In this special edition of our Cyber Intelligence Briefing podcast, S-RM experts Paul Caron and Stephen Ross – both leaders within S-RM’s US cyber security team – discuss nation-state-backed cyber crime and how it impacts the threat landscape. They look at last year’s ransomware dip and what’s happening on the ground today, and raise the question: ‘what is next on the threat landscape horizon?’
Attribution challenges: the intricacies of nation state threat actors
In physical conflict, groups with direct or indirect links to governments can receive various forms of support, including funding, space to operate within the borders of that country, or technology to refine their operations. The same is true in the realm of cyber. Nation-state threat actors operate with a layer of government support, which complicates the task of identifying the true perpetrators behind cyber attacks. Their substantial resources, funding, and access to cutting-edge technology create a strong barrier and an incredibly complex breadcrumb trail for investigators to follow when attempting to trace the attacks back to their origins.
“War historically has been land, sea, air. We then got into space. Now we are thinking about cyber space.”
Paul notes that as humans we naturally want to know ‘whodunnit’, but ransomware attribution is extremely difficult to pin down without a repeated connection to malware or an identifiable leverage pattern. It is easy to point fingers at a country alone, but the level of complexity is ‘astronomical’, with criminal organisations often doing the majority of the dirty work.
Impact of Russia’s invasion of Ukraine on the cyber threat landscape in 2022
Amidst the early tensions of the Russia-Ukraine conflict, experts anticipated a surge in ransomware attacks in the West as part of Russia's military doctrine. However, the unexpected occurred: ransomware attacks notably decreased. As Paul explains, this pause was due to cyber criminals switching time and resources away from attacking the West and directing attacks at each other instead, specifically across Russia and Ukraine, by groups with close direct or indirect affiliations with those countries.
What’s happening today and what we think will happen in the near future
Today, we have seen an uptick in ransomware activity. Paul notes that threat groups are still financially motivated and, having ‘paid homage’ to their state, have returned to what they do best. But the threat landscape isn’t the same. New groups are coming online, some forming when older groups fracture, perhaps owing to differences of opinion or of political or socio-economic ideals. Others are still large but evolving, reforming with slight differences and becoming ‘multi-threaded’ ventures: one principal group operating under three or four different names, each with small differences in focus or types of attack, such as credential compromise or social engineering, but still rolling up into the principal group.
Paul and Steve predict a continued upswing in attacks. In particular, they expect data exfiltration in which attackers utilise local applications within corporate networks, camouflaging their presence and making their actions exceedingly difficult to trace, alongside social engineering attacks that target high-level executives and threaten their reputation and/or brand, thereby putting increased pressure on how they handle the attack.
Finally, we may also see high-value individuals, such as influential business leaders and affluent personalities, increasingly become direct targets for ransomware – where the threat actor bypasses the need to go through an organisation to reach their goal.