In the Nation-State Crosshairs: France, Germany & the United Kingdom

By Trellix · March 28, 2022

Today Trellix and the Center for Strategic and International Studies (CSIS) released a global report, In the Crosshairs: Organizations and Nation-State Cyber Threats, examining security professionals’ mindsets towards nation-state actors, the extent to which they are being targeted, how these state actors differ from cybercriminals and what the role of government should be in confronting these threats. The report, written by CSIS and based on research conducted by Vanson Bourne, surveyed 800 IT decisions makers in Australia, France, Germany, India, Japan, the United Kingdom and the United States.

This blog highlights the survey findings for the NATO nations of France, Germany and the United Kingdom.

Perceptions of Nation-State Threats

The Vanson Bourne survey asked participants if they suspected having ever been targeted by a cyber-attack by a nation-state or a threat actor acting on behalf of a nation-state. There are always challenges in cyber-attack attribution, and Trellix has long advised technical evidence of cyber-attacks be complemented with traditional intelligence before attribution can be reliably established. The adversary behind an attack could be a nation-state, a ransomware gang, a hacktivist group, or one of these masquerading as another to enjoy plausible deniability (or enhance their profile) should the campaign be exposed and investigated.

Globally, 86 percent of respondents believed they had been targeted by a cyber-attack by an organization acting on behalf of a nation-state. The same percentage of German organizations believed is it somewhat to highly likely they had been targeted by a threat actor acting on behalf of a nation-state. This compared to 80 percent of British respondents and 75 percent of French participants.

Seventy-nine percent of German respondents believed their organization was the target of nation-states in the previous 18 months. This compares with 65 percent of their French peers and 64 percent of the British.

Among these respondents, the survey attempted to quantify how many attacks had been detected. Twenty-eight percent of British respondents reported being the target of three cyber-attacks over the previous 18 months. This is the highest “three attack” count of any of the seven nationalities surveyed. Thirty-three percent reported two attacks and another 33 percent reported one attack.

Fifty-three percent of Germans surveyed believed they had been targeted by two nation-state cyber-attacks over the previous 18 months. Forty-six percent reported being the target of one such attack.

Forty-nine percent of French respondents reported being the target of one nation-state attack over the previous 18 months. Forty percent reported two attacks and only 9 percent reported three attacks.

Know Thy Enemy: Who is the Adversary

Eighty-four percent of Germans and 82 percent of British and French surveyed believed nation-states are working through cybercriminal groups to acquire tools, techniques and even their hired services to execute their cyber campaigns.

Based on the information assets targeted within their organizations, their industry role and country of origin, survey participants were asked which nation-state actors they suspected were most likely to have targeted them in the past.

Forty-two percent of U.K. respondents could not identify what they believed to be nation-state actors, 39 percent suspected Russia, 34 percent China, 23 percent Iran and 22 percent North Korea. Twenty percent suspected unknown western governments.

Forty-four percent of German participants suspected the Russians, 34 percent could not identify the nation-state actors, 30 percent suspected unknown western governments, 24 percent the North Koreans, 22 percent the Iranians and 20 percent the Chinese.

Among the French surveyed, 40 percent could not identify the actors, 35 percent identified the Russians, 29 percent the Chinese and 25 percent the North Koreans.

Among the British survey participants, 57 percent identified both the Chinese and Russians as the most likely actors to target them in the future. Thirty percent anticipated the North Koreans, 26 percent the Iranians and 22 percent western governments.

Half of German respondents identified the Russians as most likely attackers, followed by the Chinese (22 percent), North Koreans (22 percent), Iranians (17 percent) and other western governments (17 percent).

Forty-six percent of French respondents identified both China and Russia as threats moving forward, followed by North Korea at 31 percent.

Know Thyself: Targeted Assets & Weaknesses

Vanson Bourne asked survey participants what they believed the motivations were for the state adversaries targeting them.

Fifty-six percent of British respondents believe the attraction was personally identifiable information (PII) held in records by their businesses and government agencies. After consumer and citizen PII, 53 percent believed their business or government confidential information is the draw. Only 36 percent believed the objective of targeting them was the access to and exfiltration of intellectual property (IP).

