There has been an escalation in the complexity, speed and impact of cyber attacks by nation-states. The sources of most of this activity have been China, Russia and North Korea. These trends drive the need for a more comprehensive and disciplined approach to protecting business interests in the face of this heightened risk. We’ll take a look at some specific events and their impact, as well as some general thoughts on mitigating the risks.
In recent years, China’s Hafnium group has been accused of targeting American business interests with the primary objective of exfiltrating intellectual property information from research institutions, health care, defense contractors and policy think tanks.
For thousands of years, this type of theft was performed by “spies on the ground.” Today’s cyber spies operate from their native country using “leased servers on the ground” in the United States. The business impacts are lower returns on the costly investment required to create intellectual property and the loss of the competitive advantage that intellectual property was meant to provide.
Earlier this year, Hafnium was accused of exploiting a vulnerability in on-premises Microsoft Exchange servers. It’s been estimated that 30,000 to 60,000 Exchange servers worldwide were compromised by this very sophisticated hack. The resulting business impact was the disruption of email flow and the cost of investigating and completely rebuilding these Exchange servers. While there doesn’t appear to be evidence of widespread data exfiltration from this specific attack, the Exchange rebuilds were required to avoid future exploitation by any hidden malicious software the attackers may have left behind.
SolarWinds, a Texas-based company with an IT management product called Orion, was compromised in early 2020 when a software update containing malicious code went undetected for several months. It is estimated that 18,000 Orion instances received the malicious software. Russia’s Foreign Intelligence Service (a.k.a. SVR) is believed to be responsible for this breach, which exfiltrated data from a small subset of the compromised companies. Some experts believe we “dodged a bullet,” as the business impact could have been significantly larger.
As a result of sanctions, cash-starved North Korea has turned to ransomware attacks as a primary source of “bitcoin cash.” In 2012, Kim Jong Un formed the Reconnaissance General Bureau (RGB), a cyber intelligence agency, and stated that with his “brave” cyberwarriors, “we can penetrate any sanctions.” South Korea has reported 1.58 million attempted North Korean cyberattacks a day. The impact of a ransomware attack can be crippling to a business until the victim either pays the ransom or restores data from a backup that the ransomware was unable to reach and encrypt. The average ransom payment in 2020 has been estimated at $300,000, but remediation and rebuilding can bring costs up into the millions. There have been Arkansas companies forced to declare bankruptcy after ransomware attacks. While many companies carry cyber-insurance to cover such attacks, the cost of cyber-insurance is an increasing business expense.
These alarming events show the need for new methods of cybersecurity to combat state-sponsored hackers effectively. One new mindset is the idea of “Assume Breach”: that your network is already breached or will be at some point. Businesses cannot focus only on traditional prevention methods, such as firewalls and passwords. They must also employ detection tools, like Security Information and Event Management (SIEM) software, to identify breaches before they can do significant damage. Another model that goes along with “Assume Breach” is the “Zero Trust Model,” first proposed by John Kindervag in 2010. This model’s premise is “not trusting anything inside or outside the network’s perimeters and verifying anything and everything trying to connect to resources before granting access.” While this sounds simple, the discipline, tools, cost and training needed to accomplish it will take time for businesses to put in place. Security must be a foundation of any business practice rather than an add-on consideration.
In the book Great by Choice, Jim Collins writes that one of the attributes of great leaders is “productive paranoia.” These recent events bring this attribute into greater focus and importance for all of us.
Keith Woodruff is CTO and NWA Managing Partner of Edafio Technology Partners. Sam Grubb of Edafio is a cybersecurity consultant and author of How Cybersecurity Really Works: A Hands-On Guide for Total Beginners.