Cyber Security Pros Should Worry About State-Sponsored Cyber Attacks

State-sponsored cyber intrusions have become an increasing concern to both Australian governments and organisations. Defence Minister Richard Marles warned just last year that the country was seeing a greater interest from state actors in critical infrastructure.

Nathan Wenzler, chief security strategist at cyber security firm Tenable, said state-sponsored threat actors typically infiltrate by stealth and spread. Wenzler said Australian organisations should treat them as seriously as other actors or face serious risk during a geopolitical conflict.

According to Wenzler, the recent state-sponsored attack on Microsoft by the Russia-backed group Midnight Blizzard showed it is a myth that large organisations are immune. Companies need to gain a complete understanding of their environment and mature their risk management approach.

State-sponsored cyber attacks are a growing concern in Australia

State-sponsored cyber threat activity is on the rise in Australia. The Australian Cyber Security Centre found total reports of cybercrime were up by 23% to 94,000 in the year to June 2023, attributing part of that increase to state-sponsored attacks against critical infrastructure.

The ACSC report said that part of the reason for this increase in state-sponsored activity was the creation of the new AUKUS defence partnership between Australia, the UK and the U.S., “with its focus on nuclear submarines and other advanced military capabilities.”

SEE: Why uncertainty is the biggest challenge to Australia’s cyber security strategy

A Cybersecurity Year in Review report from Dragos, which specialises in industrial and critical infrastructure security, found that there was a continued trend of adversaries targeting industrial organisations worldwide, some of which are linked to state-sponsored groups.

“Despite its geographical isolation, Australia is not exempt from the onslaught. In fact, the Dragos Intel team has observed numerous instances of adversaries directly targeting Australian critical infrastructure entities,” said Conor McLaren, principal hunter at Dragos.

These included “strategic cyber espionage operations”, according to McLaren.

Volt Typhoon an example of threat to Australian geopolitical interests

Australia and New Zealand joined other Five Eyes intelligence partners last year in calling out a link between the hacking network Volt Typhoon and China. Volt Typhoon was found to have compromised thousands of devices and U.S. critical infrastructure, with a view to espionage and sabotage.

Employing “living off the land” techniques, which do not typically raise alarms for cyber security professionals as they spread, Volt Typhoon and linked groups have been named as a potential threat to Australian critical infrastructure and organisations, should they gain a foothold.

Tesserent CEO Kurt Hansen recently told TechRepublic Australia that the current geopolitical environment creates risks for commercial organisations and their business models should tensions deteriorate. Hansen urged organisations to exercise vigilance for these attacks.

How and why state-sponsored cyber attacks usually happen

The common pattern seen in state-sponsored attacks is stealth, according to Tenable’s Wenzler. Attackers are quiet in their attack methods, taking a “lie-in-wait approach to infiltrating a network, compromising a device or system, and waiting for opportunities,” Wenzler said.

Nathan Wenzler, Chief Security Strategist, Tenable. Image: Tenable

Typically, their aim is to spread.

“They don’t cause damage, they don’t raise alarms,” Wenzler explained. “But they keep spreading. They’ll use that first place to compromise more, get to credentials, get to applications, because nation-state actors are not looking for financial reward.”

Ultimately, these actors want the potential to cause harm if there is a conflict.

“They’re looking to shut down critical infrastructure or military operations. They’re looking to cause panic or impact citizens, by shutting down services like water supplies or power,” Wenzler said.

State actors need to be treated as seriously as financial crimes

Australian organisations may not be taking state-sponsored cyber attackers seriously enough, according to Wenzler. The main reason is that, in contrast with traditional cyber criminals like ransomware attackers, state-sponsored attackers have no immediate financial impact.

“But the level of damage they can cause is so much greater,” Wenzler said. “Financial loss is obviously a big issue, but think about that sort of meticulous methodical nature of infiltrating every single thing in your environment, and then if I need to, they could just take it all down.”

While this is often seen as a government problem, Wenzler said these actors seek to go beyond critical infrastructure, and service providers such as supermarkets or hotels also have responsibilities to the public.

“We can’t turn a blind eye to these things even in the private sector,” Wenzler said.

Midnight Blizzard: Lessons for Australian cyber security pros

Microsoft’s disclosure in January 2023 of a compromise by state-sponsored threat actor Midnight Blizzard is a warning that no organisation is immune from state-sponsored attacks. Even with more resources and awareness, large companies are still vulnerable to compromise.

SEE: Top cyber security trends that will dominate the Australian market in 2024

“A lot of organisations have this idea that bigger companies just do it better … and it’s only those of us who are smaller that have to worry about it. And that is not the case,” Wenzler said. “This is a very pointed example of where the same kind of challenges can happen to anybody.”

Identity credentials a key vector for threat actors to gain foothold

The Midnight Blizzard compromise shone a light on identity and credentials. Wenzler said a takeaway for Australian cyber security teams was to be clear on the management of credentials and to ensure there are no credentials out there that are forgotten or left unprotected.

This can be a common situation around service accounts, or non-human accounts. Wenzler said these accounts are assigned to applications or automated functions so they work, but then are often missed or forgotten about, even though they often have higher privileges.

“They’re prime targets for attackers,” Wenzler said. “If you can get those kinds of accounts, you get great access to the infrastructure, and there’s a good chance no one’s paying attention to it. You need to get a handle on identity and the rights and permissions everything has.”
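The forgotten, over-privileged service accounts Wenzler describes can be surfaced from an account inventory before an attacker finds them. The audit below is an added example written for this article, not code from Tenable or from the interviewee; the inventory format, the role names treated as privileged, and the 90-day and 180-day thresholds are all assumptions, and the sample inventory is constructed.

```python
"""
Audit a (constructed) account inventory for privileged non-human accounts
that show the signs of neglect discussed above: no accountable owner,
no recent use, or a credential that has not been rotated.
This does not query a real directory; feed it your own export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed role names that count as privileged; adapt to your directory.
PRIVILEGED_ROLES = {"Domain Admins", "Global Administrator", "root"}


@dataclass
class Account:
    name: str
    kind: str                     # "human" or "service"
    roles: Set[str]
    owner: Optional[str]          # person or team accountable for the account
    last_logon: Optional[date]    # None means the account has never logged on
    credential_set: date          # when the password/secret was last rotated


def audit_service_accounts(accounts: List[Account], today: date,
                           stale_days: int = 90,
                           rotation_days: int = 180) -> Dict[str, List[str]]:
    """Return {account_name: [reasons]} for privileged service accounts
    that look forgotten. Human accounts and unprivileged accounts are skipped."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.kind != "service" or not (acct.roles & PRIVILEGED_ROLES):
            continue
        reasons = []
        if acct.owner is None:
            reasons.append("no accountable owner recorded")
        if acct.last_logon is None:
            reasons.append("never used")
        else:
            idle = (today - acct.last_logon).days
            if idle > stale_days:
                reasons.append(f"no logon for {idle} days")
        age = (today - acct.credential_set).days
        if age > rotation_days:
            reasons.append(f"credential not rotated for {age} days")
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample inventory for the example.
TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Account("alice", "human", {"Domain Admins"}, "alice", date(2024, 2, 28), date(2024, 1, 15)),
    Account("svc-backup", "service", {"Domain Admins"}, None, date(2023, 6, 1), date(2021, 3, 3)),
    Account("svc-monitor", "service", {"Domain Admins"}, "ops-team", date(2024, 2, 29), date(2024, 1, 1)),
    Account("svc-legacy-etl", "service", {"Global Administrator"}, "bob", None, date(2022, 5, 5)),
    Account("svc-printer", "service", set(), None, date(2019, 1, 1), date(2019, 1, 1)),
]


def run_example() -> Dict[str, List[str]]:
    return audit_service_accounts(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, reasons in run_example().items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample data, `svc-backup` is reported on all three counts and `svc-legacy-etl` as never used with an unrotated credential; `svc-monitor` is healthy and `svc-printer`, though neglected, holds no privileged role and is left for a lower-priority review.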

Interconnected environments require holistic approach to security

The Microsoft attack also exposed the misconception security functions can be treated like “little isolated silos”, Wenzler said, where performing a checklist of tasks like patching Windows systems or hardening cloud infrastructure is all that was required to safeguard security.

“The challenge is that all these things are connected,” he said. “Those Windows systems could provide access to your cloud environment, and that can potentially reach your critical infrastructure. It’s remembering that all of these things are tied together.”

How cyber teams can combat state-sponsored security threats

Following Midnight Blizzard’s compromise of Microsoft, Wenzler argued cyber teams should revisit security measures like ensuring multi-factor authentication is enabled, and apply best practice approaches like the principle of least privilege, to minimise the risk of identity compromise.

However, he added, the key was to aim for a holistic understanding of an organisation’s environment, adopting a mature risk management approach to security, and being ready to engage government agencies and law enforcement for support in the event of a threat.

Aim for understanding of your organisation’s interconnected environment

Organisations should take steps ahead of time to understand their environment as completely as possible, Wenzler said. This is particularly useful for identifying activity by state-sponsored threat actors, whose ‘living off the land’ techniques do not set off obvious warnings for cyber security teams and so are much harder to detect.
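Because ‘living off the land’ activity uses tools that are legitimately present, a signature for the tool itself is of little use; what Wenzler’s advice to understand the environment translates to in practice is a baseline of who normally runs what, where, so that deviations stand out. The detector below is an added example written for this article, not Tenable’s or any vendor’s code: it learns per-account (host, process) pairs from a learning window and flags anything outside that baseline, rating the alert higher when the process is on an assumed watchlist of built-in administrative tools. Both log extracts are constructed, and the CSV layout and the watchlist are assumptions.

```python
"""
Baseline-deviation detector for process-execution events.
Learning window: what each account normally runs, and on which hosts.
Observation window: anything that account has not been seen doing before.
Log format and tool watchlist are assumptions for this example.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed watchlist of built-in administrative tools that are legitimate for
# admins yet also typical of living-off-the-land activity. Tune to your fleet.
DUAL_USE_TOOLS = {"powershell.exe", "wmic.exe", "net.exe", "netsh.exe", "ntdsutil.exe"}

# Constructed learning-window events (normal activity).
BASELINE_LOG = """timestamp,account,host,process
2024-02-01T08:00:00,ops-admin,srv-dc01,powershell.exe
2024-02-01T08:05:00,ops-admin,srv-dc01,net.exe
2024-02-02T09:10:00,svc-backup,srv-files01,robocopy.exe
2024-02-03T10:00:00,jsmith,ws-0142,outlook.exe
2024-02-03T10:30:00,jsmith,ws-0142,excel.exe
"""

# Constructed observation-window events, including a service account and a
# user account each doing something the baseline never saw them do.
OBSERVED_LOG = """timestamp,account,host,process
2024-03-01T02:13:00,svc-backup,srv-files01,robocopy.exe
2024-03-01T02:14:00,svc-backup,srv-dc01,ntdsutil.exe
2024-03-01T02:15:00,jsmith,ws-0142,netsh.exe
2024-03-01T09:00:00,ops-admin,srv-dc01,powershell.exe
2024-03-01T09:05:00,jsmith,ws-0142,word.exe
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the CSV extract into a list of event dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def build_baseline(events: List[Dict[str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each account to the (host, process) pairs it used in the learning window."""
    baseline: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for e in events:
        baseline[e["account"]].add((e["host"], e["process"].lower()))
    return baseline


def detect_deviations(baseline: Dict[str, Set[Tuple[str, str]]],
                      events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag events outside the account's baseline; watchlisted tools rate 'high'."""
    alerts = []
    for e in events:
        proc = e["process"].lower()
        if (e["host"], proc) in baseline.get(e["account"], set()):
            continue  # seen before for this account: normal
        severity = "high" if proc in DUAL_USE_TOOLS else "low"
        alerts.append({
            "timestamp": e["timestamp"],
            "account": e["account"],
            "host": e["host"],
            "process": proc,
            "severity": severity,
            "reason": "process/host pair not in this account's baseline",
        })
    return alerts


def run_example() -> List[Dict[str, str]]:
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_deviations(baseline, parse_events(OBSERVED_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a['severity']}] {a['timestamp']} {a['account']}@{a['host']} ran {a['process']}")
```

On the constructed logs the backup service account running `ntdsutil.exe` on a domain controller and the user `jsmith` running `netsh.exe` both surface as high-severity deviations, while the same user opening a new office application is logged at low severity; the administrator’s PowerShell use on the same controller is in the baseline and generates nothing. The value of the approach is that the first two alerts would never come from a tool-name signature alone, since the admin legitimately runs those same binaries every day.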

Take a proactive risk management approach to cyber security operations

Organisations are also advised to follow frameworks like NIST and the Essential Eight, which have shifted over time from a focus on putting up walls and hoping threat actors bounce off them, towards advising a more proactive risk management approach to cyber security.

“As we embrace this idea security is much more about risk management than just implementing IT services, then you have to start to understand that risk landscape; that means being proactive, understanding the environment, understanding the risk profile, and using that to make good decisions about what to do next, including what security controls are right for you,” said Wenzler.

Be ready to engage law enforcement authorities for support

While organisations are likely to try to handle a state-sponsored threat actor like a normal security incident, Wenzler said it was also important to engage law enforcement and local government authorities, who have detailed knowledge of state threat actors. This also supports other organisations, as the threat could be more widespread.

Wenzler said law enforcement agencies would sometimes offer additional resources. However, he said many private sector organisations still do not include government agency and law enforcement contact details in their incident response plans. He said it was important to document who to reach out to beforehand, rather than be searching when an incident happens.
