What CISOs Need to Know About Nation-State Actors

[Editor's Note: This article was corrected on 12/13/23]

The cyberattack on SolarWinds began in 2019. It went undetected for months. A previous version of this article stated that approximately 18,000 of the IT management company’s customers were impacted. Approximately 18,000 customers downloaded compromised software. A joint statement from the FBI, CISA, the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) released in 2021 noted that the "...a much smaller number have been compromised by follow-on activity on their systems."  In an update, SolarWinds reports that fewer than 100 of its customers were hacked. 

Nation-state threat actors are well-resourced groups with a wide variety of political and economic motivations. Government agencies and critical infrastructure entities are obvious targets for these groups, often leading CISOs of other types of organizations to consider nation-state actors a minimal risk.

“The reality is all companies and industries are at risk,” says Shawn Henry, CSO of cybersecurity company CrowdStrike and former executive assistant director at the FBI. “There are absolutely certain companies that are of a higher priority, but I think CISOs need to understand regardless of the business you're in …you might be the victim of an opportunistic attack.”

Related:How Will the New National Cybersecurity Strategy Be Implemented?

Understanding the major players, what they target, and how they operate can help CISOs to understand their organizations’ risk and to prepare their teams to respond if an attack occurs.

The Big Four

Nation-state actors are often referred to as advanced persistent threats (ATPs). APTs leverage malicious cyber activity for espionage, data theft and system disruption, according to the Cybersecurity and Infrastructure Security Agency (CISA). Dozens of nation-states are engaged in cyber espionage activity, but China, Russia, Iran, and North Korea have emerged as the top players.  

What are some of the major motivations and threat actor groups associated with each of these nation-states?

China

Cyber espionage is a considerable tool at the disposal of the People’s Republic of China (PRC). “China, in particular, is probably one of the most advanced actors in the space,” says TJ Sayers, director of intelligence and incident response at the Center for Internet Security (CIS), a nonprofit focused on safeguarding organizations against cyberthreats. “They're simply trying to gain access, maintain persistence and steal as much intellectual property… as they can without raising any alarms.”

Related:NSA Gives Assessment of Cyber Threats from Russia, China, and AI

While intellectual property is a significant aim, CISA notes that PRC also likely has the capabilities to launch cyberattacks to disrupt critical infrastructure services in the US.

APT41 is a well-known China-based threat actor group. Evidence suggests that this group pursues both cyber espionage and cybercrime, according to a Mandiant report.

Russia

In recent years much of Russia’s cyber threat activity has been focused on Ukraine and its supporters, according to Henry. For example, the group Gossamer Bear’s activity likely indicates intelligence gathering related to Western military support of Ukraine, according to CrowdStrike’s 2023 Global Threat Report. The group has targeted NGOs, military suppliers, logistics companies and government research labs, according to the report.

“Historically, we've seen them [Russia] targeting Western democracies. We've seen them engaged in election-related intrusions, not just in the US, but in other democracies,” Henry adds.

Iran

CISA notes that “Iranian state-sponsored activity has included destructive malware and ransomware operations.”

“All of the financial sanctions that we've seen globally against Iran and North Korea …have essentially shut down their ability to generate revenue. So, they've turned to these economically motivated crimes,” says Henry.

Related:Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare

MuddyWater, group aligned with Iran, leveraged custom malware tools to spy on an unnamed Middle Eastern government for eight months.

Groups linked to Iran have also been active as the Israel-Hamas war continues. CrowdStrike attributed a series of cyberattacks and strategic web compromise operations to IMPERIAL KITTEN, an Iran-nexus adversary. The group has conducted attacks targeting Israeli organizations.

North Korea and Others

State-sponsored activity linked to North Korea includes ransomware campaigns against critical infrastructure entities, including health care and public health organizations, according to CISA.

“Labyrinth Chollima is one of the more prolific North Korean adversaries that we've tracked, and they've been active for over 10 years,” says Henry.

Attribution of nation-state-sponsored attacks is challenging. Cyber threat analysts must sift through myriad variables, like the victims of a particular campaign, TTPs and potential motivations. It is also important to note that different threat hunting organizations may use different names for the same group. The threat actor group may also style itself by different names.

The fluid nature of cybercrime means that individuals involved in nation-state-sponsored activity may also be pursuing financially motivated work on their own, using similar TTPs. Additionally, the threat landscape includes groups that pursue political and social agendas that align with a nation-states without direct support from that nation-state.

“We have seen this with hacktivist groups that are supportive Palestine, for example, targeting Israel. We've seen groups that are supportive of Ukraine that have targeted Russia,” Henry shares. “So, they're certainly related to the nation-state, but not directly [working] at the behest of the nation-state.”

If a company is attacked, attribution is typically not its primary concern. That’s where the intelligence community comes into play. “They're losing money or they're unable to provide services. They typically are not concerned if it's China or Russia; they just want to get back up on their operational feet,” says Sayers. “But in the intel community, it's helpful because we're able to learn about the actors, learn how they operate and then better provide defensive recommendations and mitigations for these organizations.”

Nation-State Targets and TTPs

Nation-state actors can target vulnerable enterprises in any industry, but some industries are more commonly attacked than others. For example, the IT industry is the most commonly targeted industry (22%), according to Microsoft Security. Attacking an IT company can give nation-state groups access to its customers, allowing them to widen the blast radius of the attack.

Other critical infrastructure sectors like think tanks/NGOs, education, government, finance, media, and health care are also common targets.

