ENISA’s Threat Landscape Report 2022 – Part 11 – State Sponsored Actors
Threat actors play a central role in the cybersecurity threat landscape: they exploit vulnerabilities to cause harm to their targets. Understanding their motivations, goals and tactics is essential for managing cyber threats and responding to incidents. Tracking the latest developments in threat actor tactics, together with longer-term trends in their motivations and targets, informs the planning of cybersecurity defences and mitigation strategies and allows security controls to be prioritized by the potential impact and likelihood of each threat. Ignoring threat actors and their tactics leaves a knowledge gap that produces inefficient defences, or leaves systems unprotected altogether.
The ENISA Threat Landscape 2022 report considers four categories of cybersecurity threat actors:
- State-sponsored actors
- Cybercrime actors
- Hacker-for-hire actors
- Hacktivists
This part of the series covers the first category.
State-sponsored actor trends
Increased exploitation of 0-day and other critical vulnerabilities
Based on publicly available reports, the most commonly identified intrusion vector was vulnerability exploitation, and 2021 saw a record 66 publicly disclosed 0-day exploits. State-sponsored actors were observed exploiting critical vulnerabilities in Microsoft Exchange, Pulse Secure VPN appliances, Atlassian Confluence, F5 BIG-IP devices, Fortinet appliances and Apache's Log4j library. These actors also compromised small office and home office (SOHO) routers worldwide and used them as operational infrastructure; traffic relayed through residential networks blends in with legitimate activity, which complicates blocking and attribution for defenders. Sandworm's VPNFilter has been succeeded by Cyclops Blink, which targets WatchGuard firewall appliances and ASUS routers. Timely patching of internet-facing systems and monitoring of edge devices remain the primary defences against these threats.
While 0-day vulnerabilities are not a new problem, the reporting period saw a marked surge in 0-day disclosures. Several factors contributed to this rise:
- The growing volume of software in use has enlarged the attack surface available for vulnerability research and exploitation.
- Nation-state actors may resort to using 0-day exploits to overcome the enhanced security posture of their targets and the use of advanced security technologies.
- Nation-state threat actors have been allocating more resources to 0-day research and exploit development, a priority reflected in policy decisions such as China's 2021 requirement that vendors report newly discovered vulnerabilities in their products to the government.
- Increased focus on supply chain attacks has driven research into vulnerabilities in widely used software, since a single 0-day in a common component can yield initial access to many targets at once.
- Access-as-a-Service markets have matured, offering services such as vulnerability research, exploitation, and malware payload development.
- Threat hunting and vulnerability research programmes are building more capability to detect 0-day exploitation in the wild. More vendors disclose 0-days in their products through security bulletins, and researchers increasingly publish 0-days before a patch is available, especially when exploitation in the wild has already been observed.
- Exploit developers have more opportunities to be paid for 0-day work, through hacking contests such as Tianfu Cup and Pwn2Own or through underground marketplaces.
Heightened risk for Operational Technology networks
ENISA's 2021 report predicted growing interest by state actors in critical infrastructure and Operational Technology (OT) networks, and observations during the reporting period confirmed this trend. Cyber operations against such infrastructure were primarily aimed at intelligence collection, the deployment of newly observed ICS-targeting malware, and disruption.
Public reports identified three new activity groups, KOSTOVITE, PETROVITE and ERYTHRITE, with the intent or capability to target OT networks. Adversaries are willing to invest time and resources to compromise targets and harvest information about OT networks for later use: for most adversaries in this space, pre-positioning and information gathering currently take priority over disruption as strategic objectives.
ENISA noted two additions to the short list of ICS-capable malware: Industroyer2 and INCONTROLLER (also known as PIPEDREAM). They are the sixth and seventh known ICS malware families, after Stuxnet, Havex, BlackEnergy2, CrashOverride (Industroyer) and Trisis (Triton). Industroyer2 was discovered during the analysis of an attack on a Ukrainian energy company by the state-sponsored group Sandworm. INCONTROLLER is very likely state-sponsored malware built for disruption, sabotage and potentially destruction.
