10 deadliest differences of state-sponsored attacks

If you believe that protecting against cyberattacks from government agencies requires the same processes as defending against any other threat -- well, to some extent, you are right.

Government agencies will happily use easy "script kiddie" tools and well-known exploits to get into your systems to avoid tipping their hand about who they are and what they're really after. And they have the money to buy and use the most advanced tools used by criminal organizations to get into your payments data.

So protecting against these kinds of common attacks is necessary if you are trying to protect yourself against state-sponsored attackers -- but it is not sufficient. There are some key differences about attacks that originate with foreign governments, and ignoring these differences could prove deadly.

1. They're going after different types of data

Vandals are out to make a loud splash, so they'll go after public-facing websites, or just randomly disrupt whatever's within reach. Criminals will go after stuff they can sell.

Foreign nations will hit embassies and government agencies for political information, said Jaime Blasco, director of labs at San Mateo, CA-based AlienVault, Inc.

And they'll go after private companies, as well -- and not just defense contractors, either.

"If specific companies have developed a technology or method to do something, they might steal information to gain that information for competitive advantage for Chinese companies," he said. And they'll also go against personal information or business information that would provide them with insights they need to break into more companies.

Blasco was part of the team that took down UglyGorilla, a Chinese hacker who broke into computers at five U.S. companies, including Westinghouse Electric Co. and United States Steel Corp., earlier this year and stole trade secrets and other information.

Blasco also uncovered Sykipot, a China-based attack which was able to bypass two-factor authentication and steal trade secrets from the automotive and aerospace industries.

"What we thought was a primary reason for gain might not be as obvious anymore," said Carl Wright, general manager at San Mateo, CA-based TrapX, which recently uncovered a Chinese attack against international shipping and logistics companies.

For example, an attack against certain types of agricultural equipment might produce valuable insights about grain production, he said.

2. They might not be after data at all

Foreign governments are after power, and not just in the "information is power" kind of way. They'll go after another country's actual power grid, fuel pipelines, or nuclear reactors.

"They would be also happy causing disruption in government services, taking out communication systems, disrupting a nation's economy, or causing reputation damage of state-related institutions," said Jeff Williams, CTO at Palo Alto, CA-based Contrast Security.

Of course, we play this game as well. It's pretty well accepted that the U.S. was behind the Stuxnet attacks that took out the nuclear reactors in Iran and delayed their ability to produce weapons significantly, said Williams.

3. They're operating on a longer timescale

Criminals and vandals are after quick payoffs.

"When you steal someone's credit card, the time period that that's a valuable asset is very short," said Carl Wright, general manager at San Mateo, CA-based security firm TrapX. "At some point, the credit card company cancels that credit card and the consumer is issued a new card."

A foreign government, by comparison, could have unlimited patience.

"They might get in and sit there for a while and not try to do a whole lot until they feel the time is right," said Ben Johnson, chief security strategist at Waltham, Massachusetts-based Bit9, Inc.

In fact, he said, they might actually patch vulnerabilities they find in order to keep anyone else from getting in and setting off alerts. "If they think they tripped up a defense, they might lay low for a little bit," he said. "Or, on the flip side of that, if they think they're about to be kicked out because the company is killing off the user accounts, they might grab data as fast as possible."

4. They might never be discovered

According to this year's Verizon breach report, 84 percent of the reported attack discoveries were made by third parties.

This is particularly the case with credit card data, said D.J. Vogel, a partner in the security and compliance practice at Naperville, Ill.-based professional services firm Sikich LLP.

When payment data is stolen, there are numerous third-parties involved that might sound the alert, he explained. The individual consumer, for example, who finds unusual charges on her bill. The payments processors and credit card companies who monitor transactions for unusual patterns. Law enforcement agencies eavesdropping on illegal credit card number auctions.

But when it comes to the theft of trade secrets, it could be years before the victim finds out -- if they find out at all, he said.

"The industry as a whole is less likely to identify state-sponsored attacks," he said. "It's much easier to fly under the radar, and not be undetected."

And even if a company discovers that it's been attacked and data was stolen, that's still not the whole story.

