Are state-sponsored cyber-attacks a serious threat to your businesses?
The notion that a country’s military cyber-division has your business in their crosshairs for a cyber-attack feels ridiculous. Firstly, what could your business have possibly done to warrant such an attack and secondly, why would your business be a target?
Why do state-sponsored cyber-attacks target businesses?
A state-sponsored attack usually has one of three objectives: probing for and exploiting national infrastructure vulnerabilities, gathering intelligence or exploiting money from systems and people.
Directly attacking government or military systems to achieve any of these is hard. Comprehensive defences are in place and so the chance of success is low. But attacking businesses – where senior executives often baulk at the idea of spending money on the security basics – is far easier.
Businesses have become a favourite of state-sponsored attackers because they’re the least defended port into a country through which money or information can be extracted and disruption or unrest can be injected. Yet not all types of business are likely to be attacked.
What types of business should be concerned about state-sponsored attacks?
Let’s be real for a moment and acknowledge that most businesses don’t have to worry about state-sponsored cyber-attacks. Only if you fulfil one or more of the following criteria do state-sponsored cyber-attacks become a credible threat:
- You provide a service that would cause public disruption if it went offline (gas, electric, water, telecoms, Internet, medicine, transport, waste management or education etc.)
- You hold an active government contract
- You are a government or local council entity
- You are a highly profitable company
- You hold significant sensitive information (e.g. intellectual property or classified/secret information)
- You have a high financial sensitivity to IT downtime
- You have an office or operate in a potentially volatile region (Africa, Middle-East, Syria, Iran, Israel etc.)
Depending on which criteria you meet, the motives for an attack are different, but they generally fit into one of three categories: espionage, political or financial.
Espionage
Espionage is the most common motive and attacks of this type typically target companies who hold intellectual property or classified information and steal it to be used for blackmail, intelligence theft or counter-intelligence.
Political
Politically motivated attacks target companies whose service is important to public life and then hit their IT systems with a destructive attack to create unrest and disrupt the populace.
Financial
Financially motivated attacks target companies with a high likelihood of answering a ransom request such as those with a high sensitivity to downtime. The attack then uses ransomware or a distributed denial-of-service attack to disable their IT systems and pressure them to pay up to relieve the disruption. However, the ransom money isn’t the attacks’ goal because the real aim of such an attack is to manipulate stock prices or global markets to improve the attacking country’s position in the global ecosystem.
What threats do state-sponsored cyber-attacks pose to my business?
Existing threats
In the main, state-sponsored cyber-attackers use existing methods of attack but delivered from a military-scale operation. This means you’re now up against a cohesive team of well-educated computer engineers, using military-grade systems and an entire data centre or global bot network to deliver the attack.
There is an upside though and it’s that the principles of a strong cyber-defence still apply. If you’ve already made the effort to secure your operations, scaling up those defences and using more mature solutions provide a good deal of safety.
Unique threats
State-sponsored attackers also have several unique tricks up their sleeve which leverage their more advanced capabilities. Here are a few examples:
Surveillance
The most common type of attack is near undetectable man-in-the-middle intelligence-gathering operations. After infection, every email, file, and phone call is harvested, passed on to the attacker and analysed. GhostNet was a surveillance attack attributed to China (although they deny involvement) that infected high-value locations such as embassies in Germany, South Korea, India, Thailand, Pakistan, Iran and 97 other countries before being discovered.
Destruction
Infecting and overloading industrial systems to cause damage that will kill and injure employees whilst hurting economic output is another favourite tool of state-sponsored attackers. One such attack, attributed to Iran (although they deny it), occurred in 2018. Purpose-built malware was used to target a petrochemical plant with the intention to override safety controls, cause a build-up of pressure and trigger an explosion.
Crippling infrastructure
Other attacks are purely malicious. Russia is attributed (although they deny it) with the creation of the CyberSnake malware which provides attackers complete access to a network and the option to wipe all data from connected systems. The malware was used as a secondary channel of attack to cripple the Ukrainian power grid during Russia’s invasion into Ukraine in 2014. A number of countries also had strange power issues in 2019, although none were officially attributed to a cyber-attack.
Espionage
Finally, there are state-sponsored attacks that aren’t for the purposes of war, but for economic gain. In 2018, China allegedly conducted a multi-year cyber-espionage campaign that involved stealing intellectual property from several aviation engineering companies and using the stolen technology to design and build an entire aeroplane.
How can I protect my business against a state-sponsored cyber-attack?
Although state-sponsored attacks can be a genuine threat for certain businesses, there are several actionable steps you can take to increase your security.
1. Have the basics in place
Whilst the basics won’t protect you from state-sponsored attackers, they provide a fundamental level of cover, which is negligent to be without.
At a bare minimum, you need to be Cyber Essential certified – although if you wish to undertake government contracts, you’ll need the Plus certification. We have an entire article on how to achieve the security basics if you’re interested in learning more.
Alternatively, if you feel you have a secure environment but want validation, we also offer thorough security audits.
2. Integrate security into your culture
Whilst a check-list exercise like Cyber Essentials gets you started on security, to have any real chance against state-sponsored attackers, you need security integrated into the culture of your business. This can only be achieved by adopting and practising globally recognised security standards like ISO 27001 and adopting a continual improvement mindset.
A security culture is especially important if you plan on tendering for government work since standards such as ListX become easier to comply with if you’re already treating security sensibly.
Address things at the human level by simulating attacks and identifying which employees need extra training. Accountability of security with the board is also essential to ensure priorities are maintained.
3. Isolate critical IT systems/data stores
Separating your most important IT assets from the open Internet and general internal network multiplies the difficulty of stealing your intellectual property, taking down your IT systems or disrupting your operations by an order of magnitude.
But since most businesses are built around easy access to these resources, it’s not as easy as just cutting all connections to your critical IT assets. With some intricate networking and rights management configuration it is possible though and drastically improves your resilience.
If isolation isn’t a possibility at all, data loss prevention plus complete encryption for data both in transit and at rest should be made a priority instead. Our teams are well versed in this sort of project, so can help you undertake an effective implementation.
4. Clean up your technology supply chain
The banning of Huawei’s cellular networking products in critical infrastructure and government systems by the US and elsewhere may seem like paranoia, but it guarantees that if a backdoor does exist, you don’t have it.
If you’re in a government contract or planning to tender for one, you’ve probably already made steps to mitigate your use of risky hardware and software. However, if you’re still yet to map out what hardware or software you have in your infrastructure, undertaking an audit is imperative.
5. Engage in threat-sharing
Collaborating with the others in your industry to trade threat intelligence is an effective way to rapidly increase your resilience.
If the idea of sharing your security vulnerabilities and attacks you’ve had against your IT systems with your competitors sounds too risky, check if your IT support provider is already doing something similar.
A proactive support provider should already be taking lessons learnt from one client and applying them to all their other clients (for example, blocking a malicious IP for all clients after it was found targeting one). Having an IT support provider who specialises in your industry helps since it provides you with more relevant defensive updates.
6. Secure your communications
It’s imperative that you have at least one fully secure channel of communication (e.g. voice, data, text, video). Whilst apps like WhatsApp offer some security through end-to-end encryption, news stories such as the invasive WhatsApp exploit show that it’s far from business-grade software.
A secure communications solution is necessary for guaranteeing you have at least one channel of private communication – be it voice, video, text or email.
Securing your communications is especially important for companies with offices in volatile regions since state monitoring is more prevalent.
Conclusion
If you think you’re at risk of a state-sponsored attack, want to be secure enough to tender for government contracts or simply want to improve your defensive capabilities, we have experience in helping businesses in your situation.