State‑sponsored or financially motivated: Is there any difference anymore?
What does the increasingly fuzzy line between traditional cybercrime and attacks attributed to state-backed groups mean for the future of the threat landscape?
Governments have always conducted offensive cyber-operations. But over the past few years, campaigns have seemed to grow in audacity and volume. The headlines scream about “state-sponsored” or “nation state” raids targeting everything from critical infrastructure to complex supply chains. But peer closer and the lines between these and traditional cybercrime are increasingly blurred.
What does this mean for the future of the threat landscape and the growing impact of cybercrime on global organizations? Without some kind of geopolitical consensus, it’s going to get a lot tougher to stop those criminal groups effectively being sheltered by nation states.
The traditional lines
When I started out writing about cybersecurity over 16 years back, the discovery of nation state attacks was a rarity. That’s what made Stuxnet such a huge event when it broke. Often, similar attacks were described as “state-sponsored,” which adds a little more ambiguity to attribution. It’s a sense that we know a government most likely gave the order for a campaign—because the target and type of attack did not align with purely financially driven motives – but may not have pulled the trigger itself.
The two terms have probably quite often been used incorrectly over the years. But that’s just the way governments like it – anonymizing techniques make 100% attribution difficult. It’s all about plausible deniability.
Whether nation state or state-sponsored, attack campaigns used to feature several key elements:
- Home grown or bespoke malware and tooling, potentially the result of time-consuming research to find and exploit zero-day vulnerabilities. This is the kind of capability that gave us EternalBlue and related tools allegedly stolen from the NSA.
- Sophisticated multi-stage attacks, often described as Advanced Persistent Threats (APTs), characterized by lengthy reconnaissance work and efforts to stay hidden inside networks for long periods.
- A focus on cyber-espionage or even destructive attacks, designed to further geopolitical ends rather than for naked profit.
To an extent, many of these points remain true today. But the landscape has also become way more complex.
The view from today
We currently live in a world where the global cybercrime underground is worth trillions annually. It’s a fully functioning economy that generates more than the GDP of many countries and is packed with the kind of freelance resources, knowledge and stolen data that many states covet. Just as legitimate defense contractors and suppliers are hired by governments from the private sector, so cybercriminals and their resources are increasingly the subject of informal and often ad hoc outsourcing agreements.
There has at the same time been a whittling away of historic geopolitical norms. Cyberspace represents a new theater of war in which no countries have yet agreed terms of engagement or rules of the road. That’s left a vacuum in which it’s deemed acceptable by certain nations to directly or indirectly sponsor economic espionage. It’s gone even further: in some cases organized cybercrime is allowed to do its own thing as long as its efforts are focused outward at rival nations.
Today’s landscape is therefore one in which the lines between traditional “state” and “cybercrime” activity are increasingly difficult to discern. For example:
- Many vendors on the dark web now sell exploits and malware to state actors
- State-backed attacks may use not just bespoke tools but commodity malware bought online
- Some state attacks actively seek to generate income from quasi-cybercrime campaigns
- Some states have been linked to prolific cybercrime figures and groups
- Some governments have been accused of hiring freelance hackers to help with some campaigns, whilst turning a blind eye to other activity
- It’s been suggested that occasionally government operatives are even allowed to moonlight to make themselves some extra money
Time to be proactive
What does the future hold? Just witness the furore over today’s ransomware epidemic, where cybercrime groups have been blamed for serious disruption to energy and food supply chains. The US has put some, like Evil Corp, on official sanctions lists. That means victims and insurers can’t pay the ransom without themselves breaking the law. But these groups continue to rebrand their efforts in a bid to outwit these rules.
The bottom line is that, while there’s still a market for their services, such groups will continue to work, whether with the tacit blessing or active sponsorship of nation states.
For threat researchers and CISOs caught in the middle this may not be of much comfort. But there is a silver lining. Many C-level execs can be guilty of adopting a fatalistic attitude towards state attacks: feeling that their opponents are so well-resourced and sophisticated there’s no point in even trying to defend against them. Well, the truth is that attackers aren’t necessarily superhumans backed by the apparatus and wealth of an entire nation. They may well be using commodity malware or even hired threat actors.
That means your security strategy should be the same, whatever the adversary. Continuous risk profiling, multi-layered defenses, watertight policies, and proactive, rapid detection and response.