The high level of engineering behind nation-sponsored hacks makes it hard for businesses to protect themselves
Yahoo recently revealed it has suffered what is thought to be the largest cyber breach in history, in which data of about 500 million users has been stolen.
Information compromised includes names, email addresses, telephone numbers, dates of birth and encrypted passwords.
In a statement, the technology firm said the hack was state-sponsored, but it did not say which country it holds responsible.
Experts say Yahoo’s ability to identify the hackers as sponsored by a state is unusual, as it is often difficult to find out who is behind a cyber attack.
“In a third of all cyber attacks, the modus operandi is unknown,” Francois Brisson, head of cyber and technology at Swiss Re Corporate Solutions, says. “If you don’t know how the attack was carried out, then you will not find out who are behind it. Most threat actors, including states, pay hacker groups to do the job and they will then manipulate the evidence to avoid being discovered.”
Truly accurate attribution is very difficult to do and easy to get wrong because it requires the deep analysis of multiple indicators. Sean Malone, chief strategy officer at FusionX (part of Accenture) says: “It requires looking at the objectives, the techniques, the tools and the overall level of sophistication that is observed in the attack. Sometimes the threat actor, particularly more sophisticated ones, will conduct what’s known as a false flag operation, where they deliberately behave like another threat actor in order to confuse the target organisation.”
The techniques used for state-backed cyber attacks are similar to those used in other hacks, but the level of engineering behind an attack is a good indicator of who might be behind it. Hackers need funding for a very sophisticated attack, which could indicate sponsorship by a state, Brisson says.
The fifth domain of war
Although Yahoo is a high-profile example, it is certainly not the first victim of a nation-sponsored data breach and Accenture expects an increase in these types of attacks in future.
“Information warfare is considered to be the fifth domain of war, following land, sea, air and space. We’ve already seen instances where cyber attacks are conducted alongside a kinetic military conflict such as the attacks on the Ukraine power grid alongside more traditional kinetic operations,” Malone says.
“The world is getting more and more connected and not just our personal lives, but on a national level as well. Critical infrastructure, military assets, they all have IP addresses so they’re all connected one way or another, which only increased the importance of this fifth domain.”
The organisations most at risk of state-backed hacks are those that are protecting assets that would be of interest to a foreign intelligence organisations or to a military group. These fall into three categories: the more traditional military assets such as missiles and command centres; intelligence assets, including information which could be used to coerce a key individual in a government; and critical infrastructure, which would include utilities, nuclear reactors, financial institutions and internet service providers.
Malone explains: “All of those key components that underpin our society and how we operate as nations, even if they’re not strictly speaking military assets, they’re still of substantial interest because if you can cripple a society in advance of a kinetic conflict, it becomes much more difficult for a nation to counter that kinetic conflict.”
Brisson adds state-sponsored hackers could also be targeting businesses with intellectual property data and trade secrets.
“These companies invested a lot of money to develop, for example, an innovative product. They are more at risk because hacking is a very good way to save some funding for research and development. Specifically at risk are companies in the energy sector, transportation and technology,” he says.
Mitigating the risk
Protecting against a state-backed cyber attack is not materially different from defending against any other persistent sophisticated threat actor, Malone says. “It requires understanding the threat model in terms of who the adversaries are that you’re concerned about, what their motivations would be and how that would translate into a nightmare scenario for the organisation that you’re charged with protecting.”
Having this understanding will help to define the critical assets that really need securing. “The next step then is to secure those with multiple layers of security, so to put in place a security architecture that is layered and can withstand the failure of any individual security control in that architecture,” Malone explains.
Part of that is recognising that these adversaries, state-sponsored and otherwise, will likely be able to breach the company’s perimeter, so it’s important to treat even an internal network as potentially compromised.
But prevention alone is not enough. In order to be successful, a company really must develop advanced detection and response capabilities.
Malone adds: “More and more organisations are evaluating what their current ability is to counter this type of a threat and how they can improve. They do that by engaging in a sparring exercise with a simulated adversary, where they will hire an external group to come in and take the actions as a malicious advisory would, except in this case the sparring partner is operating on behalf of and for the benefit of the client organisation, which is what we do at Fusion X.”