

Terry Ray

Collateral Damage: When Cyberwarfare Targets Civilian Data

You can call it collateral damage. You can call it trickledown cyberwarfare. Either way, foreign hacker armies are targeting civilian enterprises as a means of attacking rival government targets.

We're in the dawn of the age of global cyberwarfare: Nation-state hackers are knocking out critical infrastructure. They're disrupting lines of communication. They're stealing military technology. They're sowing discord and confusion.

But they're also attacking nonpolitical "civilian" targets — businesses, schools, hospitals, and the like — to reap the rewards of low-hanging political fruit. These attacks comprise what some call "trickledown cyberwarfare," and these civilian data stores are the new battleground.

For example, about three years ago, the US Department of Defense issued a warning that foreign nation-state hackers were targeting not only government contractors with advanced persistent threats (APTs), but also academic institutions. The FBI reportedly issued a similar warning on the same day, indicating that Chinese hackers were equally interested in compromising sensitive data held by commercial enterprises in the US – specifically including companies in aerospace, entertainment/media, healthcare, and telecommunications networks.

Both warnings came on the heels of a substantial attack originating in China against the University of Virginia — specifically targeting two employees conducting work related to China. The school was noted for its numerous connections to large government contractors and intelligence agencies in the US, as well as to the DoD in general.

The Attraction of Civilian Data Targets
Unfortunately, this is par for the course for private-sector businesses and NGOs. Sometimes the breach is to get a critical piece of political or military information to be used later. Sometimes it's to steal intellectual property or research so that the hacking nation can get a competitive boost in economic and/or military might. Sometimes it's to cull some personal information about someone with the right security clearance — which may mean orchestrating a super-breach, compromising several million other accounts along the way.

Notably, these breaches aren't about anything so pedestrian as identity theft or credit card fraud. Instead, the goal is to use the information gleaned as a jumping-off point — to allow escalated access to yet more critical information. This is especially the case with healthcare organizations, where the right juicy health-record tidbit about a well-placed employee (or family member thereof) of a government arm can be used to extort some small amount of extra information or escalated access, turning that employee into an inside-attack threat.

This may sound conspiracy-theory-esque, but enterprises have been seeing these very real threats over the past few years — and will see them in greater numbers through 2019 and beyond. Nation-state hackers aren't going after the private sector and academia in the absence of anything better to do. They're doing it because their efforts can pay off big dividends in the long run when it nets them secret and useful economic, military, and national-security information down the road.

Plus, it's often a heck of a lot easier to hack a company or academic institution than it is to hack a federal agency or military contractor because the former isn’t often paying enough attention. It may know where its data originated or is supposed to be, but it may not be able to identify all of the places where its data has migrated.

And that's assuming we're talking about data that a given organization already perceives as important. As we've seen with these types of attacks, though, one man's junk is another man's treasure.

How to Duck and Cover
Therefore, organizations need to be far more informed about their data — and not just the data they perceive as top priority. To best guard their data stores, organizations have to rely on more than their internal priorities alone because so many other perspectives and variables are at play.

The only thing they can do, then, is to watch their data. All of it.

This task is less daunting when applied as the first, foundational step of an infosec strategy. Once you've begun monitoring all data across the board, you can easily apply analytics to the activity logs generated from your data monitoring, building a model of your entire data user population. Now you can more effectively analyze all user-data interactions — without yet having had to identify (much less prioritize) a single bit of data.
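As an added illustration of the approach described above (example code, not Imperva's or the author's), the following builds a per-user baseline from database activity log lines and flags later accesses that deviate from it, without first deciding which tables matter. The log format, user names, tables and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed audit log lines (not real data): a baseline window, then events to score.
BASELINE_LOG = """\
2019-02-11T09:12:03Z user=alice db=hr table=employees op=SELECT rows=12
2019-02-11T11:02:17Z user=alice db=hr table=payroll op=SELECT rows=15
2019-02-12T09:30:00Z user=bob db=research table=grants op=SELECT rows=40
"""
NEW_LOG = """\
2019-02-20T09:15:00Z user=alice db=hr table=employees op=SELECT rows=10
2019-02-20T02:41:09Z user=alice db=hr table=employees op=SELECT rows=4800
2019-02-20T13:20:30Z user=bob db=hr table=payroll op=SELECT rows=3
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) "
                     r"table=(?P<table>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$")
def parse(log):
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):  # malformed lines are skipped
        e = m.groupdict()
        e["rows"], e["hour"] = int(e["rows"]), int(e["ts"][11:13])  # row count, UTC hour
        e["obj"] = f"{e['db']}.{e['table']}"  # the data object touched
        events.append(e)
    return events

def build_baseline(events):
    # Per user: every db.table touched and the largest single-query row count seen
    model = defaultdict(lambda: {"objects": set(), "max_rows": 0})
    for e in events:
        p = model[e["user"]]
        p["objects"].add(e["obj"])
        p["max_rows"] = max(p["max_rows"], e["rows"])
    return model

def score(e, model, work_hours=(7, 20), volume_factor=10):
    # Reasons an access deviates from that user's own baseline (empty list = normal)
    p = model.get(e["user"])
    if p is None:
        return ["user not seen in baseline"]
    reasons = []
    if e["obj"] not in p["objects"]:
        reasons.append(f"first access to {e['obj']}")
    if e["rows"] > p["max_rows"] * volume_factor:
        reasons.append(f"row count {e['rows']} far above baseline {p['max_rows']}")
    if not work_hours[0] <= e["hour"] < work_hours[1]:
        reasons.append("outside working hours")
    return reasons

def find_anomalies(baseline_log, new_log):
    model = build_baseline(parse(baseline_log))
    return [(e["ts"], e["user"], r) for e in parse(new_log) if (r := score(e, model))]
```

On the constructed input, the routine flags alice's 4,800-row query at 02:41 and bob's first-ever read of hr.payroll, while alice's routine daytime query passes unremarked.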

After all, whether they are common criminals or sophisticated cyberwarriors, we know that attackers will always want to break into our databases. So we need to be looking at the databases. Otherwise, we're asleep at the switch.

Terry Ray has global responsibility for Imperva's technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for ...

User Rank: Strategist
2/26/2019 | 4:56:26 AM
What's the objective
From what I've seen on civilian security breaches where their private information has been compromised, the objectives seem to be more aligned towards discrediting the government or statutory boards where the information is supposed to be held. It's an interesting tactic...
User Rank: Moderator
2/11/2019 | 12:35:37 AM
Laymen attacked
We should be more concerned about the invasive nature of hacking. This is because today, hackers are hitting the ground more as compared to previous attempts of just focusing on major corporations. Laymen are now affected as well, which is getting scarier as we speak. Confidential data which we would have previously deemed as safe is now at stake.