In 31 percent of the data security incidents that BakerHostetler’s Privacy and Data Protection Practice Team helped clients address in 2015, attackers used phishing, hacking and malware to access client data. 2016 Data Security Incident Response Report, 3. Chinese state-supported attackers have long targeted the intellectual property of U.S. businesses. As we discussed in an earlier blog post, U.S. government officials asserted that Chinese attack groups broadened their targets in 2015 to include personnel and medical records.
When a state-supported group launches a cyberattack on a business, it can create challenges that are different from financially motivated attacks. State-supported groups have the staff and funding to conduct painstaking reconnaissance on a business’s network to identify databases where sensitive data is stored. Regardless of how they initially gain entry into a computer network, the attack groups frequently deploy backdoors throughout the network. The multiple access points ensure that the attackers can maintain contact between command and control servers in China and the malware they have planted inside the target network, even if some of their tools are discovered and removed.
State-supported attackers regularly dump passwords from internal servers accessed by privileged company users such as domain administrators and database administrators. The password-dumping helps give the attackers access to sensitive data. Some of the attack groups carefully remove evidence of their attacks when they have completed their assignments by deleting log files, copies of the data they staged to exfiltrate, and their malware tools, which makes it difficult to determine what the attackers targeted and stole.
U.S. businesses can improve their ability to defend against such state-supported attackers by continually improving their technical and personnel-based defenses. Outside access to the business’s network should be controlled through multifactor authentication. Servers that store sensitive data should be identified and segregated from the remainder of the network. Privileged-user access to such servers should be restricted through use of one-time passwords or multifactor authentication. Intrusion detection systems should be tied to security information and event management (SIEM) systems, which should be monitored by a sufficient number of trained security personnel, whether on-site or through an outsourced service. Endpoint monitoring, network monitoring and threat intelligence monitoring should also be components of such layered defenses. These and other tools can give U.S. businesses an increased ability to stop state-supported attack groups before they can successfully access sensitive systems or data.
Although Chinese-supported attack groups broadened their targets in 2015, they are not the only state-supported cyber groups attacking U.S. entities. As an indictment unsealed March 24, 2016, discloses (at paragraphs 27-28), an Iranian Islamic Revolutionary Guard Corp attacker, Hamid Firoozi, repeatedly obtained unauthorized remote access in 2013 to a supervisory control and data acquisition (SCADA) system at the Bowman Dam, which is located 20 miles north of New York City. Firoozi’s access to the SCADA system would have generally given him the ability to operate the sluice gate at the dam, but it fortunately had been disconnected for maintenance.
U.S. businesses and other organizations obviously need to continue to improve their ability to detect and stop cyber attacks, including state-sponsored attacks. The attacks are likely to continue to escalate.