Global espionage used to sound like little more than the premise for a spy thriller. Today, it’s a growing concern for governments and businesses around the world. As more attacks capture headlines, companies and their corporate security teams are working furiously to defend themselves against cyber espionage and data breaches. Indeed, cybersecurity services are on pace to grow at a CAGR of 11.3 per cent by 2021.
Although attacks occur daily, it’s worth highlighting some of the biggest stories of this year, as they can be instructive as to what organisations are up against in 2019 and how they’ll need to defend themselves in the years to come. However, it’s also important to consider the stories in their full contexts.
Headlines about Russians infiltrating the U.S. power grid and the Chinese government implementing restrictive new data laws on foreign businesses can seem outrageous and inflammatory. But with something as serious as cyber espionage, it’s important to make sure you’re homing in on the signal and filtering out the noise to avoid costly and dangerous missteps.
We’ve broken down five of the most significant stories of the year and what you need to know about them:
1. Russian hackers breached U.S. utility control rooms
In March 2018, the U.S. formally accused Russia of having hacked American utility companies in a series of attacks that began in 2016. The U.S. wasn’t caught entirely unawares, as the Department of Homeland Security (DHS) notified companies in 2014 that such hacks could happen. Russia rejected the claim that it had orchestrated the malicious campaign, which is thought to be underway still, but the U.S. maintains that the attacks did stem from Russian actors.
The hackers reportedly used spear-phishing campaigns and watering hole attacks to capture the credentials needed to log into the companies’ networks. Spear-phishing attacks involve sending emails to victims that are designed to seem as though a legitimate source has sent them. The attackers target sites they believed the victims would use with malware as another way to capture sensitive information.
These attacks aren’t the first times Russian threat actors were found to be using spear-phishing against another country. At the beginning of this year, RiskIQ detailed a spear-phishing campaign against a Turkish defence contractor that appeared to have Russian involvement.
A U.S. official admitted that the hackers involved in the electric company breaches “got to the point where they could have thrown switches” — a chilling scenario for American leaders and citizens alike. However, the breaches were more likely to be a power play for Russia to show off its capabilities rather than an attack on critical infrastructure.
Flexing its cyber espionage muscles keeps Russia in the news and forces people to pay attention. However, if the hackers directly interfered with the functioning of the U.S. power grid, the situation would escalate quickly. Neither country wants to go to war; instead, they’re looking for ways to gain leverage over one another. That’s why Russia is unlikely to claim responsibility for any attacks, even though they understand the U.S. suspects that there is official sanction for these threat actions.
Nonetheless, it’s important to recognise that targeting utility companies is just one aspect of a much broader cyber espionage effort. Multiple groups in Russia are conducting threat campaigns aimed at different victims and areas of interest. These specific campaigns showcase Russia’s desire to be known as a predominant aggressor that is capable of being everywhere. While some of the country’s efforts focus on gathering general insights and information on targets, other campaigns are established so Russia can boast about their capabilities’ reach.
With specific goals for each campaign, it is very important for business leaders to consider what kind of target they would be. The fact that Russia has shown they can access U.S. power grids and other areas of interest is only a small window into the types of campaigns that are underway.
2. Calls emerge for the creation of a CyberForce
The revelation that Russian attackers had hacked their way into the U.S. power supply was disturbing, but not without precedent. Russia famously disabled part of Ukraine’s power grid and launched distributed denial of service attacks against Georgia before invading the country in 2008. There has long been a reason to believe that Russia would use similar tactics against other nations.
But Russia isn’t the only country to use cyber attacks. The U.S. has also been the target of attacks by Iran, and North Korea is believed to have retaliated against Sony Pictures for its production of The Interview with a cyber hack. Such threats aren’t diminishing, and with countries such as Russia and China bolstering their cyber defences, some experts believe the U.S. needs a militarised cyber force to defend against future attacks.
However, militarising the internet is a fool’s errand. It can’t be done because there’s no scenario in which other countries would sign on for creating a universal set of militarised web security agreements. The online world does not have borders or jurisdictions, so any attempt to police the internet would be limited. A better path forward would be to simply embed more cyber squads in police forces and ensure those people are trained properly.
The police have more power in the physical world, and with continuous education and resources, that power can be extended. However, cyber squads have will need to depend on collaboration to truly prevent and diminish cyber attacks. There must be more collaboration between the private and public sectors to strengthen defence infrastructures, improve threat hunting protocols, and increase education about cyber threats across the board.
