As a result of outdated systems and a persistent lack of investment, the UK government is highly vulnerable to state-backed cyber-attacks that “could bring the country to a standstill”. That startling claim was made in a joint House of Commons and House of Lords report issued at the end of 2023. As 2024 begins, it is useful to take a look at the current state of affairs in this key risk area, with a specific focus on the threat stemming from state-sponsored attacks.
Backed by governments with access to seemingly limitless funds, state-nexus adversaries have the resources to build ever more sophisticated malware to achieve their political agendas through malignant means.
Constraints on budgets and shortages of skilled specialist cybersecurity labour, particularly acute in the public sector, work to their advantage and significantly increase the vulnerability of the institutions being targeted.
NATO countries targeted
The UK is not alone in this. According to a report by Google, in the first year following the Russian invasion of Ukraine in 2022 there was a 300% increase in the number of phishing attacks targeted specifically at users in NATO countries. The severity of these state-sponsored cyber-attacks by Russia appears to have peaked toward the end of 2023.
Ukraine has experienced a similar increase in the number of attacks. And in December 2023 Russia launched a devastating and highly successful large-scale cyber-attack on Kyivstar, Ukraine’s biggest mobile phone provider. The disruption caused the telecom service to collapse entirely and spilled over into other sectors, including the financial ecosystem, as users in many areas depended on their phones to access mobile banking.
Looking elsewhere, China has invested heavily in its cyberattack capabilities. The growing threat has led to US companies such as KPMG and Deloitte advising their consultants to bring burner phones on business trips to countries such as China in order to reduce the risk of those devices compromising the security of their systems more widely.
Espionage and data
Chinese capabilities appear to have been used primarily for espionage and the collection of sensitive data, and have not been weaponised in the same way as Russia’s. Their extent and maturity are therefore far less known and understood.
But as reported in the FT, Microsoft claimed that Chinese state-sponsored attackers breached a number of US systems in order to “disrupt critical communications infrastructure between the United States and Asia region during future crises”. While China vehemently denied responsibility for the attacks, US officials explicitly called out the threat posed by a “PRC state-sponsored actor” to critical US infrastructure.
The integration of cyber capabilities into more conventional arsenals of various countries has also been apparent in the clandestine as well as open warfare in the Middle East. We have recently seen the NSO Group offering its services to Israel’s government to track down hostages as well as suspected terrorists following the Hamas attacks on Israel. Bloomberg called it a “return to the fold for shunned cyber companies” that had previously been blacklisted by the US Commerce Department and also heavily criticised for their surveillance technology, which allegedly facilitates serious human rights violations in various countries around the world.
State-nexus adversaries use different tactics from those employed by hackers more generally. While they obviously have access to much of the malware in circulation, the following is a non-comprehensive list of techniques that are more likely to be employed by state-sponsored actors in order to achieve objectives that go beyond the monetary.
Destructive software such as wiper malware is more frequently deployed by nation-state actors. The only purpose of this type of malware is to destroy and corrupt all data to make it totally inaccessible – there is no ransom demand, nor does the possibility of undoing the damage exist. Disruption rather than profit is the primary motive behind a wiper malware attack. Russia is believed to have launched a number of attacks on Ukrainian targets using this type of malware.
“Zero-day” attacks have been commonly used by China for espionage activities in the North American region. The attacker takes advantage of a software vulnerability that is not yet known to the vendor, so no patch exists, and exploits it through custom code.
NSO Group offers one of the most sophisticated pieces of off-the-shelf spyware currently available to governments. This tool is known as Pegasus. While we are all too familiar with phishing emails asking us to click a nefarious link, Pegasus is a form of “zero-click” malware. This type of malware accesses the target’s phone through apps like WhatsApp or iMessage without requiring any intervention by or involvement of the user. Once on the device, Pegasus has full access to all the data on the phone.
Generative AI
The effectiveness of all types of malware is also being driven by advancements in and more extensive availability of AI tools. The application of these tools to various types of attack vectors is making cyber threats even harder to prevent. For example, through the use of generative AI, data can be manipulated to produce “deepfake” video and audio in an attempt to distribute misleading information or for the purposes of even more persuasive social engineering.
A shift towards fileless malware using living-off-the-land (LOTL) techniques, which use tools that already exist on the system rather than requiring the attacker to install code, makes it even more difficult for traditional security tools to detect a breach. As fileless malware does not require any software to be installed on a target’s device, hackers can cover their tracks, sidestepping file detection-based security software that would normally identify the intruder. The attacker can then lurk in the background gathering valuable information and preparing to unleash a more devastating attack at a time that might maximize damage or coincide with some of the other objectives of their state sponsor.
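Because LOTL activity leaves no new file to scan, defenders typically look at behaviour instead: which process started which, and with what command line. The following is an added example, not part of the article, showing a few such heuristics run over process-creation events. The field names, the lists of script hosts and document applications, and the sample events are all constructed to resemble a generic EDR or Sysmon feed and are assumptions for the sake of illustration.

```python
"""Behavioural detection of living-off-the-land activity from process-creation events.

Added example: the event schema, tool lists and sample events are constructed
and illustrative; they are not taken from the article or any specific product.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Built-in script hosts that are present on every Windows host (illustrative list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Document-handling applications that have no business launching a script host.
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}


@dataclass
class ProcEvent:
    parent: str             # full path of the parent process image
    image: str              # full path of the new process image
    cmdline: str            # command line as recorded by the sensor
    original_filename: str  # OriginalFileName from PE version info, "" if unknown


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decoded_powershell(cmdline: str) -> str | None:
    """Return the decoded script if the command line carries -EncodedCommand (UTF-16LE base64)."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event triggers (empty list if benign)."""
    findings: list[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent)

    # 1. Parent/child anomaly: a document application spawning a script host.
    if parent in DOC_APPS and image in SCRIPT_HOSTS:
        findings.append("document app spawned a script host")

    # 2. Obfuscated command line: PowerShell launched with an encoded script.
    if image in {"powershell.exe", "pwsh.exe"} and decoded_powershell(ev.cmdline) is not None:
        findings.append("encoded PowerShell command line")

    # 3. Renamed system binary: on-disk name differs from the PE's original name.
    original = ev.original_filename.lower()
    if original and original != image and original in SCRIPT_HOSTS:
        findings.append(f"renamed system binary (original name {original})")

    return findings


# Constructed sample events for demonstration.
ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SUSPICIOUS = ProcEvent(
    parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    cmdline=f"powershell.exe -NoProfile -EncodedCommand {ENCODED}",
    original_filename="PowerShell.EXE",
)
RENAMED = ProcEvent(
    parent=r"C:\Windows\explorer.exe",
    image=r"C:\Users\Public\updater.exe",
    cmdline="updater.exe /c whoami",
    original_filename="Cmd.Exe",
)
BENIGN = ProcEvent(
    parent=r"C:\Windows\explorer.exe",
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    cmdline="powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
    original_filename="PowerShell.EXE",
)

if __name__ == "__main__":
    for name, ev in [("suspicious", SUSPICIOUS), ("renamed", RENAMED), ("benign", BENIGN)]:
        print(f"{name}: {evaluate(ev) or 'no findings'}")
```

None of these rules inspects a file on disk; they work entirely from telemetry that the operating system already emits, which is why behavioural logging of process creation is the usual answer to the detection gap the paragraph describes.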
Cybercrime-as-a-service or ransomware-as-a-service (RaaS) is becoming an increasingly profitable business model. RaaS is often distributed as a monthly subscription service. Developers sell the software to individuals and groups, lowering the entry barrier to cyber-attacks. This allows amateur cybercriminals to launch attacks on a large scale without the challenge of building the malware themselves.
Such amateurs can sometimes inadvertently become tools for state-sponsored entities who can use them for various tasks, including simply to test the defences of a potential target. In such a case the state-sponsored actor remains safely in the shadows while gaining valuable intelligence on potential vulnerabilities of a target system.
How can targets respond?
How can target governments, institutions and organizations respond other than by increasing budgets and hiring cybersecurity professionals?
Some clues lie in the responses of businesses that are continuing to adapt to the escalating cyber threats and the increasing likelihood that they themselves may become targets of state-nexus adversaries.
IBM’s 2023 security report reveals that significant investment in incident response (IR) planning in combination with testing and, crucially, employee training is taking place across the board. Enhancement and expansion of threat detection technologies has also become an integral part of current cyber security programs.
More than 60% of organizations are also already taking a more comprehensive approach to their vulnerability and risk management. This demonstrates that relying solely on Common Vulnerabilities and Exposures (CVE) listings and Common Vulnerability Scoring System (CVSS) scores is unlikely to be enough and will put institutions at a disadvantage when compared to some of the best practice out there.
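A CVSS base score describes a vulnerability in isolation; it says nothing about whether the affected system is reachable from the internet, how much the organization depends on it, or whether anyone is actually exploiting the flaw. The following is an added example, not from the article, of the kind of prioritization that takes those factors into account. The weighting scheme, the vulnerability identifiers and the sample findings are all constructed assumptions for illustration, not a published standard.

```python
"""Risk-based vulnerability prioritization that goes beyond the raw CVSS score.

Added example: the weights and sample findings are illustrative assumptions,
not a published scoring standard and not data from the article.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str            # placeholder identifier (constructed, not a real CVE)
    cvss: float             # CVSS base score, 0.0 to 10.0
    asset: str
    internet_facing: bool
    criticality: int        # 1 (disposable lab box) .. 5 (crown-jewel system), set by the asset owner
    known_exploited: bool   # e.g. listed in a known-exploited-vulnerabilities catalogue
    compensating_control: bool = False  # e.g. segmentation or a WAF rule already in place


def risk_score(f: Finding) -> float:
    """Scale the CVSS score by business context (illustrative weights)."""
    score = f.cvss * (f.criticality / 5)   # impact on the business, not just the host
    if f.internet_facing:
        score *= 1.5                        # reachable by any adversary, state-backed or not
    if f.known_exploited:
        score *= 2.0                        # active exploitation outweighs theoretical severity
    if f.compensating_control:
        score *= 0.6                        # mitigated but not fixed
    return round(score, 2)


def prioritise(findings: list[Finding]) -> list[str]:
    """Vulnerability identifiers ordered by contextual risk, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The order a CVSS-only process would produce, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings.
SAMPLE = [
    Finding("VULN-A", 9.8, "dev-lab-07", internet_facing=False, criticality=1, known_exploited=False),
    Finding("VULN-B", 7.5, "customer-portal", internet_facing=True, criticality=5, known_exploited=True),
    Finding("VULN-C", 8.8, "hr-database", internet_facing=False, criticality=4, known_exploited=False,
            compensating_control=True),
    Finding("VULN-D", 6.5, "vpn-gateway", internet_facing=True, criticality=5, known_exploited=True),
]

if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(SAMPLE))
    print("Contextual:", prioritise(SAMPLE))
    for f in SAMPLE:
        print(f"  {f.vuln_id} on {f.asset}: cvss={f.cvss} risk={risk_score(f)}")
```

In the constructed sample the CVSS-only ordering puts the 9.8 on an isolated lab machine first, while the contextual ordering promotes the two actively exploited, internet-facing flaws on critical systems to the top. The exact weights are a policy decision for each organization; the point is that they are explicit and reviewable rather than implied by a single number.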
Managed Security Service Providers (MSSPs) have helped businesses decrease the time required for breach identification and containment by up to 20%. Partly outsourcing cyber security management to specialist third-party vendors could enhance the effectiveness of a security framework. However, it is important to note that outsourcing carries some risk as well.
Some organizations are approaching cyber security from a hacker’s perspective through the integration of Attack Surface Management (ASM). This has allowed some organizations to identify and contain breaches 25% quicker and has improved their preparedness in the process.
Finally, the integration of security testing into the software development process (DevSecOps) has proven to be extremely effective for bolstering cyber security and the most effective cost mitigator when it comes to a breach. Businesses that followed a DevSecOps approach had an average breach cost that was $1.68 million lower when compared to those with low or no adoption.
One thing worth noting, and almost certainly worth exploring further, particularly in the context of larger government operations, is that fewer than 30% of organizations utilized AI-driven security and automation, despite its proven potential to enhance efficiency and reduce costs.
The increase of cyber-attacks and the growth of state-sponsored cyber warfare means that robust cyber defence has become a necessity. It remains to be seen whether it is possible for individual organizations and institutions to effectively resist an attack by state-nexus adversaries given the disparity in power between them.
Johanna Vogt is an Analyst on Global Relay’s future leaders graduate program.