Blog
State-sponsored Hacker Groups Expand Attack Mechanisms and Utilize Commodity Malware for Espionage
Mar 24, 2020

State-sponsored hacker groups have been active for the past couple of decades. These well-funded hacker groups work for governments to steal intellectual property, wreak havoc on essential services such as power grids, telecommunications and financial systems, and cause massive disruption to daily life. State-sponsored hackers also target commercial enterprises in their efforts to destabilize the economy and create social unrest. The more prominent state-sponsored hacks include the Sony Pictures cyberattack by North Korea’s Guardian of the Peace hacker group as a retaliation to the screening of ‘The Interview’ where North Korean leader, Kim Jung-Un, was portrayed in a negative light. Other prominent state-sponsored cyberattacks include the recent data breach at Mitsubishi Electric by suspected Chinese hackers, the campaign launched against Indian nuclear power plant to exfiltrate data by North Korean hackers as well as Iranian’s cyber espionage against Saudi Arabian oil companies.

All the attacks above carry a common theme – the hacker groups have deployed malicious software, which is sophisticated, modular and multi-faceted. The cyber-attackers could extract data, destroy data, and control important and sensitive operational technology and machinery. The malware was carefully designed and customized to create the intended damage.

Recent observations by CYFIRMA Research revealed a change in tempo and type of attack mechanisms amongst state-sponsored hacker groups. In Dec 2019, the company’s researchers captured multiple conversations in hackers’ communities discussing the launch of EMOTET campaigns. The hacker groups were all known to be state-affiliated and funded, and the attack mechanism of choice is simply commodity malware. As the name suggests, this sort of malware is designed from readily available tools which hackers can quickly re-jig and launch attacks. In the ensuing months, the number of state-sponsored attacks using commodity malware have continued to rise and following is a sample of campaigns observed:

March 2020
March 2020
Developing and emerging nations have also entered the fray, many trying to build cyber capabilities with limited know-how and skills. Utilizing readily available malware would provide easy entry into the world of cyber espionage. These emerging nations would leverage commodity malware for a start, and should they gain expertise over time, the attack mechanism may evolve to be just as sophisticated as the developed nations.

While the world tries to cope with the new players, the more mature state-sponsored actors have progressed to using deception techniques to create confusion. By leveraging on commodity malware, they are attempting to operate under the cloak of anonymity to avoid being identified as state-sponsored hacker groups. Commodity malware can, at times, fall outside the radar as security analysts deem them to be of low threat to the organization. When remediation actions are not taken immediately, hackers can install another malware for further intrusion. A simple commodity malware becomes a ‘Launch Pad’ and could result in a catastrophic outcome for the compromised organization.

The state-sponsored hacker groups have also started to collaborate, exchange information, and share attack mechanisms, as CYFIRMA Research has observed between Chinese Stone Panda and North Korean Lazarus hacker groups. By teaming to take down a common adversary, they increase efficiency and achieve their objective faster.

The accelerated pace which technology is progressing in the areas of artificial intelligence and machine learning as well as faster processing power of computer servers fuel the speed which malware can be replicated.

Despite the awareness of cybersecurity as a key domain in both government and business, the number of data breaches have not abated over time. In fact, the number of attacks and the cost of data breaches have been growing exponentially. Nation-state cyber conflicts are likely to escalate, and with it, collateral damage to commercial enterprises.

Our Recommended Remediation for Commodity Malware

To effectively prevent, detect, and respond to the malware attacks, we recommend the following actions: