Jourden Parks, CISO

You Better Watch Out, You Better Not Cry: Nation State Hackers Are Coming to Town



As we near the end of the year, it's time for festive nights, glittering lights and merry sounds of holiday cheer, turkeys being carved, eggnog in your cup, and hackers hacking your corporation and nation. The year 2022 has bestowed upon the world a never-ending procession of devastating cyberattacks, data breaches, digital con artists, and ransomware assaults. As the Covid-19 crisis, economic uncertainty, geopolitical instability, and grave human rights concerns continue to churn around the earth, cybersecurity vulnerabilities and digital attacks have proven to be the gift that keeps on giving.

Attackers are aware that your employees represent a soft target, and the reasons why are rather simple:

  • Jobs went remote.

  • Corporate security budgets plummeted, creating vulnerability from the ground up.

  • Nation-states signed deals that gave internet and telecommunication systems, which double as high-tech spyware, access to vulnerable systems.

  • Longtime, highly skilled hackers are aging out or burning out from carrying the extra load caused by a severe shortage of fresh-faced, skilled workers.

The answer, too, is simple, whether you are a nation or a corporation:

  • You must have access to a team of cybersecurity experts that are as skilled as criminal hackers, and it is imperative that your cybersecurity budget reflect your seriousness to protect your nation, your corporation, your people.


Nation-State Hackers

The real threat is state-sponsored hackers emboldened with a "License to Hack." A state-sponsored cyber-attack is one that is authorized and supported by a government. They are far less expensive and dangerous than conventional military operations, but no less destructive in their outcomes. They are government-sponsored employees who disrupt or compromise other countries, organizations, or individuals in order to get access to sensitive information or intelligence, which can have global repercussions. They might be employed as part of a covert "cyber army" or mercenary "hackers for hire" by businesses that support the goals of a government. As they are encouraged to spread instability overseas by their government, the hackers care little for the risks involved.

In China, they are provided more immunity than law enforcement. U.S. NSA hackers, in contrast, have a wide set of must-follow rules and are penalized for working for private companies in a cybersecurity capacity after leaving the agency. The Chinese-sponsored hackers live in comfort, similar to how U.S. social media businesses treat their employees, with cushy bean bags, meditation and yoga rooms, and cafeterias disguised as banquet halls.

Governments have a distinct advantage over private organizations when it comes to conducting hacking campaigns since they have greater resources at their disposal and better marketing campaigns to attract more people willing to work for them, or they just take the top 1% of students in state-controlled schools and teach them to code. The government has more significant resources to invest in the development of hacking tools, more incentives to gather intelligence, and a longer history of data collection.

Corporations and individuals are frequently caught in the crosshairs of cyber warfare between nations. A state-sponsored hacker, also known as an Advanced Persistent Threat (APT), is a cybercriminal who works for a government and has access to government resources, including unlimited financing and some of the more advanced technology money can buy. These organizations are dangerous because their members are so well-versed in technical details, seasoned veterans, and they take their work very seriously. They move slowly, often taking weeks or months to move their plan forward. They have an unrivaled talent for operating in silence. If hackers have been spying on an institution's networks, it could be months or years before the target discovers it, if at all. Groups of this caliber, that are ideologically motivated and engage in espionage, sabotage, and intellectual property theft, are challenging to combat or mitigate.

For a long time, military superpowers like China, Russia, and the United States have dominated cyberspace; they have hacked each other's networks and engaged in cyber espionage campaigns, with consequences that have occasionally extended into the physical world, including the destruction of nuclear facilities and the manipulation of political outcomes of democratic elections. Lebanon, Kazakhstan, and Vietnam are just some nations that have lately begun to catch up to the government hacking game despite not having a historically strong cyber rating. State-sponsored assaults are increasingly seen as the predominant danger to governments and large-scale companies worldwide due to the proliferation of such attacks on a global scale.

North Korea

Bureau 121 operates inside the Reconnaissance General Bureau, the North Korean government's intelligence organization. Every year, North Korea brings in fresh faces from the School of Automation to serve in Bureau 121. These students learn computer science fundamentals, including how to code, use an operating system, set up a network, and hack. The North Korean government's criminal propensity is what makes it so dangerous. Over the past decade, hackers from North Korea (nicknamed the "Lazarus Group") have launched attacks on governments and corporations. There is evidence that cybercrime, hacktivism, and intelligence gathering are their primary motivations, and to them, hacking is just another form of criminality committed for mundane money grabs.

In 2016, North Korea carried out a stunning bank hack that siphoned $81 million from accounts at Bangladesh Bank in a matter of hours by using the SWIFT credentials of Bangladesh Central Bank personnel to submit over three dozen false money transfer requests to the Federal Reserve Bank of New York. The bogus requests prompted the Federal Reserve Bank of New York to move millions of dollars from the Bangladesh Bank's accounts to bank accounts in the Philippines, Sri Lanka, and other Asian countries. Two years later, hackers with ties to North Korea attacked the Japanese clearing firm Coincheck, stealing $534 million, making it one of the largest cryptocurrency heists ever.

