Geopolitical crises bring state and commercial hackers together

Nation state cyber spies from Iran and North Korea are increasingly cooperating with commercial ransomware gangs to cause damage in Western corporate networks.

Impacting organisations, and therefore the economy, in the West serves the aims of these countries. The lines between nation state and financial motivation are blurring, and so are the skills and equipment of the two groups.

The research group Unit 42 from Palo Alto has stated in a recent report that the hacker group Jumpy Pisces is involved in a ransomware incident with new tactics. It appears that the group is acting as a so-called Initial Access Broker (IAB): it gains access to victim networks and shares that access with the commercially driven Play ransomware group.

The Jumpy Pisces group is, according to Unit 42, sponsored by the North Korean state and is linked to the General Office for Intelligence of the Korean People’s Army. It is also known by the names Andariel and Onyx Sleet and has been involved in cyber espionage, financial crime and ransomware attacks in the past. It has already been charged by the US Department of Justice for using the custom-developed ransomware Maui.

This is now the second prominent case of cooperation between state actors and cyber criminals in a short period of time. Back in August, the American Cyber Defense Agency, or CISA for short, warned in its communiqué that Iranian cyber actors with close ties to the government are targeting American and other Western organizations by trying to penetrate their networks. The FBI stated that these groups are linked to the Iranian government. As soon as these actors manage to penetrate a network, they pass the access on to ransomware gangs so that those gangs can carry out the final stages of the attack and harm the target companies. The motto seems to be: what is bad for the West is good for Iran.

Skills are converging

The cyber risk for companies has also grown for another reason. Until now, state-funded cyber hackers were considered the elite in their field because they were highly trained, well financed and could work in large, structured teams. Their supreme discipline was to find zero-day vulnerabilities and then use them specifically and for as long as possible against the target companies.

But the high profits from the private ransomware business have also equalised the balance of power here. Chainalysis's analysis estimates that around 1 billion US dollars was generated with ransomware in 2023.

Ransomware operators have professionalized and switched their business to the highly scalable digital as-a-service model. Criminals without much prior technical knowledge can now enter the ransomware business as affiliates and attack companies and private individuals via these central ransomware-as-a-service (RaaS) platforms. A ready-made toolset of digital attack packages helps them do this. These platforms are financed by sharing profits: typically the affiliate keeps 80% while the RaaS platform owner pockets 20%.

These sums have allowed RaaS platform vendors to move beyond simple social engineering as their way of gaining initial access to a victim's infrastructure. They now reverse engineer vendors' vulnerability patches to produce exploits within a handful of days, and they automate the stuffing of account credentials stolen in other attacks. Many of these RaaS platforms have also incorporated defence evasion capabilities that render endpoint security controls incapable of detecting the attack. As a result, the technical equipment and capabilities of state and private actors have become much more similar, which is why cooperation between the two suddenly seems more plausible. They are increasingly meeting on an equal footing.

For companies, this means one thing above all: the probability of being successfully hacked has continued to grow. Those responsible should therefore focus more on building resiliency to a successful attack instead of pretending that it’s possible to prevent all attacks.

Processes and capabilities that can be used to investigate a successful attack while it is in progress have become more important. This includes the essential mechanisms that give those responsible detection that is not subject to evasion, together with incident response capabilities that allow threats to be investigated and mitigated rapidly, so that business processes and the infrastructure supporting them can be restored with minimal impact.


About the Author

James Blake is Global Head of Cyber Resiliency Strategy at Cohesity. Our mission at Cohesity is simple: to protect, secure, and provide insights into the world’s data. The largest organizations around the globe rely on us to strengthen their business resilience. With the Cohesity Data Cloud, we are able to deliver on that mission. Our customers can recover from cyber events faster, manage and secure their data at enterprise scale, and gain valuable insights with our industry-leading AI capabilities.