“Adversaries employ diverse TTPs, making it crucial to understand your specific adversary’s tactics,” Sergey Lozhkin, principal security researcher on the Kaspersky Global Research & Analysis Team (GReAT), tells InformationWeek in an email interview. “Threat actors commonly utilize advanced social engineering, sophisticated data exfiltration methods, supply chain compromises, try to evade EDR detection and beyond.”

Phishing remains one of the most prolific TTPs, according to Henry. “They're going to use the least intrusive and the easiest, rather than using their most sophisticated techniques that cost more money,” he says. “They don't want those techniques to be discovered. They want to use them on the hardest targets where they can't get access through the front door.”

Threat actors look for ways to abuse identities to gain access and achieve their goals. Henry points out that sophisticated adversaries are finding ways to live off the land. “They don't have to connect to a command-and-control server and download malware, which is another potential [way] for them to be detected, but they can actually use the existing capabilities of the operating system,” he clarifies.

The cloud environment and misconfigurations within it are ripe for exploitation, and so are the legacy technologies that many organizations continue to use.

Reducing Risk

CISOs face a vast threat landscape, and nation-states are just one facet, albeit an intimidating, well-resourced facet. “It's easy for people to think just because an organization is well-resourced, like a state actor … that there's nothing you can do to defeat them,” says Randy Rose, vice president of security operations and intelligence at CIS.  

But defending against nation-state actors is possible. In fact, embracing the basics of cybersecurity hygiene can go a long way toward safeguarding an organization for many different types of threats. “Make yourself difficult to get into, and they'll move on to somebody who's an easier target,”  Rose explains. “Unless they're truly determined to get into your organization specifically, most of the time they're looking for crimes of opportunity.”

Nation-state threat actors may have sophisticated capabilities, but they are more than willing to snag the low-hanging fruit that they find. Inherent weaknesses in security architecture controls and configuration and poor patch management are easily exploited but also addressable by security teams.

Network monitoring and alerts are also an important capability for mitigating the risk of nation-state actors and otherwise. “If information security leaders and operational teams want to have any hope of stopping an attack, blocking it, detecting it, then they must have reasonable capabilities around detecting nefarious activity in the environment,” says CJ Dietzman, a senior vice president at Alliant Cyber, part of Alliant Insurance Services .

While CISOs think about how to defend their organizations against nation-state actors, they can turn to a wealth of external resources. CISA, for example, publishes advisories on nation-state threats and offers various resources to help security leaders defend their enterprises.

“CISA encourages organizations to utilize our Shields Up resources, nation-state cyber threat webpages and cybersecurity advisories, especially advisories on People’s Republic of China government-sponsored actors using living off the land techniques and Russian state-sponsored and criminal threats to critical infrastructure,” Eric Goldstein, CISA executive assistant director for cybersecurity, tells InformationWeek via email.

Cybersecurity leaders can also look to comprehensive lists of APT groups and operations and learn about TTPs via resources like MITRE ATT&CK. Industry-specific information sharing and analysis center (ISACs) offer insight and support on various threats. Organizations like the National Institute of Standards and Technology (NIST) and CIS have standards, benchmarks and controls designed to help organizations strengthen their cybersecurity posture. Additionally, many companies have threat intelligence sharing centers that publish information on threat actors.

Defending against any threat, nation-state or otherwise, requires CISOs to secure buy-in from their fellow leaders and their boards. This can mean discussing investments in defense-in-depth strategies and cyber insurance, planning for tabletop exercises and prioritizing employee cybersecurity training.

“We find the companies that do the best in this area have a culture that from the top-down, where everyone from the CEO to the folks at the front desk who are answering phones know what their role is relative to keeping the company safe from cyberattacks,” says Brendan Hall, a senior vice president at Alliant Cyber.

Responding to an Attack

While mitigating risk is essential, nation-state actors are persistent and sophisticated. They continue to snap up victims, and CISOs can help their organizations by having an incident response plan in place. For most organizations, an effective response to a nation-state cyberattack will require outside help.

“I've seen companies that have been breached by nation-states that have decided they want to … do this on their own, and they just suffer for weeks,” Henry shares. “They turn what could be what is an unpleasant experience into a very complex and negatively impactful experience.”

Working with government agencies and law enforcement is an important element of working through an attack. “You definitely want contacts at Homeland Security, the FBI and CISA in case one of these situations does come up,” says Hall.

The Future of Nation State Cyberthreats

As the 2024 US elections approach, concerns about nation-state manipulation and interference loom. “I think the biggest impact on the election whether it be ours or any other democracy is misinformation and the use of social media to push misinformation and to create a divide,” says Henry.

While the elections may be a focal point for nation state actors, they won’t be their sole target. As enterprises continue to onboard new technologies and new service providers, the attack surface broadens. Even if an enterprise is not the primary target of a nation-state actor, it could be swept up in an attack as, for example, the customer of an IT service provider and a victim of opportunity.

“Assume a state of compromise and trust but verify. I think those are important tenets as CISOs look ahead to 2024,” says Dietzman. “We've got to do our own independent, objective validation prior to deployment.”

New goals, new tactics, and new groups will emerge as a consequence of the geopolitical landscape, and nation-states will continue to be an active cybersecurity threat.

“We can block, we can defend, we can detect and disrupt, but unless we physically stop the human beings that are launching the attacks, they will continue to come after these companies until they are able to achieve their objective,” says Henry.