Shawn Elliott,
President, Federal Solutions
Cyber threats have become mainstays in the modern news feed. Nearly every day we learn about the latest ingenious digital tool that maliciously exploits its victims to steal their information or money and disrupt legitimate activities. The frequency and severity of these threats are increasing. Cybersecurity sensors recorded approximately 5.3 trillion attacks worldwide in 2021, higher in virtually every threat category than the year before. While estimates vary widely due to a range of factors, the Cybersecurity and Infrastructure Security Agency (CISA) – the US government’s primary cybersecurity authority and a rich source of authoritative information and analysis – estimates that the aggregate annual cost of cybersecurity incidents across the U.S. reaches as high as $242 billion. The Center for Strategic and International Studies (CSIS) lists 59 reported major incidents involving government agencies and public organizations worldwide in the first half of 2022 alone.
Even though they’re in the headlines, cyber threats are not new; they’ve developed alongside computer technology almost from the beginning. In fact, the National Institute of Standards and Technology’s (NIST) Cybersecurity Program celebrated its 50th anniversary in March of this year.
Cyber threats have been around a long time and they’re clearly not going away any time soon. So, what are these cyber threats and how do you deal with them? This isn’t a topic to approach lightly. The discussion below should help you weed through the mountains of material out there to build a better understanding. And you don’t have to take our word for it; wherever possible, we’ve included references to recent, reputable sources and news articles – most notably, the CISA – so you can be assured that the information isn’t sensationalized.
What is a Cyber Threat?
A cyber threat is any circumstance or event – often, though not always, malicious – that can harm individual, organizational, and/or national operations, systems, and/or assets through unauthorized digital activities. These activities include cyber threat vectors such as viruses and worms, data breaches, denial of service (DoS), system hijacks, and other attacks. Cyber threats can come from within an organization or from outside parties that range from individuals to entire countries. Provisions in laws, policies, and regulations like the Federal Information Security Modernization Act (FISMA) mandate that federal agencies comply with NIST standards to safeguard against cyber threats.
7 Common Types of Cybersecurity Threats
Below are seven cybersecurity threats that commonly affect public agencies and their employees. It is important to note that individual vectors rarely fall entirely within a single category. As you will see in the examples below, cyber threats often use elements of more than one category to attack their targets.
Malware
Malware is the collective name given to cyber threats that carry out harmful actions on a victim’s system, through malicious files and code, without the victim’s approval. Virtually all digital devices – particularly those connected to the internet – including computer systems and networks, mobile devices, and Internet of Things (IoT) devices (e.g., printers, cameras, smart speakers) are at risk of being attacked with malware. Malware can be subdivided into several subcategories including ransomware, spyware, Trojans, and cryptojacking (among others; see below).
Ransomware
Ransomware is a form of malware designed to prevent legitimate users from accessing critical files and/or digital infrastructure unless the victim pays a ransom. Ransomware attackers can similarly threaten to publish or sell a victim’s data unless the ransom is paid. Earlier this year, cybersecurity agencies in the US, Australia, and the United Kingdom issued a joint cybersecurity advisory (CSA) warning of the growing global threat of ransomware. Authorities in the CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) documented ransomware attacks in 14 of 16 U.S. critical infrastructure (CI) sectors.
A Recent Example of Ransomware Cyber Threats: the Karakurt Data Extortion Team
In another recent CSA, the CISA warned of a group of cyber-extortionists called the Karakurt Team/Lair (KT). The KT uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate a victim’s system and steal their data, then threatens to publish or sell sensitive files unless a ransom ranging from $25,000 to $13 million in Bitcoin is paid. Until recently, the KT sold their stolen data on an auction website that they operated. Because they use so many different TTPs, the KT is particularly hard to trace and defend against.
Trojans
Trojans are, much like their wooden namesake, malware that gains access to a victim’s system by posing as benign code or hiding inside seemingly harmless files such as Microsoft Word documents, .jpg image metadata, .zip archives, and even (is nothing sacred?!?) fake antivirus software. Once the victim opens the infected file, the malicious code hidden inside activates and carries out its attack.
A Recent Example of Trojan Attacks on Public Agencies
Early in 2022, a group of North Korean cyber attackers named Konni sent Russian diplomats an email with a New Year greeting screensaver file as an attachment. The attackers then gathered intelligence from the victims’ systems through malicious remote access code embedded in the attachment.
Spyware
Spyware is a form of malware that is designed to secretly access a target’s system for the purposes of data gathering and espionage. Because digital spies and cyber criminals need time to learn about a victim’s digital infrastructure to find and access the most sensitive datasets, spyware typically seeks to avoid attention for as long as possible.
A Recent Example of Spyware Attacks on Public Agencies
Chinese-government-linked hackers used spyware to compromise the email accounts of two Wall Street Journal journalists, then used that foothold to gain access to the Journal’s parent company News Corp and its other subsidiaries, including Fox News. The group harvested intelligence beneficial to the Chinese government undetected for at least two years before they were discovered in February of 2022.
Cryptojacking
Cryptojacking is a cyber threat vector where bad actors gain access to a user’s device to harness its processing capacity and electrical power to churn through cryptocurrency algorithms, a process called “mining.” Cybercriminals design cryptojacking tools to remain hidden from the victim for as long as possible, much like spyware.
A Recent Example of Cryptojacking Attacks on Public Agencies
In early 2018, a British security researcher discovered that cybercriminals had installed malicious cryptojacking code in a private company’s accessibility plugin that agencies had embedded in their websites. Any visitor to an infected website unknowingly mined cryptocurrency on the criminals’ behalf. The attack infected thousands of websites across the globe, including those of the United States Court System and the Washington Metro Area Transit Authority, before the plugin was repaired.
Denial of Service (DoS)
A Denial of Service (DoS) is a type of cyber threat that often targets government digital assets (GDA). DoS attackers flood their target’s computer or network with so many requests that it is overwhelmed and can no longer respond to legitimate users. Cyber attackers can use this induced digital paralysis to carry out other attacks on their target’s system as well. A DoS attack coordinated simultaneously from many locations – often through the use of malware installed as part of a botnet – is a variant of this threat called a Distributed Denial of Service (DDoS).
Recent Examples of DoS Attacks on Public Agencies
Russian hackers hobbled numerous Italian government websites – including those of Italy’s Senate, the Ministry of Defense, and the National Health Institute – in May 2022 with a DDoS attack in retaliation for NATO’s support of Ukraine. In the same month, the Port of London Authority’s website went offline for several hours following a DDoS attack originating in Iran. Two months earlier, the National Telecommunications Authority of the Marshall Islands fell victim to a DDoS that shut down all of the islands’ internet services for more than a week.
Man-in-the-Middle
A Man-in-the-Middle cyber threat involves bad actors inserting themselves into a two-party communication or transaction without either party realizing it. They then pose as one or both of the unwitting parties to carry out malicious attacks. These attacks can come in the form of criminals intercepting digital files being transferred over public WiFi, redirecting legitimate navigation to spoof websites, or compromising communications systems using stolen login credentials.
A Recent Example of a Man-in-the-Middle Attack on a Public Agency: the Norfund Heist
In the spring of 2020, cyber criminals used a sophisticated man-in-the-middle email attack to steal $10 million from Norfund, Norway’s international state investment fund. The criminals exploited an unsuspecting phishing victim to infiltrate Norfund’s email system, then posed as both Norfund and its investment recipient in Cambodia. The group used the stolen messaging login credentials to intercept and alter bank routing information, then kept both parties unaware of the switch until the thieves could make their escape with the money.
Cyber threat origins: where (and who) do they come from?
Cyber threats originate from every tier of our modern society and from virtually every corner of the globe. The CISA has subdivided cyber threat sources into groups, each with their own motivations, skill sets, resources, and tools. These groups include national governments, terrorists, industrial spies, organized crime, hackers, and hacktivists. In addition, insiders within one’s own organization can pose a significant cyber threat as well.
National Governments
National governments typically conduct cyber attacks to benefit themselves – by spying on others or stealing intellectual property, for example – or to hurt their enemies – such as by crippling defenses and spurring social unrest. According to the CISA, to date only nation-state actors have the discipline, long-term vision, commitment, and (most importantly) resources to successfully compromise critical infrastructure; but that could change with time. The CISA lists China, Russia, North Korea, and Iran as key nation-state cyber threats to the US.
Example of Cyber Threat from National Governments
In July 2021, the US, EU, North Atlantic Treaty Organization (NATO), and other world powers released a joint statement condemning the Chinese government for maliciously breaking into more than 100,000 Microsoft Exchange servers worldwide earlier that year.
Terrorists
Terror groups generate mortal fear to achieve their strategic goals. While a cyber attack can be financially or logistically catastrophic, to date cyber attacks have not produced fatal outcomes on a large scale. CISA reports suggest that terrorists at this time do not pose a significant cyber threat because their ranks do not include cyber attackers who are sophisticated enough to deal a substantial blow to government agencies’ digital infrastructure. They may, however, use phishing schemes, cryptojacking, and other vectors to fund more traditional physical attacks.
Industrial Spies and Organized Crime
Malicious actors outside of governmental organizations can also pose a significant cyber threat to high-profile targets. With that said, industrial spies and organized crime groups are invariably financially motivated, meaning that government agencies and critical infrastructure are less likely to be their primary targets. These criminals build attacks that steal money from victims or steal their intellectual property to use for themselves or to sell on the black market. The Norfund Heist described above is a recent example of a cyber threat carried out by organized crime.
Hackers
Hackers are individuals or groups who build cyber threats for financial gain, for bragging rights, or even simply as a personal hobby, but who are not affiliated with a larger organization. They are often the most reported and certainly the most numerous of the cyber threat originators. The CISA suggests that individual malicious hackers have neither the skill set nor the resources to pose a significant threat to critical infrastructure or governmental agencies. Collectively, however, hackers are significant cyber threats because of their sheer numbers and the resulting volume and variety of cyber threats they can generate.
Examples of Cyber Threats Originating from Hackers
The Emotet worm, a Trojan targeting banks, dealt significant damage to many financial institutions worldwide in the mid-to-late 2010s. The hacker group Mealybug developed Emotet in 2014, then built a crimeware development ring on its success, ultimately selling Malware as a Service (MaaS) on the open market.
Hacktivists
Hacktivists are individuals or groups not specifically affiliated with any national governments who develop cyber threats to bring about political or social change. They often seek broader public action by publicizing their targets’ purported bad deeds or threatening to do so.
Examples of Cyber Threats Originating from Hacktivists
The hacktivist group Anonymous recently infiltrated Russian state television for 12 minutes to broadcast video and commentary from the Ukrainian invasion that was banned by the Russian government. An Iranian hacktivist group called Edalat-e Ali sought the release of political prisoners by stealing compromising documents, photographs and video footage of abuse in the Iranian prison system and publishing it online.
Insiders
Not all cyber threats come from outside of an organization. The Government Accountability Office (GAO) places insiders first on its list of increasing cybersecurity threats in the US. Well-meaning employees may unwittingly introduce a malicious email attachment into critical digital infrastructure, behind firewalls and other protective layers. Disgruntled employees may use their access privileges and intimate knowledge of operations to deal substantial blows without the skills that outside actors would need.
An Example of Cyber Threats Originating from Insiders
Two disgruntled engineers at General Electric (GE) stole thousands of turbine design files from GE’s servers before quitting to form their own firm. The thieves then used the stolen intellectual property to compete against – and often beat – their former employer for lucrative government contracts. Additionally, the thieves who pulled off the Norfund heist described above could not have been successful had an employee not fallen for a phishing email.
What should you do if you suspect you’ve fallen victim to a cyber attack?
If you suspect that a cyber attack is under way, you should initiate strategic Incident Response Procedures (IRP) to maximize your chances of protecting crucial GDA and to isolate the cyber threat before the attackers can cover their tracks. Cybersecurity authorities from five nations, including the US’s CISA, collaboratively developed a list of Best Management Practices (BMP) for uncovering and mitigating a cyberattack.
Step 1:
Collect and remove relevant artifacts, logs, and data for further analysis. Indicators of Compromise (IOC) might be an excessive number of .zip files or files with suspicious names, or activity logs with excessive records of login failures. Make copies of these records for further analysis, in the hope that they contain breadcrumbs that lead to the attacker.
Step 2:
Take mitigation steps to protect your assets, but don’t tip off your adversary that they have been discovered. After the responder has collected the digital fingerprints of the incident, consider restricting or discontinuing FTP or VPN services. Disable and remove any end-of-life (EOL) GDA. Block malicious web domains and sanitize removable media.
Step 3:
Solicit incident response support from an outside IT security specialist. A compromised GDA is a serious matter that should not be handled like other IT issues. Bring on subject-matter experts to analyze the collected IOCs, ensure that the bad actor has been eradicated from your assets, and effectively assess and adjust your implemented security controls and (as necessary) Risk Management Framework (RMF) to avoid follow-up attacks. It is also critical to report cyber incidents to the CISA.
Do NOT:
- Try to block the adversary or reset the credentials they are using before all evidence of their activities has been collected.
- Explore the adversary’s infrastructure.
- Communicate about the incident over the same network as the incident itself.
Ignoring these precautions could allow the adversary to escape and attack again, or it could spur retaliatory counterattacks.
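A small triage script illustrating Step 1 (an added example, not part of the original article or the joint advisory it cites): it counts failed logins per source in a constructed sshd-style log, flags sources above a threshold as candidate IOCs, and preserves a hashed copy of the log so the evidence can later be shown to be unaltered. The log lines, the threshold, and the file names are constructed assumptions.

```python
# Step 1 triage helper: constructed example, not a real incident's data.
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sshd-style authentication log (documentation-range IPs).
SAMPLE_LOG = """\
Jun 03 10:01:11 gw sshd[201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jun 03 10:01:13 gw sshd[201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jun 03 10:01:15 gw sshd[201]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Jun 03 10:01:17 gw sshd[201]: Failed password for admin from 203.0.113.7 port 51028 ssh2
Jun 03 10:01:19 gw sshd[201]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 03 10:02:40 gw sshd[233]: Accepted publickey for alice from 198.51.100.12 port 40011 ssh2
Jun 03 10:03:02 gw sshd[240]: Failed password for alice from 198.51.100.12 port 40013 ssh2
Jun 03 10:03:09 gw sshd[240]: Accepted password for alice from 198.51.100.12 port 40013 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def count_failures(log_text):
    """Return a Counter of failed logins keyed by source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts

def excessive_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures: candidate IOCs to preserve
    and hand to the analysts (the threshold is an assumed tuning value)."""
    return sorted(src for src, n in count_failures(log_text).items() if n >= threshold)

def preserve_evidence(log_text, dest_dir=None):
    """Copy the log and record its SHA-256 in a sidecar file so that later
    analysis can prove the copy was not altered. Returns (path, hexdigest)."""
    dest_dir = Path(dest_dir or tempfile.mkdtemp())
    data = log_text.encode()
    digest = hashlib.sha256(data).hexdigest()
    dest = dest_dir / f"auth-log-{digest[:12]}.txt"
    dest.write_bytes(data)
    (dest_dir / f"{dest.name}.sha256").write_text(f"{digest}  {dest.name}\n")
    return dest, digest

def verify_evidence(path):
    """Recompute the hash of a preserved copy and compare it to the sidecar."""
    recorded = Path(f"{path}.sha256").read_text().split()[0]
    return hashlib.sha256(Path(path).read_bytes()).hexdigest() == recorded

if __name__ == "__main__":
    print("Sources with excessive login failures:", excessive_sources(SAMPLE_LOG))
```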
Protect yourself from cybersecurity threats with IPKeys
IPKeys Technologies can improve your cybersecurity programs with our innovative products and services, all designed to help you defeat modern cybersecurity threats. Our core competencies are developed under DoD-specific NIST Cybersecurity Risk Management Framework guidance. Cyber-Lab-as-a-Service (CLaaS) is our unified, AI-fueled RMF automation analytics and reporting platform that will help you make better cybersecurity decisions while staying NIST compliant.