Destructive attacks are rising from nation-states as companies are caught in geopolitical crossfires, according to a November 2018 survey from cybersecurity firm Carbon Black.
By Marilia Wyatt, CyberPrivacy
Geopolitical tensions can create potential cyberrisks for organizations operating in a highly interconnected global economy in which they may be used for collateral damage among countries that exhibit a higher propensity toward conflict.
The CyberPrivacy Brief:
- Nation-states launched destructive attacks against organizations 32% of the time in Q3 2018, according to the survey based on data from 37 Carbon Black incident response (IR) partner firms.
- Financial and healthcare remain most targeted industries (78 and 59% respectively), followed by retail (43%), manufacturing (41%), and government (27%).
- These destructive attacks are intended to paralyze business operations by manipulating and destroying data and IT assets. Damages can potentially incur compounding operational and financial costs.
Trends: Organizations are being used as a point of entry into other networks: 50% of all attacks leverage ‘island hopping,’ to access an affiliate’s network/data. A growing number of attacks exploit enterprise Internet of Things vulnerabilities and organizations’ websites as a poisoned ‘watering hole’ to infect visitors with malicious software. As companies’ IR strengthen, attackers, are evolving their capability to remain undetected inside corporate networks longer: 41% of respondents said network-based protections were circumvented and 51% saw counter-incident response tactics with 72% noting counter IR was in the form of destruction of logs.
Reasons for the attacks increasing: The report suggests attackers are growing “punitive” and armed with highly customized tools and services sold on dark web marketplaces providing them with new capabilities. Unlike generic attacks tools, services such as ‘attackers-for-hire’ – professional attackers offer economic espionage, precise data manipulation, DDoS attacks, and botnet rentals to disrupt and damage assets. Nation-states are running covert operations by increasingly using compromised infrastructures sold on the dark web as command and control posts.
Recommendations: The report advises organizations to gain greater visibility into their networks, which are home to a growing number of at-risk endpoints that IoT devices and cloud services produce.
The CyberPrivacy Commentary & Analysis
While destructive attacks intended to destroy corporate assets or sabotage are not new, they’ve been increasing in frequency since late 2016, said Dr. Andrea Limbago, a computational social scientist.
In December, the Ukraine power grid was struck again with destructive malware, later attributed to Russian-linked Crash Override. Crash Override is a highly customized malware with a wiper component, and is compiled to control the grid circuit switches and breakers. A few weeks earlier, Shamoon 2.0 surfaced, targeting Saudi government entities, infecting thousands of machines and spreading to Gulf states. Shamoon 2.0 was followed by the discovery of Stonedrill, another destructive malware targeting Saudi entities, but has also been discovered in at least one European organization.Source: The Escalation Of Destructive Attacks: Putting Dragonfly In Context, Endgame, 2017
While the Carbon Black report suggested China and Russia were responsible for nearly half of all cyberattacks, it wasn’t clear how it arrived at that in the report. Of 113 investigations, 47 stemmed from those two countries alone in Q3 2018. Iran, North Korea, and Brazil were also the origin of a significant number of recent attacks.
Mudding the water of attribution
Cybersecurity experts have said that just because malware is linked to China doesn’t mean that Chinese attackers are in the network. Chinese attackers could be easier to false flag since their malware is widely publicized and anyone can potentially download builders. Attackers can use a range of deception techniques to muddy the water of attribution including planting malware, language strings, and false flag timestamps to operate under cover of existing groups.
The bottom line: The increased use of politically motivated destructive attacks could cost organizations significant amounts of revenue and diminish their competitive advantage. These attacks are tailored to a target for various purposes, including shutting down corporate systems and denying incident response teams the access to data they need to investigate incidents. With greater counter-incident response tactics, companies must evolve as well and make their IR strategies stealthier to reduce damage and recover. The increase in destructive attacks might not be an anomaly, but a current state of affairs for businesses operating in a highly interconnected global economy in which they may be used for collateral damage among countries that exhibit a higher propensity toward conflict. Companies must prepare for crisis scenarios and have robust business continuity plans in place which they must prepare ahead of time for when mayhem strikes.
Suggested reading resources: In his new book, “Cyber Mercenaries: The State, Hackers, and Power,” author Tim Maurer, examines how states are now innovative in their deployment and use non-state attackers or ‘cyber mercenaries’ as proxies to carry out attacks and develop offensive capabilities to meet a foreign state’s objectives.