UPDATED 19:39 EDT / APRIL 12 2021

SECURITY

Report documents growing nation-state cyberattacks on commercial enterprises

A new study sponsored by HP Inc. finds that nation-state cyberattacks are becoming more common and that bad actors are increasingly targeting enterprises.

“Nation-States, Cyberconflict and the Web of Profit” documents a 100% rise in “significant” nation-state incidents between 2017 and 2020, with 35% of attacks targeting large businesses, followed by cyberdefense agencies (25%) and media and communications companies. The research includes analysis of more than 200 cybersecurity incidents associated with nation-state activity since 2009, as well as intelligence gathered from informants on the dark web and input from a panel of 50 leading practitioners in relevant fields.

Nearly two-thirds of expert panelists pointed to a “worrying” or “very worrying” escalation in tensions last year, with 75% saying COVID-19 had presented a “significant opportunity” for nation-states to exploit. Attacks on supply chains rose 78% in 2019, with more than 27 distinct supply chain attacks likely associated with nation-state assailants.

Enterprises are targets

Enterprises have become a target for nation-state attacks for several reasons, according to Ian Pratt, global head of security for Personal Systems at HP. “In some instances, where the company has high-value intellectual property, they could be targeted directly for strategic advantage,” he said, citing attacks on pharmaceutical firms. “In other cases, organizations might be targeted in an attempt to reach their customers in upstream supply chain attacks such as we saw with SolarWinds – where they are used as a steppingstone to the intended target.” The number of entities affected by supply chain attacks is estimated to have more than doubled in the second half of 2020, he said.

Motivations vary, and the report cites 14 different reasons nation-states engage in cybercrime, ranging from domination, retaliation and elimination to infiltration, negotiation and protection. “Some follow a strategy of disruption to gain an advantage by bringing disorder into an enemy’s defenses. Others adopt a strategy of extraction to gain an advantage through the illicit acquisition of a rival’s data and IP,” Pratt said.

More than 40% of incidents included an attack on physical assets such as power plants. There is also evidence that nation-states are stockpiling zero-day, or previously undiscovered, vulnerabilities. “They want to reserve the use of these weapons for targeted espionage or an offensive attack, saving them for a rainy day to reduce the chances of an attack failing because the vulnerability has been patched,” Pratt said.

In addition to gathering intelligence and conducting espionage, activity analysis indicates that some attackers have been attempting to steal intellectual property on vaccines and disrupt vaccine supply chains.

‘Low-budget tools’

Nation-states are buying tools and services on the dark web and also selling their inventions on the black market. Nearly two-thirds of expert panelists said they believe nation-states are making money from cybercrime and 58% said those actors are increasingly recruiting cybercriminals to conduct attacks.

“Half of the nation-state attacks analyzed involved the use of low budget tools easily purchased on the darknet, while up to 15% of darknet vendor sales go to those acting on behalf of other clients, such as nation-states,” Pratt said.

The fact that half of the tools used were built predominantly for espionage and just 14% for damage or destruction indicates that nation-states are more focused on listening than stealing, researchers said. They pointed to the massive hack of mostly government installations running SolarWinds WorldWide LLC software as evidence of this intent.

“Nation-states are also developing weaponized chatbots to deliver more persuasive phishing messages, react to new events and send messages via social media sites,” said the study’s principal author, Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey in the U.K. He added that the future will likely see increased use of deep fakes, drone swarms that disrupt communications and conduct surveillance, and quantum computing devices that can break strong encryption.

A Geneva Convention for cyberwar?

Most members of the expert panel recommended cyberconflict treaties as a way to dissuade nation-states from escalating their activities, but two-thirds said they believe such an accord would take at least 10 years to negotiate or is likely never to happen.

“Consensus is going to be difficult to achieve,” McGuire said. Doing so requires agreeing on the parties and jurisdictions that should be involved, the kinds of activity covered and the scope of the agreement, which could range from weapons limitations to a code of conduct for a cyberwar. “For any treaty to be effective, there needs to be a wider recognition of legitimate nation-state interests in cyberspace, a recognition that is not overly shaped by individual nation-state strategic objectives,” McGuire said.

The best protection is at endpoint devices, such as PCs, researchers recommend. Once attackers get control of an endpoint they can often move laterally to other systems and remain undetected. Adoption of zero trust practices can limit this vulnerability, they said.

Image: Maxpixel
