Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Terry Ray
Terry Ray
Connect Directly
E-Mail vvv

Collateral Damage: When Cyberwarfare Targets Civilian Data

You can call it collateral damage. You can call it trickledown cyberwarfare. Either way, foreign hacker armies are targeting civilian enterprises as a means of attacking rival government targets.

We're in the dawn of the age of global cyberwarfare: Nation-state hackers are knocking out critical infrastructure. They're disrupting lines of communication. They're stealing military technology. They're sowing discord and confusion.

But they're also attacking nonpolitical "civilian" targets — businesses, schools, hospitals, and the like — to reap the rewards of low-hanging political fruit. These attacks comprise what some call "trickledown cyberwarfare," and these civilian data stores are the new battleground.

For example, about three years ago, the US Department of Defense issued a warning that foreign nation-state hackers were targeting not only government contractors with advanced persistent threats (APTs), but also academic institutions. The FBI reportedly issued a similar warning on the same day, indicating that Chinese hackers were equally interested in compromising sensitive data held by commercial enterprises in the US – specifically including companies in aerospace, entertainment/media, healthcare, and telecommunications networks.

Both warnings came on the heels of a substantial attack originating in China against the University of Virginia — specifically targeting two employees conducting work related to China. The school was noted for its numerous connections to large government contractors and intelligence agencies in the US, as well as to the DoD in general.

The Attraction of Civilian Data Targets
Unfortunately, this is par for the course for private-sector businesses and NGOs. Sometimes the breach is to get a critical piece of political or military information to be used later. Sometimes it's to steal intellectual property or research so that the hacking nation can get a competitive boost in the economic and/or military might. Sometimes it's to cull some personal information about someone with the right security clearance — which may mean orchestrating a super-breach, compromising several million other accounts along the way.

Notably, these breaches aren't about anything so pedestrian as identity theft or credit card fraud. Instead, the goal is to use the information gleaned as a jumping-off point — to allow escalated access to yet more critical information. This is especially the case with healthcare organizations, where the right juicy health-record tidbit about a well-placed employee (or family member thereof) of a government arm can be used to extort some small amount of extra information or escalated access, turning that employee into an inside-attack threat.

This may sound conspiracy-theory-esque, but enterprises have been seeing these very real threats over the past few years — and will see them in greater numbers through 2019 and beyond. Nation-state hackers aren't going after the private sector and academia in the absence of anything better to do. They're doing it because their efforts can pay off big dividends in the long run when it nets them secret and useful economic, military, and national-security information down the road.

Plus, it's often a heck of a lot easier to hack a company or academic institution than it is to hack a federal agency or military contractor because the former isn’t often paying enough attention. It may know where its data originated or is supposed to be, but it may not be able to identify all of the places where its data has migrated.

And that's assuming we're talking about data that a given organization already perceives as important. As we've seen with these types of attacks, though, one man's junk is another man's treasure.

How to Duck and Cover
Therefore, organizations need to be far more informed about their data — and not just the data they perceive as top priority. To best guard their data stores, organizations have to rely on more than their internal priorities alone because so many other perspectives and variables are at play.

The only thing they can do, then, is to watch their data. All of it.

This task is less daunting when applied as the first, foundational step of an infosec strategy. Once you've begun monitoring all data across the board, you can easily apply analytics to the activity logs generated from your data monitoring, building a model of your entire data user population. Now you can more effectively analyze all data user-data interactions — without yet having had to identify (much less prioritize) a single bit of data.

After all, whether they are common criminals or sophisticated cyberwarriors, we know that attackers will always want to break into our databases. So we need to be looking at the databases. Otherwise, we're asleep at the switch.

Related Content:



Terry Ray has global responsibility for Imperva's technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
2/26/2019 | 4:56:26 AM
What's the objective
From what I've seen on civilian security breaches where their private information has been compromised, the objectives seem to be more aligned towards discrediting the government or statutory boards where the information is supposed to be held. It's an interesting tactic...
User Rank: Moderator
2/11/2019 | 12:35:37 AM
Laymen attacked
We should be more concerned of the invasive nature of hacking. This is because today, hackers are hitting the ground more as compared to previous attempts of just focusing on major corporations. Laymen are now affected as well which is getting scarier as we speak. Confidential data which we would have previously deemed as safe is now at stake.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...