Like a bizarro-world DARPA (Defense Advanced Research Projects Agency), the military and defense organizations of foreign states hostile to the United States and allied Western nations have been driving innovation among international cybercrime organizations. While the objectives of Russia, North Korea, China, Iran and other US adversaries may be geopolitical, their well-financed and highly organized hacking operations provide strategies that criminal elements are increasingly adopting. Moreover, the data exposed and leaked to the Dark Web by state-sponsored threat actors is supercharging the efforts of criminals whose motivations are purely financial, as opposed to the ideological aims of hostile state actors.
It can be difficult to quantify how many of the ransomware attacks and other data breaches plaguing businesses and other private organizations find their origins in state-sponsored attacks. Yet it would be imprudent to brush off the connection or to assume that private companies and non-governmental organizations aren’t at increased risk due to the activities of hostile foreign government hacking operations. This paper will demonstrate that this risk is not a mirage. More importantly, it will illustrate the mechanisms by which state-sponsored hacking techniques are both actively and passively adopted by unaffiliated threat actors, and how the deep pockets of foreign governments’ intelligence agencies are producing advancements that represent a threat to the information security of all organizations.
Data Illustrating the Increase of State-Sponsored Privacy Threats
From 20% to 40% in a Single Year
In its 2022 Digital Defense Report, Microsoft noted that nation-state activity against critical infrastructure had doubled: in the space of one year, the share of state-sponsored attacks directed at critical Western infrastructure jumped from 20% to 40%. While these numbers, the report noted, are still smaller than the number of attacks perpetrated by insiders – especially in the financial and healthcare sectors – Microsoft nevertheless began delivering “nation-state notifications” (NSNs) to its customers. These alerts are delivered when organizations or account holders are compromised by nation-state activity. Clearly, the need for such an alert is increasing.
The Digital Defense Report also identified the top nation-state actors actively targeting customers, naming Russia, China, Iran and North Korea – all adversaries of the US and the Western alliance. The report further identified IT service providers as the primary targets of these attacks, which makes sense, as IT providers are a gateway to gaining illicit access to downstream clients in the government, policy and infrastructure sectors.
53% of Nation-State attacks targeted the IT sector, NGOs, think tanks and the education sector
“The sophistication and agility of attacks by nation state actors will continue to evolve. Organizations must stay informed of these actor changes and evolve their defenses in parallel” says John Lambert, Corporate Vice President and Distinguished Engineer, Microsoft Threat Intelligence Center. Microsoft warns that cyber actors have become more brazen and aggressive as geopolitical relationships have broken down. Wars in Ukraine and the Middle East and other unrest globally only serve to further inflame this dynamic.

Image from Microsoft’s 2022 Digital Defense Report
Despite the rising intensity of nation-state threats, Verizon’s 2023 Data Breach Investigations Report (DBIR) reports that the actual number of breaches attributed to these actors remains limited. Verizon’s researchers found that actual breaches are still largely traced back to organized crime groups in more than 70% of cases. Meanwhile, end-user (internal) threats lead to breaches more often than state-based attacks. However, it is the remainder – the 25% to 30% of cases – that is contributing to the exponential improvement in tactics and methods now trickling down to common cyber criminals. And the frequency of such attacks is expected to increase.
The Motives of State Sponsored Threat Actors
The motives of garden-variety hackers – the non-governmental ones, anyway – fall generally into two buckets. There are those who attack large information systems for financial gain: criminal types who deploy ransomware and extort large sums, steal identities for financial exploitation, or simply steal PII to sell on the dark web. Then there are those who consider themselves “hacktivists”, breaching systems to advance a religious or ideological position. State-sponsored hackers, by contrast, are motivated by geopolitical goals. The Digital Defense Report provides a synopsis of the motivations driving the hacking activities of the leading governmental sponsors of cyber attacks.
Russia
Russia stepped up cyber operations leading up to and throughout its ongoing invasion of Ukraine. Russian operators exploit weaknesses in Western social media, traditional media and financial systems to seed propaganda and exert corrupting influence over US elections. The goal is to weaken Western support for Ukraine and to undermine NATO and other structures of democratic governance in the world.
China
The Chinese government has long engaged in more prosaic hacking activities. For the Chinese government, the goal is to gain competitive economic advantage. Theft of intellectual property is frequently the objective, as a way to short-circuit the costly and time-consuming process of research and development. By bringing innovative products to market much more quickly and cost-effectively, hacked and stolen business secrets help China continue to grow its industrial base at a fraction of the cost expended by Western nations acting ethically.
Iran
Motivated by religious and political animus, the Iranian government has stepped up cyber attacks against Israel and its global supporters in the West. Unable to reliably prevail in direct military conflict with Israel and the United States, the Iranian regime seeks to destabilize Western governments and inflict suffering on its regional enemies.
North Korea
The hermit kingdom, isolated from the global economy by sanctions, targets numerous kinds of organizations: aerospace and defense companies, to gain military technology it is unable to access on world markets; cryptocurrency and other financial organizations, to generate the revenues it lacks due to restricted market access; and aid organizations and other targets, to build its defenses, boost its internal economy and retain domestic control over its oppressed populace.