Online crypto game Axie Infinity was a tremendous success until this year, when hackers from North Korea stole $625 million from the blockchain network supporting it. Using two separate transactions, the hacker stole 173,600 Ether and 25.5 million USDC from the Ronin bridge. The Ronin team claims the hack began in November of 2021, when Axie Infinity's user base had grown to an unmanageable scale and they had to reduce safety standards to meet the increased demand. When the company's expansion slowed, it neglected to shore up its security, resulting in the largest cryptocurrency hack in history. A few months later, hackers from the same North Korean group struck again, stealing $100 million from the Harmony Horizon Bridge, a service allowing users to move their crypto assets from one blockchain to another.

China

Hackers working for the Chinese government are considerably more serious, and their ability as hackers should worry anyone who believes wars are still waged with "boots on the ground." The battleground, the stakes, and the participants in the expanding global fight are all virtual. Hackers working for the Chinese government are pervasive and sneaky. They are responsible for several high-profile breaches targeting U.S. institutions and businesses. One such instance is the Aurora operation. The goal of the 2010 hacking operation was to collect intellectual property to assist Comac, a Chinese state-owned aerospace company, in creating its own aircraft, the C919 jet, to compete with industry competitors like Airbus and Boeing.

As a result, cyber operations are now widely acknowledged as a valid method for conducting industrial espionage. Typically, Chinese hackers get into computers to steal intellectual property, which they then utilize to produce knockoffs, reducing the need to acquire technology elsewhere or develop it themselves. It is now widely believed that Chinese hackers have gained all of the components required to construct their Comac C919, including the designs for the engine, airframe, flight control systems, digital flight equipment, and even the tires.

2020 witnessed a flurry of world-altering events, including the SolarWinds breach, one of the worst cyberattacks of the 21st century, not because a single company was penetrated, but because it triggered a much wider supply chain issue that affected thousands of organizations, including the United States government. Thousands of SolarWinds clients' networks, systems and data were compromised. The scope of the hack is among the largest ever documented.

The Orion network management system is used by over 30,000 public and commercial organizations, including municipal, state, and federal agencies, to manage their I.T. resources. As a consequence, thousands of users' data, networks, and systems were infiltrated when SolarWinds distributed the backdoored code as an update to the Orion software. Customers of SolarWinds were not the only ones affected. Because the hack exposed the internal workings of Orion users' environments, the APTs could access the data and networks of those users' clients and partners, exponentially increasing the number of victims. SolarWinds was an ideal candidate for this type of supply chain assault because several international corporations and government organizations utilize its Orion product. The hackers simply had to inject malicious code into software updates or patches supplied by SolarWinds.

Government agencies including Homeland Security and corporate bodies such as FireEye, Microsoft, Intel, Cisco, and Deloitte were affected, as data suggests emails went missing from their systems. Hackers initially gained access to the SolarWinds networks in September 2019, but the attack was not publicly identified, or at least not disclosed, until the end of 2020, so the APTs likely had over a year of total access.

It is now known that Russian government-affiliated APTs hacked SolarWinds, allowing Chinese hackers to exploit the vulnerability and create a dual attack. A Chinese state-backed hacker outfit recently put malicious code into the Chinese messaging service MiMi, basically replicating the SolarWinds attack. As a result of attackers seizing control of the servers that provided MiMi, users were given a version of the application containing malicious code. In essence, this was an attack on the software supply chain in which the software delivery pipeline was hijacked. And nobody was aware for months. Western media have mostly ignored this security issue, perhaps because it looks to be Chinese monitoring of non-American and non-European targets. Regrettably, this incident is indicative of a growing trend of government strikes against software supply chains. The governments and corporations of the West should take notice and adopt defensive measures.

A few branches of the CCP People's Liberation Army (PLA) are known to have cyber capabilities, specifically PLA Unit 61398 and PLA Unit 1486. However, some of the hacks come from Chinese schools and factories, which isn't that odd when you bear in mind that China has a major firewall preventing most Chinese people from accessing the websites being hacked. It is safe to assume that if a company being blocked by the firewall is hacked from within China, then the hackers are Chinese operatives. And then there is TikTok, a massive data collection and surveillance network masquerading as bad dance moves and silly cat videos. Which is worse: Chinese hackers stealing data, or people sending personal data directly to China? The Chinese government is obsessed with acquiring as much personal data as possible, including private health and medical records, about as many Americans as possible.

The distinction between nation-state APT collectives and individual and small-scale financially motivated criminal hacker collectives no longer exists. APT hackers are increasingly outsourcing their skills to cybercriminal groups to line their own pockets. Combine their attributes and you have the makings of the perfect storm.

TA2541

Phishing and email scams constitute the greatest external cybersecurity danger, but the human aspect, such as workers and contractors, remains the key concern for the vast majority of nations and corporations. A group known as TA2541 entered networks covertly for a lengthy period without modifying their techniques, demonstrating that they successfully avoided detection and set beneficial conditions for themselves, as they faced no pushback. They have been responsible for a continuous campaign of phishing and malware assaults since 2017.

Industry-targeted phishing emails are typically the first line of attack. Emails purporting to come from legitimate businesses in the transportation, aviation, and aerospace industries are often phishing schemes designed to steal users' personal information and infect their computers with malware. However, the sheer volume of messages sent over the years and the implied sense of urgency are enough to trick employees into downloading malware, despite the fact that the lures aren't actually customized to your organization. For example, bait sent to aviation and aerospace industry employees may appear as requests for aircraft components or information about an air ambulance flight.

While TA2541 first sent out macro-enabled Word documents over email to spread its RAT attacks, it has since switched to utilizing OneDrive and Google Drive URLs. The organization has released malware payloads since its inception, and all of them can be found for sale or downloaded from open-source or underground markets. Aerospace, aviation, transportation, military, industrial, and energy firms across Europe, the Middle East, and North America have been the primary targets of this organization. They have been able to evade detection for over five years thanks to their advanced evasion methods, and they remain active while churning out phishing emails to new targets worldwide.

While researchers have not yet determined the group's ultimate goal or base of operations, they have established that whatever malware is supplied is used to gain remote control of compromised computers and steal sensitive information. Until the operation is shut down, it is expected that the attackers will continue their global campaign of phishing emails and malware installations on unwitting users.

Conti Cripples Costa Rica

Ransomware is the devastating hack-du-jour. The leadership structures of ransomware outfits resemble those of Fortune 500 companies, down to the presence of boardrooms and cubicles. For example, the pro-Russian Conti Group is withholding data stolen from Costa Rica's Ministry of Finance for a US$10 million ransom. This data presumably consists of personal tax returns and business documents belonging to Costa Rican individuals and corporations. This ransomware attack was among the most disruptive in history and had extensive repercussions, causing daily losses in the tens of millions of dollars and compelling Costa Rica to declare a national emergency, a first for a nation in response to a cyberattack. A second attack, on the Costa Rican Social Security Fund, devastated the country's healthcare infrastructure. HIVE ransomware, which had connections to the Conti attack, was used.


ALPHV / Darkside Attacks U.S. and Italy


The Colonial Pipeline Company, an American oil pipeline system that originates in Houston, Texas and primarily supplies gasoline and jet fuel to the Southeastern United States, was hit by a catastrophic ransomware assault in 2021. The CEO informed U.S. senators that, due to the lack of multi-factor authentication, a standard security feature in modern software, hackers only required a single password to access the system rather than mounting a direct assault on the company's network. A group of blended hacker mercenaries calling themselves Darkside/ALPHV/Blackcat is a suspected Eastern European hacking outfit that uses ransomware and extortion for financial gain at the expense of its victims. Shortly after the Colonial Pipeline attack, they made a statement that their "goal is making money, not creating problems for society."

And like Grandma with her whiskey-soaked eggnog, Italy is also getting hammered. The Italian National Cyber Security Agency has issued a warning about a rise in assaults on Italy's power companies and infrastructure. Late in August, hackers broke into the computer networks of Italian energy company Eni and service provider GSE. These incidents are part of a pattern across the European Union and point to Russian participation; Russia may be using hybrid warfare to target Europe's energy infrastructure, including pipelines. The BlackCat ransomware organization claimed responsibility for the attack on GSE and the theft of almost 700 GB of data. Given that they insist on being politically neutral, it should come as no surprise that they have also targeted the Italian fashion house Moncler.

The NATO treaty states that an attack on one member nation is an attack on all member nations. Despite several NATO countries being the targets of cyberattacks in recent months, the organization has not indicated when such attacks may trigger Article 5, which states that an act of war against a NATO member will elicit a reaction from the entire organization. The alliance is reluctant to publicly disclose under what circumstances the article would be invoked and seems to prefer a milquetoast response over a direct declaration. The Western Alliance should be wary, because ambiguity is the hacker's playground.

The Road Ahead

Large and small nations and corporations alike are facing cybersecurity breaches at an alarming pace. It is apparent that the threat landscape has changed dramatically over the past several years, as seen by the prevalence of recent high-profile assaults in all critical infrastructure sectors: healthcare, banking, retail, government, manufacturing, and energy. You must protect your assets from hackers and other "threat actors," and you must do in-depth security assessments that emulate real threat actors to determine how threats work within your system. Although it might hurt initially, these security assessments must be done without rules, because real-world threat actors don't follow rules. They make sure their mission is successful at any cost. While the situation seems dire, all hope is not lost. Protecting vital infrastructure, training security professionals, and raising budgets must be top priorities for governments and businesses in order to ensure safe and secure networks. If we don't take the matter seriously, there is always a group lurking in the shadows who will.


Jourden Parks, CISO, Brightside Industries Group
