
Cyber Attacks From Unexpected Sources: Have You Considered Your Risk?

Published on 02/06/2021

Script kiddies, human error, low-level criminals, disgruntled employees, serious organised cyber criminals, nation state-sponsored groups.

When we talk about cyber threats, these are the ‘threat actors’ likely to be behind them—whether it’s highly sophisticated malware for either espionage or destructive purposes, or the more straightforward (not nearly as dramatic) theft of data.

Regardless of sector and size, all organisations should consider all of these threat actors when assessing their risk, even if some seem a bit unlikely. For example, many organisations question why they should worry about nation-state attackers affecting their business; surely they have nothing worth the effort, either because they aren’t a government department, their sector doesn’t have much to offer, or the particular product they produce doesn’t have wide-reaching, money-making potential.

What is often not considered, however, is that many non-government entities can be both indirect and direct targets for nation state-sponsored groups:

  • Indirect: Your organisation could be collateral damage in much larger state-level attacks; WannaCry and SolarWinds are examples of these.
  • Direct: Your business might be in the supply chain of a larger organisation, and many cyber-attacks begin this way; Target and NotPetya are prime examples of these.

An Unlikely Source Or Just One That Hasn’t Been Considered?

In some cases, state-sponsored cyber-attacks can be very precise, such as the Stuxnet attacks in 2010 when a virus was created to specifically target the centrifuges at the Natanz nuclear enrichment facility in Iran. Although there was some collateral damage from Stuxnet, particularly in the following months and years when elements of the code were leaked into the public domain and subsequently used in other attacks, the actual risk to corporate entities was very small as the virus had been developed as a niche capability for a very specific outcome.  

However, as mentioned above, there have been more recent examples where state-sponsored attacks have had a devastating impact on a much wider range of government and corporate victims. In late 2020, US intelligence officials blamed Russia for the SolarWinds supply chain attack—where a significant number of US government agencies were compromised by a contaminated software download. The number of government departments affected demonstrates that the attacks were very successful, but they also affected hundreds, if not thousands, of other corporate organisations that also used SolarWinds products. This included companies in the UK, and our cyber security partner, PGI, was contacted by numerous concerned clients seeking guidance and reassurance on how to deal with the aftermath.

In the case of NotPetya, the origin of the biggest global cyber-attack to date was the widely used Ukrainian accounting software, M.E.Doc. The developers of that software had poor cyber security measures in place, which enabled Russian state actors to infect their servers—once a user of M.E.Doc updated their software, they were also infected. This attack resulted in the loss of millions for businesses around the world, all collateral damage as the threat actors aimed for a bigger target.

How Do I Assess My Organisation’s Risk?

When assessing the nature of potential threats towards client organisations, we consider the motivation for an attack. For example, if your organisation is in the health sector, your most critical asset will be healthcare data and medical records, which are highly attractive to cyber criminals and many other nefarious actors. If you were a pharmaceutical company, then the motivation would be to steal your highly valuable intellectual property (IP), including product details and customer details. Similarly, if you were a Small to Medium-sized Enterprise (SME), you could be targeted by criminals looking to steal customer data or any unique IP you may hold.  

What history has shown us is that whenever large state-sponsored attacks happen, the nature of the business is normally irrelevant to the malware or virus itself, so no corporate entity should ever feel that they will not be targeted because a nation-state would “not be interested in attacking us”. As WannaCry and SolarWinds demonstrated, unintended victims were affected globally, and no business should ever dismiss state-level attacks as purely a state-on-state activity.

Preparing Your Organisation To Manage Digital Risk

To help prevent your business from becoming collateral damage in a future state-level attack, or even the gateway for a threat group to reach another victim, you can minimise the potential impact by starting with basic cyber security advice, such as adhering to the 10 Steps to Cyber Security and Cyber Essentials, and then other more robust cyber security standards, such as ISO 27001.

We also recommend ensuring that:

  • Your workforce is suitably informed and aware of the threats from phishing and social engineering. Given that 90% of successful attacks begin with a phishing campaign, it’s vital to ensure everyone in your organisation has undertaken some form of cyber security education.
  • Your organisation has a robust security update/patching regime for software applications, to keep your corporate environment safe from the latest security threats. In the case of the WannaCry ransomware attacks, the NHS would not have been as badly affected by the malware if the already-released Microsoft security updates had been applied to the devices being used.
  • Your IT infrastructure has been configured correctly. It’s easy to blame technology when there is a cyber security incident, but many security weaknesses manifest because new technology hasn’t been deployed and configured correctly (or at all…did you remember to change those default admin login details?).
  • You have an understanding of the security posture of the various links in your supply chain. Truthfully, you have very little control over your suppliers, but conducting a supply chain security assessment will enable you to better manage the risk that your suppliers represent.

It’s important to never assume certain attacks are only reserved for large organisations, government agencies and critical national infrastructure. Cyber threats are everywhere and affect organisations of all sizes and sectors.

If you think you have been the victim of a cyber attack, or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch.

This article was published in partnership with our cyber security partners PGI.

© SES Secure Limited and ses-escrow.co.uk, 2021. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.