State-backed threat actors will increase their reconnaissance against OT networks, develop capabilities and target them more often in the foreseeable future, especially in times of crisis and armed conflict. Those interested in OT will keep investing in extensible, modular ICS malware frameworks, because a single framework can be turned against many victims and against equipment used across several industries.
Destructive attacks as a prominent component of state actors' operations
During the Russia-Ukraine conflict, cyber actors conducted operations alongside kinetic military action, including widespread wiper attacks to disrupt and destroy the networks of government agencies and critical infrastructure entities. Beyond degrading the functioning of the targeted organizations, the wipers served to undermine public trust in the country's leadership, spread fear and doubt, and support disinformation operations. The tempo was high: Microsoft reported that, between 23 February and 8 April 2022, hundreds of systems in dozens of Ukrainian organizations were hit in discrete destructive attacks.
A notable case was the AcidRain wiper attack on satellite communications. The EU, US and UK formally attributed to Russia the attack on Viasat, a commercial satellite communications provider, which was launched immediately before the invasion of Ukraine. Its impact was felt most in Ukraine, where Viasat satellite modems stopped working, but it spilled over into central Europe, where satellite internet connectivity was disrupted and, notably in Germany, remote monitoring of thousands of wind turbines was lost.
Destructive and disruptive operations by state-backed actors will continue as the conflict goes on. Within Ukraine, government and military networks and the energy and communications sectors are the prime critical infrastructure targets, and further disruptive operations could spill over into other countries. Western and NATO allies, especially critical infrastructure entities, are also likely targets of retaliation for the sanctions imposed on Russia and the support provided to Ukraine. Pro-Russia ransomware groups may be coordinated to conduct destructive operations against Western organizations, and state-sponsored groups may reuse existing ransomware variants to disguise their operations and maintain plausible deniability.
Public attribution and legal actions continue
ENISA's 2021 report highlighted growing efforts by governments to disrupt, publicly identify and prosecute state-sponsored threat actors. Notable actions during the reporting period include:
- A Venezuelan national was indicted for using and selling ransomware linked to Iran, evidence of state-sponsored actors' interest in ransomware as a tool for their strategic objectives.
- The US charged four members of the APT40 group, a state-sponsored threat group linked to China's Ministry of State Security.
- The Security Service of Ukraine indicted three operators of the Gamaredon group.
- Two Iranian nationals were charged over cyber campaigns and influence operations targeting the 2020 US presidential election.
- The US Department of the Treasury sanctioned the Blender cryptocurrency mixer for laundering cryptocurrency on behalf of the state-sponsored Lazarus group.
- Four Russian nationals were charged over the Triton and Dragonfly campaigns against critical infrastructure.
- The UC Berkeley Human Rights Center formally asked the Office of the Prosecutor of the International Criminal Court in The Hague to prosecute the Sandworm group for war crimes over its role in the 2015 and 2016 power outages in Ukraine.
- The FBI dismantled the Cyclops Blink botnet, controlled by Russia’s military intelligence service (GRU).
- The EU, US and UK formally attributed the Viasat attack to Russia.
- The EU and member states condemned the cyber attacks against Ukraine and the Distributed Denial of Service (DDoS) attacks against several EU member states.
- Germany's Attorney General issued an arrest warrant for a member of the state-sponsored APT28 group over cyber espionage against a NATO think tank in 2017.
Governments are increasingly prioritizing cyber operations, which translates into more public attribution of campaigns, more disruption of adversary infrastructure, and more indictments that publicly name operators. This trend is likely to continue, with more states taking legal action against threat actors in the near to mid term. Whether such actions deter highly sophisticated and determined state-backed actors in the long run remains unclear. For example, although the US Department of Justice indicted seven operators of the state-sponsored group APT41 and seized part of its infrastructure in September 2020, the group stood up new infrastructure and continued operations from late 2021 until mid-2022. Similarly, APT40 continued to advertise for recruits despite the US indictment. Indicting operators alone, therefore, does not necessarily have a significant impact on a group's operations, and further coordinated actions may be necessary.
