
Diverse threat intelligence key to cyberdefense against nation-state attacks

Organizations must refine their security strategies if they want to keep bad actors out.
Written by Eileen Yu, Senior Contributing Editor

Identifying the top nation-state actors can depend on who you ask, which underscores the need to gather threat intelligence from varied data sources. 

In a climate where geopolitical issues now can drive industry discussions, organizations will be better served if they formulate their cybersecurity strategy on information that reflects threat activities on an international scale. 


For some organizations, this requirement means gathering threat intel that is comprehensive and, in particular, diverse. 

Most threat intelligence houses currently originate from the West or are Western-oriented, and this can result in bias or skewed representations of the threat landscape, noted Minhan Lim, head of research and development at Ensign Labs. The Singapore-based cybersecurity vendor was formed through a joint venture between local telco StarHub and state-owned investment firm Temasek Holdings. 

"We need to maintain neutrality, so we're careful about where we draw our data feeds," Lim said in an interview with ZDNET. "We have data feeds from all reputable [threat intel] data sources, which is important so we can understand what's happening on a global level."


Ensign also runs its own telemetry and SOCs (security operations centers), including in Malaysia and Hong Kong, collecting data from sensors deployed worldwide. Lim added that the vendor's clientele comprises multinational corporations (MNCs), including regional and China-based companies, that have offices in the U.S., Europe, and South Africa. 

He noted that threat activities may not necessarily be motivated by geopolitical issues, as some threat activities originate from the region in which their targets are based. The vendor's Chinese customers, for example, have experienced cyberattacks that originate from Asia. 

Rather than being politically driven, most attacks tend to be financially motivated, he added. 

When nation-state threat actors are involved, the top three countries from where attacks originate are often China, Russia, and the U.S., said Candid Wuest, vice president of cyber-protection research for Acronis. 


North Korea and Iran round out the top five locations from where nation-state attacks originate, and there has been little change in the countries that lead this pack, said Wuest, citing data points from Acronis' monitoring network. The data security vendor was founded in Singapore and is currently headquartered in Switzerland. Its founder Serguei Beloussov is Russian-born, but picked up Singapore citizenship in 2001. He left his role as CEO in 2021 and currently serves as Acronis' chief research officer. 

Echoing Lim's views, Wuest told ZDNET that U.S. nation-state threat actors often are under-represented because most major news organizations are Western and generally will not make reference to this specific group of nation-state actors. 

He noted that U.S. state-sponsored attacks also are very targeted, involving one to two victims rather than hundreds, and often go unnoticed. In comparison, the volume of nation-state attacks from China may seem higher because there are more organizations looking out for this group of threat actors, he said. 

He added, though, that attacks from Chinese nation-state actors have also been higher in volume and frequency. In particular, there has been an increase in attacks targeting VPNs and firewalls, and known vulnerabilities in systems such as Microsoft Exchange Server. 


The U.S. government last month released a report highlighting the top software vulnerabilities commonly exploited in 2022. These included several flaws previously highlighted in 2021 and used by China's state-sponsored cyber actors, according to the August 3 statement released by U.S. security agencies and their Five Eyes allies comprising Australia, New Zealand, Canada, and the U.K.

The Chinese government, on the other hand, has blamed U.S. intelligence agencies for a July 2023 cybersecurity attack on Wuhan Earthquake Monitoring Center, citing a "very complex" malware used in the incident. Beijing said the attack appeared to originate from government-backed hackers in the U.S. and had targeted network equipment that collected seismic intensity data. The datasets contained information concerning national security, such as details of military defense facilities, which are taken into account in determining seismic intensity. 

Chinese officials suggest that accessing relevant data from seismic monitoring centers can enable hackers to estimate underground structures of a specific area and assess if it is a military base. This data will prove useful to foreign military intelligence agencies, such as the U.S. Department of Defense. 

U.S. tech vendors, though, believe Chinese nation-state actors are armed with more sophisticated tools and tactics. 

"Chinese cyber espionage has come a long way from the smash-and-grab tactics many of us are familiar with," said John Hultquist, Google Cloud Mandiant's chief analyst. "They have transformed their capability from one that was dominated by broad, loud campaigns that were far easier to detect. They were brash before, but now they are clearly focused on stealth."

