Security
Headlines
HeadlinesLatestCVEs

Headline

State Sponsored Attacks in 2023 and Beyond

As 2023 begins I wanted to look forward on the future of state sponsored aggression and how we can see it change and evolve over the next year and beyond.

TALOS
#apple#git#intel#zero_day

Tuesday, January 24, 2023 07:01

As we begin 2023 I wanted to take some time and look at the state sponsored threat landscape. Over the last few decades we’ve seen seismic shifts in how state sponsored actors attack, starting with traditional espionage with attacks like Moonlight Maze and Project Gunman and evolving into more intellectual property theft and dissident targeting with attacks like Operation Aurora. Now activity is moving into increasingly destructive or destabilizing attacks we’ve seen used in both Ukraine and the Middle East with information warfare emerging as one of the key battlefields. One thing to note is espionage never left the landscape. It is a constant and significant force driving state sponsored hacking and always will be.

Throughout 2022 we faced one of the more unique landscapes that we have seen in cyberspace due to the ongoing war in Ukraine and associated attacks. Interestingly we saw the war leveraged in different ways by other state sponsored groups, not just those originating from Russia. As we discovered this past year, groups like Mustang Panda were launching malicious campaigns with documents related to the Ukrainian war as a lure. Demonstrating how this war is having far reaching impacts on the threat landscape, far beyond the actual war zone.

The war provided us with one of the first real life demonstrations of how much of a role cyber activities would play in kinetic warfare. Unfortunately, the answer is clouded by doubt of whether it played a surprisingly small role or if the Russians underestimated the capabilities and perseverance of Ukrainian people, neglecting the full scope of cyber capabilities. The question now is: where do state sponsored attacks move in the future? The retreat from globalization is going to shift the landscape and change the ways nation states are operating in cyberspace. As countries move to manufacture and build internally, their targeting will change accordingly. Instead of just attacking for espionage purposes, economic considerations will play a significant role. For the first time we will see how nation states will leverage cyber when facing the economic strain of this move away from globalization coupled with high inflation and interest rates that we haven’t seen in decades.

Retreat from globalization could usher in another era of IP theft

The post pandemic push against globalization could drive a new era in cyber-based intellectual property theft in the months and years ahead. The pandemic has changed the world in a staggering number of ways, but most crucially it could precipitate the end to the decades long march to globalization. Countries around the world were met with supply chain bottlenecks and the realization that just-in-time (JIT) shipping only works when your suppliers are available, and the push to bring jobs back stateside has already begun. Whether it’s Apple announcing chip manufacturing will begin in the United States or the CHIPS act being passed in the United States pushing hundreds of billions of dollars into semiconductor research, both enterprises and nation states are revisiting manufacturing.

This shift will have many downstream impacts, but the largest impacts will be felt in those countries where manufacturing dominates their GDP. This is also going to result in more autocratic nations spinning up domestic versions of products and technologies. Developing these new capabilities isn’t a simple process and typically requires significant investment into research and development to achieve the technological breakthroughs required for some manufacturing.

However, there is another avenue for those nations willing to take it –theft. More specifically cyber theft of intellectual property. This isn’t a new behavior, in fact back in 2012 General Keith Alexander famously said, cyber theft was the “greatest transfer of wealth in history” but since then the activity has cooled slightly. China and the US agreed to scale back their offensive operations and we haven’t had a barrage of high profile breaches at defense contractors and other high value targets in some time.

The playing field has grown considerably for state-sponsored actors. What used to be dominated by a handful of well-resourced countries is now seeing more nations turn to offensive capabilities to support their missions. As such the likelihood that other countries take a similar path seems likely. History has shown that the fastest way to come up to speed is to steal the intellectual property instead of developing it yourself. It’s also plausible that you could start to see criminal organizations take increasing interest in the intellectual property of their ransom and extortion victims as that data could be worth many times the ransom demand to a nation state trying to make up critical ground in technology or manufacturing.

Destructive attacks will increase as the retreat from globalization hastens

Over the last decade state-sponsored actors have increased their use of destructive attacks. They have historically been largely associated with Russian aggression: NotPetya, OlympicDestroyer, WhisperGate, CaddyWiper, etc. However, we have seen examples of other groups launching destructive attacks, most notably against Saudi Aramco and other Shamoon-associated targets. The use of destructive malware is poised to increase in the months and years ahead. These actors have learned that wipers are an effective means to destabilize a region or impact vital services. This was demonstrated most clearly in the Colonial Pipeline attack where a ransomware attack against its enterprise systems resulted in pipelines being stopped. This attack demonstrated how nations don’t need to attack critical infrastructure directly to disrupt it. There is little reason for these actors to avoid critical infrastructure as, to this point, cyberspace based aggression has seen little or no response.

