Rise of Nation State Threats: How Can Businesses Respond?

Cybersecurity experts discuss the nation-state threats of greatest concern, the different types of attacks, and how organizations can prepare.

Foreign cybercriminals pose a growing threat to enterprise targets, making risk management critical for commercial and government organizations facing increasingly dangerous attacks, according to the findings of a new report detailing the changes in threat actors and their tactics, activities, and motivations over the past six months.

The Flashpoint mid-year update to its Business Risk Intelligence Decision Report aims to inform business decision-makers about different threats so they can prepare to respond.

Major cyber players listed in the report include Russia, China, Iran, North Korea, and Five Eyes (US, UK, Canada, Australia, New Zealand), though the report states Five Eyes does not use its cyber powers for destructive attacks against allied systems. Researchers also listed cybercriminals, disruptive and attention-seeking actors, hacktivists, and jihadi actors.

"Nation states are always going to be at the top of [cyber] capabilities," says Jon Condra, director of East Asian Research and Analysis at risk and threat intelligence firm Flashpoint. "They have the time, resources, everything to carry out these types of attacks."

Condra, who authored the report, specifies Russia and China as two entities "moving rapidly" to solidify their cyber sovereignty. Both are abolishing anonymity and gaining stronger control over content presented to citizens and traffic exiting the country, which he says has big implications for companies doing business in each country.

Iran and North Korea are also on experts' radar, albeit at a lower level than Russia and China. Iran, which doesn't currently have a vibrant cybercrime community, draws attention because of its focus on critical infrastructure. North Korea is "incredibly active," says Condra, and the report cites its ability to hit targets in the US and South Korea.

Tom Kellermann, CEO of Strategic Cyber Ventures, acknowledges the growing trend of foreign entities using cybercriminal groups to launch attacks. This started in eastern Europe, he explains, and has been embraced by the Russians and the Chinese.

"You see other nation states utilizing the same model to increase their own capabilities," he says.

Nation-state actors have also begun to work together, Kellermann notes. The "tech transfer" between Russia and Iran, and between China and North Korea, is "enabling 'B' teams to become 'A' teams so they can collaborate internationally."

Researchers discovered that activity among disruptive actors has quieted in 2017 as law enforcement cracks down on key groups and historical targets improve their security practices. Cybercriminals continued to target organizations this year as a means of collecting personal data and money from large businesses, particularly in healthcare.


Motivations of nation-state actors vary across the players in the space. Financial gain isn't a major part of nation-state attacks for most players, says Condra, but North Korea is the exception.

Dmitri Alperovitch, cofounder and CTO at CrowdStrike, says that while much of North Korea's cybercrime is directed towards South Korea, the country is "notorious" for using cybercrime to monetize and fund its regime. It has been suspected of targeting the banking sector as a means to steal from financial institutions.

Condra cites Russia's attempts at intervening in elections by targeting political organizations. This is driven less by financial gain and more by the goal of stealing intellectual property, which can be used to expose sensitive information or embarrass candidates. Examples of this have been seen in the US, France, and Germany, he explains. 

Alperovitch also acknowledges a focus on data theft among nation-state adversaries. Some actors may "moonlight" and conduct military espionage by day, then use the same capabilities to steal for their own benefit after hours.

Cybercrime isn't only about stealing data for geopolitics or espionage, says Kellermann. Cybercriminals also aim to change and destroy data, which can have broad implications for businesses. He likens this to a burglar burning down a house after taking what they want.

After hackers pillage a brand's intellectual property, they can use the brand and its customers' trust to turn consumers away through business email compromise, malware-laced emails, and other forms of cybercrime. Kellermann says this is increasing with attacks like WannaCry, which created a polymorphic campaign and hit several critical infrastructure systems.


"One of the biggest shifts we've been seeing, increasing steadily over the last few years, is the move to fileless attacks," says Alperovitch. "They're moving away from leveraging malware to using these types of methods."

Threat actors can bypass detection tools that rely on machine learning and signatures by instead using components already present in the environment. Among Russian threat actors, Alperovitch says, he has noticed a trend of leveraging online cloud services to blend in with an organization's normal network traffic.

Once adversaries have a foothold in the business, he explains, some exfiltrate data using Microsoft OneDrive. Admins monitoring the network see encrypted Microsoft traffic but don't notice anything is amiss.
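As an added illustration (not from the article, Flashpoint or CrowdStrike), the Python below sketches the kind of volume-based check a defender can run over proxy logs when the exfiltration channel is legitimate, encrypted Microsoft traffic: because the content is opaque, the usable signal is how much each host uploads to cloud storage relative to its own baseline. The log layout, domain list, sample lines, per-host baselines and the 10x threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines: timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2017-07-10T09:01:12 ws-0142 onedrive.live.com 18432
2017-07-10T09:03:40 ws-0142 onedrive.live.com 22016
2017-07-10T09:05:02 ws-0207 onedrive.live.com 1843200
2017-07-10T09:06:55 ws-0207 onedrive.live.com 2097152
2017-07-10T09:07:31 ws-0099 sharepoint.com 4096
2017-07-10T09:09:10 ws-0207 onedrive.live.com 1572864
"""
# Assumed list of sanctioned cloud-storage destinations to watch.
CLOUD_STORAGE_SUFFIXES = ("onedrive.live.com", "sharepoint.com", "1drv.ms")
# Constructed per-host baselines (bytes/day), e.g. a 30-day rolling average.
BASELINE = {"ws-0142": 50000, "ws-0207": 60000, "ws-0099": 10000}


def parse_proxy_log(text):
    """Yield (host, destination, bytes_sent) for lines in the assumed 4-field layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines rather than crash
        _ts, host, dest, sent = parts
        yield host, dest, int(sent)


def upload_volume_by_host(records):
    """Sum bytes sent per source host, counting only cloud-storage destinations."""
    totals = defaultdict(int)
    for host, dest, sent in records:
        if dest.endswith(CLOUD_STORAGE_SUFFIXES):
            totals[host] += sent
    return dict(totals)


def flag_outliers(totals, baseline_bytes, factor=10):
    """Return {host: ratio} for hosts uploading more than factor * their baseline."""
    # Hosts with no baseline fall back to the fleet median, so a freshly
    # imaged machine is still evaluated instead of silently passing.
    known = sorted(baseline_bytes.values())
    fleet_median = known[len(known) // 2] if known else 1
    flagged = {}
    for host, sent in totals.items():
        base = baseline_bytes.get(host, fleet_median)
        if sent > factor * base:
            flagged[host] = round(sent / base, 1)
    return flagged


if __name__ == "__main__":
    volumes = upload_volume_by_host(parse_proxy_log(SAMPLE_LOG))
    print(flag_outliers(volumes, BASELINE))  # {'ws-0207': 91.9}
```

In practice the baseline comes from the same proxy data over a trailing window, and a flagged host is a lead for EDR triage, not proof of exfiltration.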

While more advanced strategies are on the rise, threat actors continue to rely on traditional and effective forms of breaking in. Spearphishing continues to work, says Alperovitch, and many cybercriminals don't see the need to deviate. Web exploitation and Web compromise are also popular hacking methods.

What can be done?

"There are three things you need to do that are really key to responding to any type of intrusion," says Alperovitch.

Businesses should assume they have been compromised and get a compromise assessment, invest in endpoint detection and response (EDR) for greater visibility, and use that insight to put themselves in the mindset of an attacker, he continues. Those who have a strong security program and leverage EDR are in a better place than those who ignore the problem.

High-profile attacks are motivating organizations to take these threats seriously, says Alperovitch, and business execs are starting to ask CISOs the tough questions: "Have we already been breached?" "How do you know if we have been breached?" "Are you ready?"

Kellermann advises using intrusion suppression to hunt for adversaries already in the network. This method requires businesses to alter their architecture for the purpose of detecting, deceiving, diverting, and containing adversaries who have broken in.

"We can't stop them at the wall anymore, not when they're using NSA capabilities put on dark web forums," he cautions.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
