Every organization needs to figure out their increased cyber risk from nation-state warfare attacks and deploy mitigations.
We have been worried about cyberwarfare for decades. It has been around for decades. The first nation-state cyber event that I ever read about, in the Cuckoo’s Egg happened in 1986, before we really even had an Internet. The 1990s and 2000s were full of massive nation-state cyber campaigns with code names like Titan Rain, Moonlight Maze, and Red Storm. Most of these nation-state attacks were mostly spying operations, trying to learn something the adversary did not know.
Stuxnet in 2010 was a game changer. I will call that the start of Nation-State 2.0. It was a highly sophisticated computer worm, modular in design, created with multi-nation-state cooperation, to take out physical nuclear weapon infrastructure. It was nation-state malware designed to cause physical damage. It has since been concluded that the physical damage it did was more effective than what would have been caused by traditional explosive bombing, because the targets were located in underground, bomb-resistant, protected bunkers. I think every computer security defender should read Kim Zetter’s Zero-day analysis. You will better understand cyberwarfare and how sophisticated it is now.
But the attack on Sony Pictures, the Solarwinds supply chain compromise, and now the latest Microsoft Exchange zero-day exploits have declared the nation-state game changed forever more. How has it changed? What makes nation-state cyber attacks Nation-State 2.0? Here are the changes:
No Longer Targeted
The single most startling factor is how untargeted the latest nation-state attacks have been. In the past decades, the only organizations that really had to worry about nation-state attacks were universities, think tanks, militaries, weapons, aerospace, or related contractors and suppliers. There had to be some reason the nation-state was targeting your organization.
That really started to change in the 1990s, where regular companies that produced regular goods started to be targeted for non-traditional competitive advantages. For example, I consulted for a company that made refrigerators. They were targeted by a nation-state group. Their new, more energy-efficient, refrigerator’s plans were stolen, and the nation-state made a cheaper, knock-off version that was made available before even the ripped off version. But the real tipping point, for me, was to learn that Sony Pictures…a Hollywood picture company…got targeted simply because a comedy film made fun of their nation’s leader. For that error in judgement, Sony Pictures paid dearly .
Then in the 2000s, a nation’s power, water, and rail, infrastructure became fair game. It is now assumed that many nation-states will try (and sometimes succeed) in taking out another nation’s infrastructure. Any nation can expect to experience widespread power and utility outages if their nation gets in a fight with another nation. It is the new rules of the game.
Today, any organization is fair game. Your organization is fair game. The Solarwinds attack compromised tens of thousands of organizations. The Microsoft Exchange zero-days compromised over a hundred thousand companies. I had a reporter ask me what type of organizations were exploited by the Microsoft Exchange hackers. “All of them!” was my reply. Not all companies were exploited, but it did not matter what “type” of organization. All companies are now fair game as direct targets or as unintended targets in the nation-state’s need to get to some organizations. If you didn’t used to include nation-state threat actors in your risk modeling, you now need to do so.
Zero-days Are Not Being Used Sparingly Anymore
We have always known that it was likely that most nation-states had dozens to thousands of unpatched, zero-day exploits ready to go as needed. But the traditional thinking was that the nation-state attackers used them sparingly, as last resorts. They could not be used a lot without “burning them”, which means to make them known to the vendor who would then patch them, making their overall value plummet.
So, the traditional nation-state method was to try to use any non-zero-day method first. Heck, 99% of hacking can be done using well-known techniques and vulnerabilities. Why burn a good zero-day if you don’t need to? Using a zero-day burns the zero-day and brings increased attention to the attacker, none of which is good for sophisticated nation-state attackers.
But even if the nation-state used a zero-day, it was often used sparingly, to gain initial foothold access. Then the attacker would establish another way in, such as a trojan backdoor program, or add themselves to an elevated group, and get out, removing all traces of the zero-day used.
The Microsoft Exchange nation-state attackers used four to seven zero-days (four were actively used and Microsoft found another three). Not one. Four. Or seven. And the attackers left the evidence around so that they would for sure be detected and start the normal chain of vulnerability reporting. This is not a sparingly used, zero-day attack. Why so many zero-days at once? Why did they not care about burning so many at once? Is it that they have so many, why care about burning four to seven at a time? It doesn’t make logical sense. Logic is something you could count on with a nation-state attacker. There was some comfort at least in that concept. Not anymore.
Don’t Care To Hide
Nation-state attackers used to take great pains to hide. Break in, get what you want, get out. No one is the wiser. The Sony Picture attackers publicly announced themselves. Solarwinds and the Microsoft Exchange attackers attacked so widespread and obvious that it was bound to become public knowledge.
Nation-states are not even caring enough to erase log files full of evidence. It is easy for a sophisticated attacker to clear out log files. In the old school spy days, you broke in, took control, did your devious stuff, then wiped the log files of any malicious evidence as the last thing you did on the way out.
Now, with the Microsoft Exchange attacks, one of the most common indicators of compromise (IoC) is particular events in the Windows log files which are create when the server has been compromised. It is the opposite of hiding. And the attacker knew the evidence would accrue, had ways to make it disappear, and still didn’t care enough to do it.
