State-sponsored threat actors are hacking groups that are government funded, highly skilled and extremely motivated. China, Iran, North Korea, Russia, Vietnam and Syria, to name just a few, have each been blamed for cyberattacks in recent history.
These groups are often called APTs, or Advanced Persistent Threats, and are given numbers to identify them. Strictly speaking, an Advanced Persistent Threat (APT) is an attack in which unauthorised access to a network is achieved and covertly maintained for an extended period, but the term has come to denote the groups themselves.
APTs have specific objectives for their attacks, aligned with either the political, commercial or military interests of their country of origin. This contrasts with the average cybercrime where the criminals are attempting to realise a personal monetary gain.
OK, but how does this affect the average SME?
The tactics, techniques and procedures of advanced persistent threats (the TTPs of the APTs) eventually make their way into the criminal realm, where they are used to create new malware, such as new variants of ransomware.
As an example, one of the zero-day vulnerabilities used in the famous (state-sponsored) Stuxnet worm, which attacked uranium enrichment centrifuges in Iran, was copied and used in (criminal) malware to perpetrate cybercrime on an astonishing scale.
Between November 2013 and June 2014, the zero-day vulnerability exploited by Stuxnet was detected by Kaspersky anti-virus software 50 million times, on almost 19 million machines all over the world.
Effectively, the APTs are doing the difficult research and development for the criminals, and that work resurfaces as new means for the criminals to attack businesses.
The recent NotPetya ransomware is believed to have been a false flag: an action that tries either to mislead investigators so that the blame is placed on an innocent party, or to mask the true intent of the attack under investigation.
All indications are that the true intent of NotPetya was to cause disruption within Ukraine whilst masquerading as normal, financially motivated ransomware. To mask that intent, NotPetya was seeded into other countries so that it looked like ordinary ransomware and took the spotlight off Ukraine.
The masking activity, therefore, was to attack businesses in other countries.
The National Cyber Security Centre has attributed NotPetya "with high confidence" to the GRU, the military intelligence service of the Russian Federation. In other words, to APT28.
The significance of that attribution is that the NotPetya attacks can be classified as cyber warfare. That classification has given the Zurich American Insurance Company cause to refuse payment on a cyber insurance policy held by US snack food giant Mondelez, who were infected by NotPetya.
Zurich claim that a policy exclusion for "hostile or warlike action in time of peace or war" by a "government or sovereign power" exempts them from liability.
An understandably unhappy Mondelez are suing Zurich for $100 million.
One of the TTPs employed to compromise a target is to attack and successfully compromise one of the target’s supply-chain companies, who might have weaker cybersecurity.
If the APT can infect or compromise systems used by the supply-chain organisation, the compromise can be passed on to the real target when staff from that organisation visit or email it.
It is for this reason that it is now mandatory for suppliers to military or government contracts to hold the CyberEssentials certification, and to enforce that degree of rigour back down their supply chains, all the way.
That CyberEssentials certification must be pushed back down the supply chain to every organisation that comes into contact with or processes personal data related to the contract.
Pro-Networks have successfully implemented CyberEssentials for many of our customers, across all types of profession. A CyberEssentials accreditation is a convenient and recognised means of demonstrating your company's data protection standards, as well as helping to safeguard your data from attack.
We’d be delighted to discuss your compliance, cyber security and staff awareness training requirements.