State-backed hacking attacks are a big worry, but most firms don't know what to watch out for

The vast majority of information security personnel think their business is a target for foreign cyberattacks - but identifying and defending against them is a challenge.
Written by Danny Palmer, Senior Writer

The vast majority of cybersecurity professionals think that the business they work for is a target for nation-state hackers, but only a small fraction think that their organisation can confidently identify if attacks are actually being carried out by hostile states.

According to analysis by cybersecurity company Trellix, half of all organisations think they've been the target of a nation-state cyberattack within the past 18 months, while a further 42% think they'll be subject to one in the future. Fewer than one in 10 businesses believe that they're not a target for nation-state hackers at all. 

For organisations that have been targeted by nation-state-backed hackers, the most likely suspects identified by cybersecurity staff are Russia and China, along with cyber -criminal mercenaries suspected of working on behalf of governments.  

SEE: A winning strategy for cybersecurity (ZDNet special report) 

North Korea, Iran and western governments are among those that are also suspected of being behind attacks, while some cybersecurity staff concede that it's just too difficult to tell who is behind campaigns. 

When asked how confident they were that, without help, their organisation could tell the difference between cyberattacks carried out by a nation states and cyberattacks carried out by cyber criminals, just a quarter said that they have complete confidence that this would be the case. 

This lack of awareness could lead to issues down the line, as nation-state-backed hacking operations are often designed to create long-term persistence on networks, meaning that if an intrusion isn't correctly identified as being the work of hostile government-backed cyber attackers, even if an attempt is made to clean it up, not knowing that it's a well-resourced nation-state-backed attack could lead to backdoors and other remnants of the attack being missed – and exploited later on. 

"Nation-state cyber incidents are more sophisticated and persistent than an average cyber crime incident. Successfully detecting and responding to these types of attacks requires a deeper understanding of the adversaries' methods and their intended goal," John Fokker, principal engineer and head of cyber investigations at Trellix, told ZDNet. 

"Many organisations struggle with successfully detecting backdoors left behind after a state-backed cyber incident," he added. 

Even organisations that aren't confident in their ability to identify nation-state-backed cyberattacks say it's important to be able to do so, although many are limited by cybersecurity strategy or a lack of resources. The vast majority – 90% – of those surveyed said that their own government needs to do more to help to help them protect themselves against hostile, foreign observatories. 

"Governments can provide organisations who have been targeted with vital intelligence to better assess the origin and objective behind a state-backed cyber incident," said Fokker. 

Defending against cyberattacks, particularly those by enemies with significant resources behind them, is a challenge, but there are steps that can be taken to improve the odds. This includes cyber-hygiene measures, like applying critical security patches, and requiring the use of multi-factor authentication to help keep attackers out of the network. 

It's also vital for cybersecurity staff to fully understand the network they're defending, so they can identify all the assets that need protection and to take action against any potentially suspicious activity


Editorial standards