A recent UK report on Russian interference highlighted the issue of state-backed cyberattacks. SureCloud’s Cybersecurity Consultant, Corisande, spoke to the magazine, offering her insight into nation-state hacking and how businesses can stay protected. The full article can be found here, or check out her answer in full below!
Why might a nation-state target a particular business, and which industries, in particular, should be alert?
The Nation-State Actor is motivated by nationalism and tasked with gathering intelligence from or disrupting other nations via cyber means, or exploiting money from systems and people. This type of warfare has proven itself a low-cost, high-payoff way to defend national sovereignty and project national power.
The most common targets range from the technology industry (Google, Intel, RSA’s SecurID authentication), Financial Services or Influential Businesses (Operation Aurora), The Media, or other critical infrastructures, such as Government or Military offices or Gas and Electricity companies.
Overall, targets are likely to be organisations that own sensitive intellectual property, control significant finance, or are otherwise important to the running of or economy in the target country. A local bakery is unlikely to be a target, whereas a chemical processing company with proprietary compounds is far more likely to attract the attention of nation-states.
There are exceptions, though, such as when the target is a specific piece of technology (in the case of WhatsApp) where a huge amount of research and exploitation effort went into the compromise.
But once a Nation-State attacker is inside the target network, they tend to break out the 0days. At this point, they will have greater situational awareness of an organisation and more chances to ensure they’re not detected. So, utilising a collection of 0day exploits is both more likely to help them achieve their goal and less likely to have the exploit caught and rendered useless or “burned.”
What sort of impacts can nation-state cyber-attacks have on businesses? Loss of reputation, loss of value, data law breaches etc.
Cyber-attacks result in unquantifiable damage. From loss of reputation and loss of value to the effects of data law breaches, such as GDPR, the after-effects of a nation-state cyber-attack vary from industry to industry, company to company, and from day to day.
In general, the following are often associated with the consequences of an attack of this nature:
- Loss of intellectual property to overseas competitors;
- Loss of trust if personal data is leaked;
- In the cases of ransomware, massive financial losses;
- Ongoing loss of revenue from loss of business;
- In the most extreme cases, such as hospitals being attacked, loss of life.
Although large-scale companies that succumb to such attacks often come out on the other side, it can set them back decades of growth.
What can businesses do to protect themselves from potential state-sponsored cyber-attacks?
The most critical first step is to understand what the motive for an attack would be. If the company owns sensitive intellectual property, theft would be a likely motive. Similarly, if the organisation opposes a nation-state on a particular topic, a destructive attack may be more likely. Defending against high-effort attacks is expensive, and understanding the most likely targets within an organisation can help apply protections more effectively. When defending against Nation-State levels of attack, having a mature and empowered security team is absolutely essential:
- If you don’t already have an internal team responsible for security, build one.
- Empower the team. We’ve seen instances where a security team is given a purely advisory role with no ability to enact the changes needed to secure the organisation. Many compromises occur, from both Nation States and other threats, where the security team knew about the vulnerability but didn’t have the resources to mitigate it.
- Integrate security into the culture. Teach all your employees the importance of Cyber Security, not just the IT department. The human level of defence is what is most often exploited, and thus usually the weakest part of the chain, but it can also be the strongest!
Does the Intelligence and Security Committee’s report simply reaffirm what we already knew? Do you expect to see a stronger government response against Russia’s cyber activity following its publication?
The ISC’s report had a broad focus, and only 2 pages (sections 13 to 20) focused significantly on the UK’s defensive cybersecurity posture. What was clear is that the UK government has already adopted an attribution strategy. This means if a Nation-State is found to be the perpetrator of an attack, this attribution will be made public as a method to “name and shame” the responsible party on the global stage. The options for reaction are often limited when state-sponsored attacks are committed from within their own borders; no nation-state is going to extradite its own citizens to face justice in a foreign country. It is important to note that there was no mention of using offensive cybersecurity capabilities specifically as retaliation to nation-state cyber-attacks. The above response is based on the contents of the redacted ISC report without the classified Annex or evidence.
Corisande Evans, one of SureCloud’s Cybersecurity consultants, delivers a variety of pen-testing and cybersecurity-related engagements. Corisande has a background in Forensics and Open Source Intelligence Investigations as well as Red Teaming and both physical and technical Social Engineering.
Corisande is passionate about security, especially about security awareness. She has delivered training sessions to a range of different skill and seniority levels to ensure that the first line of defence, ‘The Human at the Keyboard’ has the best chance to fight against opportunistic attackers. Cori is a proud member of the Security Senoritas.