In April, we commissioned an academic study – Nation States, Cyberconflict and the Web of Profit – showing that nation state cyberattacks are becoming more frequent, varied and open. One of the most notable findings from that report was that there has been a 100% rise in “significant” nation state incidents between 2017 and 2020. Today we are sharing the findings of a global survey of 1,100 IT decision makers (ITDMs), examining their concerns around rising nation state attacks and the risk implications for their enterprises.
Software Supply Chain Attacks by Cybercriminals
72% of respondents said they worry that tools and techniques used in nation state attacks could filter through to criminal threat actors and be used to attack their businesses. Such concerns are well-founded. In recent months, evidence has emerged that techniques used in the SolarWinds supply chain attack have already been adopted by ransomware gangs – a trend likely to continue.
“Tools developed by nation states have made their way onto the black market many times. An infamous example being the Eternal Blue exploit, which was used by the WannaCry hackers. Now, the return on investment is strong enough to enable cybercriminal gangs to increase their level of sophistication enabling them to mimic some of the techniques deployed by Nation States too. The recent software supply chain attack launched against Kaseya customers by a ransomware gang is a good example of this. This is the first time I can recall a ransomware gang using a software supply chain attack in this way.” – Ian Pratt, Global Head of Security, Personal Systems, HP Inc.
Some ransomware-as-a-service (RaaS) groups have become so flush with cash that types of attacks that were previously considered to be only within the capability of nation state adversaries, such as software supply chain attacks, are now within their grasp too. Motivated cybercriminal groups are known to optimize their operations by learning from other attackers about which tactics, techniques and procedures (TTPs) are effective against targets. For example, after operators of Maze RaaS started using data extortion as a tactic to pressure victims into paying ransoms, the other major RaaS operators quickly followed suit. The concern with the Kaseya supply chain attack is that because the attack vector was so effective at infecting many targets, software supply chain attacks perpetrated by financially-motivated threat actors could become a more regular occurrence.
“Previously, an Independent Software Vendor (ISV) with a modest-sized customer base that didn’t supply government or large Enterprise may have been unlikely to become targeted as a stepping-stone in a supply chain attack. Now, ISVs of all types are very much in scope for attacks that will result in compromised software and services being used to attack their customers.” – Ian Pratt, Global Head of Security, Personal Systems, HP Inc.
Beyond the risk from cybercriminals, the survey found more than half (58%) of ITDMs are worried their business could become a direct target of a nation state attack. A further 70% believed they could end up being “collateral damage” in a cyber war. When discussing specific concerns relating to a nation state cyberattack, sabotage of IT systems or data was the main worry, shared by almost half of respondents (49%). Other concerns included:
- Disruption to business operations (43%)
- Theft of customer data (43%)
- Impact on revenues (42%)
- Theft of sensitive company documents (42%).
Further highlighting this risk, the Nation States, Cyberconflict and the Web of Profit report found that the enterprise is now the number one target for nation state attacks.
“This is a very real threat that organizations need to take seriously. Whether defending against a cybercriminal gang using Nation State tools and techniques, or a Nation State itself, organizations are facing an even more determined adversary than ever before. Businesses of all sizes need to re-evaluate their approach to managing cyber-risk in the face of this. There is no single tool or technique that will be effective, so organizations must take a more architectural approach to security. This means mitigation through robust security architectures that proactively shrink the attack surface, through fine-grained segmentation, principles of least privilege, and mandatory access control.” – Ian Pratt, Global Head of Security, Personal Systems, HP Inc.
Nation States, Cyberconflict and the Web of Profit is available to download here.
About the research
The study is based on a Toluna survey of 1,100 IT decision makers in the UK, the US, Canada, Mexico, Germany, Australia, and Japan. Fieldwork was undertaken between 19th March and 6th April 2021. The survey was carried out online.