Why you shouldn’t be afraid of nation-state hackers
When talking about information security, nation-state backed hackers are set up as the ultimate threat. These countries have brilliant hackers, unlimited resources, endless exploits, and they are all after you! Fortunately for us, there are also many more nation-state hackers who are not that skilled, are on a tight budget, and are forced to use off-the-shelf tools. Just because your organization might be of interest to foreign services does not mean that you should simply give up.
Before we go much further, it’s important to acknowledge that some nation-state adversaries are, in fact, your worst nightmare. However, there is ample evidence of hacker “B-teams” amongst even the most sophisticated nation-state groups. Looking at the Russian attacks against the DNC, many simple mistakes are immediately apparent, including how easy it was to discover their origin. The group forgot to deploy anonymity tools, reused email and IP addresses for different parts of the operation and routed data through a single relay located in the U.S.
Even that looks professional compared to the Russian hackers detained in the Netherlands trying to spy on the Organization for the Prohibition of Chemical Weapons (OPCW) while carrying a receipt for the taxi ride from the GRU barracks to Moscow airport.
North Korea has frequently made similar blunders. One of the hackers behind the attack on Sony Pictures, Park Jin Hyok, allowed his real identity and aliases to become intertwined. He used his own address to register a video account and a payment account for his alias Kim Hyon Woo.
Even the Chinese hacking groups have been caught through simple OPSEC errors and code reuse, where a single failure to hide their IP address was enough. This slip-up led to strong attributions on a wide range of attacks carried out over a decade by China’s “Panda” teams.
Many of these nation-state attacks also leverage very simple tools and techniques. In some cases, this may be an indication of the attackers’ skill level; in others, it may say more about the security measures used by the defenders.
It’s not surprising to see a large range of sophistication from these hacking teams. New tools are hard to write, new exploits are hard to find, and highly skilled hackers are in extremely short supply. Of course the attackers are going to use the least expensive and most easily available capabilities against targets wherever those capabilities will work and where the damage from attribution is not too severe.
This is why there is hope for defenders dealing with nation-state attackers. Most targets are not valuable enough to be worth attacking with the best people and tools. While someone thought it was reasonable to spend an estimated $1 million to create Stuxnet, that is an outlier. In all likelihood, you and most others will be initially targeted by the B-team, and most of the time that will be enough.
So, now the goal of dealing with nation-state attackers can be re-framed. If you can improve your security enough to stop the B-team, it’s likely that you will never encounter the A-team, because you are not worth it. Defending against the B-team is an achievable objective, whereas beating the A-team is a fantasy. It simply requires taking all the standard security measures and putting them into place inside your organization.
I also see an ecosystem advantage from this approach. Even if you are valuable enough for your opponents to deploy the big guns, those are in very limited supply. By forcing nation-states to use their best capabilities against you, you ensure those tools are not being used to attack someone else. B-team capabilities are vast and cheap, but most countries can only use the A-team people, tools, and zero-day exploits a very limited number of times.
In the end, there are people out there who can penetrate just about any network, no matter how fiercely defended. Most organizations simply don’t have the kind of security that requires a high level of sophistication. By stopping the nation-state B-teams, we prevent most attacks against ourselves and simultaneously make everyone less likely to be hit by the few A-teams that exist.
Lance Cottrell is the Chief Scientist for Ntrepid.