Should organisations be concerned by cyberespionage?
23 March 2017
Barely a month goes by without new reports of a country engaging in cyber espionage or other technology-enabled attacks. As the Internet of Things propels us towards a completely connected world of exponentially growing data there is every chance your organisation will be interesting to attackers—including from nation states.
There is a growing realisation that this is the case.
According to a recent report from cybersecurity vendor Trend Micro, IT decision makers across Europe and the US believe cyberespionage is the most serious risk to their organisation. A Public Accounts Committee report, meanwhile, noted that the threat of “electronic data loss from cybercrime, espionage, and accidental disclosure has risen considerably”.
That does not mean nothing can be done to dampen the risk. But how serious a problem is industrial espionage, from nations or otherwise?
Goals over methods
“Espionage hasn’t really changed,” says Jarno Niemela, senior security researcher at F-Secure. “It has always been more about the goals rather than the methods.”
Leaks from the CIA and GCHQ confirm that the capabilities of intelligence agencies are sophisticated and wide in scope. There is speculation that Russian intelligence might permit cybercrime to occur within its borders, and that information taken in this way might sometimes be useful to the state.
And in 2015 China and the US reached a cyber-agreement to reduce espionage in private sector firms—signalling the frequency with which these attacks took place.
The FBI filed a federal indictment that accused five hackers from China’s People’s Liberation Army Unit 61398 of stealing information from corporations including US Steel and Westinghouse, as well as breaking into the United Steelworkers union. And an indictment from the Justice Department accuses two Russian spies and two cybercriminals of being behind the enormous Yahoo email breach attack—the largest data breach in history.
Most cyberespionage is undertaken by state actors or state-affiliated actors, typically chasing information that is politically or militarily expedient. But there are cases where purely commercial information has been obtained, quite possibly passed on to friendly contacts within companies in exchange for some other favour.
Stolen data currency
“[Stolen data] is being used as currency,” Niemela says. “As long as you are doing something that has some kind of value that can be replicated for information you are a target. Even if you are not interesting, it’s very likely that one of your customers is.”
Cyberespionage attacks often start at affiliated businesses rather than the main prize—perhaps first infiltrating a sub-contractor before finding their way to the ultimate target.
“We saw a case where an alarm systems provider was hit,” he says. “The final target was somebody operating a larger company. There have also been cases where a subcontractor providing some software component was breached, and their documentation was poisoned with exploits so their customers getting the documentation were hit.”
Most large-scale espionage has state affiliation, but not all, says Niemela. There are also instances where criminals breach an organisation and put the information up for sale on the dark web, so businesses themselves are not engaging in espionage but are happy to pay money for it.
Matters become decidedly more complicated when attribution is factored in—it is very difficult to say with certainty where an attack came from. Educated speculation and gluing together various pieces of evidence is about as good as it gets—nothing can be 100% certain.
The methods used by state or state-sponsored groups are really not very different to the kinds of attacks criminal gangs would put into the wild. The goals can be similar too: compromise systems to monitor networks and collect as much useful information as possible.