Critical infrastructure has always been a red line, albeit one that’s already been crossed several times. Russia has attacked Ukraine’s power system multiple times, resulting in a loss of service and in some cases black outs. However, I’d argue that all of Russia’s attacks could be associated with the war against Ukraine, a war that started in 2014 with Russia’s invasion of Crimea. Looking at the conflict as it stands now, it appears that, in regional wars, kinetic attacks against critical infrastructure seem far more efficient with bombs being able to inflict more lasting damage. This may not be the case for more long distance opponents where kinetic attacks are more costly and difficult. The only reason to use exclusively digital attacks would be the desire to keep the facilities functioning, although there is no guarantee that a cyber attack couldn’t be destructive, as demonstrated by Stuxnet.

Today state-sponsored actors are looking for ways to disrupt critical infrastructure without attacking it directly, for fear of reprisal. The colonial pipeline attack gave them the playbook they needed and in all likelihood we’ll see it play out again. The only way to prevent critical infrastructure from being a target is to establish rules of engagement for cyberspace which is unlikely to happen anytime soon, barring a calamitous cyber event. The reason is that the big players aren’t willing to give up their own capabilities for times of war, at least not yet. Critical infrastructure isn’t the only place where these groups attempt to destabilize their adversaries. The information battlefield has only grown from the days of pamphlet drops and forgeries. With the advent of social media, information can be used in powerful and unexpected ways.

Information moves impossibly fast today. Viral news spreads like wildfire across the globe and in a matter of hours has traversed it many times over. The issue is, how do we know it’s true? The line between true and false has been blurred repeatedly by leaders both elected and otherwise around the world. As such an opportunity has been created for state-sponsored groups to leverage this as a wedge. We’ve seen it in the US elections in 2016, we saw it again in the French election-related hacking, and we saw it countless times in the COVID era. Misinformation and disinformation are now powerful tools that can be wielded to effect change on a scale previously thought to require physical involvement, and those with the capacity to abuse it have noticed.

One of the interesting aspects of social media is that each user’s experience is largely unique to them. Meaning that it’s based on aspects of your life, for instance your location, profession, and social circle. This provides avenues for targeted misinformation and disinformation to hit specific groups. We’ve already seen this done in the election interference where things were targeted at certain demographics or groups.

For most nation states this is an incredibly attractive avenue as it’s easy to conduct, relatively cheap, and easy to plausibly deny. Worst case scenario they get exposed, fold up the current campaign and spin up new companies or organizations to start the next one armed with the lessons learned from the previous failures. The activities on social media for nation states hardly ends with misinformation and disinformation.

Targeting of citizens will continue as mobile spyware market grows

The last five years has seen an explosion in the mobile spyware market. NSO Group is the most well known but there are new startups flooding the market, all promising the same level of zero-day support and repeatable in-memory access. These tools are marketed as the ultimate spy tool to expose criminals and terrorists around the globe but it is often being found used against dissidents, activists, and journalists. Today everyone’s life exists on their devices from email to documents to private communications. It’s all right there and if you have millions of dollars to spend it’s easily accessible. The truth is that if someone deems your information valuable enough, they can get it, they just have to be willing to spend the money to accomplish it. For most of us that means we’re in the clear. Unfortunately, the risks are quite high for the few that choose to challenge those in positions of power or aid those in doing so. To be clear this isn’t something an average person or even company would be able to purchase, but for intelligence apparatuses around the globe it’s all too easy to achieve.

In many countries around the world there are rules and protections in place to prevent domestic abuse or targeting overreach. The problem is that there are lots of countries with access and willingness to skirt the typical rules of engagement. Governments are starting to take action against these mobile spyware companies, but for every company they knock down another one will rise up. There are no easy solutions for the small minority of people that fall into this targeting, but technology companies are beginning to work on it.

The world is shifting away from globalization in the post pandemic era. Interest rates are exploding and borrowing just got a lot more expensive. State-sponsored groups are going to be squeezed just as we all are. Cyber operations are cheap both financially and politically. Rarely do you need to put boots on the ground and you can launch the attack from the other side of the planet without a single physical asset at risk of being discovered. Additionally, cyber campaigns carry a much higher level of deniability and rarely have political repercussions. The appetite to expend scarce resources in espionage activities will always exist, but if an agency can conduct five or six cyber operations for every non-cyber campaign, then the value is in cyber. Maximizing value will be increasingly important as budgets around the world tighten to counter the increased cost of borrowing. Additionally, the push away from globalization likely increased the non-governmental targets for state-sponsored groups going forward.

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information