3. The Trump administration has no security infrastructure in place for the midterm elections
The midterm Congressional elections will take place in November, and the highly-anticipated contests are sure to draw scrutiny nationwide. With constant fear of Russian interference in U.S. elections, citizens might expect the administration to have strict security protocols in place. However, NBC News reported that as of late July, the president had not appointed any officials or agencies to develop a central strategy that can provide election security.
This is concerning because there is clear evidence that Russia has plans for infiltrating the U.S. democratic processes and the resources to succeed. RiskIQ recently analysed an attempted breach by a Russian threat actor who tried to hack the credentials of a top staffer to Sen. Claire McCaskill, a Missouri Democrat. Russian state-backed actors launched a spear-phishing attack similar to those deployed against Hillary Clinton’s campaign chairman John Podesta and former Secretary of State Colin Powell.
Russia operates a sophisticated espionage and political interference network, so the idea that hackers would try to influence the midterm elections is not without merit. However, creating a central threat detection and defence strategy is extremely challenging. While there are some common sense guidelines people can follow, such as not using their personal email accounts for sensitive messages because these accounts are easily hacked, robust security infrastructures are far more complex.
Right now, the U.S. must contend not only with spear-phishing and watering hole attacks but the proliferation of fake news and the infiltration of social media platforms as well. Fake profiles are difficult to wrangle, and they have a real impact on people’s thinking. False information spreads like wildfire on the internet, and putting out the flames is a tremendous undertaking. Russia is obviously aware of this, which makes social media an easy way for the country to flex its muscles and appear in legitimate news. By using popular channels that don’t offer immediate insight into what profiles are fake, Russia has the opportunity to make themselves look dangerous and capable of anything.
Today, social media is a critical battleground in the war against propaganda and fake news, with no easy strategies for winning. Although taking down fake profiles is a necessary component, it’s essentially a high-stakes game of whack-a-mole. Mass influence and education are essential to mitigating the effects of fake news while also defending against other types of attacks.
With so many threats looming, a strong, effective defines would likely require cooperation between the public and private sectors. And it’s not something that can be built overnight.
4. Foreign cybersecurity laws created risks for U.S. companies
Countries such as China recently implemented restrictive laws that could theoretically jeopardise U.S. data and security. Under China’s new national security standards, foreign businesses must not only undergo government-run security reviews but also store their information within China. Russia, too, is leveraging legal strategies to gain access to foreign corporations’ data. The federation now stipulates that the FSB security agency must run source code reviews on foreign technologies before they can be sold.
While this sounds alarming, it’s less concerning than one might think. The U.S. also requires companies to conduct source code reviews when expanding into the country, so Russia and China aren’t doing anything the U.S. hasn’t done as well. The new laws are worth paying attention to and companies should keep an eye out for further restrictions that are likely to be put in place. But companies shouldn’t let recent developments prevent them from expanding into China, for instance, if they see lucrative business opportunities there.
5. The Pentagon released a do not buy software list
Earlier this year, the Pentagon assembled a list of software companies that it’s advised military purchasers not to buy from. Fearing malicious intent by Russian and Chinese parent companies, the Pentagon teased out a number of software providers that may have been holding companies owned by parent organisations in those countries. The publication defence One reported that the Pentagon has partnered with the National Defence Industrial Association, Professional Services Council, and Aerospace Industries Association to distribute the list to military contractors.
Private company leaders may believe they should adhere to the same list and perhaps avoid buying from Chinese or Russian companies period, not just those included in this roundup. But it’s important to remember that there are many reasons the Pentagon may have created the list. There may be economic motivations for discouraging software purchases from foreign companies, or the U.S. government may be making a power play of its own.
Before making a blanket decision about where you purchase software from, dig into the logic behind why providers were named on the list. There may well be real security concerns associated with certain companies, such as spyware or coding vulnerabilities, and you should educate yourself on those. But making snap judgments one way or the other can blind you to opportunities and security risks, so don’t take missives like the Do Not Buy list at face value.
Meet threats with measured strength
Global espionage is a substantial threat, and both private and public leaders should be investing in methods to defend against it. However, as espionage-related stories become more prevalent, it’s important to delve into the context and determine what is a real threat and what is clickbait. Now is the time for measured, decisive action, not for getting caught up in fake news and manufactured hysteria.
Yonathan Klijnsma, Head Researcher, RiskIQ
Image Credit: Deepadesigns / Shutterstock