By Jacques de la Riviere, CEO, Gatewatcher
Few prefixes excite the cybersecurity market as much as ‘state-sponsored.’
The label immediately conjures images of well-equipped, highly-resourced teams targeting high-profile organisations and individuals. And the war in Ukraine, alongside offensive operations from the likes of North Korea and Iran, has further propelled these images into the public consciousness.
As usual, the truth is more nuanced than the fiction: whilst ‘state-sponsored’ threats are very real and present, they are far more varied than the popular image suggests.
State-sponsored objectives
In this context, “state-sponsored” simply means cyberattacks that are backed by a national government. This does not necessarily mean the government itself is directly responsible for the attacks, but they are providing support or encouragement.
This support may take the form of financial backing, be it funding for attackers or for the development of tools. Alternatively, it may be training and resources, or simply a combination of sanctuary and cover, with the state turning a blind eye to cyber operations originating within its borders.
The attacks are linked to the political or economic goals of the ‘sponsoring state.’ The most common objectives are the theft of intellectual property from businesses in another country and the shaping of public opinion.
However, in more extreme cases, state-sponsored attacks can aim to disrupt critical infrastructure like power grids or communication systems, or even gain military advantage by stealing information – as cyberattacks become cyberwarfare.
State-sponsored techniques
With such strong resources behind them, state-sponsored groups often have access to a sophisticated arsenal of techniques and tactics. However, when compared with isolated lone-wolf actors, or indeed small organised criminal gangs, one aspect that characterises state-sponsored groups is the alignment of these tools to a particular objective.
For example, if espionage or the theft of sensitive data is a primary objective, state-sponsored groups have been seen to use:
- Spear phishing: Crafting emails that appear legitimate, tricking targets into revealing information or clicking malicious links.
- Watering hole attacks: Compromising websites frequented by the target, infecting their computers with malware when they visit.
- Zero-day exploits: Utilizing previously unknown vulnerabilities in software. Such exploits are costly to obtain, whether developed in-house, purchased on the exploit market, or acquired by compromising the software vendors themselves, which is one reason they are closely associated with well-resourced groups.
Elsewhere, when trying to cripple critical infrastructure, these groups have employed:
- Denial-of-service (DoS) attacks: Flooding a system with traffic, making it inaccessible to legitimate users.
- Malware: Destructive software that can wipe data, encrypt files (sometimes masquerading as ransomware when the real aim is destruction), or disrupt operations.
- Supply chain attacks: Targeting software providers to inject malicious code into their products, impacting users unknowingly.
Lastly, there has also been an array of techniques used to influence and manipulate public opinion (typically around political discourse) such as:
- Social media manipulation: Using social media platforms to spread disinformation, propaganda, or incite unrest.
- Hacking and leaking: Stealing and releasing sensitive information to discredit opponents or sway public opinion.
- Botnets: Networks of compromised devices used to amplify fake news and manipulate online conversations.
As a mark of the sophistication of the thinking behind these techniques, the way they are deployed also varies with the objective.
Espionage-focused attacks are often long-term campaigns, building trust with targets before extracting information. Attackers typically focus on specific, high-value sectors like defence, energy, or finance.
By comparison, disruption-focused attacks aim for fast, impactful damage. They might target critical infrastructure like power grids or transportation systems during times of heightened tension.
Elsewhere, influence operations rely on volume. Attackers might manipulate social media algorithms to flood a region with propaganda during an election.
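Returning to the spear-phishing item above: the emails “appear legitimate” because the sender identity is forged or imitated, and several of those forgeries can be caught mechanically before a user ever sees the message. The script below is an added example, not code from the original article or from Gatewatcher; it screens a single RFC 5322 message for three common spear-phishing tells (a display name that embeds a trusted address different from the real sender, a sender domain that is a homoglyph or one-character variant of a trusted domain, and a Reply-To or link host pointing somewhere other than the sender’s domain). The sample message, the trusted domain list and the homoglyph table are constructed for the example and are assumptions, not indicators from any real campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative subset of character swaps used to register lookalike domains (an assumption,
# not an exhaustive list): the key is what the attacker types, the value is what the eye reads.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample: an invoice-fraud lure impersonating a fictional partner company.
TRUSTED_DOMAINS = {"example-partner.com"}
SAMPLE_EMAIL = (
    'From: "Accounts Payable - finance@example-partner.com" <ap@examp1e-partner.com>\n'
    "Reply-To: <ap.update@mailbox-relay.invalid>\n"
    "Subject: Updated bank details for invoice 4471\n"
    "\n"
    "Please confirm at https://example-partner.com.login-verify.invalid/portal today.\n"
)


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and fold homoglyphs so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 from a trusted domain is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True when the domain is not the trusted one but is visually or typographically close."""
    if domain.lower() == trusted.lower():
        return False
    return (normalize_domain(domain) == normalize_domain(trusted)
            or levenshtein(domain.lower(), trusted.lower()) <= 1)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str, trusted_domains: set) -> list:
    """Return a list of human-readable findings for spear-phishing indicators in one message."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name carries an address whose domain differs from the real sender's.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and domain_of(embedded.group(0)) != from_domain:
        findings.append(f"display-name spoofing: shows {embedded.group(0)} but sender is {from_addr}")

    # 2. Sender domain imitates a domain the organisation trusts.
    for trusted in sorted(trusted_domains):
        if is_lookalike(from_domain, trusted):
            findings.append(f"lookalike sender domain: {from_domain} resembles {trusted}")

    # 3a. Replies are silently redirected to an unrelated domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to mismatch: {reply_to} vs sender domain {from_domain}")

    # 3b. Links whose host merely contains a trusted name but is a different registrable domain.
    if msg.is_multipart():
        text = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        text = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>\"]+", text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        for trusted in sorted(trusted_domains):
            if trusted in host and host != trusted and not host.endswith("." + trusted):
                findings.append(f"deceptive link host: {host} embeds {trusted} but is not under it")
    return findings


def scan_sample() -> list:
    return analyze(SAMPLE_EMAIL, TRUSTED_DOMAINS)


if __name__ == "__main__":
    for finding in scan_sample():
        print("!", finding)
```

Each check is cheap and deterministic, which is why mail gateways apply them before any content analysis; none of them proves a message is hostile on its own, so a practitioner would feed the findings into a score or a quarantine rule alongside SPF, DKIM and DMARC results rather than block on a single hit.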
State-sponsored defence
As this brief analysis shows, state-sponsored cyberattacks can pose a major threat. A strategic response is necessary to defend businesses and public sector organisations alike:
Education: Ensuring cybersecurity awareness – and the consequent actions – is vital. Training employees to spot threats and fostering a culture of vigilance are key first steps.
Layered defence: Firewalls, network detection and response, intrusion detection, and multi-factor authentication create overlapping barriers so that no single control has to stop a determined attacker.
Collaboration: Information sharing means faster threat identification and a coordinated response. There is strength in numbers.
By understanding the techniques employed and the motivations behind state-sponsored attacks, businesses can empower themselves to protect critical assets in the ever-evolving digital landscape. Whilst it is important to not see these attackers as unbeatable, it is equally important to understand the depth and scope of threat they present.
About the Author
Jacques de la Riviere is the founder and CEO of Gatewatcher, a cybersecurity provider based in France. Jacques has held positions throughout OpenCyber, Adneom and BK Consulting. He is also currently vice-president of Hexatrust – a cluster of 100 European software cybersecurity leaders and cloud providers.
Jacques de la Riviere can be reached online at https://www.hexatrust.com/en/