According to Verizon, state-based actors are responsible for the great majority – 82 per cent – of cyber espionage, with attacks aimed at stealing sensitive data from government or commercial organisations.
Verizon has trawled through seven years-worth of data in its annual Data Breach Investigation Report (DBIR) to produce what it says is the first data-driven publication on advanced cyberattacks, its Cyber Espionage Report.
Verizon found public sector organisations and manufacturing companies to account for the bulk of cyber espionage targets, at 31 per cent and 22 per cent respectively. However, this figure is based only on data collected from 81 organisations that contributed to the 2020 DBIR.
The top compromised data varieties for cyber-espionage breaches all fall outside regulatory reporting requirements. They were credentials (56 per cent), secrets (49 per cent), internal (12 per cent) and classified (7 per cent).
The report also identified APAC as the region suffering the most cyber espionage attacks, (42 per cent of total between 2014 and 2020).
It says these threat actors pose a unique challenge to cyber defenders and incident responders because they leave little to no indication of their actions or objectives in order to avoid detection and thwart response efforts.
“Through advanced techniques and a specific focus, these determined threat actors seek to swiftly and stealthily gain access to heavily defended environments,” the report says.
“Depending on their goals, they move laterally through the network, obtain targeted access and data, and exit without being detected. Or they stay back and maintain covert persistence.
“Many choose not to move immediately toward their objectives, opting to embed themselves in the environment where they persist quietly until their next move.”
The report does not identify by name any nation state responsible for cyber espionage. Ashish Thapar, managing principal and head of APJ at Verizon, and one of the co-authors of the report said it was not possible to do this reliably.
“There are instances where we’ve seen false flags implemented to pinpoint a nation or a group or a threat actor.”
Phishing has been consistently the most common attack vector: it accounted for 90 per cent of breaches in 2014, 81 per cent in 2019 and an average of 79 per cent overall.
Only making it into the top 10 attack vectors this year is password dumper, where large numbers of username/password are obtained from a hack and dumped onto the dark web. Users who have the same password for multiple accounts can then be compromised.
The report says asset identification is one of the most important things an organisation can do to protect important assets from cyber espionage.
It describes asset identification as “a fundamental requirement for a solid information security posture … A foundational part of the risk management process, which aims to define and prioritise risks for an organisation. It urges all organisations to identify asset owners and implement asset access controls.
Mr Thapar said restricting user access to information to those who need it is an easy and simple option that is much under-implemented. “It doesn’t cost a lot of money, but it’s still often not properly implemented. It’s one area, which really needs a lot of attention.”
The report references The Vocabulary for Event Recording and Incident Sharing (VERIS) framework, a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.
Mr Thapar said it provided a useful guide to the measures an organisation could take to protect against cyber attacks. “It clearly calls out controls, which are very nicely mapped to these different attack vectors.”
The Australian Cyber Security Centre’s produces the Essential Eight risk management framework: a prioritised list of eight mitigation strategies. However, Mr Thapar said this was not as widely implemented as it should be.
“The government is trying to drive home certain very simple to do, basic hygiene practices. But implementation of the Essential Eight is really something that needs more effort.”
In addition to standard cyber security techniques to detect prevent and detect cyber espionage, Verizon suggests organisations should also be alert to an unexpected loss of competitive advantage that could indicate the theft of intellectual property or customer/market data.
Verizon’s 2020 DBIR reported a decrease in cyber espionage, from 13.5 per cent of breaches in 2018 to 3.2 per cent in 2019. However, the CER suggests this is the result of under-reporting.
“It’s reasonable to assume that the overall cyber-espionage rate suffers from chronic underreporting. Other motivations (ie financial) lend themselves toward having a more clearly identifiable end state,” it said.
“Cyber-espionage, on the other hand, can potentially be associated with longer attack timelines and potentially unending exploitation.”