Cyber Cold War:
Nation-State Hacking from Russia

Nation-state attacks typically intend to cause disruption to a country. In 2015, for instance, hackers, believed to be from Russia, were able to compromise three Ukrainian energy suppliers and shut off the power supply to thousands of customers.

“Overall, targets are likely to be organisations which own sensitive intellectual property, control significant finance or are otherwise important to the running of our economy in the target country,” Corisande Martinez Telfer, cybersecurity consultant at SureCloud, explains.

“A local bakery is unlikely to be a target, whereas a chemical processing company with proprietary compounds is far more likely to attract the attention of nation states.”

Yet, while critical infrastructure is often the primary target, any organisation that could assist in achieving the primary objective could find itself on the end of a state-backed attack.

“Nation-state hackers have no qualms about targeting any organisation or using them as a launch pad in their pursuit of valuable intellectual property, strategic intelligence, operational disruption, the proliferation of fake news or whatever their specific motivation might be,” Rich Turner, SVP EMEA at CyberArk, explains.

Turner points to the recent spate of cyberattacks launched against health organisations and enterprises amid the ongoing pandemic as proof, with healthcare bodies, testing laboratories and hospitals having been targeted.

“There are thousands of businesses that provide services to government – and millions more in the supply chain – and these can often hold significant data on government projects,” Vince Warrington, CEO of Protective Intelligence, notes.

With estimates suggesting that as many as 120 countries have developed cyber warfare capabilities, there is no saying who could find themselves on the end of a nation-state attack. What is more certain, however, is that any incident will be costly and damaging for the business involved.

Short-term consequences may include loss of data or lack of access to machines or systems, which often significantly impact the productivity and financials of a business. In the case of shipping company Maersk, which was hit by the NotPetya encryption malware – attributed to Russia by the National Cyber Security Centre – in 2017, the company’s shipping volume fell by 20% during the outage, resulting in a $250-300m loss.

“Then you have to consider the longer-term impact of a breach, such as loss of revenue, losing consumer trust, paying fines to regulators and even changes to the stock market,” explains Dr Shorful Islam, chief data officer at OutThink.

The financial impact of a breach can be huge. The 2017 Equifax breach, which the FBI has linked to military-backed hackers in China, is estimated to have cost the company $1.4bn so far, including a $650m settlement, $82m in technology and data security costs and millions more in legal fees.

“For businesses – providing they survive the event itself – the main problem is financial, both in the cost of recovering from the incident, to spending on improved defences, to managing the inevitable lawsuits or fines,” Warrington says.

However, depending on the goal of the attack, businesses may suffer more than just financially. According to PwC, close to 90% of consumers say they would take their business elsewhere if they don’t feel a company is handling their data responsibly.

“In relation to the after-effects of a successful cyberattack, a company often loses customers and their reputation suffers. Once that happens, value of the company often dissipates as well,” Cole says.

“Unfortunately, a victim of a cyberattack can be further victimised by the public for being thought to be lackadaisical in their cyber defense posture.”

Whether an attack is state-sponsored, carried out by an organised crime group, or launched by a lone attacker, the necessary response is largely the same. “Businesses should be defending against threats first and foremost,” Morgan Wright says.

According to recent analysis of data from the UK’s Information Commissioner’s Office (ICO) carried out by CybSafe, some 90% of data breaches in 2019 occurred as a result of human error.

“The type of malware used by nation states is often more sophisticated once it is allowed to operate, but the vehicle to get it there is invariably the same as most other attacks – vulnerable people,” Islam says. Rather than focusing on securing technology, attention must be turned to identifying and managing human risk.

However, there is no one-size-fits-all solution to mitigating cyberattacks. According to Telfer, in order to develop hardy defence against nation-state attacks in particular, businesses should first consider why they are likely to be a target.

“If the company owns sensitive intellectual property, theft would be a likely motive. Similarly, if the organisation opposes a nation state on a particular topic, a destructive attack may be more likely,” Telfer says. “Defending against high-effort attacks is expensive and understanding the most likely targets within an organisation can help to apply protections more effectively.”

Advancements in artificial intelligence (AI) technology are creating new ways for attackers to reach their targets and achieve their objectives.

It is already believed that Russian-backed operators are using deepfake videos, where AI is used to transpose a digital image onto an existing video, as part of disinformation campaigns.

Similar techniques have already been used to dupe businesses. In one case, an AI-generated voice was used to scam the CEO of a UK-based energy firm out of £220,000.

However, there are greater roles for AI to play in cyberwarfare. DeepLocker, recently developed by IBM Research to gain an understanding of how existing AI models could be combined to strengthen current malware, offers some idea of how attacks are likely to advance. DeepLocker uses AI to identify that it has reached its intended target through facial recognition, geolocation, and voice recognition, before launching a malicious action.

As attack vectors advance, so too must the defences used to stop a breach from occurring successfully.

“As attackers use more artificial intelligence and machine learning, so too must businesses respond in a similar fashion,” Morgan Wright insists. “Machine-speed attacks deserve a machine-speed response. Legacy hardware and software approaches are too slow to respond to modern threats and the speed of attack.”

Yet, for many businesses, defending against a nation-state attack will prove futile, Cole insists. Instead, businesses must realise that some breaches are inevitable, and instead focus on mitigating damage once they are already inside.

“This means a nation state gets into your enterprise, however you have additional instrumentation for lateral movement and you detect them before they can successfully move from the initial compromised endpoint towards the next step and whatever their final goal is,” Cole says.

The Russia report highlighted the UK’s intent to point the finger at Russia over state-sponsored attacks – something that other Western nations and many cybersecurity companies often refrain from doing, Charity Wright points out.

However, Russia, nor any other state, is likely to be deterred.

“Contemporary warfare is increasingly being fought on laptops rather than with troops on the ground. We have seen that infiltrating and shutting down an entire nation’s power system can be done remotely by just a few good brains and some advanced malware – achieving the same result with soldiers on the ground might take months and put a huge amount of lives at risk,” Islam explains.

To prepare for this new normal, businesses must continue to strengthen their cyber defences. And not just businesses in nations typically targeted by Russian-linked groups, but globally.

“If you think the UK and other western governments are not responding in kind to Russian nation state attacks, you are probably being a little naïve,” Islam concludes. “That is just how things are these days.”