To close out National Cyber Security Month, today we take a look at some of the most sophisticated, skilled and well-funded cyber threat actors out there - state-sponsored hackers. Just this week, Microsoft announced the same group credited with the SolarWinds hack, who they call Nobelium, has targeted the cloud services of key players in the global IT supply chain, with no less than 140 companies having been targeted and 14 confirmed cases of compromise.  The attack was first detected in May, but it only made public headlines recently. The SolarWinds hack went undetected for most of 2020 and its discovery badly embarrassed Washington, prompting President Joe Biden to attempt to draw a line in the sand about what kinds of attacks from state-sponsored actors would not be tolerated and would prompt some type of US cyber retaliation. Apparently, those warnings have fallen on mostly deaf ears to this point, especially in Vladimir Putin’s Russia.

What typically separates state-sponsored hackers from the rest?

State-backed hacking is primarily about intelligence gathering — whether for national security, or to gain commercial or strategic advantages. But with the ransomware element now also a major part of the threat landscape, reaping monetary rewards from certain industries as a byproduct is gaining steam as well (successful cyber attacks are a major source of state income in North Korea for example).  Whether you are a target for their main objective, a springboard to reaching their main target, or just collateral damage, the tentacles of state sponsored hacking can reach and affect you at any time.

So who are the main players?

There are numerous groups operating under the guise of state-sponsored hacking, but for the purposes of this article, we’ll focus on five of the most notorious. But first, a word on all the different names these groups are known by. For security professionals, state-sponsored entities are typically considered to be APTs (Advanced Persistent Threats), and as such, they can be assigned simple names with a number designation, like APT29, which is the moniker used in many security circles for the Russian group credited with the SolarWinds attack.  But different companies use different naming conventions – Microsoft calls that same group Nobelium, while other groups use naming conventions featuring animals to distinguish the country of origin, like Cozy Bear is APT29/Nobelium, Bear names for Russia, Dragon names for China, and Kitten names for Iran. North Korea’s most notorious group is more of a loose collective working with the state, but not necessarily in the state – and are known as the Lazarus Group. With that out of the way, let’s run down the top five groups:

• Cozy Bear (APT29) – This Russia based group has been active since 2008.  Their claims to fame have allegedly been the 2015 attack on the Pentagon (also as key players in Russian attempts to influence the 2016 US presidential elections), the FireEye hack, the SolarWinds hack, the most recent attack on the global IT supply chain, and numerous hacks involving the theft of COVID-19 vaccine data.

• Lazarus Group (APT38) a.k.a Hidden Cobra and Zinc – This group, working on behalf of North Korea, has been active since around 2010. Their alleged operations include Operation Troy, the WannaCry ransomware attack in 2017 which infected over 300,000 systems and brought in a massive monetary windfall for the North Korean regime, and also numerous hacks involving the theft of COVID-19 vaccine data.

• Double Dragon (APT41) – This China based group has been active since 2010. They have a split personality.  When they are not doing work on behalf of the state conducting espionage (credited with espionage operations against 14 different countries, including the US and the UK), they work on the side to make money for themselves by targeting private companies in the travel and telecommunications industries in order to access data they can use for surveillance and provide groundwork for future operations (ransom, blackmail, tracking dissidents, etc.). Basically, their state connections allow them to use the most sophisticated espionage tools to steal money for themselves.

• Fancy Bear (APT28) – This Russia based group has been active since 2005. Their most visible success was the DNC (Democratic National Committee) hack in 2016 and the cyberattacks on Emmanuel Macron's campaign websites in the run-up to the 2017 French Presidential elections.  They are experts in leveraging the power of phishing emails, using email domains to trick their would-be victims into believing that the elaborate phishing emails produced by the group are coming from legitimate sources. They seem to specialize in targeting political and defense targets in furtherance of Russia’s strategic interests. But with the way they have mastered the phishing/spear phishing attack vector, anyone can easily become a victim.

• Helix Kitten (APT34) – Like North Korea, Iran likes to employ more of a loose collective working with the state, but not necessarily in the state. These contract hackers conduct many of the regime’s offensive operations, even though many are not true believers in the cause, but rather, simply cyber mercenaries. They are best known for the 2013 New York Dam hack and attacks on the Australian Parliament House in 2019. Like the Chinese Double Dragon group, these hackers moonlight for themselves when they are not doing the bidding of the Iranian government, using the most sophisticated tools afforded them by Iranian regime to rake in cash for themselves. They were thought to have been extinguished in 2019 when ten individuals from Helix Kitten were publicly named, with three employed by Iran’s Ministry of Intelligence, and the others working at the Iranian cybersecurity company Rahacrop. But rumors of their demise were apparently premature, as the group seems to have executed successful attacks since 2020 that caused chaos across the Middle East and South Asia.

Russia on a Roll, China very effective, North Korea a serious player

According to Microsoft’s Digital Defense Report, which covers July 2020 through June 2021, Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share of the detected attacks (and a 32% success rate), mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members. China, on the other hand, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected, dropping their number from 12% in the year ending in June of 2020, to 8% for the year ending in June of 2021, But they were successful 44% of the time in breaking into targeted networks. North Korea was actually second as country of origin at 23%, up from less than 11% previously. Overall, nation-state hacking has about a 10%-20% success rate according to Microsoft’s Digital Security Unit. One of the only bits of good news is that only 4% of all the state-backed hacking Microsoft detected last year targeted critical infrastructure, with Russian agents far less interested in it than Chinese or Iranian cyber-operatives. So maybe Putin is watching that line in the sand just a little bit.

There’s a reason cybersecurity feels like you against the world

Sophisticated, state-sponsored attacks and APTs are obviously no joke, they are the stuff of nightmares for even the most robust cybersecurity departments and technologically savvy organizations. It is a scourge that will take no less than you’re A-game to repel in a best case scenario if you are a chosen target, and an effective, up-to-date and thorough Emergency Incident Response plan to rely on in the event the unthinkable happens and you are compromised by one of these dangerous groups. And remember, APTs are just one kind of threat that can emanate from outside our borders, others like the REvil organized ransomware group are always on the prowl too, not necessarily working on behalf of a government, but working under the protection afforded by being in countries the US has no jurisdiction over, raking in millions in ransoms and stealing/leveraging all kinds of data for whatever nefarious purposes they can dream up.

How can GDF help?

GDF’s vulnerability assessments and penetration tests are designed to see where your cybersecurity posture stands right now.  We will review policies and procedures to identify patch management issues, use threat signature databases updated to detect these latest threats during our testing, test for existing intrusions/compromises, and we can help you in multiple ways from an Emergency Incident Response perspective, from helping you create/review/maintain an effective Emergency response plan, to being able to get boots on the ground to respond to your breach or intrusion with our Emergency Response Teams strategically positioned around the country to give you unrivaled response times.

We even have remote options available using agents which can be remotely deployed across tens of thousands of endpoints enterprise-wide in as little as two hours, with all the components being up and running within 24 hours. Once a threat is detected, the network is analyzed and the unique automated response and cross-system remediation capabilities spring into action – remediating the threat in real time. Your system will also be constantly monitored by a 24/7 SOC team and be constantly updated with front-line security intelligence to ensure rapid response. For our Vulnerability assessment and penetration testing clients, we also offer no retainer SLAs (Service Level Agreements) so you can have GDF waiting in the wings to respond to your emergency without having to pay anything if no emergency incident occurs, since we will already be intimately familiar with your unique cybersecurity posture and requirements from our assessments and testing.

So call GDF at 1-800-868-8189 today, or fill out the form below and we’ll contact you, and let’s get started.