restarting the grid after the first wave of power cuts.
If you are responsible for the network security of a utility company or other critical national infrastructure, then the risks you face are reasonably well understood, albeit rapidly evolving. Nothing less than best-in-class cyber security practice, defending against each step of the cyber kill chain, is required.
What may not be apparent are the risks to other businesses that are related, however loosely, to high profile utility and critical infrastructure organisations.
Successful cyber-attacks are always a chain of events, with the attackers looking for the easiest means to proceed to the next step. For example, proudly declaring on the website of your air-conditioning servicing business that your customers include a railway and an airport will put you on the attackers' radar. Perhaps your systems have remote access into the airport's systems for maintenance and diagnostic purposes. The airport spends a fortune on cybersecurity and physical security, but your network may look like a softer route into the airport's network. The attackers won't know for sure whether your systems hold any useful access or information about the airport until after they have infiltrated your network, and the only way for them to find out is to compromise it. Once inside, your systems can be used as a pivot to attack your customer or supplier, through malware-laden emails or more directly if the networks are linked by a VPN.
Organisations of any size should be concerned about the behaviour of nation state actors in the cybersecurity arena, whether you are running power stations or a plumber's merchant. Whether the target of a direct attack or simply caught in the crossfire, the weapons of cyberwarfare are increasingly powerful and getting easier to deploy.