Nation States and Cybercrime: What You Should and Shouldn’t Worry About

Intrusion Team
Sep 10, 2021

A recent report from HP Wolf Security, Nation States, Cyberconflict and the Web of Profit, shows that “nation state cyberattacks are becoming more frequent, varied and open; moving us closer to a point of ‘advanced cyberconflict’ than at any time since the inception of the internet.”In addition to the analysis of nation-state cyberattacks, the findings paint a clear picture of escalations in tensions, supported by increasingly complex structures that intersect with the underground cybercrime economy – referred to as theWeb of Profit.

A key finding is that nation states are engaging with and profiting from said Web of Profit. Nation states are buying tools and services from the dark web, while tools developed by nation states are also making their way onto the black market such as the Eternal Blue exploit that was used by the WannaCry hackers in 2017.

Defining the Problem

Depending on who you are and your professional occupation, when someone says “nation state,” it could have several meanings.A good way to think about nation states in relation to cyberattacks and cybercrime is broken down by an expert on Twitter who laid out four relationships:

  • State-Operated: e.g., government organizations (think military) with hands-on government organization keyboards hacking their adversaries
  • State-Affiliated: extracurricular activities by government units and contractors
  • State-Sponsored: government agencies providing indirect funding to non-affiliates
  • State-Tolerated: government allowing cybercrime actors to target and act anywhere but in the nation-state homeland.

All of these are 100% accurate.The nerve-wracking part is Michael McGuire’s statement in the executive summary: “By deploying new kinds of analysis of the incomplete data we do possess, coupled with expert knowledge to fill in the gaps, we suggest that what follows offers a new basis for developing more informed, better-directed responses to the Nation State threat.” It’s that “better directed responses to the Nation State threat” part that is bothersome.

Some Twitter circles of INFOSEC experts have had recent discussions regarding individuals who are fed up with the pace of cybercrime and want to strike back…with the US government indirectly granting permission by turning a blind eye.However, that would be illegal.As a matter of fact, there is no act of retribution possible besides turning to the courts.The problem with getting to the courts (especially International) is that no matter how much evidence anyone has ever produced that link a nation state to cybercrime or cyber pilfering of intellectual data, the most accused countries (China and Russia), have adopted an answer straight out of Eddie Murphy’s Raw monologue:“Wasn’t me.” And so far, it’s working. Nothing happens.

Might Makes Right, But it Might be Wrong

Another theme of the HP Report is cyber-competition, cyber-conflict, and advanced cyber-conflict. We see little value in breaking these down to this level.There is competition below the level of conflict and then there is conflict.Again, not long ago I was engaged in discussions with other INFOSEC experts about mapping out how a ransomware attack could lead to an actual conflict between two nation-states.It proved to be much harder than most of us imagined.

Better directed responses to nation-state threats could mean a lot of things.None are described in HP’s report, except a leaning in the report towards International Law on cybercrime that would finally be nice to have and see used.But what nation state is going to sue itself and throw itself in jail for funding and sponsoring a cyber reconnaissance mission against a large US energy distribution network?The best response is todefend your network as they do – like your life and livelihood depend on it.

More of the Same, Only Different

Move over MITRE ATT&CK and get ready for SOTTT (HP’s new analytic tool) to help quantify what, who, where, and why nation state attacks occur and how to fill in gaps in understanding concerning such attacks.Their research provides new matrices and methods, but if you’ve been in the business for a few years or more, you’ve seen it all before.

HP makes assertions based on survey respondent answers such as: “The impression of Nation States’ direct involvement in cybercrime appears to be becoming more widespread; almost two thirds (65%) of the respondents to our expert survey believe it is possible for Nation States to make money out of cybercrime – an opinion that has also been acknowledged by the major international cybersecurity agencies.” Anything is possible.But it’s becoming more widespread because survey respondents believe it’s possible?

However, two cases do make sense.With the level of global restrictions and sanctions on North Korea and Iran, it should surprise no one if both engage in this type of activity regularly. HP’s analysis of North Korea’s Lazarus APT group is very convincing.

The Bottom Line

As dire as the HP report seems, it is a fantastic 101 Guide to helping understand how nation states may play a larger role in cybercrime than we think.The bottom line is twofold:

  1. It doesn’t matter. You must assume, regardless of your business, that everyone foreign and domestic are out to get you – your proprietary information, your customer data, or just plain digitally rob and extort you for many thousands if not millions of dollars.This happens the instant your business goes live on the internet on any platform. Once you’ve done that, you’ve stepped onto the battlefield.
  2. The one and only thing you can legally do about it is defend your enterprise with everything you have. You cannot hack-back, shoot-back, take revenge, go after, respond, or make better-informed respond actions.You can identify, conduct incident response, and perform forensics, mitigate, recover, reconstitute…and get back to business.You could also tie both hands to both feet and call your best lawyer and maybe find some decent cyber insurance.

We believe that while these reports are often thoughtful and interesting, they do not always help CISOs and IT decision-makers do their jobs.While you’re hypothesizing the SOTTT analysis on why a Chinese IP is suddenly attempting a brute force attack on your inventory database; your secretary just clicked a link in a legitimate-looking email and an Iranian dropper installs itself on her desktop and begins mapping your network. You can ignore lots and lots of statistics, survey results, matrixes, categorizations, and sub-categorizations.

What you should do is consider your IT security approach thoroughly, thoughtfully, and carefully.Things to think about:

  • How many layers of security do you need?
  • Are you spending enough IT budget on security?
  • Have you achieved Zero Trust status at all layers and levels of your enterprise?

If you need help with your security posture, feel free to reach out to us. Or check out our recently released Cybersecurity Confidence Report.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.