Connected devices and flexible working practices may be beneficial to employees, but they have caused the boundaries of organisations to ebb and flow more than ever before. This, combined with increasingly complex partner ecosystems, means the days when a firewall alone was sufficient protection to halt those with malicious intent are over.
In the modern business landscape, the use of third-party suppliers is prolific. In fact, a recent survey from Thomson Reuters entitled ‘Third Party Risk: Exposing the Gaps’ found that 70 per cent of organisations have become more flexible and competitive because of third-party relationships. With this in mind, plus the fact that other businesses now have responsibility for your privacy, it’s no longer enough for businesses to understand just their own security setup. Every organisation within a company’s supply chain needs to be equally aware of, and shored up against, the risks posed by the evolving threat landscape.
Getting to know your third parties
With regulations such as the General Data Protection Regulation (GDPR), Open Banking and the Second Payment Services Directive (PSD2) on the horizon, it’s critical for organisations to know and understand their entire ecosystem. By undertaking overarching audits on a regular basis and turning this into a mandated process, businesses can do just that. It also presents them with an opportunity to foster good threat intelligence sharing regimes and protect the whole supply chain from attackers.
This kind of attack is illustrated by incidents in recent years involving banks. For example, thieves managed to steal $250,000 from Bangladesh’s Sonali bank in 2013, along with more than $12 million from Ecuador’s Banco del Austro in 2015, using the banks’ access to the SWIFT network to send fraudulent messages and transfer money. Vietnam’s Tien Phong Bank also reported in May 2017 that it had foiled a similar attempt by attackers to steal money from the bank.
For businesses in this situation, ensuring there isn’t a weak link in the chain can be the difference between being hit with an attack or crippling fine, or not. At a time when cyberattacks are big news and hitting the headlines on almost a daily basis, working closely with third parties in the supply chain on cyber strategy is the best way to ensure business survival and avoid failure.
The psychology of a hacker
While attacks on third parties aren’t new, they are becoming more prolific. This evolution in the threat landscape is also being identified elsewhere in the industry, with one key example being the significant rise in cyber vandalism which has become apparent in recent years. On the plus side, however, there is now much more data available to businesses, allowing them to identify changes in attackers’ approaches and protect themselves before they become an issue.
Using cyber vandalism as an example, it’s often difficult to see what reward comes from these forms of attack. This may be students looking to show off their cyber talents, researchers inventing new methods of infecting a system, or even developers who are creating more professional and serious viruses – this is often true of state-sponsored attacks too. Despite this, whoever the attacker, it’s quite safe to say that it’s very rare to be able to identify a motive for cybercrime like this.
The WannaCry malware, specifically the usage of the Destover wiper component, also raises some interesting points when it comes to the psychology and the tasking of nation state hackers. Released in early 2017, the malware had one of the largest attack vectors to date, with upwards of 400,000 computers infected across 150 countries. Wiper software is a bizarre addition to the WannaCry mix, given the ransomware itself is already encrypting files in the hope that the organisation will pay up. Not only that, but it’s the same wiper software used by Lazarus. So does this indicate a close connection with the group, or is it a deliberate and obvious addition to point towards Lazarus as the perpetrators? Perhaps it is the lack of direction from a nation state (meaning hackers simply use whatever tools are at their disposal), but it’s more than possible this ambiguity is deliberate. Despite this, however, the recent confirmation from the US and UK governments that it is “highly likely” WannaCry was caused by Lazarus is just one example of how governments are becoming more cautious about getting attribution in cybercrime right – it is now just as important to get attribution of financially motivated capabilities right as it would be for espionage.
Looking at the Petya attack as another example, the motives of the attackers behind it are still a mystery. It was unleashed in networks just two months after the WannaCry breach in July 2017. The United Nations’ top cybercrime official claimed that, while the attack was incredibly advanced and sophisticated, the attackers’ strategy suggested money was not the motive. This makes attribution very difficult, as without a clear motive behind an attack – in this case, the use of highly unsophisticated attack vectors could challenge the nation state attribution assertion – it’s almost impossible to identify a pattern in behaviour and prevent future attacks.
Taking immediate action
Enterprises at all stages of the supply chain are under a constant barrage of cyberattacks. With the threat landscape evolving in these various ways and attacks becoming ever-more sophisticated, having time to stop and think about the actor behind the malicious intent may seem like a luxury. However, businesses need to start looking at cyberattacks from the adversary’s perspective to understand what is most attractive to an attacker. Is it more lucrative for them to attack the smaller businesses in the chain in a bid to reach the larger organisations, or will they go straight for the jugular and the top of the chain?
Without this understanding, problems will persist and organisations will fall further behind new developments as the threat landscape continues to evolve. Corporations need to act now if they are to ensure their cybersecurity strategies are keeping up with the attackers. Only then can they prevent the next newspaper headline from featuring their name – or the name of one of the organisations within their networks.
Chris O’Brien, Director of Intelligence Operations at EclecticIQ