A Hacker Isn’t Always a Guy in a Basement

by | Nov 5, 2024 | Cybersecurity

He’s a hoodie-wearing guy in a dark basement, what then-candidate Trump called “somebody sitting on their bed that weighs 400 pounds.” Or a foreigner from a developing country who composes laughably worded emails about get-rich-quick schemes. But these stereotypes aren’t close to the truth. Instead, many hackers belong to well-funded, highly efficient organizations supported by rogue states. They’re smart, tenacious, and dangerous.

The threat of cyberattack from malicious state actors can be hard to jibe with the names used to identify them. Do you really have to be wary of a “Cozy Bear,” “Cicada” or “Mint Sandstorm”?* But the damage they cause to businesses and individuals is significant, surpassing $8 trillion last year.

Four Major State Actors in Cyberterrorism

Hackers come from, and are supported by, many countries. But there are four major nations that present ongoing threats to our institutions and citizens: North Korea, Russia, China, and Iran. What do they hope to achieve, and how do they do it?

Threats from North Korea

One recent hack involved a North Korean operative who posed as a remote IT worker by faking his employment history. It’s assumed that after he was let go from the company, he contacted them with ransomware demands, threatening to sell online the data he stole.

While there is a financial component to this type of hack, it can be categorized as espionage. North Korean hacker groups like Advanced Persistent Threat 45 (APT45, or Andariel) have a history of cyber-extorting financial institutions and government entities at the behest of Kim Jong Un’s regime. The goal is to steal military plans and money to fund North Korea’s nuclear weapons programs. These hacks are increasingly sophisticated – there is some indication hackers are using virtual video-cloning software to hide their identities on calls.

Cyberattacks from Russia

Last September, Russian Foreign Intelligence Service (SVR) cyber actors, AKA Advanced Persistent Threat 29 (APT29), began targeting servers belonging to JetBrains TeamCity. The company produces software that automates the integration of code changes from multiple developers into a single codebase and is used by over 30,000 organizations. APT29 is the same group behind the 2020 SolarWinds attack that impacted over 18,000 customers.

SVR-associated hackers use unpatched vulnerabilities and other methods to collect foreign intelligence and technical data with the intent of compromising supply chains and creating disruptions to assist them in the war in Ukraine.

Concerns over the threats from Russia led the US government to ban Kaspersky Lab’s cybersecurity software this past summer. In the words of Commerce Secretary Gina Raimondo, “Russia has shown it has the capacity, and even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans.”

Threat Actors from China

PRC-backed hackers target transportation, water, energy, and telecommunications verticals, including the small and medium-sized businesses that operate in these sectors. Sometimes the aim is to steal intellectual property, like the 2022 Operation CuckooBees attack that stole trillions of dollars’ worth of intellectual property. Another motivation is espionage, for example, the recent Salt Typhoon hack of communications companies like AT&T and Verizon. Tensions with Taiwan may be one motivation behind these cyberattacks; but the wider plan, according to FBI Director Christopher Wray, is to “land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.”

In one move to address these threats, the US Commerce Department recently proposed rules aimed at restricting the use of Chinese (and Russian) software and hardware in connected vehicles sold in the United States.

Threats from Iran

In the past year, Iranian-affiliated hackers have used brute force attacks to access systems belonging to critical US infrastructure, like government entities, engineering, and energy sectors. They are also partnering with other groups to launch ransomware attacks, then splitting the ransom profits. And CyberAv3ngers, a group affiliated with the Iranian government’s Islamic Revolutionary Guard Corps (IRGC), is now using AI tools like ChatGPT to research vulnerabilities and opportunities for attack.

Iranian hackers are also active in spear-phishing and social engineering attacks, leading the US government to offer a $10 million reward for information on long-time hacker Alireza Shafie Nasab, and others.

The Takeaway

Hackers are not isolated individuals. Many belong to highly organized, government-affiliated groups. They aren’t always motivated by financial gain: their larger goal is getting a foothold in organizations where they can eventually cause disruption.

You don’t need to run a nuclear power plant or transportation company to be a target – although if you partner with government entities, infrastructure providers, or supply chain companies, your risk might be higher. To deny easy access to hackers, your organization should require multi-factor authentication (MFA), provide cybersecurity training to users, and ensure that your password policies meet password strength guidelines.

*Where do these crazy names come from?

Cybersecurity companies use different naming conventions to identify threat actors. And sometimes these names change, adding to the confusion. Microsoft, for example, initially christened groups with names referencing elements from the periodic table (phosphorus, gallium, mercury). Unfortunately, a limit of 118 elements required the periodic table be replaced by a two-word naming convention. The second word is weather-related (blizzard, typhoon, hail) and tied to the region from which the attack was launched. According to Microsoft, the first name in the convention is meant to distinguish the group from others. Or not. There’s really no clear explanation for some of these names, which seem to derive from a game of Exquisite Corpse.

Feeling paranoid after reading this? You don’t need to be! Speak to one of our cybersecurity experts to discover how InterDev can keep your organization secured against hackers.
