Among high-profile cybersecurity incidents over the past decade, several were reportedly the work of nation-state actors. These actors used tactics, techniques, and procedures that exploited known vulnerabilities, both technical and human, to compromise personal information, endanger human health, and paralyze the global supply chain. Left unchecked, the scale and breadth of such actions can threaten international stability. Yet an examination of high-profile cases suggests that basic cyber hygiene is an accessible and practical means of mitigating such incidents, enhancing confidence in the use of information and communications technologies (ICTs) and, ultimately, advancing cyber peace.
Ninety-one percent of cybersecurity incidents begin with a phishing email (FireEye, 2018). In a phishing attack, a malicious actor poses as someone else and sends an email to a victim in order to trick the victim into taking a particular action – often clicking a link that can give the malicious actor account credentials or access to the victim’s device. In the absence of multifactor authentication, accounts and devices compromised via phishing or other means can be leveraged for further exploitation. Actors attributed to nation-states have successfully deployed these tactics in a number of high-profile incidents, including the phishing attacks against staff of the Office of Personnel Management (OPM) in 2015, the Democratic National Committee in 2016, and various organizations in 2020.
1 Office of Personnel Management
In 2015, the global community learned that actors attributed to China had allegedly been accessing the email accounts of top US government officials. Also in 2015, information technology staff at the Office of Personnel Management (OPM) discovered that personnel files had been compromised (Fruhlinger, 2020). The records accessed included approximately 4 million personnel files as well as the SF-86 forms and fingerprint records gathered in background checks on people seeking US government security clearances; an SF-86 form contains extremely personal information about the applicant and their family and associates (Fruhlinger, 2020). After initially obtaining copies of manuals and other network architecture documents, the actors moved laterally throughout a network that had not implemented multifactor authentication. Public reports suggest the actors explored the network for three years before they were discovered and that the incident ultimately affected more than 21.5 million individuals (Starks, 2016).
Further exacerbating the initial breach, after OPM discovered the compromise, it offered employees a credit and identity protection plan. Almost immediately after OPM sent email notifications inviting staff to register for the credit monitoring service, phishing messages imitating those notifications appeared (Vaughan-Nichols, 2015). Malicious actors with knowledge of the planned offering leveraged it to obtain account credentials and personal information from OPM staff. While some staff did log in and gave the actors access to their personal information, others stopped before entering their data. Cybersecurity awareness training is said to have, in part, limited the impact of the credit monitoring phishing campaign (Rein, 2015).
2 Democratic National Committee
On March 19, 2016, John Podesta, then chair of Hillary Clinton’s presidential campaign, received an email purporting to be a Google security alert. Podesta clicked the link and entered his password into a fake Google login page, through which the actors collected his username and password. As a result, the actors gained access to a decade of his emails (Lipton, Sanger, & Shane, 2016). Months later, on October 9, WikiLeaks began publishing thousands of Podesta’s compromised emails. Subsequently, several cybersecurity firms attributed the attack to a Russian military intelligence (GRU) unit that the industry tracks as “Fancy Bear” (also known as APT28), which has been active since the mid-2000s and is known, among other things, for registering domains that closely resemble those of the organizations it plans to target. Because such a lookalike domain is a separate domain under the attacker’s control, email authentication protocols that protect the legitimate domain do not stop mail sent from it; the recipient must notice the difference, or a mail filter or protective resolver must flag the domain. Fancy Bear has also been publicly linked to the 2015 intrusion into the German Bundestag, among other intrusions.
3 “Mustang Panda”
January 2020 witnessed a surge in newly registered domains related to the coronavirus, followed by a spike in cyber incidents. According to a Recorded Future report (Gorey, 2020), malicious actors have used COVID-19 as a phishing lure to deliver malware, and at least three campaigns have potential links to nation-state actors. Among them, the “Mustang Panda” campaign has alleged ties to a Chinese government-linked group. The lure used in this campaign was a document discussing COVID-19, purporting to come from the Vietnamese prime minister, Nguyen Xuan Phuc; once opened, it executed malicious code that gave the actors control of the system. Additionally, countries such as the United States, Italy, Ukraine, and Iran have been the focus of related phishing attempts. Malicious actors have impersonated trusted organizations, such as the World Health Organization and the US Centers for Disease Control and Prevention, in their scam emails. Such emails typically use language that creates a sense of urgency and carry attachments or links said to contain additional information.
At least three cyber hygiene measures can prevent or reduce attacks like the three just described: deploying Domain-based Message Authentication, Reporting, and Conformance (DMARC); using a protective Domain Name System (DNS) service; and enabling multifactor authentication. None of these measures alone can prevent a significant cyber incident 100 percent of the time, and all of them require investment in human capital. Nonetheless, when implemented across the ecosystem they can have a significant impact; at a minimum, their use can force malicious actors to change targets, tactics, techniques, and procedures. By limiting the impact of phishing and the incidents that may follow, the ecosystem can stabilize, which in turn supports cyber peace.
DMARC is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols by adding three things: a requirement that the domain authenticated by SPF or DKIM align with the author (“From:”) domain that the recipient actually sees; a policy, published by the domain owner in DNS, telling receivers how to handle messages that fail authentication; and reporting from receivers back to the domain owner, which lets the owner monitor and improve protection of the domain against fraudulent email. A message passes DMARC if either SPF or DKIM passes with an aligned domain; otherwise the receiver applies the published policy, which is one of “none” (deliver anyway and report, used while monitoring), “quarantine” (typically deliver to a junk folder), or “reject” (refuse the message). At an enforcing policy, DMARC stops messages that spoof an organization’s exact domain, though not messages sent from lookalike domains that an attacker registers. DMARC deployment is a public sector requirement in Australia, Canada, Denmark, the Netherlands, the United Kingdom, and the United States. Moreover, beyond good policy, DMARC can prevent significant economic losses: a 2018 study estimated the value of DMARC to the 1,046 surveyed organizations that had deployed it at a policy level of “reject” or “quarantine” at approximately $19 million (USD) (Shostack, Jacobs, & Baker, 2018).
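As an added example (not part of the original chapter, and not any mail provider’s code), the following Python sketch shows how a receiver evaluates the policy just described: it parses a DMARC record, applies strict or relaxed alignment of the SPF and DKIM domains against the From domain, falls back to the organizational domain’s record for subdomains, and returns the disposition. The DNS data, domains, and authentication results are constructed for illustration: example.com, attacker.test and examp1e.com are hypothetical, the organizational-domain computation is a simplification (real receivers use the Public Suffix List), and pct= sampling is ignored.

```python
"""Simplified DMARC (RFC 7489) receiver-side evaluation. Added example with
constructed data; not part of the chapter and not a complete implementation."""
from dataclasses import dataclass

# Constructed stand-in for the TXT lookup a receiver performs at _dmarc.<domain>.
# Strict DKIM alignment, relaxed SPF alignment, reject at the org domain,
# quarantine for unauthenticated mail claiming a subdomain.
DMARC_RECORDS = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels.
    Real receivers consult the Public Suffix List (co.uk, etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM evaluation produced for one message."""
    from_domain: str            # RFC5322.From domain, what the reader sees
    spf_result: str = "none"    # 'pass', 'fail', 'none', ...
    spf_domain: str = ""        # RFC5321.MailFrom (bounce) domain SPF checked
    dkim_result: str = "none"
    dkim_domain: str = ""       # d= tag of a verified signature


def lookup_policy(from_domain):
    """Record for the From domain, else for its org domain (subdomain case).
    Returns (tags, reached_via_org_domain) or None if nothing is published."""
    txt = DMARC_RECORDS.get(f"_dmarc.{from_domain.lower()}")
    if txt:
        return parse_dmarc(txt), False
    txt = DMARC_RECORDS.get(f"_dmarc.{org_domain(from_domain)}")
    if txt:
        return parse_dmarc(txt), True
    return None


def dmarc_disposition(r):
    """'pass', or the policy to apply: 'none', 'quarantine' or 'reject'.
    (pct= sampling is ignored here.)"""
    found = lookup_policy(r.from_domain)
    if found is None:
        return "none"           # no policy published: receiver is on its own
    tags, via_org = found
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= governs subdomains of the org domain that publish no record of their own
    return tags.get("sp", tags["p"]) if via_org else tags["p"]


# Constructed messages (all domains hypothetical).
CASES = {
    # Genuine mail: DKIM signed by the From domain itself (satisfies adkim=s).
    "legitimate": AuthResults("example.com", dkim_result="pass", dkim_domain="example.com"),
    # Exact-domain spoof: SPF passes, but for the attacker's own bounce domain.
    "spoofed_from": AuthResults("example.com", spf_result="pass", spf_domain="mail.attacker.test"),
    # Subdomain mail via a shared bounce domain: relaxed SPF alignment passes.
    "subdomain_relaxed": AuthResults("news.example.com", spf_result="pass", spf_domain="bounce.example.com"),
    # Unauthenticated mail claiming a subdomain: sp= applies, not p=.
    "subdomain_fail": AuthResults("news.example.com"),
    # Lookalike domain: example.com's record is never consulted.
    "lookalike": AuthResults("examp1e.com", spf_result="pass", spf_domain="examp1e.com"),
}


def run_cases():
    return {name: dmarc_disposition(r) for name, r in CASES.items()}


if __name__ == "__main__":
    for name, disposition in run_cases().items():
        print(f"{name:18s} -> {disposition}")
```

The lookalike case is the instructive one: the attacker’s message is evaluated against the attacker’s own domain, which publishes no policy, so the receiver returns “none” without ever consulting example.com’s record. That is precisely why DMARC stops exact-domain spoofing but not the registered-lookalike technique described in the Podesta case.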
The use of multifactor authentication (MFA) provides an additional effective, low-cost barrier against phishing. A recent survey found that 74 percent of breaches involved abuse of privileged credentials (Columbus, 2019). Phishing is one technique used to obtain passwords for later exploitation. MFA requires a password plus an additional factor, such as a one-time code from an authenticator app or hardware token, before granting access to an account. Where enabled, MFA can prevent a malicious actor from using a compromised password alone to access an account or, as in the OPM case, from moving practically uninhibited throughout a vast organizational network. One caveat: a one-time code typed into a convincing fake login page can be relayed to the real site within its validity window, so phishing-resistant methods that bind the authentication to the legitimate site (such as FIDO2 security keys) offer stronger protection than codes alone.
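To make concrete what a “one-time code” is, here is an added example (not from the chapter) implementing HOTP (RFC 4226) and time-based TOTP (RFC 6238) as used by authenticator apps, together with a server-side verifier that compares codes in constant time, tolerates one step of clock skew, and refuses to accept any counter twice. The shared secret and timestamps used for checking are the published RFC 6238 test vectors (8-digit SHA-1 codes), not real credentials; the TotpVerifier class and its field names are my own. Note what this does and does not protect against: a stolen password alone no longer suffices, but a code the user types into a relayed phishing page within its 30-second step would still be accepted.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-safe server-side verifier.
Added example; not from the chapter. The secret and timestamps used below are
the RFC 6238 test vectors, not real credentials."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC over the 8-byte big-endian counter, dynamically truncated (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP is HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def secret_from_base32(encoded):
    """Authenticator apps receive the shared secret as base32 (otpauth:// URIs)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding some apps omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: constant-time comparison, +/- `window` steps of clock skew,
    and each counter accepted at most once so a captured code cannot be replayed."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1      # persist per user in production

    def verify(self, code, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue            # already used (or older): reject replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"           # RFC 6238 Appendix B test secret
    print(totp(secret, 59, digits=8))          # RFC vector: 94287082
    v = TotpVerifier(secret, digits=8)
    print(v.verify("14050471", 1111111111))    # True
    print(v.verify("14050471", 1111111111))    # False: replay of a used counter
```

The replay check is the part most often omitted in home-grown verifiers: without it, a code captured from a phishing page remains valid for the whole skew window and can be submitted more than once. Persisting last_counter per user also defeats an attacker who races the legitimate user to submit the same code.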
Additionally, configuring a protective DNS service on home and organizational routers can help protect Internet-connected devices against malicious activity. A protective DNS resolver refuses to resolve queries for domains known to be malicious, so that a device cannot reach the phishing site, malware download, or command-and-control server behind them; in doing so it blocks a range of threats, including malware, ransomware, and spyware, as well as the phishing sites used to deliver them. Protective DNS also yields metrics about the health of an organization’s network, since the resolver records which devices attempted to reach blocked domains, and that record can inform organizational and even national-level incident response in the event of a successful attack. The protection applies only to lookups that actually pass through the resolver; devices or malware that use a hard-coded IP address or their own encrypted resolver bypass it, so organizations typically also block outbound DNS to other resolvers. One such service, Quad9, protects users from reaching known malicious websites by leveraging threat intelligence from multiple industry sources and blocks an average of over 15 million threats per day for users in over 88 countries. A 2019 study found that the use of DNS firewalls could prevent more than 33 percent of cybersecurity data breaches (Shostack, Jacobs, & Baker, 2019). The UK Cabinet Office has mandated the use of protective DNS by the public sector. The US Cybersecurity and Infrastructure Security Agency (Nyczepir, 2020) and the National Security Agency are also piloting similar services for their communities of interest (Baksh, 2020).
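The following is an added example (not part of the original chapter, and not any vendor’s implementation) of the policy logic at the heart of a protective resolver: domains on a threat-intelligence list, and all of their subdomains, are answered with NXDOMAIN; a more specific allowlist entry overrides a blocked parent; and every block is logged per client so that incident responders can see which devices attempted to reach a malicious domain. The blocklist, allowlist, upstream answers and query log are constructed (all names under the reserved .test top-level domain, addresses from the 203.0.113.0/24 documentation range); a real service such as Quad9 draws its list from many feeds and serves it over the DNS protocol rather than a Python dictionary.

```python
"""Policy logic of a protective DNS resolver. Added example with constructed
data (names under the reserved .test TLD, 203.0.113.0/24 documentation
addresses); not from the chapter and not any vendor's implementation."""
from collections import Counter


class ProtectiveResolver:
    def __init__(self, blocklist, allowlist=()):
        self.blocked = {self._norm(d) for d in blocklist}
        self.allowed = {self._norm(d) for d in allowlist}
        self.block_log = []     # (client_ip, qname, matched rule): raw material for IR

    @staticmethod
    def _norm(name):
        return name.strip().lower().rstrip(".")

    @classmethod
    def _suffixes(cls, qname):
        """Label-boundary suffixes, most specific first:
        'a.b.test' -> ['a.b.test', 'b.test', 'test']."""
        labels = cls._norm(qname).split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def policy(self, qname):
        """Walk from the full name towards the TLD; the first rule hit wins, so a
        specific allowlist entry can carve an exception out of a blocked parent.
        Listing 'evil.test' blocks 'cdn.evil.test' but not 'notevil.test'."""
        for suffix in self._suffixes(qname):
            if suffix in self.allowed:
                return "allow", suffix
            if suffix in self.blocked:
                return "block", suffix
        return "allow", None

    def resolve(self, client_ip, qname, upstream):
        """Answer NXDOMAIN for blocked names; otherwise ask the upstream resolver."""
        action, rule = self.policy(qname)
        if action == "block":
            self.block_log.append((client_ip, qname, rule))
            return "NXDOMAIN"
        return upstream(qname)

    def blocked_by_client(self):
        """Which devices tried to reach blocked domains (infected-host candidates)."""
        return Counter(client for client, _, _ in self.block_log)

    def blocked_by_rule(self):
        """Which threat-intel entries are firing (campaign visibility)."""
        return Counter(rule for _, _, rule in self.block_log)


# Constructed threat-intel list, exception list, upstream answers and query log.
BLOCKLIST = ["evil-lure.test", "dyndns-host.test"]
ALLOWLIST = ["ours.dyndns-host.test"]
UPSTREAM_ANSWERS = {
    "www.example.test": "203.0.113.10",
    "ours.dyndns-host.test": "203.0.113.20",
}
QUERY_LOG = [
    ("10.0.0.5", "www.example.test"),
    ("10.0.0.5", "cdn.evil-lure.test"),
    ("10.0.0.7", "evil-lure.test."),
    ("10.0.0.7", "ours.dyndns-host.test"),
    ("10.0.0.7", "c2.dyndns-host.test"),
]


def fake_upstream(qname):
    """Stand-in for a recursive resolver; constructed answers only."""
    return UPSTREAM_ANSWERS.get(qname.rstrip(".").lower(), "NXDOMAIN")


def run_demo():
    """Replay the constructed query log; return (answers, resolver) for inspection."""
    resolver = ProtectiveResolver(BLOCKLIST, ALLOWLIST)
    answers = [resolver.resolve(client, qname, fake_upstream) for client, qname in QUERY_LOG]
    return answers, resolver


if __name__ == "__main__":
    answers, resolver = run_demo()
    for (client, qname), answer in zip(QUERY_LOG, answers):
        print(f"{client:10s} {qname:24s} -> {answer}")
    print("blocked per client:", dict(resolver.blocked_by_client()))
    print("blocked per rule:  ", dict(resolver.blocked_by_rule()))
```

Two design points matter in practice. Matching on label boundaries rather than on raw string suffixes is what keeps a rule for evil-lure.test from also swallowing notevil-lure.test. And the per-client block log is the “metrics” the chapter refers to: a host that repeatedly queries a blocked command-and-control domain is the first place an incident responder should look.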
More recently, actors attributed to nation-states have also capitalized on organizations’ failure to patch software and back up data, causing unprecedented losses to the global economy. The WannaCry and NotPetya attacks are examples of such incidents. In light of these tactics, two additional best practices can further limit the ability of malicious actors, acting on their own behalf or on behalf of nation-states, to use ICTs to destabilize the international order.
4 WannaCry
In 2017, actors reportedly affiliated with the government of North Korea used ransomware to cripple computer systems around the world (Latto, 2020). The attack was an example of crypto-ransomware, a type of malicious software used by cybercriminals and other actors to extort money. Ransomware accomplishes this either by encrypting valuable files, rendering them unreadable, or by locking the computer, rendering it unusable. Like other crypto-ransomware, this attack, dubbed WannaCry, took data hostage and promised to return it upon payment of the ransom.
WannaCry began in May 2017 and spread among computers running Microsoft Windows (Latto, 2020). Users’ files were held hostage, and the actors demanded a Bitcoin ransom for their return. The actors responsible exploited a vulnerability in Windows’ SMBv1 file-sharing protocol that had been publicly disclosed, and for which Microsoft had released a patch (MS17-010), two months earlier; because the exploit worked over the network without any user action, the malware spread from machine to machine on its own. Unfortunately, many individuals and organizations had not applied the update and so were left exposed. The WannaCry attack impacted approximately 230,000 computers across 150 countries in just one day, many of them belonging to government agencies and hospitals, including National Health Service (NHS) hospitals and general practices across the United Kingdom (Latto, 2020). The attack affected a third of NHS hospital trusts, with estimated costs of £92 million after 19,000 appointments were canceled as a result (Field, 2018). Globally, losses due to WannaCry have topped $8 billion USD (Lemos, 2020).
5 NotPetya
The 2017 NotPetya attack offers another example of the importance of maintaining up-to-date software. In NotPetya, actors attributed to Russia launched destructive malware, disguised as ransomware, that spread by exploiting unpatched Windows systems. More specifically, they combined the SMBv1 exploit used in WannaCry with the credential-harvesting tool Mimikatz, which pulled passwords from the memory of each infected machine so that the malware could log in to neighboring machines, including fully patched ones (Greenberg, 2018). Seeded through a compromised software update of an accounting package widely used in Ukraine, NotPetya quickly spread from Ukrainian banks, payment systems, and government agencies to power plants, hospitals, and other systems worldwide. Global companies, including Maersk, Merck, and Mondelez, found their systems impacted, with total losses approaching $10 billion USD (Greenberg, 2018). NotPetya is widely regarded as the costliest cyberattack to date. Had more systems been patched, NotPetya would likely have had far less of an impact: each unpatched machine it compromised was a source of fresh credentials with which to reach patched ones.
Most recently, in September 2020, a woman in Germany reportedly died after the hospital nearest to her fell victim to a ransomware attack and her care was delayed. This incident is the first death publicly attributed to a ransomware attack. Unfortunately, a 2020 study found that 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 or earlier, and more than 20 percent used vulnerabilities that were at least seven years old (Check Point, 2020). Thus, without a significant shift by key stakeholders within the ecosystem, particularly governments and the entities that develop and maintain connected systems, it will likely not be the last.
These ransomware incidents highlight the importance of enabling automatic software updates where appropriate for the operating environment and, otherwise, of establishing policies for prioritizing and installing updates. In addition to keeping software up to date, appropriately maintained backups can mitigate the risk of ransomware. Because ransomware operators routinely search for and encrypt or delete any backups they can reach, backups must be kept offline or otherwise isolated from the production network, and restoration should be tested regularly. Organizations that maintain clean, recent backups are often able to avoid significant impact from an attack and continue operations without major delays.
6 Conclusion
These cases illustrate that the threat from the malicious use of ICTs is real and that known, effective, accessible, and low-cost measures exist to prevent and limit it. Still, reducing cybersecurity risk is a continuous process that requires the use of multiple tools together with human capital. Unfortunately, the collective failure to practice cyber hygiene has contributed to significant losses globally, including human life. With the increasing, unavoidable dependence on ICTs for everything from governance and economic development to social engagement, inaction becomes increasingly perilous, especially for governments.
Promisingly, an increasing number of national policies are beginning to require the use of cyber hygiene measures in the public sector. This trend points to a future in which use of these capabilities is no longer optional but the norm. As a result, a state that fails to support their implementation may eventually become the cyber equivalent of a safe harbor. Ultimately, despite what society is often led to believe, what stands in the path of cyber peace is not technology but political will.