A new study from HP has reviewed over 200 nation-state cyber incidents going back more than a decade, finding new connections between state-backed hacking groups and the criminal underworld. Cyber attacks of this nature have not only doubled since 2017, but are also increasingly incorporating attacks on physical assets (such as infrastructure).
The researchers believe that nation-states will only increase their use of “espionage, disruption and theft” in the coming years, escalating tensions and pushing the world closer to the brink of advanced cyber warfare.
Nation-state groups step up intelligence campaigns
Called “Into the Web of Profit,” the study incorporates research from HP’s Security for Personal Systems department and the University of Surrey. The actions of nation-state hackers are naturally difficult to research, but the report draws on a wealth of materials leaked by whistleblowers as well as the expertise of some 50 leading researchers in a variety of related fields.
The research finds a consistent escalation in nation-state tensions due to exchanges of cyber attacks over the past two decades, with a particularly sharp increase in recent years. To date, this world of cyber warfare has operated under a veneer of “plausible deniability”; nations generally have a good idea of who did what to whom, but concrete evidence that can be presented to the public is rare.
There has been something of an unspoken agreement to not escalate so long as these cyber attacks mostly involve surveillance and espionage. However, in the last few years there have been signs of that tacit agreement fraying. Nation-states are taking greater and more frequent liberties with each other’s critical infrastructure, even escalating to outright attacks with physical real-world repercussions in at least a few cases.
The report characterizes the growing relationship between nation-states and the cybercrime economy as the “Web of Profit.” Nation-states are increasingly sourcing tools and techniques from these private for-profit actors, and even sometimes engaging them as mercenaries of a sort. In return, the private criminal market has seen an uptick in tools developed by nation-states becoming available to those with enough money or the right connections.
As the situation escalates, the report projects that it will increasingly draw in unrelated businesses and private individuals. There has been an increase in attacks by nation-states on private companies engaged in research or holding intellectual property that they are interested in (coronavirus research being a prominent recent example). State-backed groups are also increasingly looking to supply chains as an entry point to their primary targets, which turns thousands of additional businesses (and potentially their remote workers and cloud services) into targets.
With very little in place in terms of international agreements governing cyber attacks and this consistent increase in tensions, the researchers conclude that the world is closer to “advanced cyberconflict” (ACC) than ever before. This means, in part, nations greatly increasing their budgets for both traditional cybersecurity defenses and for developing new types of cyber attacks. This also means increased reliance on cybercriminals to provide tools and participate in attacks.
This leads to two possible outcomes: either an increasing normalization of severe cyber attacks, including those that do actual physical damage and may lead countries to consider a declaration of open war, or the development of some sort of “cyber-detente” via improved international regulations.
Stats on cyber attacks: Sophisticated nation-state campaigns doubled in 2020
The study finds a 100% increase in nation-state incidents from 2017 to 2021, with an average of 10 publicly attributed attacks in 2020. 40% of the attacks in the past year were directed at targets that include a physical component (such as utilities or industrial control systems), and 20% were tied to some sort of regional conflict.
Additionally, there are now more nation-state attacks intended to cause damage or destruction (14%) than there are attacks aimed at extracting data (8%). Nation-state attackers are also now more interested in enterprises (35% of attacks) than they are in government cyber defense agencies (25%) and other government bodies (12%).
Though more common and aggressive, nation-state cyber attacks are not necessarily becoming more advanced. Only 20% involved tools that the researchers classified as “sophisticated,” and 58% of the experts see these attackers recruiting players from the criminal underground.
Additionally, 10 to 15% of black market sales in this area are now to brokers believed to be supplying government groups, and about 50% of the attacks reviewed involved some sort of relatively simple, commonly available tool of this type. Nation-states are also hunting for weak links in the supply chain, with a 78% increase in attacks on vendors as the initial entry point in 2019.
Experts are not at all optimistic about the situation being defused via cyber-treaty. 70% feel it is necessary, but only 15% see something happening in the next 10 years. 37% say that it could take two decades, and 30% feel that there is no real chance of it ever happening.