logo

How Nation-State Cybercriminals Are Targeting the Enterprise

Globe superimposed over image of person typing on keyboard; blue tint
Source: Pablo Lagarto via Alamy Stock Photo

COMMENTARY

Cyber warfare often mirrors traditional conflict, but as global geopolitical tensions continue to rise, the landscape of nation-state cyber-threat actors has shifted significantly. Recent events have spurred altered tactics, targets, and patterns of state-sponsored cyberattacks. While historically these threat actors focused primarily on critical infrastructure and government entities like energy grids and transportation, today's nation-state threat actors have expanded their scope further into the enterprise. 

This evolving threat landscape now demands that businesses strengthen their security posture and prepare for sophisticated nation-state-level attacks. The urgency is real — just recently, adversary groups like Velvet AntGhostEmperor, and Volt Typhoon have been spotted targeting major organizations, attempting to exfiltrate sensitive data and wreak havoc on critical systems. It's clear nation-state threat actors are moving out of the shadows and into the spotlight, and their threats are no longer on the horizon — they are at our doorstep. 

Expanding Targets: Enterprises Under Siege

In the past 12 months, an escalation of traditional conflicts has driven a rise in cyberattacks. For instance, as Iran supplies more weapons to Russia, and the US and Europe continue to impose additional sanctions against the country while arming Ukraine with advanced military capabilities, we can expect to see a rise in cyberattacks across various sectors. The vulnerability of critical infrastructure to cyber threats and heightened geopolitical tensions can be seen following the 2021 Colonial Pipeline attack, where prior agreements between US President Biden and Russian President Vladimir Putin to reduce cyberattacks on critical infrastructure were quickly abandoned with the eruption of the Ukraine war. 

As organizations digitize their services and operations, the interconnected nature of global business and infrastructure — and the vast amount of sensitive data they collect and store — have also made a wider range of enterprises attractive targets to nation-state threat actors. We are seeing increasing evidence of nation-state attacks, in unsuspecting industries like law, media, telecommunications, healthcare, retail, and supply chain logistics because of the sensitive data they are handling.

These companies hold high-value intellectual property, i.e., client information, patents, and proprietary contracts, and are often connected to wider networks of affiliates and vendors. A single cyberattack could grant the "keys to kingdoms" — undetected access to hundreds of critical systems and sensitive data — which is then leveraged by government-backed entities to gain a foothold in new markets and undercut competition. 

Mission vs. ROI: Differentiating Nation-State Threat Actors From Ransomware Groups

The key to defending yourself against a nation-state threat is first recognizing the different motives and goals of the threat actor. Unlike ransomware groups who are predominantly driven by financial return on investment (ROI) and, therefore, opt to target hundreds of businesses, waiting for one to bite, nation-state attackers are extremely well-resourced, mission-driven, and focused on long-term goals like stealing trade secrets, military intelligence, or high-profile personal information. Other motives include misinformation operations, disruption of critical infrastructure, and state financial gain under the guise of ransomware attacks. 

Understanding the Technical Prowess of Nation-State Actors

Nation-state threat actors have the time, technical expertise, and perseverance to achieve their specific goals — they have planned a highly targeted operation to gain knowledge through stealthy and persistent means, often moving laterally across networks to avoid detection, and reinfiltrating networks multiple times after being eradicated. They work diligently to hide their tracks from digital forensics and will go as far as to modify security logs, disable tools, encrypt systems, and alter timestamps, making it more difficult to attribute and differentiate their group, and hamper investigations.

Chinese-Nexus threat group, deemed Velvet Ant by Sygnia, demonstrated exceptional persistence by establishing and maintaining several footholds within its victim's environment — leveraging new techniques and the use of different technologies to evade detection. One method used for this persistence was exploiting a legacy F5 BIG-IP appliance, which was exposed to the Internet and leveraged as an internal command and control (C&C) system. The primary objective of this campaign was to maintain access to the target network for espionage purposes.

Similarly, a Demodex rootkit known to be used by GhostEmperor, a sophisticated nation-state actor first identified by Kaspersky in 2001, had resurfaced in the enterprise, attempting to carry out a wide-scale attack in 2023. The threat actor compromised servers, workstations, and user accounts by deploying the advanced rootkit and leveraging open source tools available on the Internet to communicate with a network of command-and-control (C2) servers, to avoid attribution.

Detecting and combating nation-state threat actors in the enterprise is an ongoing war, not just a battle.The most cyber-mature organizations assess and safeguard critical digital assets, prioritize network visibility, and take actionable steps consistently to strengthen their cyber resilience and hygiene in advance of a cyberattack. Other examples of key strategies include:

  • Regularly rehearsing various threat scenarios to clearly define response roles, at both technical and executive levels, and ensure a seamless and coordinated approach within the most critical first 24 hours of a crisis.

  • Utilizing and optimizing their security stack, prioritizing investment in tools that detect anomalies and offer both a holistic and a granular view of their networks and systems — because you can't find what you can't look for.

  • Looking into threat detection tools with AI and automation capabilities as part of their defense strategies to reduce costs and speed up digital forensic investigations.

Combating nation-state threat actors at the enterprise level requires more than just cyber readiness and investment — it calls for a collaborative effort. Before a crisis occurs, organizations should proactively build relationships with government agencies and industry peers. By fostering open communication and sharing insights and experiences, businesses can strengthen the wider security community and enhance collective defenses against these sophisticated nation-state-level threats.


Free security scan for your website