The global cyber-threat environment is the “worst it’s ever been” due to the increasingly reckless behavior of the four major nation-state actors in this area: China, Russia, North Korea and Iran. That was the message of Dmitri Alperovitch, chairman, Silverado Policy Accelerator, and Sandra Joyce, executive vice president, head of global intelligence at FireEye, who provided the annual Global Threat Brief during a keynote session on day 3 of the 2021 RSA virtual conference.

Alperovitch began by describing how 2020 was a particularly challenging year for the cybersecurity sector. “We’ve had the global pandemic, we’ve seen cyber-adversaries of all types take advantage of stress and workload that is brought on to defenders, but also we’ve had the elections, and the cyber-interference that we all expected.”

SolarWinds

The two standout cyber-attacks of the past year – the SolarWinds and Microsoft Exchange incidents – were the first port of call for the two experts in this session. The pair noted the highly targeted nature of the SolarWinds hacks, with Alperovitch commenting that “this was a traditional espionage operation” by the Russian state that targeted foreign governments, particularly areas of the US government, and “other countries that would be used to facilitate access to those government networks.” He added that a killswitch was in operation to shut down the malware, which was enacted in 99% of the victims – the ones that were irrelevant to their operation – to keep it in “stealth mode” as long as possible. Overall, this attack represents a modernized approach of getting “inside supply chains that are hard to detect and stay in there for long periods of time,” mimicking the previous tactic of using undercover human agents to infiltrate other nations.
Joyce observed that only very specific information was targeted in the attack, with even lucrative data like financial information ignored. “This was an operation to satisfy national-level collection requirements, and that’s espionage,” she stated.

Microsoft Exchange

The targeted nature of SolarWinds was in stark contrast to the Microsoft Exchange attack this year, believed to be perpetrated by Chinese state actors. What started out in quite a traditional manner, with vulnerabilities exploited to target traditional targets such as dissident groups and Uyghurs, turned into going “after literally everyone once they learned that Microsoft was going to patch these vulnerabilities,” explained Alperovitch. This highly aggressive tactic had the effect of leaving many organizations that didn’t have the capacity to patch quickly very vulnerable to follow-on attacks by other cyber-threat actors. “It’s amazing to see this contrast where Russia is the more responsible actor in this particular case,” commented Alperovitch, adding that “the reckless nature (of the Exchange attack) is quite unprecedented.”

China

The pair went on to discuss the recent cyber-activities of China more broadly. Perhaps unsurprisingly given the pandemic, Chinese APT groups have been heavily targeting the healthcare/biotech sector, particularly vaccine developers and researchers, with the primary aim of “understanding the decision-making process of countries around the world,” according to Joyce. Interestingly though, “we’re not seeing a lot of destructive or disruptive capability coming out of China,” in comparison to Iran and Russia. Joyce said this is part of China’s long-term strategy.

Another interesting trend the experts saw with China has been the re-emergence of the PLA (People’s Liberation Army) in cyber-operations recently, including in the Equifax hacks. This is quite a common tactic employed by Chinese APT groups, said Joyce, explaining that when exposed, they often go into “hibernation and retooling” and “what’s emerged is a much more focused and disciplined operation.” China is also increasingly going after mobile devices to target dissident groups within the country.
Joyce commented: “They’re using cyber means in order to perpetrate their political aims,” which “is going to continue into the future.”

Iran

Alperovitch first expressed surprise that Iran largely “held back” from targeting the US in cyberspace throughout last year, despite the assassination of Iranian General Qasem Soleimani at the start of 2020 following a US drone attack. However, he noted they did interfere in the November presidential elections “in a more aggressive way than the Russians did in cyberspace.” This was exemplified by the Proud Boys spoof email campaign, which attempted to intimidate registered Democratic voters. This demonstrated “a real evolution in the information operations, where they used cultural elements,” said Joyce, adding that “it really changed our thinking as to what the Iranian government is willing to carry out.”

