Skip to main content

When cybercrime and nation-state warfare collide

(Image credit: Image Credit: Welcomia / Shutterstock)

Cybercrime has evolved and accelerated at a disturbing rate in recent years, from its emergence as a new phenomenon to the rapid formation of a global marketplace of professional cybercrime services. Today, geopolitical tensions are reflected in cyberspace. The 2010 discovery of Stuxnet, believed to be a US-Israeli cyber-attack on Iran’s nuclear facilities, was a paradigm shift in the battle to protect critical national infrastructure from nation-state warfare. Since then, the nature of warfare has shifted fundamentally, with governments pumping defence spends into developing advanced cyber-weaponry to oust their opponents on the international stage.

Recycling nation-state tools for sophisticated attacks

But what about when cybercrime and nation-state warfare collide? At the recent RSA conference in San Francisco, former member of the National Security Agency Patrick Wardle highlighted an alarming advancement: hackers previously limited by a lack of skills and resources are easily collecting and repurposing malware developed by nation-states.

Using Apple Mac malware, Wardle demonstrated how repurposing attack tools can be quick and simple, assuring the crowd that thousands of cyber-criminals are out there doing exactly the same with much more advanced and even state-developed cyber-weaponry – reaping the benefits of the government spends and skilful development behind it. Creating new attack tools takes a great deal of time, money and effort – why wouldn’t hackers use their technical skillsets to simply repurpose the best of what’s already out there? Especially when it makes attribution far more challenging, providing the anonymity that cyber-criminals crave.

Hackers have reused and repurposed each other’s code for some time. The Windows hacking tool EternalBlue developed by the NSA and then stolen and leaked in 2017 made its way around the criminal ecosystem to be used by various hacking groups – signalling that the US had lost control of its cybersecurity arsenal – and since then, a number of other state-sponsored attack tools such as Vault7 and ShadowBrokers have also been released into the wild only to be weaponised by cybercrime gangs and nation-state adversaries. The reality is that whether it was leaked or simply used operationally, once a cyber-tool is discovered in the wild it becomes free game for cyber-criminals to hunt for, collect, and re-purpose.

Advancements in the cyber-arms race

The barrier to entry for military-grade attack tools is falling, and the physical damage is likely to be severe. The vulnerabilities introduced by the convergence of IT and operational technology (OT) systems are already evident – the WannaCry ransomware attacks began in medical and corporate networks yet spread to industrial plants across Europe and Asia to cause significant periods of downtime, representing a watershed moment in the increasing cases of OT networks being affected by malware never intended or specialised for them. As attackers begin to use state-sponsored tools that they lack the specific intelligence to test or deploy, we can expect to see more and more attacks having unintended consequences and causing collateral damage in the OT space, rendering critical infrastructure more at risk than ever.

Soon, AI will be weaponised by governments to discover and design novel attack methods, and these sophisticated tools may well come out of the government AI labs and into the hands of criminals.

Traditional tools don’t stand a chance

These advancements in the cyber-arms race are ramping up the threat level and defeating legacy security tools, pushing organisations even harder to adapt or die. With cyber-criminals adopting nation-state grade capabilities, organisations will have to step up their own operations to keep pace. Wardle himself was quick to make it clear that signature-based defences will not stand a chance against repurposed attack tools – malware when it is redeployed can easily be tweaked such that it slips under the radar of these traditional tools.

When it comes down to it, cybercrime is innovating much faster than the security industry is. Antivirus vendors simply cannot create new signatures as quickly as new malware variants are being developed, and with our digital systems growing more complex than they’ve ever been, attempts to create rules that predict how an employee will use a particular system and how internal data should flow have become an exercise in futility. The cybersecurity needed for today and critical for tomorrow is one that is threat agnostic, able to disrupt attacks without needing to define the attack type.

Trying to guess what attacks will look like is no longer enough and impossible to do with any level of certainty – what organisations need is a real-time understanding of what the ‘normal’ behaviour of their digital business looks like. With a behavioural understanding of their systems, organisations can constantly monitor emerging threats and thwart even the most sophisticated attacks – even if the malware has been tweaked.

The future of defence is hybrid

With access to hyper-sophisticated attack tools becoming more readily available by the day, thousands of organisations globally are accepting that we cannot throw humans into what has now become a machine fight. The future of the security team is hybrid. AI-powered defences are affording these organisations with a complex understanding of the ‘normal’ activity across their digital estate, supercharging threat investigations and finding patterns in the noise of the network that conventional tools would miss, as well as autonomously enforcing this ‘normal’ by responding to deviations at machine speed as they emerge.

What is particularly crucial here is unsupervised machine learning. Rather than relying on curated samples from the past or potentially biased data sets, unsupervised learning algorithms analyse real-time information to find unexpected patterns and anomalies — without fixed categories or labels. Free from the shackles of historical attack data, unsupervised machine learning can analyse mass amounts of real-time data at immense speeds, unveiling patterns and anomalies that go unnoticed to the human eye and traditional defences alike.

This self-learning approach to security – free from the need to define or even understand the threat actor – represents an important step forward in the vital move away from looking outwards and asking what the next attack will look like, towards looking inwards and asking: what does the digital world of my organisation look like?

Armed with this knowledge, organisations will be better placed to tackle the upcoming phases of the cyber-arms race. With AI being deployed by attackers, AI security systems that make machine-speed decisions based on live data will become even more crucial. Advances in attack methodology must be met with advances in defence – the situation is escalating out of our hands, but AI is altering the scales and empowering defenders to be more innovative than the bad guys.

Marcus Fowler, Director of Strategic Threat, Darktrace

Marcus Fowler spent 15 years at the Central Intelligence Agency developing global cyber operations and technical strategies, until joining Darktrace in 2019.