State-sponsored hackers target Ukraine
Hacking groups with suspected ties to the Russian or Chinese government have engaged in more than 50 major cyberattacks so far in 2022, according to a U.S. think tank.

Hacking groups linked to the Russian government have conducted 27 cyberattacks so far this year, and hacking groups linked to China have conducted 24, according to data from the Council on Foreign Relations. Virtual private network, or VPN, provider Atlas VPN broke the numbers down recently.

“Cyberattacks carried out with the support of governments are typically well-resourced and highly sophisticated, allowing them to inflict tremendous harm on their victims,” Atlas VPN wrote in a blog post.

Ukraine has been the most targeted nation for state-sponsored cyberattacks in 2022, according to the data, with 23 attacks so far. For example, the Council on Foreign Relations noted that in March, Russian hacking group InvisiMole conducted a phishing campaign targeting Ukrainian organizations. It installed a back door that allowed hackers to run surveillance software and other malware on infected systems.

Meanwhile, government agencies were targeted by 44 attacks, the private sector was targeted by 37, and there were six military breaches, according to the council.

The council’s tracker “focuses on state-sponsored actors because its purpose is to identify when states and their proxies conduct cyber operations in pursuit of their foreign policy interests,” it noted. “Furthermore, state-sponsored incidents generally have the most accurate and comprehensive reporting. Reporting on nonstate actors, such as hacktivist groups, tends to be murkier and makes for less reliable data.”

Hacking groups tied to the Chinese government targeted U.S., Indian, and Taiwanese organizations, Atlas VPN noted. North Korea, tied to nine state-sponsored cyberattacks this year, tended to target the United States and South Korea.

The danger of state-sponsored hacking groups is that they can be well financed and have access to the best hacking tools, several cybersecurity experts said.

State-sponsored hacking groups are persistent, said Mike Fleck, senior director of sales engineering at anti-phishing vendor Cyren.

“Criminal gangs want to make money quickly and at low risk to their personal freedom,” Fleck added. “State-sponsored attackers are more patient. While a cybercrime gang may quickly move on to another target if you mount a stiff defense, the state-sponsored attacker will keep attacking.”

In addition, state-sponsored groups can find vulnerabilities that are not yet known to users, added Tim Morris, chief security adviser for the Americas at the firm Tanium. Instead of relying on so-called zero-day vulnerabilities, those that have only just been disclosed, these attackers can find “negative-day” vulnerabilities, ones that are unknown to or undisclosed by security researchers.

“State-sponsored operations are well funded with actors that are both large in quantity and quality,” Morris added. “They are highly skilled and motivated and difficult to deal with due to the sophisticated nature of attacks and their resilience.”

These attackers generally have a specific reason for attacking a target, such as intelligence-gathering. “From a discipline perspective, when a nation-state targets a given organization, it does so because it fulfills an intelligence requirement,” said Jake Williams, executive director of cyber threat intelligence at Scythe, maker of a cyberattack emulation platform. “If the organization uniquely fulfills that requirement, state-sponsored threat actors will typically be persistent in their targeting until they are successful.”

As a result, it’s difficult for a government agency or company to defend against a determined state-sponsored attacker. “No organization is 100% secure, so if a well-funded and persistent attacker wants to break in, they eventually will, usually through phishing,” Fleck said.

Still, organizations can make it more difficult for cyberattackers. They should know what devices are on their networks, should keep software patched, keep network and device access rights current, enable multifactor authentication, and “get good at threat-hunting and incident response,” Fleck recommended.

Organizations that may be targeted need to respond with sophisticated threat-hunting abilities, added Williams. “Organizations should understand that while nation-state threat actors may have zero-day vulnerabilities that can get them inside a network, they can’t hide all their activity after gaining entry,” he said. “It is imperative that organizations evaluate their security controls to ensure they function appropriately to detect threat actor activity.”
