The enterprise is the most common target in nation-state cyberattacks that increasingly catch a “wide range” of victims in the crossfire, a report has found.

By volume the vast majority of cyberattacks are conducted by criminal groups driven by profit, which target low-hanging fruit at a large scale.

But a HP-sponsored report conducted by Michael McGuire, senior lecturer in criminology at the University of Surrey, has highlighted how lines between traditional cybercrime and nation-state attacks have become increasingly blurred in recent years.

An analysis of more than 200 cybersecurity incidents associated with nation state activity between 2019 and 2021 found a 100% overall increase of attacks conducted by or on behalf of countries.

The researchers note that nation state subterfuge is “by its nature a notoriously opaque area of research”. As such it also drew on “first-hand intelligence gathering” from informants operating on the dark web, along with consultations from 50 practitioners in fields including government, academia and law enforcement.

The enterprise was the most common target of nation state hacks, accounting for 35% of attacks. Intellectual property theft, supply chain disruption and stolen currency are among the key motivations for such attacks. The pandemic has led to an increase in nation states attempting to steal vaccine development data, with the report noting a 50% rise in attacks on pharmaceutical companies such as Pfizer. In 2020 there were an average of 10 publicly attributed nation state attacks per month, according to the report.

“When we look at nation state activity through the lens of this report, it comes as no surprise that we have seen such an escalation over the past year; the writing has been on the wall for some time,” said McGuire. “Nation states are devoting significant time and resources to achieving strategic cyber advantage to advance their national interests, intelligence gathering capabilities, and military strength through espionage, disruption and theft.”

From SolarWinds to Hafnium

The growing trend of nation state cyberattacks can in part be explained by the “widening use of cyber to support traditional military and intelligence goals” writes Ian Pratt, global head of security for personal systems at HP.

Cost and scale are large contributing factors explaining this shift to cyber; instead of sending a network of spies a country can instead monitor its adversaries with the click of a button. The right strain of malware delivered against the right target can be just as destructive as a missile.

And unlike a kinetic attack, it is far easier for nation states to cover their tracks using proxy hacking groups. Some 58% of experts surveyed in the report believe that nation states are actively recruiting cybercriminals to conduct attacks.

While businesses might not be the primary targets of nation states, the report warns how the enterprise is increasingly being affected, either as direct targets or caught in the crossfire.

The recent SolarWinds hack is a primary example of a supply chain attack carried out by a nation state. In late 2020 nation state hackers with ties to Russia exploited a vulnerability in the IT vendor’s Orion software, which was widely used across the US government and private sector. According to Anne Neuberger, deputy national security adviser for cyber and emerging technology:

Roughly 18,000 entities downloaded the malicious update. So the scale of potential access far exceeded the number of known compromises. Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions.

In early 2021 it was the turn of China-linked advanced persistent threat group Hafnium, which deployed zero-day exploits to compromise over 20,000 organisations running on-premises Microsoft Exchange servers.

“Nation state conflict doesn’t take place in a vacuum – as evidenced by the fact enterprise is the most common victim within those cyberattacks analysed,” explains Pratt. “Whether they are a direct target or a stepping-stone to gain access to bigger targets, as we have seen with the upstream supply chain attack against SolarWinds, organisations of all sizes need to be cognizant of this risk. As the scope and sophistication of nation-state cyberattacks continues to increase, it’s vital that organisations invest in endpoint security that helps them to stay ahead of these constantly evolving threats.”

Despite recent attacks such as the attempted poisoning of a water treatment facility in Florida hack making headlines, critical infrastructure has remained a small target of nation states with just 10% of attacks.

Privatisation of nation-state tools

It is well established that hacking tools developed by nation states can – and have – ended up for sale on the dark web. In some cases, these capabilities have been turned back on the same countries that developed them. In 2017, mysterious hacker group Shadow Brokers carried out a digital raid on the US National Security Agency (NSA) and stole the EternalBlue exploit, which was then used to conduct the worldwide WannaCry ransomware attack and the NotPetya attack, both that same year.

Of the incidents analysed in the research, 20% involved “sophisticated, custom-made weapons” of the kind developed by nation states, such as EternalBlue. But the majority of hacking tools – 50% – were “low budget” and readily available on the dark web.

The research found that most of the tools used by nation states were for surveillance purposes as intelligence agencies sought to remain covert rather than destructive.

“This unprecedented fusion between politics, strategic manoeuvre, commerce and crime is beginning to pose unique challenges in how to regulate the digital world, especially the search for common areas of interest which can lessen tensions between Nation States,” writes Maguire.

All of this has created what the report calls a ‘Web of Profit’, in which nation states develop, buy and sell hacking tools and hire cybercriminals.

“In this way, nation states have become both beneficiaries of and contributors to the Web of Profit that constitutes the cybercrime economy,” the report notes.

This activity feeds into a cybercrime industry estimated to generate more than $1.5tn in revenues annually, a figure far larger than the most profitable companies combined. Such is the impact of stolen digital currencies, data and intellectual property, the associated revenue has even boosted economic indicators such as GDP, foreign currency reserves or export value, the report notes.

This is perhaps most notable in North Korea, which has increasingly turned to cybercrime to circumvent sanctions against the authoritarian state. Its hacking efforts have included an $81m digital bank heist against the Bangladeshi Central Bank in 2016.

The increasing overlap between military objectives and cyberattacks has resulted in calls for a cyber-treaty to lay down clearer rules of engagement in cyberspace. Of the experts surveyed in the report, 70% said such a treaty is needed to prevent escalations to cyberwarfare. However, just 15% believe an agreement will come in the next 5-10 years.

The cyber threat landscape is always evolving, whether it’s new twists on tried and tested techniques or new technologies entirely.

According to McGuire, deepfakes, drone swarms and quantum computers “with the ability to break almost any encrypted system” are the threats of the future.

“We are all in the crossfire now, so it’s critical that every business does what it can to protect itself and its wider network,” adds Pratt.