Countering State-Sponsored Cyber Attacks
Blog Post

Marius Goeddert
Published on Oct 04, 2022


What makes Nation State Actors so special compared to other threat actors?

I think it's important to understand the differences between the different threat actor groups; this is super important for a CISO. Those are usually seen as the following. We have the insiders, on the one hand, where the attack comes from the inside. So it's an employee who intentionally, accidentally or by being abused from the outside helps with an attack. We've seen this in the Ukraine situation. So at the latest since then, this is a concern. The second group that CISOs are concerned about is the hacktivists, so usually following a special ideology or sympathizing with a specific side in a conflict. And again, this is what we've seen massively during the Ukraine war, for example. The classic group that CISOs are concerned about is the organized crime groups, the professionals. They are usually after the money. They have different maturities, so, for example, from ransomware to sophisticated payment fraud attacks, and they're getting better over time. And the last group actually is the one which is the subject of this exercise, and this is the nation-state level attacks. The nation-state levels are characterized by the vast resources they potentially have to use for their attacks. And in the worst case, they have lots of patience. So we've seen nation-state level attacks which are going on for more than a year, for example. So they are able to launch very sophisticated attacks. They use their intelligence organizations, and there are special cyber forces in the countries. And they have lots of tools and techniques, and they have very, very special and sometimes even unique knowledge. So we know that the nation states usually collect knowledge on zero-day exploits. So these are vulnerabilities which aren't yet publicly known, and they obviously can then be used in an attack once, and once they've been published, then they get patched sooner or later. And that's what we've seen in a couple of nation-state attacks.


What are the main countries we are concerned about and what are their motives?

So the countries you will most likely hear about most often in the context of nation-state cyber attacks are typically North Korea, you hear about China, you hear about Russia and you hear about Iran. However, if you look at the threat landscape reports of the different intelligence organizations globally, then you will find out there are far more names on their respective lists, and some of the countries are actually very surprising to us: all well-known countries or even what we would call “on our side”, so to speak. We've seen that many nation states in the last few years were ramping up their cyber capabilities significantly. So I think this is seen as a basic capability of all modern countries to have cyber defense and in some cases even cyber offense operations capabilities. So in some countries, we see a relatively open discussion being held on if and which offensive actions would be allowed. But I would say in most countries, actually, it's pretty non-transparent which cyber operations are being carried out by the nation state where the citizen actually is living. And when you look at the different cyber operations carried out, this very much depends on the motives and the priorities of the respective country. So we see in some cases it's just monetary income that is the motive, for North Korea, for example; they are very much interested in money.

In most cases, you see an interest in industry knowledge. So, espionage, for example; the classic country we think about here comes from Asia, it's for example China. But here again, many, many countries are doing this actually, even ones we would attribute to the “western” side. Others again have motives of destruction or of reducing the stability of a country. So, for example, attacking critical infrastructure; I think, for example, about the Stuxnet attack a couple of years back against the nuclear facilities.


What is the best way to defend against a nation-state-backed attack?

Yeah, I mentioned that the nation states actually are able to carry out very sophisticated attacks. However, we have seen, and this applies, for example, to the attacks we've analyzed during the Ukraine war, that many of the attacks comprise standard techniques, like, for example, phishing or spear phishing emails, so targeted emails, or the abuse of known and publicly available vulnerabilities, which just need to be patched on internet-facing applications. So, the basic thing which is always advisable is basic hygiene, like awareness, the understanding of phishing emails and not clicking a link, and especially not entering the credentials then on the fake website which opens up. We talk about multi-factor authentication; I think this is a baseline capability. Patching is super important, and we see increasing importance for structural capabilities such as network segmentation, which can help. But we know that with a capable nation state, if they really want to get into an organization, then it's super difficult to have an effective defense against this. I mean, CISOs have known for a while already, there’s never 100% security. So regardless of how sophisticatedly you tailor your organization, your security organization, there may be a more sophisticated attack which reaches your perimeter, your defense.


Since the Ukraine war, cyber threats have received increased public attention. What incidents have we seen?

So during the Ukraine war, real nation-state level attacks we've seen primarily among the directly involved countries. So we've seen such attacks in Russia and Ukraine and a little bit in Belarus as well. We have been super vigilant when the NATO application of Sweden and Finland came up, especially for the organizations in the Nordics. But, and this is the good news, we've not seen related cyber activities directly attributable to the NATO application. Jens Stoltenberg warned very publicly, and I think he just repeated it in an earlier sentence, and Biden stressed this as well; he warned Russia indirectly with a sentence that is: a cyber attack against a NATO country may invoke Article 5, which actually says that this is an attack against a NATO ally, which leads to the consequence that the other countries, the other NATO allies, will help and defend that country accordingly. So on the nation-state side, I would say we've not seen that much. We've seen more, plenty of attacks actually, from hacktivists on both sides. These were primarily distributed denial of service attacks; attacks against organizations still doing business in Russia were one example. But we've not seen very serious attacks on that side. And in many cases, the attacks cannot be clearly attributed back to a specific threat actor or to the nation state or to hacktivists fighting for one side.

So I've had calls with a couple of CISOs who had a DDoS attack, and they of course have a range of IP addresses from where the attacks predominantly came, which is then obviously botnets or something like that. But it cannot be clearly attributed back to who is now the one who was paying for that.


Does the Ukraine war have the potential to change the cyber threat landscape in the future?

Yeah, I mentioned that more countries are actually investing in their cyber capabilities, now especially in the Ukraine situation. Look at the Germans, for example: parts of their significant ramp-up of funding for the armed forces will go into cyber capabilities. And we have experienced in the past that it's just a matter of time until these capabilities, tools, techniques or even knowledge on zero days will leak down and may then be used and abused by organized crime groups afterwards. The most famous leak most likely was the Shadow Brokers leak from, I think it was, 2016. The Shadow Brokers is a hacking group, and they actually made a couple of tools and data about zero-day vulnerabilities publicly available. And it's obvious that this data and these threats came from a group which is called the Equation Group. And we believe that this can be, that they belong to the National Security Agency in the United States, so the NSA. And there's a link again, I mean the nation-state tools do know what they will leak. That means, practically, the Ukraine war has the potential to accelerate the evolving landscape even more.


Who should attend the round table discussion and what can attendees expect?

I think the nation-state topic is a super, super interesting topic for everybody who is concerned about security in an organization. Of course, cyber security is the most prominent one. But this goes even into the area of physical security and executive protection. I would say that especially CISOs, (Chief) Security Officers, security experts and other people besides us who are interested in the topic are well advised actually to attend this exercise. I think participants can expect a good discussion on this topic and that we all sharpen our understanding of what we can do and potentially when good is good enough or where even further actions are crucial.


What are your expectations in terms of the round table discussions?

I think especially in the last few years, collaboration, intelligence and experience sharing among, I call them, “the good guys” became a capability of increasing importance. So I'm always delighted if I have experienced people in a room discussing options for a topic like this one, which is not so easy and where a silver bullet is not so obvious or perhaps does not even exist.