"The result is an adversary much harder to track and detect. The reality is that we are facing a more sophisticated adversary than ever and we'll have to work much harder to keep up with them," Hultquist wrote in a commentary note on the recent Microsoft security breach, believed to be the work of cyberattackers based in China. 


Codenamed Storm-0558, the adversary group gained access to Microsoft email systems for intelligence gathering, according to Microsoft. The tech giant said the breach impacted 25 organizations, including U.S. government agencies and accounts of individuals likely associated with these agencies. 

Chinese cyber-espionage activities have increasingly leveraged initial access and post-compromise strategies aimed at minimizing detection, noted a July 2023 post by Google Cloud Mandiant. "Chinese threat groups' exploitation of zero days in security, networking, and virtualization software, and targeting of routers and other methods to relay and disguise attacker traffic both outside and inside victim networks," the U.S. vendor said. "We assess with high confidence that Chinese cyber espionage groups are using these techniques to avoid detection and complicate attribution."

In an interview with ZDNET, Hultquist reiterated the increased sophistication of attacks from Chinese nation-state actors, which have become notably stealthier and tougher to detect. He pointed to the complex attack instigated by Storm-0558 as indicative of skillsets that have improved dramatically. 

He named China, Russia, North Korea, and Iran as the top nation-state actors most often encountered by Google Cloud Mandiant's customers. These threat actors also are targeting critical information infrastructures and, in some cases, working with governments or government-funded adversary groups and providing compromised information to intelligence agencies.


Wuest, though, deemed the U.S. as the most sophisticated among nation-state actors, noting that the Equation Group -- believed to be part of the Five Eyes alliance -- used a specific encryption algorithm in a series of targeted attacks a decade ago that, until today, remains unbreakable. 

He then ranked attacks by Russian nation-state actors second in terms of sophistication, followed by their counterparts in China. 

Chinese threat actors often opt for volume in terms of their attacks, which are not usually sophisticated in nature, he said, suggesting that this simplicity might be because there is little reason to improve their tactics if these attacks continue to be effective. For instance, Chinese threat actors still use spear phishing, which is not difficult to execute and is largely dependent on humans as the weakest link, he said.

And while Wuest acknowledged that Chinese attacks are now more advanced, he noted that this was a natural progression as most skills would typically improve over two decades. 

Describing Chinese nation-state actors as more sophisticated might be overstating the threat landscape, and is rhetoric used by Western governments to raise overall awareness among organizations about the need to have good cyberdefense, Wuest said. 


He added that the majority of cyberattacks today still target old vulnerabilities that organizations have left unpatched.

Lim also noted that threat actors have been targeting security appliances and attempting to evade detection. He said actors are now more targeted and aware of appliances used specifically by government agencies, and hence know which devices to target. 

Attackers are also constantly updating their tactics, using the most current methods and targeting popular tools, such as video-conferencing applications and VPNs, he added. 

The growing threat underscores the need for organizations to do the basics and adopt best practices, said Wuest, who noted that some companies are still failing to patch known vulnerabilities. With spear phishing and 90% of attacks coming through email, he also emphasized the importance of email security and other measures to combat such attacks. 


This defense will be especially critical as more hackers tap generative artificial intelligence (AI) to churn out more convincing phishing email messages, scraping personal information from social media accounts to create fake personas, he said.

Lim concurred, noting that his team had begun detecting generative AI and machine-learning tools being used to craft emails, as well as to circumvent verification and access controls. 

Wuest added that cyber criminals can leverage AI to gain scale and speed in launching attacks, and make it more difficult to verify and authenticate users.

He expressed concern that generative AI will disrupt many industries and significantly change how attacks are carried out. If generative AI is used to trigger false commands, for instance, the risk and potential threat will be significant, he said. 

Hultquist urged industry leaders to transform their practices alongside threat adversaries or risk falling behind. "We need more data, better engineering, better tools, and better [defense] plans," he said. "Technology is always changing, as are the adversaries. We have to work hard to stay on top of that." 
