As the crisis in Ukraine continues to bubble close to boiling point, many are warning that should armed conflict erupt in Eastern Europe, advanced persistent threat (APT) groups backed by the Russian state are likely to open a second, cyber front.
And while the vulnerability exploits engineered by APTs for use in these cyber warfare scenarios pose little immediate threat to the average organisation, they will likely prove highly dangerous in the long term. By paying attention to nation state activity, IT security pros can buy themselves valuable time to get out in front of the threats of the future.
This is the view of Coalfire UK managing director Andy Barratt, who, speaking to Computer Weekly this week, decried what he described as a certain cynical attitude towards nation state-backed attackers among many who don’t see them as a threat to the majority of organisations that are not either government bodies, operators of critical national infrastructure (CNI), or specialists in sectors such as defence.
While this is true, said Barratt, it’s still important to keep an eye on impactful nation state attacks. “The reason we have to watch nation state actors is not because any of us are likely to be targeted by Russia,” he said. “UK plc is highly unlikely to be targeted by a nation state, because they don’t want to burn their capabilities. The Russians are not going to break into the systems of M&S – they care less about Colin the Caterpillar than we do.”
Barratt said the thing that many people miss is that organisations risk becoming collateral damage in a way they are unwilling or unable to understand. In essence, he explained, if Russia conducts cyber attacks on Ukrainian or Western targets in the opening phases of a wider kinetic war, cyber criminals will watch what they have done, try to learn how they did it, and then emulate those tactics against business targets.
“The various crime syndicates that watch nation state activity see it as an easy way to get a return,” said Barratt. “If you treat cyber criminals as a functioning business, their observation of nation state activity massively enhances their own research into new attack techniques … [and] once they have a workable mass exploit, they’ll use it on whoever they can.”
“SolarWinds, for example, went from being a nation state attack to being widely deployed by organised crime. We spent six to eight months working with clients on forensic examinations of their SolarWinds environments looking for collateral damage.”
FCDO a likely target
Talking in the wake of the news this week that the Foreign, Commonwealth and Development Office (FCDO) had fallen victim to a cyber attack, Barratt said some kind of nation state action was probably the most likely explanation for this incident.
The hit on the FCDO went undisclosed and was only discovered by tech website The Stack when it found a published £467,325.60 FCDO contract to provide business analyst and technical architect support to analyse an incident. The contract was handed to BAE Systems without tender due to the extreme circumstances. It can be read in full here.
The FCDO said only that it had been the target of a serious cyber security incident, further details of which could not be disclosed, and that it needed urgent support to remediate and investigate it. The department has issued a separate statement to the BBC and others, saying only that it does not comment on security, but that it does have systems in place to protect and defend itself.
Barratt said that given the sensitive nature of a lot of the FCDO’s work – the foreign secretary is, after all, ultimately the person to whom MI6 reports – the likelihood of there ever being any meaningful comment on the attack was close to zero. “I suspect that’s as much information as we’ll get,” he said.
“The value of the deal was over £400,000, so I’d say the size of the incident was probably quite hefty,” he added. “There are many plausible things this could be about but knowing the Foreign Office’s role and their involvement in intelligence, it could be a shot across the bows by an interested party.”
It is also important for defenders to understand that the FCDO could have been breached by any number of means, and if the attackers were Russian state actors, they may not even have had to burn a precious zero-day. They could have just as easily snuck past the department’s defences using an old, unpatched vulnerability, or even through a phishing email.
Indeed, according to the US Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s rough equivalent to the UK’s own National Cyber Security Centre (NCSC), nation state APTs tend to prefer old, unpatched vulnerabilities for a number of reasons, chief among them that they are quick and easy to exploit.
Two particularly favoured vulnerabilities in the past two years have been CVE-2019-19781 in Citrix VPN appliances, and CVE-2019-11510 in Pulse Secure VPN servers. Newsworthy as CVE-2019-19781 was, Citrix did of course patch the vulnerability, and two years on, it is not talked about very much, which gives cover to nation state APTs and criminal gangs alike.
CISA provides further resources for IT security teams to check from time to time, in the form of its Known Exploited Vulnerabilities Catalogue, which does exactly what it says on the tin, listing all currently known common vulnerabilities and exposures (CVEs) that are subject to active exploitation – at the time of writing, more than 350 of them. Defenders can also subscribe for updates.
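The article describes the catalogue and its update feed but not how a team would actually consume it. The following is an added example, not code from the article, Coalfire or CISA: it parses a catalogue in the shape of CISA's KEV JSON feed, matches entries against a small asset inventory, drops CVEs already recorded as patched, and flags entries past their remediation due date or added since the last check. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) follow the published KEV schema as I understand it and should be confirmed against the live feed; the catalogue sample, the inventory, the dates and the feed URL in the comment are constructed or assumed for illustration.

```python
"""Match a CISA KEV-style catalogue against a local asset inventory (added example)."""
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. The live feed is assumed to be
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The two real CVEs are the ones named in the article; dates here are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2019-19781", "vendorProject": "Citrix",
         "product": "ADC, Gateway, and SD-WAN WANOP",
         "vulnerabilityName": "Citrix ADC and Gateway directory traversal",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions.", "notes": ""},
        {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure",
         "product": "Pulse Connect Secure",
         "vulnerabilityName": "Pulse Connect Secure arbitrary file read",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions.", "notes": ""},
        # Placeholder entry for a product not in the inventory below.
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "vulnerabilityName": "placeholder",
         "dateAdded": "2021-10-15", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions.", "notes": ""},
    ],
})

# Constructed inventory: what the organisation runs, as vendor/product strings
# the way an asset register or CMDB export might hold them.
INVENTORY = [
    {"name": "vpn-gw-01", "vendor": "Citrix", "product": "Gateway"},
    {"name": "vpn-gw-02", "vendor": "Pulse Secure", "product": "Connect Secure"},
]

# Constructed patch-tracking state: CVEs already remediated and verified.
PATCHED = {"CVE-2019-11510"}


def load_kev(text):
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    data = json.loads(text)
    return data["vulnerabilities"]


def _norm(s):
    return s.lower().strip()


def match_inventory(entries, inventory, patched, today_iso):
    """Return KEV entries that apply to an inventory asset and are not yet patched.

    Matching is deliberately loose (case-insensitive substring on vendor and
    product) so that a catalogue row naming several products still hits; a
    false positive here costs a manual check, a false negative costs a breach.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in entries:
        if entry["cveID"] in patched:
            continue
        for asset in inventory:
            vendor_ok = _norm(asset["vendor"]) in _norm(entry["vendorProject"])
            product_ok = _norm(asset["product"]) in _norm(entry["product"])
            if vendor_ok and product_ok:
                due = date.fromisoformat(entry["dueDate"])
                hits.append({
                    "cve": entry["cveID"],
                    "asset": asset["name"],
                    "due": entry["dueDate"],
                    "overdue": today > due,
                    "action": entry["requiredAction"],
                })
    return hits


def new_since(entries, last_seen_iso):
    """CVE IDs added to the catalogue after the last check (the 'subscribe' view)."""
    cutoff = date.fromisoformat(last_seen_iso)
    return [e["cveID"] for e in entries
            if date.fromisoformat(e["dateAdded"]) > cutoff]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for hit in match_inventory(kev, INVENTORY, PATCHED, "2022-06-01"):
        status = "OVERDUE" if hit["overdue"] else "open"
        print(f"{hit['cve']} on {hit['asset']}: {status}, due {hit['due']} - {hit['action']}")
    print("added since last check:", new_since(kev, "2021-11-01"))
```

Run against the live feed, `load_kev` would take the downloaded JSON text in place of `SAMPLE_KEV_JSON`; the point of keeping the patched set separate is that a CVE stays in the catalogue indefinitely, so the match list only becomes useful once it is reconciled with what has actually been remediated.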
Why you should watch security suppliers, too
Barratt said it is also worth keeping an eye on supplier responses to cyber attacks as they unfold, as these may provide valuable hints as to what nation state APTs are up to, and what might be on the verge of filtering down into the criminal underground.
“There are two big dependencies,” he said. “The first is whether the initial target by the nation state requires a sophisticated exploit.
“If so, the nation state compromises it through a new zero-day, or zero-day-like vulnerability, the vendor races out a patch, and this rapidly becomes apparent in the news, and criminals will immediately reverse engineer it, create an exploit, and use it to target businesses.”
If, on the other hand, a cyber attack is disclosed in the news and we don’t see a sudden rush of supplier activity, said Barratt, then it was “probably a phishing campaign and a trivial bit of malware”.
“Watch what they do so that you can defend against a copycat emulator,” he said. “People miss that bit, and it’s probably the most important advice I could give.
“I’m not saying go and buy a lot of stuff, just make sure that the attack pattern doesn’t circumvent the defences you rely on – because if you know about something, you can bet cyber criminals have known for longer.”