Just over half (51 percent) of French participants believed the objective was access to business or government confidential information. Forty percent believe the objective was more one of sabotage or disruption of their organizations’ operations. Thirty-seven percent believe the lure was consumer or citizen PII, and 35 percent and 31 percent view general espionage and IP theft as objectives.

The reasons for being targeted among the Germans surveyed is more evenly distributed among access to consumer or citizen PII data (38 percent), sabotage/disruption of services (38 percent), damage to reputation (37 percent) and IP theft (29 percent).

When asked whether they thought the attacks targeting their organizations were unique attacks or part of a larger campaign targeting multiple organizations, 69 percent of French and 58 percent of British respondents believe they were targeted as part of a larger campaign. Fifty-nine percent of Germans surveyed believe they were targeted by unique attacks.

When asked which factors make them particularly vulnerable to nation-state actors, respondents interestingly did not identify lack of cybersecurity budget or low organizational appreciation of cyber-threats.

British respondents identified the lack of advanced cybersecurity skills in their organizations (46 percent) and the use of outdated, legacy IT infrastructure (40 percent) as the greatest reasons they feel susceptible to nation-state threats.

The Germans also identified cyber talent deficits (36 percent) and outdated systems (36 percent), but also a lack of collaboration between same-sector organizations (33 percent) and the use of outdated cybersecurity tools (29 percent).

The French identified a lack of collaboration between their sector and their national government (37 percent), a lack of cyber hygiene across their organizations (36 percent), the use of outdate security technologies (34 percent) and the cyber talent shortage (34 percent).

Perceived Impact of Attacks

The survey also gauged the perceived impact of suspected nation-state attacks.

When asked about the consequences of the suspected nation-state attacks, 58 percent of U.K. respondents claimed a loss of data and 44 percent reported damage to their data. Half of Germans surveyed experienced an exposure of data. Fifty-one percent of French surveyed reported experiencing loss of data and data exposure.

Among British respondents, 40 percent said IP was targeted, as well a business process operations data (33 percent), employee PII (33 percent) and financial data (33 percent).

Forty-one percent of Germans surveyed said business strategy documents and IP were targeted, followed by PII (38 percent) and business operations data (33 percent).

Among the French, 44 percent acknowledged attacks on personal data and IP, 41 percent saw financial data targeted and 38 percent sustained attacks on their business process operations data.

When asked to estimate the total financial impact related to a nation-state cyber-attack, impact across all seven countries’ respondents was estimated $1.6 million and $1.8 million among U.S. respondents.

British respondents estimated the cost at $1.7 million, compared to $1.4 million among the French and $1.3 million among the Germans.

What is significant about the survey’s findings on financial impact is that the numbers are specific to suspected nation-state attacks. Such estimates usually encompass a wide variety of security incidents, as minimally sophisticated and common as a lost or stolen laptop and organized cybercrime attacks (i.e. ransomware, etc.).

To Disclose, or Not Disclose

Of the details British respondents said they chose not to disclose, 49 percent said they didn’t disclose the data affected, followed by the mistakes their staff made (43 percent), the methods used by the malicious actors (40 percent), the financial costs to the organizations (40 percent), and the nations they expected to be involved.

Among the Germans, 38 percent admit withholding details on the mistakes their staff made, followed by the weaknesses in their infrastructure (35 percent), the nations suspected (33 percent) and the methods used in the attack (33 percent).

French respondents were most resistant to share about the data affected (47 percent), the length of time their organization was exposed (41 percent), followed by mistakes by staff (38 percent) and the financial cost of the incident (32 percent).

But, from the perspective of preparing industries for future attacks, the lack of corporate transparency in reporting the details of attacks makes it difficult for organizations to learn from their collective experiences with nation-state attacks.

National governments can play a constructive role in this area with incident reporting liability protection policies and public-private partnerships that anonymize the sharing of cyber-attack data. In this way, governments can foster greater understanding of these sophisticated attacks, the actors behind them, and the development of not only best practices in cyber defense and risk management, but also in the key area of critical incident response.

