The line between state and non-state cybercriminals continues to blur. Currently, the main actors of cyber threats remain Russia, China, Iran, North Korea and the cyber criminals sponsored by them.
Outside the scope of Western law and law enforcement, hackers from these countries pursue different goals, and their states have a diverse set of motivations. Yes, North Korea needs a financial component to support Kim Jong-un’s regime, bypassing international financial sanctions. Although the state uses subversion and disinformation against South Korean targets, it is the state that acts as a criminal group. In turn, Russia, China and Iran pursue the achievement of political, military and industrial goals. The Russian government is focused on espionage (particularly in the energy sector), disinformation and coercion. Russian cybercriminals are focused on financial gain, and their actions are tolerated (if not encouraged) by the Kremlin. China is involved in massive intellectual property theft. Iran’s focus is on Israel and the Gulf states, as well as energy companies.
A recent cyber security survey found that 74% of respondents believed that their organization had been attacked by government-sponsored hackers in the 18 months prior to the survey, with 32% of respondents very confident. And although 18% of respondents expect that this will be a problem in the future, 8% expressed the opinion that they do not expect an effective solution to this problem at all (this opinion is shared by respondents whose organization belongs to the list of critical infrastructure objects). According to the estimates of representatives of the organization from the cyber defense sector, on average, a nation state attacked them twice within 18 months. 42% blame a cybercriminal group acting on behalf of an unknown nation-state. This percentage increases slightly for those organizations that expect to face such a threat in the future, to 44%. This remained true for most of the countries analyzed, with the exception of Germany and Australia, where organizations were more likely to suspect that the Russian Federation was behind the incident (44% and 47%, respectively). Respondents may have focused more on the Russian Federation, given the publicity surrounding incidents attributed to Russian-sponsored hackers that occurred around the time the survey was conducted. In Australia, China is also seen as a potential threat, with 46% of respondents suspecting that China is behind incidents targeting their organizations.
In addition to cybercriminal groups carrying out attacks on behalf of governments, it is widely believed that nation-states build their cyberattack arsenals in collusion with international cybercriminal groups, sharing tools, techniques and skilled professionals.
However, in the case of anticipation of future incidents, respondents shifted to the perception of China as the most likely actor (46%). Russia and groups of cybercriminals acting on behalf of unknown states are leading by a small margin — 44% each. Although the response from organizations that have been attacked in the past 18 months and those expected to be attacked is small, the responses show how organizations assess this threat, which is indicative of their preparedness. China and Russia are the countries most often identified as attackers by most organizations. This is consistent with other research showing that they are the most active cyber-attackers of any other state-based attacker. Although the baseline number of respondents in each sector who identified the most likely participant in a future cyber incident was low, the responses indicate differences in threat perceptions and expectations between sectors regarding the likely participant in a past and future cyber incident:
Sectors that consider Russia the most likely participant in a past cyber incident:
– media and telecommunications (59%);
– banking, financial services and insurance (45%);
– oil, gas and utilities (35%);
Sectors that consider Russia the most likely participant in a future cyber incident:
– logistics and transport (75%);
– media and telecommunications (53%);
– health care (43%);
Sectors that consider China the most likely participant in a past cyber incident:
– health care (52%)
– production (51%)
– distribution and transport (37%)
Sectors that consider China the most likely participant in a future cyber incident:
– IT and computer services (70%)
– government (57%)
– production (44%)
This distribution by sector corresponds to the pattern of cyber activities of these states. Energy, for example, is a likely Russian target because of the importance of the energy industry to Russia, while attacks on telecommunications companies could support other espionage activities.
Data, IP and network security architecture remain the primary targets of cybercriminals. 48% of respondents who believe they have been the victim of an incident involving state-sponsored hackers cited access to consumer data as a motivation for cyberattacks, followed by access to confidential information (46%) and theft of intellectual property (37%). The collection of information about cybersecurity protections and processes, with 42% saying that cyberattacks target this data, may indicate a particular interest in gathering information that can assist in future attacks. In terms of personal data, while cybercriminals can use this data for financial gain, nation-states appear to be obtaining personal information for espionage or counterintelligence.
10% of surveyed organizations still do not have a cyber security strategy. Organizations that have developed cyber incident response strategies (especially those providing guidance on government incidents) have a higher level of confidence in distinguishing between government and non-government cyber incidents. Only 27% of respondents said they were completely confident in their organization’s ability to distinguish cyberattacks by an enemy state from other cyberattacks. Survey respondents indicated that limited skills, outdated network technologies and security tools increase vulnerability. Most respondents (over 90%) say they have shared information about attacks, but not always complete information about the attack or its consequences. About 9 in 10 respondents believe their government should do more to support organizations (91%) and protect critical infrastructure (90%) from enemy state-sponsored cyberattacks.
Communication between the public and private sectors is critical to countering hostile state-sponsored cyber threats. Governments can provide advice and information that identifies both specific threats and vulnerabilities as well as broader trends and inform companies of developments, but this can only be improved if there is sufficient sharing of information from the private sector to ensure that government is also aware of incidents in the field of cyber security.