The number of hostile nation-state hacking operations is rising as new countries invest in cyber-intrusion campaigns and existing state-backed attack groups take advantage of the rise in organisations adopting cloud applications.
Crowdstrike’s 2022 Global Threat Report details how the cyber-threat landscape has evolved during the past year. One of those developments is the rise of new countries engaging in offensive cyber operations, including Turkey and Colombia.
In accordance with Crowdstrike’s naming conventions, attacks by Turkish-linked groups are detailed as attacks by ‘Wolf’ while attacks by Colombian operations have been Dubbed ‘Ocelot’ – in a similar way to how cybersecurity researchers name Russian government-backed activity ‘Bear’ or Chinese hacking groups ‘Panda’.
Activity by one of these new groups is detailed in the report; a Turkish-based hacking group, dubbed Cosmic Wolf by researchers, targeted data of an unspecified victim stored within an Amazon Web Services (AWS) cloud environment in April 2021.
The attackers were able to break into the AWS cloud environment using stolen usernames and passwords, which also provided the attackers with the privileges required to alter command lines. That means they were able to alter security settings to allow direct Secure Shell Protocol (SSH) access to AWS from their own infrastructure, enabling the theft of data.
Ultimately, countries are seeing that cyber campaigns can be easier to conduct than traditional espionage and are investing in these techniques.
“There are a lot of countries out there that look at this and realise it’s cheaper, it’s easier and it’s got plausible deniability built into it,” Adam Meyers, senior vice president of Intelligence at Crowdstrike, told ZDNet.
“That’s what’s happening – we’re seeing more countries have developed these programmes and they’re going to get better at it over time.”
One of the reasons countries are increasing their offensive cyber capabilities is due to the impact of the global pandemic. Lockdowns and stringent travel checks made it harder for traditional espionage techniques to be effective, leading towards investment in cyber operations.
“It’s created a little bit more demand or accelerated planning around developing cyber capabilities for some of these countries that would have perhaps relied on other means previously,” said Meyers.
The shift towards cloud applications and cloud IT services has also played an unwitting role in making cyberattacks easier. The rise of hybrid working means many employees aren’t based in an office, instead connecting remotely via collaborative applications, VPNs and other services – using a username and password.
That makes being productive while working remotely simpler for employees – but it’s also made things simpler for hacking groups, who can secretly access networks with a stolen – or guessed – username and password.
Some of the biggest cybersecurity incidents of recent years, like the SolarWinds and Microsoft Exchange attacks, have demonstrated how an attack targeting cloud services and cloud supply chains could be powerful, particularly if cloud is misconfigured or poorly monitored.
“As organisations are moving to the cloud and looking to develop better capabilities, threat actors are moving there as well,” said Meyers.
There are, however, steps that organisations can take to help make their networks and their cloud infrastructure more resistant to cyberattacks, including the adoption of a zero-trust strategy of not trusting devices connecting to the network by default.
The research paper also recommends that organisations work towards eliminating misconfigurations in their cloud applications and services by setting up default patterns for setting up cloud, so when new accounts are set up, it’s done in a predictable manner, minimising the possibility of human error going undetected. Cloud architecture should also be monitored and maintained with security updates, like any other software.