Barely a month goes by without new reports of a country engaging in cyber espionage or other technology-enabled attacks. As the internet of things propels us towards a completely connected world of exponentially growing data there is every chance your organisation will be interesting to attackers – including from nation states.
There's a growing realisation that this is the case.
According to a recent report from cybersecurity vendor Trend Micro, IT decision makers across Europe and the US believe cyber espionage is the most serious risk to their organisation. A Public Accounts Committee report, meanwhile, noted that the threat of "electronic data loss from cyber crime, espionage, and accidental disclosure has risen considerably".
That doesn't mean nothing can be done to dampen the risk. But how serious a problem is industrial espionage, from nations or otherwise?
"Espionage hasn't really changed," says Jarno Niemela, senior security researcher at F-Secure. "It has always been more about the goals rather than the methods."
Leaks from CIA and GCHQ confirm the capabilities of intelligence agencies are sophisticated and wide in scope. There is speculation that Russian intelligence might permit cybercrime to occur within its borders, and that information taken from this might sometimes be useful to the state.
And in 2015 China and the US reached a cyber agreement to reduce espionage in private sector firms – signalling the frequency with which these attacks took place.
The FBI filed a federal indictment that accused five hackers from China’s People’s Liberation Army Unit 61398 of stealing information from corporations including US Steel and Westinghouse, as well as breaking into the United Steelworkers union. And an indictment from the Justice Department accuses two Russian spies and two cybercriminals of being behind the enormous Yahoo email breach attack – the largest data breach in history.
Most cyber espionage is undertaken by state actors or state-affiliated actors, typically chasing information that is politically or militarily expedient. But there are cases where pure commercial information has been obtained, quite possibly leaked to friendly people within companies and in exchange for some other favour.
"[Stolen data] is being used as currency," Niemela says. "As long as you are doing something that has some kind of value that can be replicated for information you are a target. Even if you are not interesting, it's very likely that one of your customers is."
Cyber espionage attacks often start at affiliated businesses rather than the main prize – perhaps first infiltrating a sub-contractor before finding their way to the ultimate target.
"We saw a case where an alarm systems provider was hit," he says. "The final target was somebody operating a larger company. There have also been cases where a subcontractor providing some software component was breached, and their documentation was poisoned with exploits so their customers getting the documentation were hit."
Most large-scale espionage has state affiliation, but not all, says Niemela. There are also instances where criminals breach an organisation and put the information up for sale on the darkweb – so businesses themselves aren't engaging in espionage but are happy to pay money for it.
Matters become decidedly more complicated when attribution is factored in – it is very difficult to say with certainty where an attack came from. Educated speculation and gluing together various pieces of evidence is about as good as it gets: nothing can be 100 percent certain.
The methods used by state or state-sponsored groups are really not very different to the kinds of attacks criminal gangs would put into the wild. The goals can be similar too: compromise systems to monitor networks and collect as much useful information as possible.
"If you have a server with interesting information visible to the internet and it has a vulnerability they will hack in there, monitor what happens in that server, and spread into your internal organisation," Niemela says. "If that doesn't work they will use phishing, watering holes, browsing exploits or some other method of getting access to a workstation, and from there they'll obtain credentials of administrators and move between machines.
"They will get the domain administrator's credentials then they are in your network, once again, observing and collecting information.
"It all depends on how interesting a target you are because even spies have budgets and bosses," Niemela explains. "And they need to make their bosses happy."
Those budgets might be bigger and those bosses more politically powerful but they are budgets and bosses all the same.
"What we have gathered from Snowden and other prior evidence is that it's rare an espionage agency is given a mandate at a certain company – they operate on sectors of industry," Niemala says. "For example, some intelligence team is tasked with trying to access the energy sector operating in the Middle East, or the banking sector in Syria. It's extremely rare to be the only target."
"There's an old joke: when you are in the savannah, you don't need to be faster than the lion – you need to be faster than the friend next to you."
That means organisations that don't take security quite so seriously are low-hanging fruit for intelligence gathering.
"You need to pay a lot of attention to the various aspects of security and you need to make your security layered," Niemala explains. "There needs to be passive preventative measures, active preventative measures, limiting measures, containment measures, detection and response.
"When you have your security stack and layers in place you are going to be a hard target – which means that then, provided you are significantly harder than targets of equal value, it's very likely that you will not be hit with sufficient resources to cause a significant breach."
"They are going to try you, but if you detect them and kick them out, pretty soon they are going to decide that guy is more trouble than it's worth."