Bleeding Edge Hacking Tech Jumps from State-Sponsored Threat Actors to Garden Variety Cyber Criminals
The line between foreign intelligence services and organized/semi-organized criminal enterprises is blurring in real time. As well-financed, hostile governments work on leveraging the latest tech to undermine global adversaries, the advances they’re making and the successes they enjoy are being closely studied and adopted by common hackers – those interested more in financial gain than global hegemony.
It is also likely safe to assume that some of the same individuals working within hostile foreign intelligence services are either using the techniques they develop for their government to moonlight for personal gain, or selling knowledge of these innovative practices outright to the highest bidder among organized crime syndicates. Microsoft’s Nation-State Threat Report coins the term “cyber mercenaries” to describe this kind of activity.
Whatever the pathways for the dissemination of these potent new strategies, it is indisputably clear that this advanced knowledge is being adopted and embraced by threat actors both within and outside of governmental channels.
How Intel Practices of Military and Government Intelligence Agencies are Being Applied to Criminal Hacking Activity
Benedict Collins of TechRadar explores how state-backed threat actors have been harnessing the advanced, built-in language support of OpenAI models and other powerful emerging technologies to improve their ability to effectively target foreign adversaries. Gone are the days when a phishing attack was easily identified by the poor syntax and grammar that exposed the source as a non-native English speaker and a fraud. Using this language support, Iranian, Russian, North Korean and other hostile intelligence agencies are able to establish legitimate-looking professional relationships with the targets they seek to infiltrate far more convincingly.
Google also confirms reports that hackers have been using Large Language Models (LLMs) to collect information about the industries and physical locations of target victims. This provides the hackers with contextual insight into personal and business relationships, which can then be leveraged more convincingly in social engineering attacks.
A large language model is a type of artificial intelligence algorithm that uses deep learning techniques and massively large data sets to understand, summarize, generate and predict new content. The term generative AI also is closely connected with LLMs, which are, in fact, a type of generative AI that has been specifically architected to help generate text-based content.
Definition of Large Language Models
Collins writes, “North Korean linked [hacker] group Emerald Sleet has been observed using LLMs to learn how to exploit critical software vulnerabilities that are publicly reported, generate content to use in spear phishing campaigns, and identify organizations that gather information about North Korean nuclear and defense capabilities.”
CrowdStrike, a leading cyber risk management solution provider, has issued its “2024 CrowdStrike Global Threat Report”, in which the cyber threat landscape is defined and explored in deep detail. The exhaustive report chronicles the acceleration in speed and ferocity of cyber-attacks, showing how Western adversaries are using the latest AI and other technology to compress the time between initial entry, lateral movement and breach. Specifically, the report notes how the rise of generative AI lowers the barrier to entry for low-skilled threat actors (such as common cyber criminal elements) to develop attacks that are more sophisticated and state of the art.
The report warns that governments and private organizations alike “are entering an era of a cyber arms race where AI will amplify the impact for both the security professional and the adversary.” In sixty-one pages, the report delivers a trove of critical insight and observations into threat actors’ activities. Breaking down the entire global threat environment, the CrowdStrike report includes detailed assessments of threats emanating not just from the four nations identified in the Digital Defense Report referenced earlier, but also from governmental intelligence agencies within Vietnam, Syria, Pakistan, the Republic of Georgia, Colombia, India and Turkey.
Real World Examples of “Hacktivity” Among State-Sponsored Threat Actors
CrowdStrike’s Global Threat Report spends time examining the full array of methodologies and strategies used by nation-state threat actors, as well as by the hacktivists and cyber criminals learning from them. Several of the broad themes identified in that document are directly tied to the external data privacy concerns at the heart of the Privacy Bee for Business platform. It is against these strategies that Privacy Bee for Business is best equipped to provide a mitigating defense.
Theme One – Identity-Based & Social Engineering Attacks
Continued exploitation of stolen identity credentials and increasingly sophisticated methods leveraging AI and other emerging tech are being used to gain initial access by hostile nations and their criminal emulators.
CrowdStrike says, “Adversaries spanning multiple motivations and regions continue to use phishing techniques spoofing legitimate users to target valid accounts, as well as other authentication and identifying data, to conduct their attacks. In addition to stealing account credentials, CrowdStrike observed adversaries targeting API keys and secrets, session cookies and tokens, one-time passwords (OTPs) and Kerberos tickets throughout 2023.”
According to CrowdStrike, the Russian-affiliated threat actors “Fancy Bear” and “Cozy Bear” conducted ongoing credential collection campaigns throughout the last year, focusing on specially crafted spear-phishing emails and, in some cases, exploiting Microsoft Teams messages to solicit multifactor authentication codes for Microsoft 365 accounts.
