Brian Gutreuter

How Do State-Sponsored Actors Operate?




In 2018, I attended a cybersecurity meeting where the speaker discussed the hack of Sony in 2014, which was motivated by the release of Sony's movie "The Interview." The FBI identified North Korea as the state sponsor. He shared extensive technical information and emphasized that it is unusual for state-sponsored actors to target a private company. He believed that Sony's biggest mistake was to ignore the warnings that began several months before the movie's anticipated release. His final remark resonated with me: "If a nation-state is targeting your company, good luck."


So, how do state-sponsored actors operate? Based on the Sony hack, they move through several stages over a span of months before executing the final attack. The first step is infiltration, followed by installing malware, collecting data, exfiltrating that data, and finally executing the destructive attack. In this case, the attacking group, known as Lazarus Group, used 45 different tools and custom code to carry out the attack. Their toolkit included:

· Hard drive wipers
· Remote Access Trojans (RATs)
· Installers
· Spreaders
· Loaders
· General tools
· Uninstallers
· Proxies
· Keyloggers
· DDoS bots

Additionally, they used a vast network of compromised IP addresses as command and control (C2) infrastructure, spread across various countries including the U.S., Taiwan, China, India, Italy, and Thailand. These compromised hosts acted as proxies to obscure the actual C2 servers, which is why blocking any single address did little to disrupt the operation.


They took their time to infiltrate, expand their access, and hide their malicious activity. Evidence suggests that they began exfiltrating data two months before they notified Sony, indicating a long-term, complex attack. The only aspect that wasn't particularly complex was how they gained initial access: through spear phishing. Over 90% of cybersecurity attacks start with some form of phishing because it is effective.


In summary, state-sponsored actors have the potential to inflict significant damage because they typically have access to more talent and resources than other threat actors. Their strategic goals often focus on disabling and destroying rather than seeking financial gain. The good news is that if you maintain a strong cybersecurity practice, starting with training your people on how to identify and avoid phishing attacks, you have a chance to protect your systems and, in the event of an infiltration, to minimize the damage.
