As Nation-State and Cybercrime Threats Conflate, Should CISOs Be Worried?

Phil Muncaster discovers that the lines between government campaigns and organized crime are increasingly blurred

The decade is just two years old, but already the world has seen its fair share of geopolitical crises. The difference between now and a decade ago is the cyber dimension. From Ukraine to Xinjiang, when tensions rise they are usually accompanied by destructive attacks, espionage, disinformation and other online maneuvers. Less widely understood is how the world of cybercrime is influencing that of nation-state attacks, and vice versa. As an HP-sponsored report reveals, governments have increasingly become not only beneficiaries of, but also contributors to, the 'web of profit' that is the global cybercrime economy.

This matters because it is ordinary enterprises, critical infrastructure providers, NGOs, academic institutions and other organizations that are caught in the middle of escalating threats. Understanding the tactics, techniques and procedures (TTPs) of an increasingly Janus-faced enemy is a vital prerequisite to improving cyber-resilience.

Times Have Changed

The first in a series of ‘The Web of Profit’ studies, written by Surrey University senior lecturer Mike McGuire, estimated that the cybercrime economy was worth $1.5 trillion annually. That was back in 2018, when the distinction between nation-state and financially motivated attacks was much clearer. In fact, that distinction was the basis for a landmark agreement between the US and China brokered by the Obama administration, later duplicated by the UK government and Beijing. In it, both sides agreed not to engage their state-backed operatives in IP theft or other espionage designed to provide domestic companies with a competitive advantage. It lasted barely weeks before Chinese hackers were back at it again.

In hindsight, such a deal seemed naïve at best. Today it would be almost unthinkable, as hostile nations continue to push the boundaries of plausible deniability. As outlined in the latest Web of Profit study, the US, China and other nations are all vying for strategic advantage. The SolarWinds campaign, which compromised nine US government departments and reportedly involved over 1,000 Russian operatives, is just one example of the lengths to which governments will go to achieve this.

Another is the race to exploit the new opportunities presented by the COVID-19 pandemic. Espionage efforts focused on stealing vaccine IP and the attempts to disrupt supply chains illustrate how hard-wired offensive cyber activity is now for some governments, and how their motives and TTPs often cross over with those of organized criminals.

When Worlds Collide

What do these TTPs look like in practice? According to the report, there are several facets. These include government deployment of traditional cybercrime techniques such as SQL injection and DDoS for their own ends. Then there’s the weaponization of off-the-shelf malware, keyloggers and other cybercrime tools by state actors. The research claims that a sample of government attacks analyzed from the period 2010-2020 revealed 50% involved “low budget, straightforward tools” that could be purchased on cybercrime sites, versus 20% that featured more sophisticated, custom-made malware and exploits developed in-house by states. It also claimed that 10-15% of dark web purchases go to 'atypical' buyers or those acting on behalf of others, such as nation-state clients.

States don’t just buy from the cybercrime underground; the traffic runs the other way too. The NSA’s EternalBlue exploit, published by the Shadow Brokers in 2017, was folded into criminal ransomware within weeks, and open-source offensive frameworks such as PowerShell Empire are now used by criminal and state operators alike. Some governments are also engaging in attacks not simply to benefit their domestic champions, as China has for some time via economic espionage, but also to enrich the state itself. Here, North Korea is a classic example. A UN report from 2019 claimed the hermit nation had made as much as $2bn from attacks on banks and cryptocurrency exchanges to help fund its nuclear research and weapons capabilities.

Some states may also use cyber-criminals to do their dirty work, to enhance plausible deniability, or even allow operatives to moonlight for their own gain, as exemplified by the Chinese group APT41.

McGuire tells Infosecurity that the boundary between government-sponsored and purely criminal endeavors has continued to blur in the months since the report was written.

“In November 2021, stock trading platform Robinhood experienced a social engineering-based attack which exposed the personal information of around seven million customers. Payment not to disclose the stolen data was demanded. Some of my informants have suggested that this may have been a collusion of convenience between a professional cybercrime team out for profits and state agents trialing some new attack vectors while trawling for potentially useful personal information for later use,” he reveals.

“Elsewhere, the ongoing revelations involving illicit uses of the Pegasus spyware created by the Israeli cybersecurity firm NSO Group further emphasizes how commercial interests are dovetailing with state interests and, in turn, with the kind of overt law-breaking directly akin to cyber-criminality.”

Does It Matter?

However, while the nation-state/cybercrime crossover may be making the threat landscape more fluid, it need not matter much to corporate defenders, according to Jens Monrad, head of Mandiant Intelligence EMEA.

“With the lines increasingly being blurred, organizations need to ensure their security teams can quickly identify and assess the threat, regardless of the motivation behind the threat,” he tells Infosecurity. “For example, while a foreign state might be a more severe opponent to be compromised by, the business impact in the shorter term might be smaller than being compromised in a targeted ransomware attack by a cyber-criminal, where the risk of sensitive data being stolen and leaked is higher.”

BlueVoyant International chairman and former GCHQ director Robert Hannigan agrees that “from the perspective of the busy CISO, exact attribution of an attack is interesting but not critical.” However, he stresses that it matters more in some sectors like defense and utilities.

“Knowing you are the likely target of sophisticated state actors demands a different threshold of risk tolerance. Geopolitical activity starts to matter: the NCSC’s recent warning about likely Russian state activity around the Ukraine crisis has caused CISOs across many major organizations to reassess their defenses,” he adds.

“Knowing the favored vulnerabilities exploited by Russian agencies in the past, and some of the techniques they routinely use, helps focus that process.”

Are We Heading for Cyber-War?

As nation-states borrow tools, techniques and even workforce from the cybercrime underground, there’s another risk – that these efforts empower more governments to engage in de facto acts of war. Most (64%) of the experts McGuire spoke to when compiling the report said the escalation in recent tensions was “worrying” or “very worrying.” The study concluded that “advanced cyber-conflict” is closer than at any stage since records began. This phase is characterized by governments engaging in repeated digital attacks, focusing more offensive activity on physical assets, and the “potential use of conventional weapons” to strike back after cyber-attacks.

Some 70% of these experts warned that some form of cyber-treaty is now essential if nation-states are to avoid being drawn into more serious conflict. However, the chances of that happening are slim. In the meantime, organizations caught in the middle will have to respond as best they can by doubling down on defense at the endpoint, according to HP Inc.

The firm’s global head of security for personal systems, Ian Pratt, believes organizations must take a new architectural approach based on zero trust principles, supported by micro-virtualization for fine-grained segmentation. By running risky tasks such as opening documents or browsing inside disposable micro-VMs, malicious activity is isolated from the host and from the rest of the network, which he argues gives organizations a formidable defense layer. HP’s Sure Click Enterprise, which is built into its PCs, adds this extra level of endpoint security.

“As a result of micro-virtualization, malware is rendered harmless,” says Pratt. “You’re protected against truly novel zero-day attacks which no one could possibly detect, as well as malware which has simply evaded detection by other tools.”

As nation-states continue to flex their muscles, CISOs will increasingly need to consider such innovations if they are to keep their organization safe.


From the maker of the world's most secure PCs and printers, HP Wolf Security is a new breed of endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers and people from circling cyberpredators. HP Wolf Security provides comprehensive endpoint protection and resilience that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf.

