Threat Actors

In June 2020, the Australian prime minister announced that their country was under attack. “Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” Mr Morrison said from Parliament House.

These attacks on our neighbouring country had the potential to cause widespread damage to Australia, its stability, and its economy; however, for many businesses, the threat of a nationwide cyber-attack and the consequences of this on individual companies is abstract and not well understood.  At the same time, albeit further afield, the US Department of Justice and the Treasury took action against a group of Nigerian nationals who are believed to have cost American citizens over USD 6,000,000 by perpetrating Business Email Compromise (BEC) fraud schemes and romance schemes.

In light of these varied scenarios, we thought it was time to investigate who the current cybercrime perpetrators (actors) are, what type of schemes they are specialising in and how this impacts businesses today.  While many threat actors exist, many of those currently in the news fit into the following groups:

  1. State-Sponsored Actors

It is estimated that at least 30 nations are actively waging cyber warfare on other countries targeting their economic, military, political or commercial infrastructure. Groups that are nation-state sponsored have unparalleled technical, financial, and material resources to create sophisticated attacks and are known for playing a “long-game”.

These groups often conduct cyber-espionage to find competitive information, resources, or users to advance their political or military agendas. While these groups mainly focus on activities that benefit the interests of one nation over another, businesses can suffer collateral damage from this activity too.

Cyberweapons such as Stuxnet and NotPetya severely impacted not only their designated targets but businesses throughout the globe, causing billions of dollars’ worth of damage. A nation-state may also want your company's intellectual property for its own use.

Defending against state-sponsored actors may seem lofty for an individual business; however, actions can be taken, including:

  • Ensuring your patch/vulnerability management is up to date
  • Employing Advanced Endpoint Protection and Anti-ransomware technology
  • Considering which of your business assets may be attractive to a nation-state.

  2. Organised Crime

Organised crime groups are motivated by financial gain. They undertake cybercrime to steal PII that can be sold on the dark web, and hijack critical business resources for a ransom. Various tactics are used to achieve their goals, but they are responsible for the significant recent increase in Business Email Compromise and Ransomware attacks. These groups also use Remote Access Trojans, seen recently in New Zealand, along with phishing, social media, extortion, cryptominers, exploit kits, and blackmail. One hacking group, Fin7, is suspected of gleaning USD 50 million in profit each month of operation.

Defending against organised crime schemes involves the basics of good security hygiene, including:

  • Strong password management and Multi-Factor Authentication
  • User Awareness training (Often phishing schemes are the first entry point for an attack)
  • Advanced endpoint protection
  • Timely patching to encourage the attacker to find an easier target
  • An Incident Response Plan to prepare your business to respond to any incident in a timely and coordinated fashion

  3. Hacktivists

Hacktivist groups are motivated by a political, social, or religious agenda. They target government entities and corporations to expose what they believe are unjust or unethical business practices. Unlike organised crime groups, they tend to be loosely affiliated individual hackers or smaller groups who band together to highlight a cause or expose a perceived injustice.

Common tactics employed by these groups include the defacing of corporate websites, the hijacking of social media accounts and DDoS attacks on websites. Well-known hacktivist groups Anonymous and LulzSec have previously targeted various high-profile victims, including the US presidential campaign, the Islamic State (IS) and certain corporates. Since 2016, however, attacks attributed to hacktivist groups have reduced.

Defending against an attack from hacktivists starts with considering whether your business could be a target, by understanding the causes that these groups are acting in support of (e.g., environmentalism) and being aware of how your brand is perceived concerning these issues. Create a sound and secure social media management strategy and stay up-to-date with trends.

  4. Insider Threat

The insider threat refers to anyone operating inside your business, such as employees, contractors, trusted vendors or third parties. Insider threats are challenging to detect, as an insider may have valid credentials and in-house knowledge of systems and security, and may operate in a trusted position.

Typically, the insider threat comes from two different areas. Firstly, many are disgruntled employees or ex-employees who may seek revenge or financial gain (a second revenue stream). These insiders have malicious intent. The second category, however, can do just as much damage, and that is insiders who are negligent or commit unintentional errors.

Insider threats appear to be on the rise, and some studies suggest they play a role in 50% of security breaches. The insider threat is difficult to manage, and we believe it is an overlooked area that businesses should focus on as thoroughly as their external threat strategies.

High-profile cases where insiders have caused damage include Edward Snowden, who disclosed two million confidential files in 2013, and a South Korean employee who sold 27 million company data files for profit. However, most insider threat cases do not make the news, as they are considered Human Resource matters for internal resolution.

To protect against the insider threat, a business needs visibility across its network for tracking user behaviour and identifying anomalous behaviour. This visibility has been made more challenging of late, as many businesses have moved to the cloud, where access monitoring and granular log detail creation may not be as rigorous. Other actions companies can consider for protection against insider threat include:

  • Employing the concept of ‘least privilege’ when granting system and file access
  • Ensuring all devices on the network (including BYOD) are protected by a firewall and removable-media controls, with Bluetooth and other peripheral connections restricted
  • Instigating Employee Wellness programmes to uncover disgruntled employees, or those under stress or duress, early
  • Conducting cybersecurity training frequently to minimise unintentional errors.
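The visibility point above (tracking user behaviour and flagging what is anomalous) is easier to grasp with a concrete, if simplified, detection. The following Python script is an added example and is not code from the original article or from any product it refers to. It reads a constructed set of file-access log lines (user, action, path, byte count), learns each user's normal working hours, top-level directories and busiest day from a baseline window, and then reviews a later window for off-hours access, access to an area the user has never touched, unusually large daily volumes, and users with no baseline at all. The log format, the `VOLUME_FACTOR` threshold and all sample users and paths are assumptions made for the example.

```python
"""Added example: baseline-and-deviation checks over constructed file-access logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original article).
# Format: "<ISO timestamp> <user> <action> <path> <bytes>"
BASELINE_LOGS = """\
2020-06-15T09:12:03 alice READ /finance/q2-report.xlsx 20480
2020-06-15T14:30:11 alice WRITE /finance/q2-report.xlsx 22528
2020-06-16T10:02:45 alice READ /finance/invoices.csv 51200
2020-06-15T09:45:00 bob READ /eng/design.md 8192
2020-06-16T11:20:30 bob WRITE /eng/build.log 65536
""".splitlines()

REVIEW_LOGS = """\
2020-07-01T10:05:00 alice READ /finance/q2-report.xlsx 20480
2020-07-01T23:40:00 alice READ /finance/payroll.xlsx 40960
2020-07-02T11:00:00 bob READ /finance/payroll.xlsx 40960
2020-07-02T14:00:00 alice READ /finance/archive.zip 900000000
2020-07-03T09:30:00 carol READ /hr/contracts.pdf 10240
""".splitlines()

# Assumed threshold: flag a day that moves more than 3x the user's busiest baseline day.
VOLUME_FACTOR = 3


def parse(line):
    """Split one log line into a dict with a real datetime and integer byte count."""
    ts, user, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}


def top_dir(path):
    """Return the first path component, e.g. '/finance' for '/finance/x.xlsx'."""
    return "/" + path.strip("/").split("/", 1)[0]


def build_baseline(lines):
    """Learn, per user: directories touched, hours active, and largest daily byte total."""
    daily = defaultdict(int)  # (user, date) -> bytes moved that day
    base = defaultdict(lambda: {"dirs": set(), "hours": set(), "max_daily_bytes": 0})
    for line in lines:
        e = parse(line)
        b = base[e["user"]]
        b["dirs"].add(top_dir(e["path"]))
        b["hours"].add(e["ts"].hour)
        daily[(e["user"], e["ts"].date())] += e["bytes"]
    for (user, _day), total in daily.items():
        base[user]["max_daily_bytes"] = max(base[user]["max_daily_bytes"], total)
    return dict(base)


def find_anomalies(baseline, lines):
    """Return (user, reason, line) for each review line that deviates from the baseline."""
    findings = []
    daily = defaultdict(int)
    flagged_days = set()  # report the volume breach once per user per day
    for line in lines:
        e = parse(line)
        user = e["user"]
        b = baseline.get(user)
        if b is None:
            findings.append((user, "no_baseline", line))
            continue
        if e["ts"].hour not in b["hours"]:
            findings.append((user, "off_hours", line))
        if top_dir(e["path"]) not in b["dirs"]:
            findings.append((user, "new_area", line))
        key = (user, e["ts"].date())
        daily[key] += e["bytes"]
        if key not in flagged_days and daily[key] > VOLUME_FACTOR * b["max_daily_bytes"]:
            flagged_days.add(key)
            findings.append((user, "volume", line))
    return findings


if __name__ == "__main__":
    for user, reason, line in find_anomalies(build_baseline(BASELINE_LOGS), REVIEW_LOGS):
        print(f"{reason:12} {user:6} {line}")
```

Each finding is a prompt for a human review rather than a verdict: a late-night read may be legitimate overtime, and a user with no baseline may simply be a new starter. The value of the approach is that it turns the abstract goal of "visibility" into a short list of specific events someone can check, and the same structure extends naturally to cloud audit logs once those are being collected at the granularity the paragraph above calls for.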

While various cyberthreats are highlighted in the media every day, understanding how and whether these threats may apply to your business can be challenging. Defending your business against a known threat may be easier and more effective than defending against the unknown.

Therefore, we recommend staying aware of the key activity happening in the cybercrime world via threat alerts and becoming familiar with the main perpetrators and their motives to ensure your defence strategies are appropriate.

As mentioned by Sun Tzu in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”.