CrowdStrike: Nation-state cyber operations gaining steam

A Feb. 19 report by threat intelligence firm CrowdStrike makes the case that nation-state offensive cyber operations are here to stay, documenting how the practices have become key weapons for global powers even as the U.S. and other countries seek to impose greater costs for bad behavior in the digital space.

Some nation-states "gave lip-service to curbing their clandestine cyber activities," but behind the scenes they have actually "doubled down" on such tactics over the past year, the report claimed.

CrowdStrike characterized 2018 as a "transition year" for many nation-state hacking groups as they switched up tactics in response to high-profile "name and shame" tactics from the U.S. and other allies.

While there were no high-profile global attacks like WannaCry or NotPetya to point to, a range of metrics indicated that overall global hacking and probing of networks has gone up significantly in the past year.

The most active and dangerous groups for U.S. businesses and governments continued to be those associated with the so-called Big Four: Russia, China, Iran and North Korea.

"Across the board we saw more nation-state activity," Adam Meyers, vice president of intelligence at CrowdStrike, told FCW. Indictments have a better track record of deterring criminal groups than countries like China and Russia, he added.

"To say indictments don't change behavior -- certainly on the criminal side it appears to have changed behavior," said Meyers. "From a nation-state perspective, they're going to continue to have intelligence requirements and continue to execute against them."

Breakout times -- defined as the speed with which an actor moves from gaining an initial foothold within a network to gaining broader access -- continued to shrink as threat groups hone their tactics. Russian groups like Fancy Bear led the way with a breakout time of less than 19 minutes, nearly eight times faster than their closest competitor, North Korea-based groups.  

In response to the findings, some were quick to warn that faster breakout times do not automatically translate to greater capability.

"Very slow and methodical is extremely hard to detect and no less indicative of the risk posed by the threat actor," wrote Jason Kichen, a former U.S. intelligence officer with a background in cybersecurity.

"It's a matter of looking at who's targeting you and what they're targeting," Meyers said. "I think [breakout time is an] interesting data point, but it's not necessarily the thing that an organization or individual trying to protect themselves should be focused on."

North American countries faced the highest proportion of "malware-free" attacks, such as credential theft, compared to other regions. Globally, the media, tech, academic, energy and health care sectors were the most common industries targeted with malware-free attacks, while about three out of four attacks against governments relied on malware.

Meyers said that IT modernization and increasing migration to the cloud carry the biggest cybersecurity-related risks when it comes to the U.S. government. The federal government is in the midst of a concerted policy push to update networks and systems, but large changes to an organization's IT environment can often open new security holes and vulnerabilities.

"There's a lot of cloud implementation, and that could be done very securely or very insecurely," Meyers said. "In the government's rush to modernize and improve their systems, they need to be really thoughtful in how they approach these things."