The idea of needing to know your enemy to win a battle is not new. In fact, it’s central to the famous passage from Chinese military general Sun Tzu’s book, The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Sun Tzu’s book was written hundreds of years ago, but it’s still incredibly relevant today in a geopolitical landscape dominated by kinetic and cyber warfare.
So, first things first, who is your enemy? In the cyber domain, much like the physical, the world is largely split into two parts: On one side is the West, which boasts state-of-the-art cyber skills boosted by a long relationship between the UK and the US. On the other side is the East, with China, Russia, Iran and North Korea – all formidable cyber adversaries with varying capabilities and aims.
Recently, Russian cyber aggression has been making headlines as the war in Ukraine rages on. The UK and the US have expressed concerns about Russian attacks on so-called critical national infrastructure, and Ukraine claims to have thwarted several cyber assaults over the last 18 months.
Beyond critical infrastructure, adversaries from government-affiliated groups in all hostile nations are making their way into systems through supply chain attacks. These allow stealthy adversaries to lie in wait and maximise the collateral damage.
Let’s take the example of SolarWinds, the supply chain attack thought to have been perpetrated by Russia. Adversaries had been hiding in systems for months, eventually entering the networks of multiple high-profile companies and government agencies through a software update.
So, what can organisations do to avoid falling victim? Here’s everything you need to know about the risks posed by the most capable nation-state adversaries and how to keep your company safe.
Most experts agree the most capable nation states are China, Russia, Iran and North Korea – or ‘CRINK’, the term coined by Cyjax CISO Ian Thornton-Trump.
The first two, China and Russia, are formidable adversaries for different reasons, says Philip Ingram MBE, a former colonel in British military intelligence. “China uses a lot of its state capabilities in the cyber environment to position itself for the future,” he says. This has led to concerns about technology firms such as Huawei, Hikvision and ZTE.
China is well-known for stealing intellectual property (IP) to gain an economic advantage: The country reportedly stole US military technology to build its J-20 fighter jet. “This can save billions on research and development,” Ingram says, adding that the country is also looking at large contract opportunities to “see if it can give Chinese companies additional competitive insights”.
China’s most feared threat groups include APT1 (Comment Crew) and APT10 (Stone Panda). “Groups go after information in the technology, aerospace and industrial sectors using a wide range of tactics,” says Paul Baird, chief technical security officer UK at Qualys.
Meanwhile, Russia has four real targets: Military, political, critical national infrastructure, and information. “It uses state actors to try and steal military secrets, influence and get ahead of political decision making, and disrupt cooperative activity in countries of interest,” says Ingram.
Russia is known for spreading disinformation and is also looking to threaten critical national infrastructure while looking for vulnerabilities that can be exploited later, Ingram says. “It does so through targeted disruptive information campaigns aimed at increasing political divides, sowing discourse and influencing how populations think.”
Russian groups, including Fancy Bear (APT28) – the group that hacked the Democratic National Committee’s emails to influence the 2016 presidential election – are often linked to the country’s intelligence services.
Iran, meanwhile, “is not in the same league as Russia or China” and remains focused on the regional and international interests of its two main target countries, the US and Saudi Arabia, says Ingram.
According to Baird, Iranian adversaries such as APT33 and APT34 have been associated with espionage, destructive attacks and data theft.
North Korea is financially motivated, and its main target is cryptocurrency and foreign currency. This is “purely to allow it to bypass sanctions”, explains Ingram. He points out that there are only two internet pipes into North Korea: A “relatively low bandwidth pipe” from China and a high bandwidth one from Russia. “It is highly likely that North Korea is utilised by both countries for plausibly deniable cyber operations.”
Famous for attacking Sony in 2014, the Lazarus Group is perhaps the most well-known North Korean state-sponsored adversary. Kennet Harpsoe, senior cyber analyst at Logpoint, describes how the group’s tactics have evolved from more simplistic “distributed denial of service (DDoS) attacks and website defacement” to highly sophisticated cyber espionage, cyber warfare and financially motivated attacks.
Nation-state tactics continue to evolve. There has been a dynamic shift in the main nation-state aggressors known as CRINK, says Chris Spinks, head of operations at Cyjax. “The [aggressors] used to sit comfortably in cyber military units or intelligence services. While most of these are dabbling, or have dabbled, in cyber crime and espionage in recent months, we are seeing an emergence of a new category of cyber mercenary doing the dirty work at the behest of the traditional nation-state actors.”
He cites the example of “DDoS noise” made by pro-Russia group Killnet. Perhaps these groups are trying to “create an organised distraction” to allow government adversaries to gain access stealthily, Spinks suggests.
There has also been a surge in “minimal effort” cyber attacks targeting the supply chain to achieve “maximum and spectacular results”, Thornton-Trump says.
Beyond SolarWinds, Thornton-Trump argues that attacks now focus on “rapidly exploiting legacy systems”, such as Microsoft Exchange. “Legacy code and appliances that have not been updated for many years are not able to withstand modern adversaries’ capabilities,” he warns.
According to experts, organisations keen to shore up their cyber defences should invest in proactive rather than reactive measures to protect themselves. While it might not stop a cyber assault, this type of investment could slow it down enough to be detected and responded to “before serious compromise”, says Morgan Wright, chief security advisor at SentinelOne.
As part of this, businesses and governments must press forward on improving their cyber hygiene, suggests Thornton-Trump. For example, he highlights the importance of patching: “If you can’t patch it, replace it.”
At the same time, Ingram advises fostering a healthy cyber culture through awareness, training and “leadership from the top, but reflected at all levels”.
In an era of increasing nation-state attacks, a robust threat intelligence programme can also help protect you from damage. A solid programme allows organisations to model current events and understand geopolitically whether they would be a target for attack, says Wright. “Understanding tactics, techniques, tools and courses of action makes it easier to look at the problem through the eyes of the adversary.”
A threat intelligence programme must assess which information is important to the business. This will offer results that are “relevant, timely and actionable”, says Spinks. To be useful, the initiative must be able to detect and communicate potential risks early, he adds. “This will help keep track of adversaries’ behaviour, changes in tactics, and the overall capabilities of the organisation.”
It’s true that knowing your enemy will help stop cyber attacks, but only if you combine it with other ways to protect your business. Get the basics right, train your staff and ensure you have an awareness of cybersecurity at all levels of the organisation.
1: Invest in proactive (not reactive) cybersecurity
2: Improve cyber hygiene
3: Patch, patch, patch
4: Invest in a threat intelligence programme
5: Understand your enemy
6: Run cybersecurity training and culture programmes
7: Lead from the top