Security researchers at IBM have noticed a disturbing trend among companies that've been hacked: Their systems are often victimized by not just one state-sponsored hacking group, but several.
"It's pretty common these days that we'll go to an organization, and we'll see three to four nation-state actors in the same organization," according to Wendi Whitmore, the head of IBM's incident response team, X-Force.
At RSA, security experts have been discussing state-sponsored hackers and what companies can do to stop them. Unfortunately, the threat is growing; countries such as China and Russia remain prolific on the hacking front, while Iran and North Korea are growing more active.
"You're seeing now a wide variety of attackers of increasing skillsets across the globe," Whitmore said during a talk at the annual security show.
According to Whitmore, state-sponsored hackers have been particularly focused on targeting the transportation industry. That's because companies such as airliners and airports hold valuable data on customers, intellectual property, and location-based information, such as air traffic data. The same companies can also maintain large IT infrastructures, which can make them harder to defend, whether it be from one adversary or several.
Tom Etheridge, Stuart McKenzie, and Wendi Whitmore (Photo: @IBMSecurity)
Crowdstrike fends off attacks from nation-state hackers for its customers. Tom Etheridge, the company's VP of services, told PCMag that attackers often exploit vulnerabilities in online web servers. Other favored tactics include phishing emails, tricking employees into opening a malicious link on social media, or using stolen login credentials to break into a system.
When nation-state hackers do breach a company, they tend to work quick. For instance, Russian actors can on average begin moving across a victim's corporate network within 20 minutes of first gaining access, Etheridge said. North Korean hackers, meanwhile, take two hours, whereas Chinese hackers can take about four.
That's why companies need to react fast to a live hacking threat. "If you can catch the attacker in the first few days of an attack, you have so much more of a chance to being able to establish what they're doing," said Stuart McKenzie, VP of FireEye's Mandiant security firm.
"The longer it goes, the harder it becomes. And if it goes on for a significant amount of time, then you'll no longer begin to trust your infrastructure," he added.
So how might companies address the state-sponsored hackers? Well, don't expect the world's governments to rein it in. At RSA, policy experts have also been discussing whether the US and other countries can adopt international standards that'll help limit state-sponsored hacking. But the big obstacle is figuring out how such a deal will be enforced when many countries prefer the current status quo, in which state-sponsored hacking crimes often go unpunished.
"We're having a great deal of difficulty convincing people, especially bad actors in this space, that any norms are valuable," said Paul Rosenzweig, a senior fellow at The R Street Institute think tank.
"Until we make people pay a penalty for behaving badly, things won't change," added James Lewis, program director at the Center for Strategic and International Studies.
As a result, companies will need to brace for more cyber attacks. To protect themselves, IBM's Whitmore said organizations need to invest in tools and security staff that can allow them to detect and respond to hacking incidents quickly.
"I think the biggest win a company can have is not that there will be no attack," she told PCMag. "The win is limiting the attack. The quicker you can detect the attacker, the more you can limit the impact."