The FBI and Department of Homeland Security have issued multiple alerts warning of increased cyber attacks on medical research and other organizations that have not traditionally been targeted by advanced threat actors. While targeted attacks are not new, we are seeing the nature and objectives of attackers expand. Threat actors are using increasingly sophisticated technology, tools and techniques, including those produced by nation state militaries and intelligence organizations. Yet most organizations still just react, investing in cybersecurity programs based on regulation and common maturity frameworks rather than in proactive risk mitigation strategies. While these cybersecurity programs are essential to promoting good cyber practice, reactive approaches do not adequately counter targeted attacks. As targeted attacks evolve, organizations need to commit to specific defensive investments in tools, techniques and skills to buy down risks efficiently.
Understanding the evolution of targeted attacks
Targeted attackers have specific aims and objectives. They differ from general opportunistic attacks that look for vulnerabilities and distribute malware indiscriminately. The initial recognition of targeted attacks occurred in addressing cyber espionage against US military and defense industry targets. Next Peak co-founder Greg Rattray coined the term advanced persistent threat (APT) in 2007 to describe how advanced threat actors will persistently attack targets with data, information and knowledge essential to the attacker, no matter how strong an organization’s defenses.
Since that initial recognition, the objectives of targeted attacks have expanded greatly. Once focused primarily on national security espionage, these threats now stretch across a wide range of aims and industries. Targeted attackers’ aims now vary from intellectual property theft, to political or economic espionage, political coercion, competitive disruption, to even provoking embarrassment. Increasingly, we are also seeing evolved hybrid targeted attacks with a combination of aims. A quick look at the evolution of these attacks would include:
- The state-sponsored Chinese cyber espionage attack against US paint company, Valspar, had dual economic and national security implications. The intellectual property stolen included advanced epoxies for aircraft wings and cost Valspar its entire Chinese market.
- The massive attack on Saudi Aramco – which took out 35,000 computers and threatened 10 percent of global oil production – focused on disruption but had politically coercive objectives with the Iranian state-sponsored attackers stating that the attacks were in response to Saudi crimes against humanity.
- North Koreans disrupted Sony Pictures’ operations in retaliation for the unreleased comedy parodying North Korea, The Interview, while also stealing and releasing confidential data including film scripts, personal data, confidential emails and salary information.
- Russian state-sponsored attackers hacked both the Democratic National Committee (DNC) and Republican National Committee (RNC) in the run up to the 2016 Presidential election, but only DNC emails and documents were leaked, demonstrating attackers’ multiple aims of espionage, provoking embarrassment and affecting election outcomes.
- North Korean actors conducted major SWIFT-based attacks on the Bank of Bangladesh and other financial institutions, stealing $81 million from the Bank of Bangladesh alone. This is a continuing major pressure on the global payments system, with state-sponsored attackers targeting poorly secured banks to fund national security objectives like nuclear weapons development.
Sophisticated adversaries are flexible and adaptable, and will find targets and adopt new modes of attack to meet their own various objectives. The latest evolution of ransomware epitomizes the multi-threat aspect of current targeted attacks. Ransomware has moved from being purely opportunistic and criminal to becoming targeted and deep. Recent attacks on Garmin and Travelex show threat actors aiming for bigger targets, and the FBI and Interpol have warned of increased targeted ransomware attacks on healthcare, industrial and transportation organizations.
Targeted attackers have also increasingly deployed ransomware while simultaneously stealing customer data as leverage to ensure payment, blurring the lines between ransomware attacks and data breaches. Cloud service provider Blackbaud recently disclosed that it paid a ransom to prevent stolen customer information from being leaked following a ransomware attack in May. Magellan Health, Cognizant, LG and Xerox have reportedly all faced similar hybrid attacks.
As targeted attackers’ aims and objectives evolved, the risk profile of organizations in a variety of different industries has changed. The good news is that not all companies are at risk from all targeted attacks. Understanding your organization’s risk profile – based on industry, assets critical to you and attractive to attackers, operating locations and other factors that impact your attack surface – is crucial to forming effective defensive strategies to prevent and minimize losses if targeted. Not just computers and data are at risk – intellectual property, competitive advantage, shareholder value and business viability can be lost.
Reducing risk of targeted attacks
So far, organizations have been playing catch-up in understanding and mitigating risk from targeted attacks. Valspar did not think that they were at risk from targeted attack because they were a paint company, ignoring the fact that improving advanced materials and developing aviation technology were key elements of China’s 12th Five-Year Plan. While many companies today acknowledge risk from targeted attackers, they often do not have focused capabilities to understand who might attack them, how they would attack, the risk of an attack, and how to mitigate that risk proactively.
Organizations must go from a security mindset to a defense mindset. Defenders need to understand attacker objectives, their tools, tactics and procedures, and put in place focused defensive measure to protect, detect respond and recover. Organizations must devise approaches for constant vigilance. Defenders should leverage industry standard frameworks like the MITRE ATT&CK Framework and engage in forums like these where rapid evolution of how to best defend occurs. With focus, organizations can invest appropriately reducing risks and protecting their stakeholders.
Next Peak helps clients deepen their understanding of targeted attacks and how to think about risk mitigation. Our network of elite Cyber Defenders will conduct full spectrum threat assessments tailored to your organization, identifying potential attackers and threat vectors, leveraging our front-line experience countering APTs, and matching potential threats to your critical assets, operations structure, industry vertical, and geographic location. Let us help you upgrade your cyber processes to face the threat of evolving targeted attacks, find out more here.