Nation state cybercrime is a bigger threat than you might think

With cybercrime reported as a primary means of revenue for North Korea, experts are highlighting that nation state cybercrime is more of a threat to businesses than many currently think…

North Korea is using revenue from cybercrime to prop up its economy, as it provides a way around the economic sanctions the regime faces. This is the finding of a report published by cybersecurity firm Venafi this summer.

According to the report’s author, former Israeli intelligence operative Yana Blachman, there are estimates that the regime has generated profits of up to US$1bn a year from cybercrime, and its success in this area could lead to other rogue states following suit.

North Korea may care more than Russia, China or Iran do about monetising cybercrime, and its capability development and deployment is often skewed towards the kinds of attack that generate funds, but it is important to remember that this income is a secondary benefit of a capability the regime would have built anyway.

This is the view of Brian Lord, CEO of Protection Group International (PGI), and past deputy director for Intelligence and Cyber Operations at GCHQ.

“North Korea – like all states – develops offensive cyber capabilities in order to facilitate a geopolitical effect and be able to measure its ability to impact adversaries,” he points out. “Large scale ransomware and financial crime are two of the tools available to states which operate more indiscriminately. They’re sometimes chosen either because they have the secondary benefit of generating some revenue, and/or they can create a fig leaf of deniability for states as the attacks look criminal in nature. However, they’re used first and foremost as disruptive tools.”

Businesses are in danger of cyberattacks from nation states

Both experts agree, however, and they are not alone in this, that nation state attacks are no less dangerous to businesses than those mounted by criminal gangs, and that many organisations are more exposed than they think.

“State-sponsored cyberattacks are on the rise and government and critical infrastructure enterprises are no longer necessarily the most at risk,” warns Lauri Almann, co-founder of CybExer Technologies and ex-permanent undersecretary for the Estonian Ministry of Defence.

For the most part, businesses are under threat from state attacks not specifically because of who they are, but because they form part of a nation's fabric and ecosystem and become collateral damage in an attacker's attempt to influence that fabric.

“This is either because of the victim’s use of a particular software system and they fall victim to a state attacker trying to assess its global reach – think, for example, NotPetya – or because they’re part of a wider interconnected public service provision ecosystem,” says Lord.

But organisations shouldn’t assume that political neutrality or a lack of links to government or critical public infrastructure means they’re at low risk. Many commercial businesses will still have data that state-sponsored actors will seek to compromise in order to achieve their objectives. 

“It’s very crazy, and kind of scary to think that any individual or private company can become the target of a nation state-sponsored attack, but this is the reality,” says Blachman.

Not only does this mean you’re coming up against very skilled and sophisticated hackers, she says, but – at least in the case of North Korea – “they’re more brazen, reckless and even destructive in their approach”.

The tools and techniques used on businesses by nation state actors

For the most part, the tools and techniques used by states against businesses are types of malware and exploits that are already in the wild, or within the capability of a reasonably talented hacker to create, says Lord. He explains that this is because sophisticated zero-day capabilities are generally reserved for high-grade espionage and military or political targets.

These can still do substantial damage, however, and the tactics, techniques and procedures (TTPs) of state-sponsored actors continue to evolve to take advantage of new opportunities as they present themselves.

For example, as the pandemic took hold, attackers quickly began exploiting vulnerable VPN concentrators – systems critical for business continuity – and misconfigured services such as internet-exposed remote desktop protocol (RDP) servers.

“These can be used to break into organisations from the main gate. From there the attackers can move laterally and achieve their goals, whether that’s espionage, IP theft or simply business disruption,” says Paolo Passeri, cyber intelligence principal at Netskope.

In the case of North Korea, nation state actors have used everything from ransomware and malicious cryptocurrency applications through to system exploits and web skimming.

“They’re very skilled and over the years have crafted their own tools and tailored attacks to their targets,” says Blachman. “They constantly evolve their TTPs and right now North Korea’s use of code signing machine identities makes its attacks particularly hard to defend against. Stealing these equips the actors with the ability to pass off their own software as if it were from the genuine developer.

“It also enables them to carry out devastating supply chain attacks. Yet there’s not enough awareness around the importance of these machine identities, giving North Korean cybercriminals the opportunity to take advantage.”
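The mechanism Blachman describes can be shown in a few lines. The following Go program is an added example, not code from the article or from any vendor it names; the envelope format, key names and sample payloads are hypothetical and constructed here. It signs a genuine release and a trojanised build with the same publisher key, exactly as an attacker holding a stolen key would, and shows that the signature check alone accepts both. Only a policy layer above the cryptography, a publisher allowlist plus a revocation record keyed on signing time, rejects the stolen-key artifact once the theft is known:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedArtifact is a hypothetical minimal code-signing envelope: the release
// bytes, a detached signature, the public key that claims to have made it and
// the signing time the signer asserts.
type SignedArtifact struct {
	Payload   []byte
	Signature []byte
	Signer    ed25519.PublicKey
	SignedAt  time.Time
}

// signingInput binds the payload hash to the asserted signing time, so the time
// cannot be changed afterwards without invalidating the signature.
func signingInput(payload []byte, at time.Time) []byte {
	h := sha256.New()
	h.Write(payload)
	h.Write([]byte(at.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// Sign is what a build pipeline does with the publisher's private key. Whoever
// holds priv, the developer or a thief, produces an identical-looking artifact.
func Sign(priv ed25519.PrivateKey, payload []byte, at time.Time) SignedArtifact {
	return SignedArtifact{
		Payload:   payload,
		Signature: ed25519.Sign(priv, signingInput(payload, at)),
		Signer:    priv.Public().(ed25519.PublicKey),
		SignedAt:  at,
	}
}

// VerifySignature is the check most installers stop at: is the signature valid
// under the embedded public key? It says nothing about who pressed the button.
func VerifySignature(a SignedArtifact) bool {
	return ed25519.Verify(a.Signer, signingInput(a.Payload, a.SignedAt), a.Signature)
}

// KeyID is a short fingerprint used to name keys in the allowlist and revocation list.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerifyWithPolicy adds the controls that catch a stolen identity: the signer must
// be an allowlisted publisher, and anything signed at or after that key's
// revocation time is refused. Caveat: here SignedAt is asserted by the signer; a
// real deployment needs a trusted timestamp, or the attacker simply backdates it.
func VerifyWithPolicy(a SignedArtifact, trusted map[string]bool, revoked map[string]time.Time) (bool, string) {
	if !VerifySignature(a) {
		return false, "signature invalid"
	}
	id := KeyID(a.Signer)
	if !trusted[id] {
		return false, "signer " + id + " is not an allowlisted publisher"
	}
	if at, ok := revoked[id]; ok && !a.SignedAt.Before(at) {
		return false, "signer " + id + " was revoked before this artifact was signed"
	}
	return true, "ok"
}

// Outcome records each check so the scenario can be inspected or tested.
type Outcome struct {
	GenuineSigOK, StolenSigOK       bool // both true: the signature alone cannot tell them apart
	GenuinePolicyOK, StolenPolicyOK bool
	StolenReason                    string
}

// RunScenario plays the theft out with a fixed seed so results are reproducible.
func RunScenario() Outcome {
	seed := sha256.Sum256([]byte("example publisher key - not a real identity"))
	pub := ed25519.NewKeyFromSeed(seed[:])
	pubID := KeyID(pub.Public().(ed25519.PublicKey))
	trusted := map[string]bool{pubID: true}

	// Constructed stand-ins for a real release and a backdoored rebuild of it.
	release := []byte("installer-v2.3.1: legitimate build")
	trojan := []byte("installer-v2.3.2: backdoored build")

	genuine := Sign(pub, release, time.Date(2020, 3, 1, 9, 0, 0, 0, time.UTC))
	stolen := Sign(pub, trojan, time.Date(2020, 6, 15, 2, 0, 0, 0, time.UTC)) // attacker, same key

	// Theft discovered: revoke from the compromise date. The earlier genuine
	// release stays valid, the trojan signed after that date does not.
	revoked := map[string]time.Time{pubID: time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)}
	genuineOK, _ := VerifyWithPolicy(genuine, trusted, revoked)
	stolenOK, reason := VerifyWithPolicy(stolen, trusted, revoked)

	return Outcome{VerifySignature(genuine), VerifySignature(stolen), genuineOK, stolenOK, reason}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point the code makes is the one Blachman makes in prose: the cryptography is working perfectly in both cases, so no amount of signature verification on the receiving end distinguishes a stolen key from a legitimate one. What does is protecting the private key in the first place (hardware-backed storage, short-lived keys, audited access) and, after a compromise, having a revocation and trusted-timestamping regime that the verifying side actually consults.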

Keeping your business safe

Businesses can best protect themselves from nation state attackers by keeping on top of cyber threat intelligence. Put simply, it’s all about knowing your enemy.

Knowing the latest TTPs used by nation state actors can help businesses be better prepared to fend off or detect an attack and minimise the attack surface.

“Cyber threat intelligence can help commercial organisations determine which state-sponsored threats are most likely to affect them on the basis of their industry and/or geography,” says Paul Prudhomme, head of threat intelligence advisory at IntSights. “It can also highlight which specific types of information and infrastructure these actors are most likely to target so that security teams can enhance the defences of those specific targets, such as with encryption or network segmentation.”

But it also comes back to the basics, such as keeping all systems patched and up to date and performing regular security assessments. No business can protect itself completely from cyberattacks, but by putting cybersecurity at the heart of everything you do, you can at least be confident that you have taken the precautions available to you.