Working with National Governments

The report reveals a sentiment that private organizations feel outmatched by highly resourced, highly sophisticated nation-state actors or proxies working on their behalf. They are not entirely sure how to go about fending off this daunting threat and they look to government for guidance and support. They are not entirely sure how to go about fending off this daunting threat and they look to government for guidance and support.

When asked whether national governments should do more to support organizations in defending them against nation-state cyber-attacks, 89 percent of British, German and French respondents agreed.

Fifty-seven percent of French surveyed would like their national government to provide provision of real-time, machine-based threat intelligence. Fifty-two percent of British respondents would like government to provide them cyber tools. Forty-nine percent of Germans surveyed would like greater strategic guidance on preparation and incident response.

The survey also asked if they have partnered or would partner with their national government’s law enforcement authorities as a result of being targeted by a nation-state attack.

Seventy-three percent of British, 64 percent of French and 62 percent of German respondents said they have or would contact these authorities due to government requirements. This suggests that some aspects of public-private collaboration may have to be mandated for the defense of the nation.

As these nation-state attacks continue to grow in number and severity, we believe it quite likely that organizations will be more likely to work more closely with their national government law enforcement community.

Countering Nation-State Threats

The CSIS report proposes a number of areas of focus for private sector organizations seeking to better protect themselves from nation-state actors:

Cyber hygiene is critical

Incidents like SolarWinds showed that the absence of basic measures will greatly increase risk. These measures include routine patching and updating (even though there is a degree of “patch fatigue”), maintaining logs, using encryption for sensitive data and requiring multifactor authentication for all users. Easily implemented actions like these would go far in reducing an attacker’s chance of success.

Update defense capabilities

The success of nation-state cyber-attacks is often linked to lack of cybersecurity skills and the use of outdated IT infrastructure or cybersecurity tools. With threat actors’ tools and techniques growing more sophisticated, there is a real need for organizations to modernize and improve their defenses at a similar (or faster) rate.

Identify what needs to be protected

Data is one of the most valuable assets that nation-states usually want. If the intent behind most state-backed attacks is to acquire information on customers or staff, organizations need to take extra steps to ensure the security of this data and build resilience in their use of it. In an ever-expansive threat environment, identifying high- and low-priority data targets should guide internal cybersecurity planning and processes.

Assess actual capacity

An interesting insight from the survey data is the dissonance, in some cases, between a respondent’s assessment of their capacity and the actual implementation of that capability. For instance, while many expressed high confidence in their ability to conduct successful attribution without assistance, other results reveal most organizations rely on external assistance to identify a perpetrator. An overestimation or misunderstanding of actual technical capacity could lead to increased vulnerabilities and inefficient processes or solutions.

Review third-party service providers

Incidents such as the SolarWinds and Microsoft Hafnium illustrate that the targeting of IT service providers is a trend for nation-state actors. This allows state actors to gain access to multiple victims by only targeting one provider. Unfortunately, the exploitation of third-party service providers is not a new threat — all of which makes it more concerning and suggests that as a reliance on things like software-as-a-service (SaaS) and similar services implies a necessity for an additional level of effort in defense.

Increase communication to address threats

Communication between the public and private sectors is crucial to face state-backed threats. Governments can provide advice and information that identify both specific threats and vulnerabilities as well as broader trends, and notify companies of developments, but this can only be improved if there is sufficient information sharing from the private sector to ensure the government is up to speed on the threat environment.

For Historical Perspective on Cyber Activity in Europe

In closing, the Center for Strategic and International Studies (CSIS) maintains a timeline of cyber incidents thought to be instigated directly or indirectly by nation-state actors. This includes attacks on targets in France, Germany, the U.K., and the rest of Europe, the Middle East and Africa.

The 67-page list noting incidents going back to the early 2000s dramatically illustrates that nation-state activity is by no means a new development and should by no means be downplayed or minimized as a threat.