Nation-state cyber attacks double in three years

Nation state-backed cyber attacks are becoming more widespread, varied and open than ever before, with the number of significant incidents doubling between 2017 and 2020, according to the University of Surrey’s senior lecturer in criminology, Mike McGuire, who argues that the world is moving closer to a point of advanced cyber warfare than at any time since the inception of the internet.

In a newly released study sponsored by HP Inc, McGuire analysed more than 200 cyber security incidents linked to nation-state activity in the past 11 years, drawing on first-hand intelligence gathering from informants active on the dark web, and consultation with a panel of experts in cyber security, intelligence, government, law enforcement and academia. The report paints a concerning picture of escalating tensions supported by complex structures that tightly intersect with the underground cyber criminal economy, the so-called “Web of Profit”.

Among the study’s key findings was a worrying escalation in international tensions during 2020, with a majority of study participants saying the Covid-19 pandemic had proved a significant opportunity for nation states to exploit. Among other things, nation states are increasingly trying to acquire Covid-19-related intellectual property (IP) data, such as information on vaccines.

“When we look at nation-state activity through the lens of this report, it comes as no surprise that we have seen such an escalation over the past year – the writing has been on the wall for some time,” said McGuire.

“Nation states are devoting significant time and resources to achieving strategic cyber advantage to advance their national interests, intelligence-gathering capabilities and military strength through espionage, disruption and theft.

“Attempts to obtain IP data on vaccines and attacks against software supply chains demonstrate the lengths to which nation states are prepared to go to achieve their strategic goals.”

The study also identified a rise in supply chain attacks, up 78% in 2019 – with nearly 30 distinct supply chain attacks taking place between 2017 and 2020 that have a possible link to nation-state actors – the SolarWinds incident might be thought a good example of this. Also, more than 40% of the incidents analysed now had some element of hybridisation in that they involve a physical attack on assets as well as a digital one – attacks on critical national infrastructure (CNI) would fall into this category.

Ian Pratt, global head of personal systems security at HP, said: “Nation-state conflict doesn’t take place in a vacuum – as evidenced by the fact that enterprise is the most common victim within those attacks analysed.

“Whether they are a direct target or a stepping-stone to gain access to bigger targets, as we have seen with the upstream supply chain attack against SolarWinds, organisations of all sizes need to be cognisant of this risk. As the scope and sophistication of nation-state attacks continues to increase, it is vital that organisations invest in security that helps them stay ahead of these constantly evolving threats.”

The study found that governments that act maliciously in cyber space are increasingly using tactics that have already been road-tested by organised criminals. Government-backed actors also seem to be stockpiling zero-day vulnerabilities, and 10-15% of dark web vendor sales are now to atypical purchasers, or brokers for governments.

In other instances, offensive cyber tools developed by government agencies are making their way onto the black market – most famously the EternalBlue exploit used in the WannaCry attacks. About one-fifth of government-backed attacks were found to use custom-made weaponry such as targeted malware probably developed in-house, but about half involved easy-to-buy, straightforward tools bought on the dark web.

“Cyber crime economies are shaping the character of nation-state conflicts,” said McGuire. “There is also a ‘second generation’ of cyber weaponry in development that draws upon enhanced capabilities in computing power, AI [artificial intelligence] and cyber/physical integrations. One such example is ‘Boomerang’ malware, which is ‘captured’ malware that can be turned inward to operate against its owners.

“Nation states are also developing weaponised chatbots to deliver more persuasive phishing messages, react to new events and send messages via social media sites. In the future, we can also expect to see the use of deepfakes on the digital battlefield, drone swarms capable of disrupting communications or engaging in surveillance, and quantum computing devices with the ability to break almost any encrypted system.”

To ease rising tensions and prevent nation states from being drawn into more hostile cyber attacks, 70% of the expert panel said they thought some kind of international treaty would ultimately be necessary – this is by no means a new idea – but just 15% of them thought a cyber convention would be agreed on this decade, 37% said it was more likely to come in the 2030s, and 30% said it would probably never happen.

McGuire said a cyber peace treaty would depend on both scope and consensus. “Any treaty would need to specify the parties included, the range of jurisdictions involved and the activity it would cover,” he said.

“Nation states also need to agree on the principles that would shape any cyber treaty, such as weapons limitation. But these factors can be hard to define and achieve – just look at the recent proposal for a cyber crime treaty put to the UN. While the proposal did pass, 60 members voted against it and 33 abstained. A lack of international consensus would make any cyber treaty unlikely to succeed.”