State-backed threat actors increasingly focus on supply chain compromises
Supply chain compromises accounted for 17% of intrusions in 2021, up from less than 1% in 2020 (Mandiant's M-Trends 2022 figures); other sources put the share as high as 62%. State-backed threat actors have recognised the potential of such attacks and increasingly target third parties in order to extend their operations downstream to those parties' clients.
Cloud service providers (CSPs), managed service providers (MSPs) and IT services organizations are frequent targets, because the trust relationships they hold with their customers can be abused to reach many downstream networks at once. The NOBELIUM activity group has consistently targeted service providers and their downstream customers, and other actors compromised over 40 IT services companies in India to reach their clients' networks.
State-backed threat actors will continue to develop toolsets for compromising supply chains as an indirect route to their objectives. They are likely to favour software supply chain attacks, such as compromising open-source development libraries, popular software packages and software platforms, to gain access to the networks of hundreds of victims at once.
Geopolitics continues to influence cyber operations
Intelligence collection through cyber operations is driven by geopolitics, and targeting intensifies as tensions escalate. For example, the armed conflict in Ukraine has prompted numerous operations against Ukrainian entities by state-backed groups, focused on initial access and on collecting intelligence that could give military forces a tactical or strategic advantage.
State-sponsored actors also targeted government organizations in 42 countries that support Ukraine. Separately, China-linked groups targeted entities in Southeast Asia, Japan, Australia and Taiwan; security researchers assess that these groups are tasked with collecting intelligence on investments, negotiations and influence related to the Belt and Road Initiative. The volatile international situation is likely to trigger further geopolitically driven operations in the Middle East, the Eastern Mediterranean, the Arctic, the Baltics, Afghanistan, Yemen, Syria and Libya.
During the reporting period, cyber campaigns were reported from threat groups connected to a growing number of states, including Vietnam, Turkey, Pakistan, India, Ukraine and Belarus. More states can be expected to deploy cyber capabilities for intelligence collection, especially in times of heightened tension or conflict.
During the armed conflict in Ukraine, hacktivists, cybercriminals and nation-state groups were all mobilised. One group, the IT Army of Ukraine, is hard to classify: there is no consensus in the security community on whether it is a volunteer hacktivist group, a state-backed group, or a hybrid of the two. It is likely to become a subject of study in cyber warfare research and may foreshadow a trend in future conflicts.
In February 2022, Ukraine's deputy prime minister and minister for digital transformation announced the creation of the IT Army of Ukraine, calling for volunteers and coordinating actions through a Telegram channel that reached 300,000 subscribers. The IT Army attacked a range of targets, mainly through coordinated Distributed Denial of Service (DDoS) attacks, though not exclusively.
Because Ukraine had no military cyber command when Russia invaded, it created a hybrid entity resembling Estonia's Cyber Defence League, made up of Ukrainian and international civilians, private companies, and Ukrainian defence and military personnel, which makes it difficult to categorise. This raises questions about international law in cyberspace, state cyber norms, the targeting of civilian infrastructure, and the ethics of private companies' involvement.
State actors, particularly those without an organised military cyber command, are likely to adopt the structure of the IT Army of Ukraine as a blueprint for non-state participation in future conflicts. Such crowdsourced cyber armies may also have a non-public side, further complicating their structure and operational conduct, and their analysis by the security community, scholars and cyber warfare analysts.
Tech companies’ increasing defensive role in cyber operations during conflicts
During the Russian invasion of Ukraine, several major technology companies openly took Ukraine's side in the cyber conflict. Microsoft is the most prominent example: it supported Ukrainian cybersecurity officials in countering the FoxBlade malware (Microsoft's name for the HermeticWiper wiper) and supplied awareness and intelligence reports on Russian cyber operations. For these efforts, Microsoft and AWS received the Ukraine Peace Prize from President Volodymyr Zelenskyy.
This trend is notable but hard to evaluate. The long-term consequences of such strong alignment with one side of a conflict are not yet understood, and the role and responsibilities of private companies in future conflicts, including whether technology companies should shoulder the burden of defence, remain under debate.