Paul Pratley, Associate Director, Head of Investigations and Incident Response
We, along with 70 other global security organizations, contributed to the 2015 Verizon Data Breach Investigation Report (“DBIR”). Through this, we’ve observed a marked increase in state-sponsored espionage related incidents. And as the report states, “the reality is that if a determined, state-sponsored adversary wants your data, they’re going to get it unless another state-sponsored entity helps you defend it.”
As the above figure, taken from the report, clearly shows, the frequency of cyber espionage fluctuates considerably from year to year, but with one consistent tendency: it grows more than it shrinks. It is no longer a minority category but a strong contender alongside other traditional types of attack.
The second image makes the motivation behind these attacks clear: 97% of espionage-related data breaches involved state-sponsored actors.
State-affiliated or state-sponsored actors usually have particular objectives aligned with the political, commercial, or military interests of their country of origin. In the UK, we most often see this manifest as the targeting of third-party companies as a means to those ends. What the actors are typically after is information about their real targets, or access to those targets through the trusted relationships the third-party company holds with them.
Often the sensitive nature of the data held by a third party is not fully appreciated, or the company does not consider itself a target for nation states. It therefore frequently lacks the prevention, detection, and response capabilities needed to withstand state-sponsored attacks.
Wherever possible, state-sponsored actors use the same standard attack methodologies as typical cyber-crime actors and penetration testers. They do so because these techniques are extremely effective and so generic that they cannot be attributed to any particular group. The pattern usually involves targeted phishing emails followed by the use of recent, publicly known exploits that the victim has not yet patched.
Once they have a foothold, the actors move laterally into file-share servers and other systems from which they can steal privileged credentials. From there they:
Any competent state-sponsored actor will persist in its targets' networks, without their knowledge and with little visible impact, for months to years before discovery. Only when a company is highly mature in its security posture, is a high-value target, and generic attacks fail will the actor resort to costly 0-day malware developed in-house.
The majority of organizations find out about a cyber-security attack because someone else tells them about it. Most types of attack, whether hacktivist, financially motivated, or opportunistic, become visible within a short period of time, because they lead to public disclosure, fraud, or resource exhaustion through DDoS.
State-sponsored actors will rarely make much noise or cause enough disruption to raise suspicion or trigger detection. Their objective is to remain persistent, retaining oversight of communications or access to sensitive data.
To that end, they will also plant persistence mechanisms (hidden malware) on systems throughout the victim's network, which may remain untouched or dormant for years. These are practically invisible until the victim attempts to evict the actors; just as the victim believes the eviction has succeeded, the actors use these mechanisms to walk straight back in and continue operations.
State-sponsored attacks are a highly rewarding and relatively low-cost, low-risk way to carry out espionage and military operations. The likelihood of attributing an attack to a particular country with sufficient rigor is extremely low, and the success rate of any concerted effort is almost entirely assured.
Given this, the countries that pioneered the practice of cyber operations have enormously increased their capabilities, while countries that sat on the sidelines for years, observing the success of such operations, are now diving in headfirst to get their