The Art of (Cyber) War

Category

Awareness, Case Study, Vulnerability


In the modern age, nation states are expanding the battlefield with targeted cyber attacks on their adversaries. Are you at risk? And why?

“Why cyber attacks?”

Nation states have always sought advantages to increase their geopolitical power and secure their interests both domestically and abroad. Before the dawn of the information age and the global interconnectedness of people and networks, this revolved mostly around dominance in the physical and economic realms: obtaining and retaining territories and natural resources, expanding military presence and footprint, and forming political and economic pacts and trade agreements. In the last two decades, however, with the advent and proliferation of global information networks and highly connected systems, a new realm has emerged to supplement these methods of exerting and retaining geopolitical prominence. This realm is not bound by physical constraints, does not require seats at a negotiating table or votes of approval to enter, is not immediately visible, and can have absolutely devastating impact on adversaries who do not dedicate adequate resources to defending their position in it. That realm is cyberspace.

The rise in state-funded or state-initiated cyber attacks can be attributed to a number of different interests by the respective nation states embracing these modern methods of “international diplomacy.” A few examples of nation-state motives that may drive cyber warfare efforts include:

  1. Extract ransom payments or steal capital, likely to offset the heavy costs of international sanctions in place against many of the nation-states perpetrating such attacks;

  2. Exfiltrate secrets that can be used to damage an adversary economically or politically;

  3. Cause serious disruption to an adversary, possibly leading to dire economic scenarios (think supply chain disruptions);

  4. Steal intellectual property from corporations operating in adversarial nations to replicate the IP locally with major economic implications;

  5. Cripple critical infrastructure to weaken an adversary’s defenses, or ability to serve their people; and,

  6. Spread misinformation or prevent the spread of conflicting information to further their agendas and curate the message to not only the world stage, but also their own people.

“Who are the hackers? Are they military?”

State-level cyber warfare comes in many forms with many “faces.” When we think of nation-state hacking, most of us have a Western skew and immediately think of “the usual suspects”: China, North Korea, and Russia. That is of course not always the case, as a number of Western nations, including the United States, have upped not only their cyber defensive capabilities but also their offensive capabilities and activities in recent years. In most cases, state hacking programs utilize both directly affiliated actors (possibly military affiliated) and private “for hire” or sponsored groups that are not directly affiliated. However, the line between “state hackers” and “non-state hackers” gets blurrier every day as hacking organizations routinely sell their services to the highest bidder, and in many cases it is near impossible to trace back beyond doubt the entity sanctioning such attacks.

In a joint report released by Trellix and the Center for Strategic and International Studies (CSIS) in March of 2022, an international group of 800 IT security decision makers were surveyed regarding their cybersecurity preparedness for and perception of nation-state attacks. Eighty-six (86) percent of respondents believed they have likely suffered attacks at the hands of nation state hackers or hackers directly sponsored by nation-states. Respondents indicated that attribution for attacks is mostly suspected and not confirmed as confirming attack origination has become increasingly challenging with sophisticated attackers. The report acknowledges that high publicity around Russia and China during the survey may have skewed responses as well.

The chart below, extracted from the joint report, identifies where respondents believe attacks on their organization have originated, with the caveat that this is heavily “suspected,” as previously mentioned. In many cases respondents provided multiple, rank-ordered answers, so the total number of responses exceeds the number of respondents to the survey.

Graph of nation-state threat actors

“How is cyber warfare conducted?”

As noted above, there are many motives that drive why a nation state may choose to engage in cyber warfare and develop its own internal capabilities to both defend against and attack adversaries. Based on these motives, different types of attacks and many different targets may be selected to achieve the mission.

Let’s take a look at three of the most common types of attacks seen today.

Distributed Denial of Service Attacks

A nation state may utilize Distributed Denial of Service (DDoS) attacks to attack military or national security infrastructure and capabilities, critical infrastructure, healthcare services, or other quality of life services. DDoS attacks are meant to cause major disruption to an adversary nation and wreak havoc in a number of ways. DDoS attacks may be utilized against adversaries to affect their defensive posture, significantly impact the economic balance of the victim nation, or deny them access to necessary resources and services. Ultimately the end goal is to shake confidence in the national government and promote paranoia or outrage amongst the nation’s population.

One such example of a successful nation state initiated DDoS attack used as a retaliatory tactic against a victim’s infrastructure and public services occurred in June 2022 in Lithuania, and is well documented and described by Elizabeth Montalbano in a June 2022 blog post at ThreatPost. The post describes how Russian-linked hacking organization ‘Killnet’ targeted Lithuania’s state railway, airports, media companies, and government ministries with DDoS attacks. It also goes on to discuss the motives that spawned the attacks, in which the group claimed the attacks were in retaliation for the Lithuanian government closing transit routes between Russia and its satellite Kaliningrad at least in part due to Russia’s aggression against Ukraine.