Twenty and thirty years ago, malware spent a lot of time and energy hiding. The malware would churn and churn to create billions of different-looking copies that were operationally the same (known as polymorphism). Today, nearly every phishing malware program morphs as a matter of its existence. Hide! Hide! Hide! It’s hard to find malware that isn’t morphing and encrypting. But not the Solarwinds or Microsoft Exchange attacks. Nope, they used and left behind plaintext malware examples which created other new plaintext files and executables with easy to identify malicious code.
For decades, malware modified the operating system upon exploitation, and hid its presence from the operating system and prying anti-malware scanners (the early versions were known as root kits). It’s not a new technique. The first IBM-compatible DOS virus, Pakistani Brain, did this back in 1986. In 2010, Stuxnet took great pains to hide its presence.
But not today’s sophisticated, nation-state malware. If you look for it, you will find it. Why don’t nation-states care to hide as much anymore? I am not saying all nation-state malware. Certainly, much of it still tries to hide. But why have the latest two nation-state malware programs (e.g., Solarwinds and the Microsoft Exchange exploits) not cared to hide? Not even a little bit. Are they outliers or trends?
Routinely Stealing Money Like Common Thieves
It used to be the nation-state malware mostly did spy stuff, looking for secrets, communications, and plans. You know, the type of stuff that James Bond would steal. Now, nation-state malware is often interested in financial gain. Some nation-state malware steals tens of millions of dollars from banks and compromised organizations. Some of it steals cryptocurrencies. Some of it encrypts servers and data and asks for a ransom. It is clear, that many nation-states are either directly and intentionally stealing money or looking the other way while some hacker within their jurisdictional control does the same. I do not remember James Bond, or older nation-state malware, stealing money. Now, it is just what some of them do to fund their nation. In some cases, money-stealing malware and hackers are a leading revenue source to that nation, year after year.
Becoming More Brazen
All of this shows that nation-states are becoming more brazen. They are attacking more often, far more targets, not hiding, stealing money, and any digital advantage is fair game. It is cyberwarfare unleashed. There is no digital Geneva Conventions equivalent to make it stop or slow it down. The current policy seems to be to get away with as much as you can get away with. There have even been many kinetic, real, physical war responses and bombings to cyberwar attacks, and that has not lessened them from occurring. There seems to be a clear trend to more and worse nation-state malware which attacks almost any organization.
The traditional, sparingly-used, cyberwarfare is being replaced by a permanently more aggressive policy. And this means that all organizations need to update their cyber risk calculations and defenses. First, start by making sure your risk modeling includes a nation-state threat actor scenario. No longer can you say nation-state threats do not apply.
Second, this means all organizations need to start taking all cybersecurity risks more seriously. It means understanding what legitimate executables and files should be running on your organization’s devices and getting alerted when something new shows up. The entities that first noticed the latest nation-state attacks, did so by recognizing something new and different had invaded their environments. If they did not catch the new (malicious) files, they noticed the strange new, foreign network connections, at odd hours. I am a big believer in any computer security defense that can help you understand what should be running on your network and can alert you when something new shows up. If you do not have a defense like this, you need to get one.
Third, I think a lot of CISOs are seeing this mess and thinking cloud-based software is looking better all the time. Cloud solutions are already cheaper and easier to budget for. No need to buy, maintain, and replace physical servers and all the accompanying supporting resources. Just pay a predictable per user subscription amount.
In this latest case, Microsoft’s cloud products were not impacted. I do not think that is lost on decision makers. But even if Microsoft’s cloud products were impacted, Microsoft could have patched the vulnerabilities without having to tell or wait on anyone Then they could have announced the issue after all the protection was in place. All the onus, preparation, and mitigation would have been on Microsoft, and not its customers.
Instead, the on-premise Microsoft Exchange model from the very beginning was going to be a race against time from the moment the vulnerabilities were publicly announced and the patches released to when vulnerable organizations would be protected. There has to be a lot of CISOs thinking…”Why should I continue to fight going to the cloud when it is more cost effective and more secure with less headaches?” I think you’re going to see a jump in the number of cloud subscriptions happening this year.
Lastly, educate your employees to be hyper-aware of nation-state attacks and how your organization could be targeted, directly or indirectly. A lot of past nation-state attacks started with spear phishing and social engineering attacks which compromised a few employees. Most employees of most companies probably do not even know what nation-state attacker or cyberwarfare means. Time to educate them.
Be aware that nation-states are great at compromising an initial target and then using that target’s trusted relationships to send very hard to detect spear phishing attacks. The emails arrive as replies to emails already being sent. The receivers, seeing the new requests from someone they otherwise trust, are more likely to open those emails and follow the instructions no matter how strange and unexpected the request is. Tell your end users that an unexpected request from even a trusted person is to be suspect. If the email is unexpected and contains an unexpected request, even if from a trusted person, it should result in the receiver slowing down and confirming the request another, better way. Better to take the time to call the person than to get compromised.
Nation-state attacks have changed. They are more frequent, wider spread, and causing far more harm. I think even most cyberwarfare experts are caught off guard by the sheer brazenness, especially in “peace time” conditions. The digital cold war is here. Time to officially recognize it. The only question is, are you paying attention and how are you preparing?