Script kiddies, human error, low-level criminals, disgruntled employees, serious organised cyber criminals, nation state-sponsored groups.
When we talk about cyber threats, these are the ‘threat actors’ likely to be behind them—whether it’s highly sophisticated malware for either espionage or destructive purposes, or the more straightforward (not nearly as dramatic) theft of data.
Regardless of sector and size, all organisations should consider all of these threat actors when assessing their risk, even if some seem a bit unlikely. For example, many organisations will question why they should be worried about nation-state attackers having an impact on their business; surely they don’t have anything worth the effort, either because they aren’t a government department, their sector doesn’t have much to offer, or the particular product they produce doesn’t have wide-reaching, money-making potential.
What is often not considered, however, is that many non-government entities can be both indirect and direct targets for nation-state-sponsored groups:
In some cases, state-sponsored cyber-attacks can be very precise, such as the Stuxnet attacks in 2010 when a virus was created to specifically target the centrifuges at the Natanz nuclear enrichment facility in Iran. Although there was some collateral damage from Stuxnet, particularly in the following months and years when elements of the code were leaked into the public domain and subsequently used in other attacks, the actual risk to corporate entities was very small as the virus had been developed as a niche capability for a very specific outcome.
However, as mentioned above, there have been more recent examples where state-sponsored attacks have had a devastating impact on a much wider range of government and corporate victims. In late 2020, US intelligence officials blamed Russia for the SolarWinds supply chain attack—where a significant number of US government agencies were compromised by a contaminated software download. The number of government departments affected demonstrates that the attacks were very successful, but they also affected hundreds, if not thousands, of other corporate organisations that also used SolarWinds products. This included companies in the UK, and our cyber security partner, PGI, was contacted by numerous concerned clients seeking guidance and reassurance on how to deal with the aftermath.
In the case of NotPetya, the origin of the biggest global cyber-attack to date was the widely used Ukrainian accounting software, M.E.Doc. The developers of that software had poor cyber security measures in place, which enabled Russian state actors to infect their servers—once a user of M.E.Doc updated their software, they were also infected. This attack resulted in the loss of millions for businesses around the world, all collateral damage as the threat actors aimed for a bigger target.
When assessing the nature of potential threats towards client organisations, we consider the motivation for an attack. For example, if your organisation is in the health sector, your most critical asset will be healthcare data and medical records, which are highly attractive to cyber criminals and many other nefarious actors. If you were a pharmaceutical company, then the motivation would be to steal your highly valuable intellectual property (IP), including product details and customer details. Similarly, if you were a Small to Medium-sized Enterprise (SME), you could be targeted by criminals looking to steal customer data or any unique IP you may hold.
What history has shown us is that whenever large state-sponsored attacks happen, the nature of the business is normally irrelevant to the malware or virus itself, so no corporate entity should ever feel that they will not be targeted because a nation-state would “not be interested in attacking us”. As WannaCry and SolarWinds demonstrated, unintended victims were affected globally, and no business should ever dismiss state-level attacks as purely a state-on-state activity.
To help prevent your business from becoming collateral damage in a future state-level attack or even the gateway for a threat group to reach another victim, you can minimise the potential impact by starting with the basic cyber security advice such as adhering to the 10 Steps of Cyber Security, Cyber Essentials, and other more robust cyber security standards, such as ISO 27001.
We also recommend ensuring that:
It’s important to never assume certain attacks are only reserved for large organisations, government agencies and critical national infrastructure. Cyber threats are everywhere and affect organisations of all sizes and sectors.
If you think you have been the victim of a cyber attack, or would like to speak to one of our specialists about protecting your organisation against cyber threats, please get in touch.
This article was published in partnership with our cyber security partners PGI.
© SES Secure Limited and ses-escrow.co.uk, 2021. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content