Protect and survive: dealing with adversarial nation states

The Russia-Ukraine war has heightened awareness of possible cyber attacks from all nation-state adversaries. Who are the main antagonists and how can businesses and governments protect themselves?

Attacks in cyberspace can have grave physical consequences, as the 2010 Stuxnet cyber attack showed. Believed to have been jointly carried out by the US and Israel, the infamous cyber assault crippled Iran’s nuclear programme after taking over systems and causing centrifuges to tear themselves apart. 

More than a decade later, following Russia’s invasion of Ukraine, there has been a surge in warnings of a similar attack targeting critical infrastructure such as utilities and water supplies. Alerts from officials in the US and UK describe how Russia is constantly scanning business systems, looking for weaknesses through which to attack.

Growing sanctions imposed on Russia make the country a significant cyber threat to the West. So far, Russian cyber attacks have remained relatively unsophisticated, consisting mainly of distributed denial of service (DDoS) attacks – flooding websites with traffic to make them unusable – although Ukraine says attempts to hit its electricity grid have taken place.

But more broadly, the war has heightened governments’ and businesses’ awareness of the threat posed by all nation-state adversaries. Aside from Russia, several other major nation-state players are actively perpetrating attacks on the West, each with differing aims. 

The main hostile nations are China and Russia, with Iran and North Korea “a close second”, says Philip Ingram, MBE, a former colonel in British military intelligence. “They use a mix of state and criminal capabilities, many of which are state-sponsored.”

Some nation-state attackers are aiming for financial gain through government-sanctioned organised crime. One example is the North Korean group Lazarus, which was recently linked to a $625m (£492m) cryptocurrency heist. “Economic constraints limit North Korea’s efforts to bitcoin heists and ransomware attacks – something the West is getting slightly better at thwarting,” says Ian Thornton-Trump, CISO at threat intelligence firm Cyjax.

Other nations are looking to steal business and state secrets. China wants to gain economic advantage through intellectual property, which helps the nation “save billions in development costs”, Ingram says. 

China has a “very capable” cyber section within its military, says Jamal Elmellas, chief operating officer at security consultancy Focus on Security. “They see cyber as an additional weapon in their arsenal.”

Since the Stuxnet attack, Iran’s cyber strategy has been regionally and defensively focused. Thornton-Trump thinks the country is now in watch-and-learn mode as events in Ukraine unfold. “They desperately want to have sanctions removed and conducting a major Iranian cyber campaign would be counterproductive to facilitating those discussions.”

Meanwhile, Russia is focused on diplomatic and military targets as well as influencing through disinformation. “This has been evident in Ukraine, and after interference in elections across the globe,” says Ingram. 

At the same time, part of the Russian threat comes from organised crime. This is not necessarily sanctioned by the government but is “very capable”, says Elmellas.

Hostile nation states are a threat to all businesses, especially if they operate in critical sectors such as utilities, financial services or healthcare. In general, firms developing and fielding new technology should be on alert, Ingram says. 

Those involved in a supply chain are also more likely to be attacked as a route into large organisations such as governments. This happened during the 2020 SolarWinds breach, which saw Russian adversaries gain access to US government departments after attacking an IT software provider.

It is a growing risk for businesses to become part of the fallout of a major global cyber attack, even if they are not themselves a target. “The SolarWinds attack provided adversaries with incidental access to many other businesses which were not themselves targeted,” says Gemma Moore, director at information security consultancy Cyberis.

Other attacks in which businesses became collateral damage include the 2017 NotPetya incident and the WannaCry ransomware attacks. Perpetrated by North Korea, WannaCry brought the NHS to a standstill after hitting multiple organisations via out-of-date Windows XP systems.

Addressing the nation-state threat requires a solid cybersecurity strategy. This starts with “a strong foundation” of the basics, says Ian Usher, deputy global practice lead of strategic threat intelligence at cybersecurity consultancy NCC Group: “Patching, access controls, assessing defensive measures, logging, backups and incident planning.”

Threat intelligence also plays a vital role. “It helps organisations understand their unique place within the landscape so they can tailor intelligence collection around the threats most relevant to them,” he says.

In addition, business culture is integral to protecting against the nation-state threat. Firms need to understand which business data is critical and ensure it is protected from all risks, Ingram advises.

As part of this, cybersecurity should be part of a wider business risk strategy. “The threats should be properly understood so the risk can be mitigated in as cost-effective and business-enhancing a way as possible,” says Ingram, adding that a sound cybersecurity profile is “a real marketing asset”.

Investing in technology is also important. Legacy technical debt will overwhelm firms that have underinvested in IT and security controls, says Thornton-Trump. “Some nation states and cybercriminals will no doubt exploit these opportunities as victim countries struggle to manage the basic necessities of their citizens in an increasingly polarised political climate.”

Overarching this, governance is key, says Elmellas. “It is there for a reason: as the organisation scales up, so should its security capability. You need to be aware of where the boundaries are and secure them – which is even more critical now than ever, as the borders have moved with increased home working. Test your defences; you have to see security as a functional resource.”

Nation-state adversaries will continue to respond, particularly in light of sanctions such as those imposed on Russia by the UK and the US. For this reason, it is important to stay alert – after all, the most damaging attacks are those that go unnoticed.

“The most successful nation-state attacks are those we don’t see or know about,” Ingram warns. “Adversaries can be quietly sitting in a network, watching, listening and stealing what is wanted, rather than perpetrating attacks designed to cause nuisance or harm.”