Theme Two – Increasingly Sophisticated Social Engineering Campaigns
As a crystal-clear example of the adoption of state-sponsored threat actors’ methodologies, CrowdStrike recounts the actions of the hacker group known as “Scattered Spider”. The Global Threat Report notes that over the last year this criminal hacker collective conducted sophisticated social engineering campaigns, employing tactics like SMS phishing (smishing) and voice phishing (vishing) to harvest credentials, obtain passwords and initiate multifactor authentication resets on highly researched and targeted accounts – a practice perfected by state-sponsored actors. These deliberate targets often included employees in information security and other IT-related roles, carefully selected for their utility in supporting lateral movement and further account compromise once security processes had been sidestepped.
Theme Three – Third-Party Relationship Exploitation
The Global Threat Report reveals a dire fact that Privacy Bee for Business has been warning about for some time. Quoting the report here since we couldn’t say it any better ourselves.
“Throughout 2023, targeted intrusion actors consistently attempted to exploit trusted relationships to gain initial access to organizations across multiple verticals and regions. This type of attack takes advantage of vendor-client relationships to deploy malicious tooling via two key techniques:
- compromising the software supply chain using trusted software to spread malicious tooling and
- leveraging access to vendors supplying IT services.
Threat actors targeting third-party relationships are motivated by the potential return on investment (ROI): One compromised organization can lead to hundreds or thousands of follow-on targets. These stealthy attacks can also more effectively provide an opportunity for attackers seeking to exploit a hardened end target.”
As noted earlier in this paper, cyber criminals (and the state-sponsored threat actors they emulate) are increasingly focused on IT vendors. IT vendors are attractive for several reasons: they routinely have high-level access to secure and critical information systems containing valuable data, and their products and services allow for easy lateral intrusion once initial defenses have been breached.
These realities reveal the weakness in most organizations’ cyber security practices, particularly with regard to external data privacy. For organizations that already focus on securing external data (a small but growing cohort, thanks to the efforts of Privacy Bee toward raising awareness of this critical vulnerability), external data privacy management practices go a long way toward protecting them against data privacy-related breach threats. Undeterred, threat actors are targeting third-party IT providers (and other partners) with sophisticated social engineering attacks, since it is much less likely that any organization extends its data privacy defenses to cover all of its third-party relations. As a result, many breaches are succeeding by attacking integrated third-party information systems.
Read More: Privacy Bee for Business White Paper, “The Shortcomings of Third-Party Risk Management and How to Get it Right for Your Organization” elaborates on this particular set of risks and provides guidance on how to cover this vulnerability.
Perhaps even more insidious, however, are third-party attacks targeting the software supply chain. There are two reasons why software supply chain attacks are even more devastating than most. First, nearly all organizations have grown increasingly reliant on software to automate and manage a broad array of internal business processes. HR management, financial management, procurement, supply chain logistics management and many other business processes now run on software solutions, which expose a new and dangerous attack vector. As a result, malicious code injected into expansive enterprise software platforms can exist, undiscovered, for a very long time, enabling exfiltration of data on a massive scale without detection. Second, most organizations – even those with robust internal development resources building custom applications – routinely use code sourced through a wide array of channels, making it very easy to unwittingly inject malicious code into internal applications, even ones that are not web-enabled at all.
According to current data from Statista, year-over-year growth in open-source software supply chain attacks between 2019 and 2023 has been extensive, with 280% growth in 2023 representing double the sum of all attacks reported between 2019 and 2022. The following chart from Statista illustrates the 2020 to 2022 period.
YoY GROWTH IN OPEN-SOURCE SUPPLY CHAIN ATTACKS WORLDWIDE FROM 2020 TO 2022

Image: Statista
Read More: Privacy Bee for Business White Paper, “Supply Chain Attacks are On the Rise – A Primer on Supply Chain Privacy Risk” elaborates on how supply chains – both software and physical – are being exploited and what organizations must do to reduce their risk.
Conclusions
This corner of information security – the external data privacy segment – is evolving as quickly as the cutting-edge threats emanating from the military and government intelligence agencies arrayed against Western governments and enterprises. However, awareness and adoption of external data privacy as the most important emerging attack surface is lagging behind the expansion of efforts on the part of threat actors – both state-sponsored actors and the criminal organizations emulating their strategies.
The reality is that most organizations attempting to stem this tide of AI-enabled social engineering, perfected by heavily resourced intelligence agencies, are showing up to a gun fight armed with a knife.
The good news is that there are immediate, highly cost-effective steps any organization can take to implement an effective defense against the arrayed forces of state-sponsored and organized criminal threat actors. Privacy Bee for Business delivers a platform specially tailored to address the most pressing need facing information security leaders today – external data privacy protection, management and risk mitigation.
The platform provides no-cost tools for Employee Risk Management, External Data Privacy Audits and Privacy Risk Assessments. Taking these no-cost steps produces measurable data on existing risks and actionable strategies for plugging the vulnerabilities. Privacy Bee for Business also delivers a proven-effective method not only for protecting the customer organization against bleeding-edge hacking and data breach tactics, but also for extending Vendor Risk Management functions to cover third-party relationships, ensuring that robust protection isn’t undermined at weak points.
