Cybersecurity professionals must pay attention to nation-state attacks -- even those whose organizations do not envision themselves as targets. Companies that don't heed this advice may find out the hard way that they were targets after all.
Nation-state attacks provide a bellwether of the future attack landscape. Bad actors with the greatest amount of resources and the strongest motivation usually deliver the most effective attacks first. Then, once the nation-state attackers prove the success of a technique or exploit, copycat attackers will follow suit.
Want to know more about what's in store? Below are three nation-state cyberattack categories to be concerned about in 2020.
Public web server-based APTs
Groups linked to China, including APT10, have launched waves of advanced persistent threats (APTs) against telecommunications providers for years. Collectively known as Operation Soft Cell, the attacks harvested data from Active Directory, compromising usernames and passwords, and went on to collect other sensitive information, including billing data, call detail records, email server contents and user geolocation data.
Operation Soft Cell's initial attack involved gathering information about the target network from its public web server. At first, the provider was able to detect and halt the attack. But, several months later, the attackers struck again, using information gleaned from the initial intrusion. Eventually, they were able to move laterally across the network and created rogue privileged domain accounts that let them persist through subsequent remediation efforts: cleaning up the malware was not enough while the attackers still held valid, highly privileged credentials.
This class of attacks is noteworthy because Operation Soft Cell attackers have a strikingly broad portfolio of techniques that can be used against any enterprise, not just telecommunications companies.
Because the attacks started with a public-facing web server, enterprises should think hard about hardening internet-facing servers against server-side attacks -- the foothold here was the server itself, not a user's browser. Mor Levi, Assaf Dahan and Amit Serper -- the researchers on the Cybereason Nocturnus team who studied the attacks -- recommended deploying an additional security layer for web servers. Tools such as web application firewalls, which are available from vendors like Imperva, Cloudflare and Tala Security, can block trivial attacks on internet-facing web servers, though a WAF filters known-bad requests and is no substitute for patching the underlying application. The researchers also urged organizations to expose as few systems and ports to the internet as possible and to keep web servers and web services patched. They also recommended using an endpoint detection and response tool to improve visibility into sensitive assets and to proactively hunt for threats in corporate environments.
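One concrete hunt that follows from the Soft Cell pattern above is to look for the rogue privileged accounts the attackers used for persistence: an account that is created and then added to a highly privileged group within minutes is rarely legitimate administration. The following is an added example, not code from the original article or from Cybereason; it correlates Windows Security log events by event ID (4720 = user account created, 4728/4732 = member added to a security-enabled global/local group) over a constructed, simplified set of events whose field names (`time`, `event_id`, `subject`, `target`, `group`) are an assumption standing in for whatever your SIEM or EDR export actually produces.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled loosely on Windows Security log entries.
# These are illustrative records, not real logs; the field names are assumed.
SAMPLE_EVENTS = [
    {"time": "2020-01-06T02:14:03", "event_id": 4720,
     "subject": "CORP\\svc-backup", "target": "CORP\\svc-sync"},
    {"time": "2020-01-06T02:14:41", "event_id": 4728,
     "subject": "CORP\\svc-backup", "target": "CORP\\svc-sync",
     "group": "Domain Admins"},
    # A normal onboarding: created, then added to a low-privilege group days later.
    {"time": "2020-01-06T09:30:12", "event_id": 4720,
     "subject": "CORP\\j.smith", "target": "CORP\\new.hire"},
    {"time": "2020-01-08T10:02:55", "event_id": 4732,
     "subject": "CORP\\j.smith", "target": "CORP\\new.hire",
     "group": "Remote Desktop Users"},
    # Account created by a computer account (web01$) -- typical of a web shell
    # running as SYSTEM on a compromised server rather than an admin session.
    {"time": "2020-01-09T03:11:20", "event_id": 4720,
     "subject": "CORP\\web01$", "target": "CORP\\sqlsvc2"},
    {"time": "2020-01-09T03:12:02", "event_id": 4732,
     "subject": "CORP\\web01$", "target": "CORP\\sqlsvc2",
     "group": "Administrators"},
]

# Groups whose membership grants domain- or host-level administrative power.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

GROUP_ADD_EVENTS = {4728, 4732}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rogue_privileged_accounts(events, privileged_groups=PRIVILEGED_GROUPS,
                                   window=timedelta(hours=1)):
    """Return accounts added to a privileged group within `window` of creation.

    Each hit records who created the account, which group it was added to,
    how many seconds elapsed, and whether the creator was a machine account
    (subject ending in '$'), which is an extra indicator that the creation
    came from a compromised host rather than an interactive administrator.
    """
    created = {}   # account -> (creation time, creator)
    hits = []
    for ev in sorted(events, key=_ts):
        when = _ts(ev)
        if ev["event_id"] == 4720:
            created[ev["target"]] = (when, ev["subject"])
        elif ev["event_id"] in GROUP_ADD_EVENTS and ev.get("group") in privileged_groups:
            origin = created.get(ev["target"])
            if origin is None:
                continue  # account predates the log window; not this hunt's concern
            created_at, creator = origin
            elapsed = when - created_at
            if elapsed <= window:
                hits.append({
                    "account": ev["target"],
                    "created_by": creator,
                    "group": ev["group"],
                    "seconds": int(elapsed.total_seconds()),
                    "machine_creator": creator.endswith("$"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rogue_privileged_accounts(SAMPLE_EVENTS):
        print(hit)
```

Running the block over the constructed events flags `CORP\svc-sync` (added to Domain Admins 38 seconds after creation) and `CORP\sqlsvc2` (added to the local Administrators group 42 seconds after creation by a machine account), and ignores the ordinary onboarding of `CORP\new.hire`. In a real environment the same logic should also fire during and after an incident cleanup: an account that appears in this list while remediation is under way is exactly the kind of foothold that let the Soft Cell attackers return.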
Supply chain attacks
Chinese group APT41 is behind the activity dubbed Double Dragon, which combines state-sponsored espionage with financially motivated intrusions and has repeatedly reached its victims through their software supply chains. The attackers sought out financial information that might indicate a future merger or acquisition, initially targeting gaming companies. The group has since moved on to a range of verticals, including the automotive industry, media, high-tech firms and healthcare organizations. APT41 signed its malware with compromised digital certificates and used rootkits to target select individuals downstream in the supply chain -- a rare modus operandi among APT operators.
The most important lesson to learn from this example is that supply chain attacks are a favorite among nation-state attackers. Now is an excellent time for organizations to bolster their supply chain cybersecurity initiatives.
Hijacked attack infrastructure
Attackers typically operate on their own infrastructure. However, some clever ones have begun to use other bad actors' infrastructure to launch attacks.
One such example is Turla, a Russian group that used a host of tactics against a range of government and high-tech organizations in 10 countries. In its most recent slew of attacks, Turla hijacked the infrastructure used by the nation-state group Crambus to deliver its own malware. The hijacking happens on the attackers' side, so there is no direct way for enterprise cybersecurity professionals to prevent it. The practical consequence is that indicators such as command-and-control domains and IP addresses no longer reliably identify who is behind an intrusion, and security leaders should keep that in mind when reading attribution from their threat intelligence feeds. The evidence of nation-state attackers learning to piggyback on top of one another's efforts is compelling -- and something to watch out for in 2020.
The takeaway here is for enterprise cybersecurity professionals to stay informed. Even if an organization does not see itself as a typical target, there is a good chance that nation-state attackers disagree. Challenging that assumption is the best way to anticipate the unexpected.