Fortinet white paper: Cyber espionage difficult to attribute, difficult to detect

Line of Defence Magazine - Summer 2023-24

Cyber espionage

According to a Fortinet cybersecurity white paper, it’s almost certain that nation state malware is present and undetected in many government agencies and critical infrastructure entities.

On 8 December 2023, the New Zealand Government joined Five Eyes partners in condemning malicious cyber activity conducted by the Russian Government targeting organisations and individuals in the United Kingdom (UK).

According to Judith Collins, Minister Responsible for the Government Communications Security Bureau (GCSB), the statement follows the UK’s attribution of spear phishing attacks impacting its domestic democratic institutions and civil society organisations to a Russian Federal Security Service (FSB) actor known as “Star Blizzard”.

“New Zealand does not tolerate attempts to undermine the integrity of democratic institutions through cyber or any other means,” said Ms Collins. “NGOs and civil society organisations also play an important role in enabling social inclusion in our democracies, and any attempt to interfere with their ability to do that is unacceptable.”

It was the second time in two months that the GCSB’s National Cyber Security Centre (NCSC) had joined like-minded international partners to condemn malicious Russian cyber activity.

On 1 September 2023, the NCSC issued a Malware Analysis Report on the Infamous Chisel malware, which was observed in a campaign targeting Android devices used by the Ukrainian military. This malware was deployed by the actor “Sandworm”, linked to the Russian General Staff Main Intelligence Directorate (GRU)’s Main Centre of Special Technologies (GTsST).

“Russia’s pattern of malicious cyber activity continues to demonstrate disregard for the framework of responsible state behaviour online and for the international rules-based order,” said Ms Collins, adding that the recent spear phishing attacks were “a reminder to all New Zealand organisations to ensure they have strong cybersecurity measures in place.”

State-sponsored attacks pose espionage threat

Published in November, the NCSC’s Cyber Threat Report 2022/2023 noted that 23 per cent of cyber incidents reported in the past year showed indications of a connection to state-sponsored actors, with a total of 73 incidents.

“State-sponsored cyber actors primarily pose an espionage threat to Aotearoa New Zealand,” stated the report. “These actors continue to demonstrate intent and capability to target Aotearoa New Zealand.”

“State-sponsored cyber actors are typically motivated to maintain covert persistence on computer networks of high intelligence value. To achieve this goal, malicious cyber actors continue to identify novel weaknesses in—or new techniques for—evading Aotearoa New Zealand cyber defences.”

These attacks typically seek to understand our diplomatic and policy positions or to undertake commercial espionage, including the theft of intellectual property from organisations. They may initially present as if conducted by a financially motivated actor or, at times, they may actually be financially motivated.

This type of activity, says the report, is difficult to attribute with high levels of confidence to specific cyber actors and specific states. Indeed, about half of all incidents reported in the past year showed clear links to neither state-sponsored activity nor criminal activity.

Espionage attacks: quiet and patient

“Beyond the risk of cyberattacks by nation-states, organised crime and even lone cyber hackers have the intent and capacity to threaten businesses and individuals,” write Glenn Maiden and Nicole Quinn, authors of Fortinet’s Government and Industry: Partnering on Cybersecurity to Strengthen Data Security whitepaper.

According to the white paper, cyber threats present substantial new risks to individuals, businesses, governments, and nations, regardless of their origin.

“As it stands, it’s almost certain that nation-state malware is present and undetected in many government departments and agencies, managed service providers (MSPs), electricity distributors, and other critical infrastructure entities.”

“The speed at which one nation can target another nation’s vulnerabilities by cyber means is rapidly increasing. When a vulnerability is discovered, there are often weeks, months, or more before businesses identify the risk, giving organisations less time to patch and prepare their IT defences.”

According to Fortinet’s 2022 Networking and Cybersecurity Adoption Index, fewer than 49 per cent of New Zealand and Australian organisations said they could detect a security breach in less than 90 days, with 23 per cent taking between two and three months.

Surprisingly, the white paper notes, high-profile, well-resourced, and cyber-mature businesses can be more severely affected by attacks such as ransomware than smaller entities. In 2021, for example, large organisations in the United States of America, such as JBS Foods, Colonial Pipeline, CNA Financial, and Frontier Software, all fell victim to destructive cyberattacks.

But whereas ransomware attacks tend to be quite obvious and immediate, given that the attacker wants to cause as much disruption as possible to elicit payment, a “motivated nation-state intent on espionage or intellectual property theft is far less easy to identify,” write Maiden and Quinn.

That malware, they continue, “may be lying dormant, waiting to be activated, or quietly stealing sensitive data from the compromised network.”

Regarding the recent Star Blizzard controversy, Moscow claims that there is no evidence for allegations of the digital spying campaign. The Russian foreign ministry has previously dismissed Western reporting on Star Blizzard as anti-Russian propaganda.

*Fortinet is an advertising partner of Line of Defence Magazine.