"The million-dollar question becomes what the heck they're doing with it?" asked Dodi Glenn, senior director of security intelligence and research labs at Clearwater, FL-based ThreatTrack Security, Inc. "Are they trying to design another Apple iPhone and sell it cheaper? Or are they trying to tap into an iPhone with some vulnerability that they'll never disclose? They don't make it known what they do with the data. We can only infer what they're targeting."

5. They're not afraid to get physical

Despite what you see on television, a criminal isn't likely to follow a company executive around in order to physically infect their laptop or cellphone with malware.

The costs -- time, travel expenses, the possibility of getting caught -- are too high. It's much easier to go after some other executive who has a phone that can be hacked without physical contact.

In the case of state-sponsored attacks, however, especially within that state's own borders, the costs and risks are minimal.

In fact, they might actually set up a meeting with the targeted executive, said Michael Shaulov, CEO at San Francisco-based Lacoon Mobile Security, Inc.

Then all they need is a little private time with the laptop or cell phone in order to infect it. There are even several ways to infect iPhones, Shaulov added. And, of course, a foreign nation-state often has full access to its own telephone networks.

6. The airwaves aren't safe

The airwaves aren't safe either, Shaulov added.

"In Russia, they discovered a couple of fake mobile cell towers," he said. "Every time someone would pass through that coverage area, someone in the government would intercept their communications."

The same approach works on foreign territory as well, he added. A mini cellphone tower can be hidden in a suitcase and carried to a location close to the target, or placed in a vehicle in order to have a larger coverage area.

"If you look out the window and see a white van, be suspicious," he said.

7. They stay on target

A financially-motivated criminal wants to see the biggest return on their investment, so they'll go after the least-defended companies first.

"There are certainly plenty of targets," said Steve Hultquist, chief evangelist at Sunnyvale, Cal.-based RedSeal, Inc. "I can just go on to the next one."

A company doesn't have to have perfect security to defend itself -- all it has to do is avoid being the lowest-hanging fruit.

A state-sponsored attacker, however, is motivated by strategic gain, not financial. They'll keep after a company, its employees, and its business partners, until they get in.

8. They have a large, well-organized team

Criminals are most likely to work alone, or in loosely-affiliated teams. A state-sponsored attacker, however, might be working out of an actual office, under a well-trained project manager.

"State-sponsored cyberattacks are much more likely to be organized and run by a large group of people," said Jeff Williams, CTO at Palo Alto-based Contrast Security. "They're going to have a full lab full of people trained and executing a whole bunch of attacks against a whole bunch of things at once." And they'll work around the clock, added Udi Mokady, CEO at Israel-based CyberArk Software, Ltd.

"It's based on people working shifts with well-managed processes and development," he said. "They behave like a development arm and are able to carry out sophisticated attacks."

And speaking of development...

9. They'll create new zero-day exploits

A foreign government can afford to create a brand new, unique zero-day attack to go after individual targets.

"They are deeply talented and likely spend substantial resources to identify zero day vulnerabilities," said John Dickson, principal at San Antonio, TX-based Denim Group, Ltd. "They have shown willingness to have a lot of people spend a ton of time trying to get into certain places."

And the foreign government would then keep those vulnerabilities secret, to use them again, or to ensure that its attack wouldn't be discovered.

A criminal is also interested in getting the maximum use possible out of an exploit, but within a much shorter time frame. An exploit that's sitting around not being used isn't making them any money -- and, given how slowly some companies patch, even a discovered exploit can remain profitable for years to come.

10. They set the bar for other types of attacks

"The reality is that US companies and government agencies are only barely prepared for the very lowest level of threat -- the auditor," said Contrast Security's Williams.

And auditors are always several years behind the curve, because they use regulations and standards drafted years before. That means that most organizations are unprepared for techniques commonly used today by all types of hackers, such as automated tools.

"We should be building systems designed to resist the attacks that we expect ten years from now, not the attacks occurring two years ago," he said. That means that all organizations should be getting ready to face long-term, well-coordinated, almost invisible attacks.

"In ten years, this type of attack will be available to even unskilled attackers, and we should be preparing our critical infrastructure to withstand it," he said.


Stories by Maria Korolov
