Q&A: Staying alert for state-sponsored cyber attacks

We recently sat down with Toni Gidwani, director of research operations at threat intelligence firm ThreatConnect to discuss cyber security and the dangers of state-sponsored hackers.

Tell us about yourself and your role

Before joining the company in 2015 I spent seven years as a senior analyst in the US Department of Defense and four years working on strategy and policy in the Secretary of Defense’s office.

At ThreatConnect, I’ve worked with the team researching the Democratic National Committee and the World Anti-Doping Agency breaches, as well as investigating Chinese connections to phishing attacks on The Hague during the South China Sea dispute with the Philippines.

As an analyst I’ve seen hacking escalate to state-sponsored or geo-political levels and governments and businesses affected as a result. ThreatConnect’s mission is to unite people, processes and technologies behind intelligence-driven defence.

What is the biggest impact geo-political hacking is having on business right now?

Geo-political, or state-sponsored, hacking has become a major headache for businesses, governments and non-profit organisations in recent years. Countries like Russia and China are using their cyber powers to leverage a vast network of criminal hackers, challenging the defences of their victims.

The ‘Cold War’ has given way to the ‘Cyber War’ – the new modus operandi that involves covert cyber espionage and sabotage operations designed to gather sensitive information and to disrupt targeted systems and operations. State-backed attacks are not contained to corridors of power like the Kremlin and the Pentagon, however. Private enterprises that engage in sensitive activities are just as likely to come under attack as public institutions. The same is true for non-profit and regulatory bodies.

How does this compare to the dangers of criminal hacking?

The world is becoming increasingly interconnected, which has given rise to greater efficiency and the easier exchange of data. Governments across the world are drawing up plans to facilitate and encourage the ever-increasing flow of data between citizens, and public and private sector organisations. There is no sign of this slowing.

However, today’s borderless networks pose new security challenges and can provide hackers with more ways to cause chaos. A data breach in one organisation’s network can provide hackers with an avenue into its partners and customers, and before any can respond, a chain reaction of breaches has occurred. Criminal hacking is usually designed to target the largest possible number of victims in order to increase the chances that someone will click on a malicious link or mistakenly transfer money.

Organisations of all kinds need to be aware of these types of threats. It is essential that security directors have the knowledge and the tools ready to defend their businesses against state-prompted cyber threats. To do this, they must first understand the key behaviours of state-sponsored hackers.

What are the characteristics that define state sponsored hackers?

1. Denial and deception:

One of the most prevalent tactics amongst this class of actor is the old ‘bait and switch’ method. This is essentially the practice of using a false identity to throw investigators off the trail. The anonymity of web-based attacks means that nation-states can operate via puppet actors, making it extremely difficult to prove links between individual hacks and state intelligence.

Even if those links are made, it is still unlikely that analysts will be able to determine the exact origin and purpose of the orders behind them. ‘Guccifer 2.0’, the hacker behind the DNC leaks, exemplifies this aspect of the state-sponsored hacker. He has presented himself online as a lone hacktivist out for justice. However, tell-tale details including his unlikely server hosting locations and his lack of a credible backstory point towards a Russian denial and deception operation. The purpose of these distractions is to confound security analysts’ attempts to plug the gaps hackers are entering through and thereby prepare against attack.

As a result, it’s essential that security directors have a comprehensive view over all their defence systems in order to identify a wide range of attack types. The best way to counter an unknown enemy is to have visibility into activity at all entry points.

2. Precise targeting:

State-sponsored hackers are also often identifiable by their dedication to a specific target. For example, the WADA breach was executed through a successful spearphishing campaign. Phishing emails were closely tailored to that particular organisation, containing details and inside knowledge which fool employees into believing the communications are genuine; they open malicious documents or install malicious software.

Another example of this is the so-called ‘CEO scam’ method, in which an email purporting to be from the company chief requests the employee make a money transfer to the attacker. Organisations need to ensure they have strict communications policies in place in order to combat this. They must educate their employees in the types of email they can expect to receive from management, and what is likely to be malicious. Caution is of paramount importance – any irregularity should be viewed with suspicion.

3. Advanced persistent threats (APTs):

These quiet lurkers embed themselves on a network once access has been gained. For example, some malware can edit its code once installed to mask its presence, making it harder for security solutions to backtrace it and remove it. Such code can then gather sensitive data in secret, either extracting personal details or monitoring communications, feeding the results back to the hacker.

This has the added benefit of allowing the hacker to develop a long-term picture of the target organisation. As a result, security teams need to be aware that a lack of immediate fallout after a suspicious incident does not necessarily mean that the danger is past – it may be only biding its time.

How can companies understand what type of hacker they are dealing with?

State-sponsored hacking is becoming an increasingly public cyber threat, and organisations across the world need to ready themselves for the possibility of a highly targeted, stealthy attack. Many organisations are used to the idea of scattergun cybercrime, but are unprepared to meet a well-equipped and dedicated state-level attacker.

It is the duty of security operations directors to address this now, and ensure that they have complete visibility into their security posture. With hackers’ tactics evolving all the time, a comprehensive and flexible threat response is a must – neither governments nor enterprises can afford to leave the back door open. With the UK government announcing that it is going to give its cybersecurity strategy a major boost in terms of investment, we are likely to see more law enforcement agencies and private sector bodies collaborating in the fight against cybercrime.

As organisations begin to appreciate the benefits of security systems working together and communicating with each other they will come to recognise that unifying people, processes and technology will define the future of cybersecurity.