Ransomware Attacks

Ransomware attacks are often used as a method of denial of service, but in many cases, are initiated with an economic motive - namely to extract as much money as possible from target victims. Many state-backed or state-sponsored hacking groups prefer ransomware attacks because it accomplishes the mission (major disruption to adversary industry or public sector operations) and it may net them a big pay day if the victim unadvisedly pays the ransom. Beyond singular payouts, the mercenary or state-backed hackers can continue extorting payment via double extortion, a persisting ransom-based attack discussed by Hive Systems’ own Katie Dodson in her ACT post dissecting the rise of Conti Ransomware and double extortion.

Ukraine has been the subject of a number of suspected Russian state-sponsored ransomware attacks including the infamous and exceptionally damaging NotPetya attacks suffered in 2017. If you have not heard of the NotPetya attacks, we highly suggest reading Andy Greenberg’s Wired magazine blog post from August 2018, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”. The post provides a narrative account of the impact and damage caused by the NotPetya attacks against Ukrainian public and private sectors.

Zero-Day Vulnerabilities

Another common attack vector for nation state hackers or state-sponsored hacking groups is the use of zero-day vulnerabilities to gain unauthorized access to public or private sector information systems. In many cases the endgame is to extract or exfiltrate as much sensitive information and data as possible as quickly as possible (smash and grab), but in some cases, the endgame is to simply hide and accumulate data as an advanced persistent threat (APT). Zero-day vulnerabilities are flaws for which no security fix or patch yet exists, whether or not they have been previously identified or disclosed. Hackers love zero-days because there is usually no readily available means of stopping them short of isolating affected systems, and in many cases detection platforms are not equipped to identify exploits in progress.

A great example of a zero-day vulnerability being leveraged in the wild by a nation-state against an adversary was covered by Malwarebytes’ Threat Intelligence Team in a blog post in June 2022 titled “Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine”. Russian espionage group APT28 (a.k.a. Fancy Bear) leveraged the Follina zero-day remote code execution vulnerability in Microsoft Office against Ukrainian targets in their ongoing war effort. APT28 initiated a campaign whereby a malicious Word document (maldoc) was disseminated within the Ukrainian government via a targeted phishing campaign that preyed on fears of nuclear warfare. Fearful, unsuspecting targets opened the maldoc, which contained an article discussing the likelihood of Vladimir Putin using nuclear weapons in his war on Ukraine, triggering the embedded malicious code and allowing APT28 to exfiltrate sensitive information and data from Ukrainian targets.

“Am I a target?”

Individuals may be targeted by nation-state or state-backed cyber attacks based on the underlying mission or goal. If you work for the government, or may have access to private or public sector services, public infrastructure, healthcare systems, or other high value systems, you may find yourself the target of attacks that aim to compromise you unknowingly to gain access to those systems.

While you may be the target for compromise, in most cases the nation-state attackers’ endgame includes a much larger picture. In many cases, they simply want to accumulate as much sensitive data as they can, or to cause major disruptions in their adversaries’ systems. However, there is always the possibility that if you are a public figure or government official, targeted attacks against you as an individual may be worthwhile to nation-state attackers. Such motivation may include inflicting economic harm or stealing an identity, influencing elections, influencing public opinion of a person or celebrity, or discrediting individuals to further their agenda.

“How can I protect myself?”

Individuals can take steps to protect themselves that also inherently protect their employers or companies, and national interests. The best way to protect yourself is to be vigilant. Follow your company or employer’s security policies if they have them; otherwise, follow good cybersecurity practices such as spotting and avoiding phishing emails, never installing software without properly vetting it, keeping your software and operating systems up to date, exercising good operational security, and not sharing information that may make you a more susceptible target (especially information about your position or level of access).

At the same time, the private and public sector must work around the clock to detect and respond to new and emerging threats. A strong cyber defense is critical in this day and age not only to protect consumer and individual interests in cyberspace, but also national and geopolitical interests.

Learn more about ways you can protect yourself by checking out our other Approachable Cyber Threat (ACT) posts, or if you are a public or private sector organization concerned with your susceptibility to attacks, let us know! Hive Systems offers in-depth risk and threat assessment services designed to help you identify the very weaknesses a malicious actor could leverage to compromise your systems and your data. Reach our team of professionals at https://www.hivesystems.io/contactus today!
