Geopolitical tension has a long-tail effect in cyberspace. In the aftermath of major political or military incidents, beneath the public posturing, nation state cyber-actors are already under orders to conduct campaigns aimed at countering the incident, spreading disinformation or straightforward revenge. This evolves into a cat and mouse game played out in cyberspace where attackers disguise their identities to deflect the target’s focus and create tension between the target and third parties – and the stakes are getting higher. As society becomes increasingly dependent on digital technology and networks for all aspects of life, so its value as a target to cause disruption and direct physical impact, as well as critical data destruction, increases.
To this point, recent VMware Carbon Black research that we have undertaken has identified that nation state-sponsored malware attacks are becoming increasingly focused on destruction. As the IoT expands the possible attack surface to any object, building or system controlled through the internet, so the likelihood of attacks on physical infrastructure targets increases and should be factored into defensive strategies. Together with an evolution in the way cybercriminals are getting access to critical systems, this is a concerning shift.
A look at past nation state-sponsored attacks highlights their ability to cause disruption, and the difficulties in correctly attributing attacks to perpetrators. The 2008 Beijing Olympics, for example, were attacked by what looked deceptively like malware generated by North Korea’s Lazarus Group. Communications, booking systems, television networks and apps were brought down, impacting ticket sales and causing physical disruption for Games visitors. It took considerable counter-cyberespionage expertise to discover that the malware originated with Russian group FancyBear. The motivation was the banning of Russian athletes from the Games following systematic doping.
In 2015, the Black Energy attack saw Russia use malware to attack three Ukrainian energy distribution companies, cutting power to three quarters of a million citizens and foreshadowing the potential of infrastructure-focused cyber-attacks to cause real-world disruption. This was brought into stark reality in 2017, when Petya ransomware was repurposed into NotPetya by Russian hacking group Sandworm and unleashed on Ukraine, before spreading worldwide and causing an estimated $10 billion damages globally. The key aspect of NotPetya demonstrating the evolution towards destructive malware was its pure focus on destroying data; once encrypted, no amount of ransom payments could bring that data back. It was designed to spread effectively and cause maximum irreparable damage.
A growing appetite for destruction
NotPetya marked a new era of destructive cyberattacks and our threat analysis teams here at VMware Carbon Black are seeing that trend continue to amplify. In our recent survey of incident responders, destructive/integrity impact was experienced in 41 per cent of attacks, up 10 per cent on the preceding two quarters and an ominous sign that cyberspace is becoming more punitive. This correlates with increasing geo-political tension when we bear in mind that politically motivated actors are less concerned about financial gain and more about causing disruption for citizens, businesses and governments in target countries.
In line with nation state-sponsored actors’ strategy of building out offensive capabilities for future deployment, we are also seeing increasing attempts at establishing network persistence, island hopping and lateral movement. Island hopping accounted for 41 per cent of attacks in our recent IR survey and lateral movement attempts were identified in over two thirds (67 per cent).
Driving this bid for network persistence and manoeuvrability is the potential for hitting larger targets by gaining access into smaller, less-protected corners of their supplier ecosystem. This is particularly concerning in the light of cyber-physical integration, with high value targets such as power plants, dams and commercial or residential buildings now commonly controlled by internet-enabled systems. These systems are often poorly secured with inherent weaknesses, with common ports connected to the internet making them easy to find and easy to exploit. They are often linked with small, local service providers, whose security vulnerabilities make them a prime target for island hopping incursions.
Off-the-shelf network access
But recent developments mean actors don’t even need to do the legwork to gain access into the networks they want to compromise. In the same way that we saw the evolution of ransomware into ransomware-as-a-service, we are now seeing a steady rise in the availability of access mining-as-a-service. Well-known companies are being hacked and access credentials offered for sale through darknet remote access marketplaces on a commodity basis. Some providers are so confident in the quality of their product that they run “try before you buy” offers and escrow services allowing buyers to test the validity of stolen credentials before confirming payment.
This considerably lowers the bar when it comes to accessing networks undetected. It is now not just expert and well-resourced nation state-sponsored groups that can compromise networks, access is available to anyone at a price – and not a high price – access can be bought for as little as $10.
Hunting the threats within
This lowered bar to access, combined with the growing frequency of destructive malware attacks amid constant geopolitical tension, pose a serious problem for network defenders. Networks are more likely to be compromised and, when they are, destruction – not just ransom - is a much higher risk. Further, it is not just the organisation’s own network that is under attack, any connected supplier with lower security could prove to be an ingress for an attacker to exploit.
Ultimately, it is not possible to protect the network by building an ever higher front gate when it’s likely that attackers are already inside it. Instead, defenders must focus on hunting out and neutralising the attackers – whether politically or financially motivated - that have hacked or bought their way through defences and are in prime position to launch destructive attacks. International tension is unlikely to de-escalate in the foreseeable future, so organisations need to be on the hunt for indicators of compromise within their networks, to avoid becoming either an accessory or collateral damage in geopolitical cyber-warfare.
Greg Foss, Senior Threat Researcher, VMware Carbon Black