Nation State Cyber Attacks
No target is too insignificant for the big player hackers.
Compared to the costs of conventional weapons, cyber is a relatively cheap method of attack and defence. Military hardware is heavily dependent on technology that requires high-level computer skills to keep it running, which exposes it to the same risks as other computerised systems. Any serious disruption to front-line military hardware would bring on a full-scale shooting war. The current Nation State cyber-attack scene is therefore about gaining knowledge and causing disruption while keeping well away from any casus belli.
Attacks are likely to stay away from obvious military or infrastructure targets and aim for the soft underbelly. This is looking to be the supply chain. Disrupt the supply of the ‘thing-ummy bob’ and you can win the war (thank you to Gracie Fields). Fortunately there is no all-out war, and hopefully there is not going to be one, but Nations need to prepare for the worst. Having an offensive cyber strategy is only of any use if you know that it works. That must involve trying it out, which requires some subtle deployments to ensure that not too much fuss is caused. As a bonus, the operation might make a little cash on the side through ransomware.
In the UK the National Cyber Force has been established to counter threats including those from Nation States. Governments have taken action against foreign cyber threats by restricting which countries can operate or supply hardware. Huawei 5G hardware has been banned in the UK and USA because of possible threats from the firmware running the devices. Steps such as these do reduce the Nation State threat but tend to shift the attacker’s sights onto softer and less obvious targets within the business world.
In 2020 the SolarWinds Orion platform was compromised by the hacker group Nobelium. Orion is a core SolarWinds product concerned with network monitoring and analysis. In SolarWinds’ own words Orion is ‘One vendor. One platform. One single pane of glass’; Nobelium threw a brick through the glass. The vulnerability has since been fixed, but this was a sophisticated attack delivered through official SolarWinds patches that could harvest users’ data without any obvious effect on Orion’s performance. No nation has admitted responsibility for sponsoring Nobelium, but it clearly has access to substantial resources.
The implication for industry is that any business could be the target of an attack, even through well established and trusted suppliers. Unlike Ransomware or Denial of Service incidents, there may not be any signs within the system that an attack has taken place. A recommended safeguard is always to ensure that systems are patched to the latest version. Unfortunately the SolarWinds Orion attack was delivered through its own patches. Although this distribution method could be used again, patching should never be discontinued or delayed. The risks from zero-day attacks are to be judged greater than the risk of malware within patches.
Combatting Nation State Attacks
Bulletins from trusted security sources should be monitored for news on compromised systems. Kindus display a selection of trusted security incident news feeds.
Analysis of local log files will provide evidence of suspect activity. Commercial software will sift through copious log output, report trends and alert on unexpected events. Suspicious activity to look out for would include:
- Multiple log-in failures
- Access from unexpected IP addresses
- Unusual activity within infrequently used accounts
- Password changes for admin accounts
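As an added illustration of the four indicators listed above (this is example code written for this page, not a Kindus tool), the following Python applies each check to a small set of constructed authentication log lines. The log format, the trusted network prefix, the dormant and admin account names and the failure threshold are all assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not real data); the syslog-like layout is an
# assumption for this example: <timestamp> <program> <event> <result> user= src=
SAMPLE_LOG = """\
2024-03-01T08:01:02 sshd login FAILED user=alice src=10.0.0.5
2024-03-01T08:01:09 sshd login FAILED user=alice src=10.0.0.5
2024-03-01T08:01:15 sshd login FAILED user=alice src=10.0.0.5
2024-03-01T08:01:21 sshd login FAILED user=alice src=10.0.0.5
2024-03-01T08:01:27 sshd login FAILED user=alice src=10.0.0.5
2024-03-01T08:02:00 sshd login OK user=bob src=203.0.113.9
2024-03-01T08:03:00 sshd login OK user=svc_backup src=10.0.0.7
2024-03-01T08:03:30 pam passwd changed user=root src=10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<event>login|passwd) (?P<result>FAILED|OK|changed) "
                     r"user=(?P<user>\S+) src=(?P<ip>\S+)$")

# Site policy for the checks; these values are assumptions for the example.
TRUSTED_NETS = ("10.0.0.",)        # source prefixes that are expected
DORMANT_ACCOUNTS = {"svc_backup"}  # accounts that are rarely used normally
ADMIN_ACCOUNTS = {"root"}          # accounts whose password changes matter
FAILURE_THRESHOLD = 5              # failed logins per (user, ip) before alerting

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text):
    """Return a list of (rule, detail) alerts for the four indicators."""
    alerts = []
    failures = Counter()
    for ev in parse(log_text):
        if ev["event"] == "login" and ev["result"] == "FAILED":
            failures[(ev["user"], ev["ip"])] += 1          # counted, reported below
        if not ev["ip"].startswith(TRUSTED_NETS):
            alerts.append(("unexpected_ip", f"{ev['user']} from {ev['ip']}"))
        if ev["user"] in DORMANT_ACCOUNTS:
            alerts.append(("dormant_account", ev["user"]))
        if ev["event"] == "passwd" and ev["user"] in ADMIN_ACCOUNTS:
            alerts.append(("admin_password_change", ev["user"]))
    for (user, ip), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append(("repeated_failures", f"{user} from {ip} x{n}"))
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed lines produces one alert per indicator; in practice the thresholds and trusted ranges must be tuned to the environment or the output will be dominated by noise.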
If there is evidence of an attack, any compromised systems should be isolated from the network. It is unlikely that this is the sole target of the attack. Web searches for similar incidents should provide additional information or confirm that any reports are ‘normal’ for the situation in question. In the UK suspected cyber-crime incidents should be reported to the National Cyber Security Centre.