What does state sponsored hacking mean?

04 January 2018

What does it mean?

Whether it’s the leaking of Hillary Clinton’s emails ahead of the 2016 US presidential elections or cyber attacks against critical infrastructure in Ukraine, politics and cyber are increasingly becoming entwined.

The past year has seen an increasing focus on the cyber activities of foreign governments, whether it’s meddling in elections, global ransomware attacks or Distributed Denial of Service (DDoS) attacks.

Investigators in the US revealed that Russian-backed cyber groups accessed voter databases and software systems during the presidential elections. A similar story emerged during the French elections in May when Emmanuel Macron’s campaign was hacked. In the UK Brexit referendum, a voter registration website was hit by a DDoS attack.

Many of the largest hacks of recent years have also been associated with groups linked to foreign states. The UK government said that North Korea may have been behind the global WannaCry ransomware attack in May while a Russian-backed group was allegedly responsible for the NotPetya ransomware attack in June.

Why does it matter?

Interstate conflicts are increasingly being played out in cyber space, with attacks targeting critical infrastructure, companies and public sector organizations.

Ukraine has suffered multiple attacks on critical infrastructure in recent years, which it has blamed on the Russian state. In 2015 a cyber attack took down part of the Ukrainian power grid, the first successful attack of its kind. Cyber space has also been a feature of conflict in the Middle East. Iranian state-backed hackers were said to have attacked Saudi Aramco Oil Company, while an Iranian-backed cyber unit, the Hezbollah Cyber Group, is suspected of being responsible for cyber attacks against oil and gas companies in the Middle East.

Iranian hackers have also launched attacks against US banks, telecoms companies and the New York Stock Exchange, as well as conducting cyber espionage against US energy and aviation companies. In 2016 the US Justice Department accused Iranian hackers of taking control of a flood control dam in the state of New York. Iran was blamed for a cyber attack on the email accounts of British members of Parliament, including the Prime Minister.

Western governments are also engaged in cyber activities. The US and Israel have been associated with cyber attacks against Iran, including the 2010 Stuxnet virus, which targeted the Iranian nuclear program. In 2017, Iran shut down several oil terminals following a suspected cyber attack.

Some of the most sophisticated and well-resourced cyber groups operating today are state-sponsored. There are an estimated 91 state-sponsored cyber groups known to exist, mostly in Russia, China, North Korea, Iran and the US. They include well-known Russian groups like Fancy Bear and Energetic Bear as well as the North Korea-linked Lazarus and China’s Comment Crew.

Cyber criminals and hacktivist groups are also sometimes affiliated with governments – the group that leaked the exploits behind WannaCry, known as Shadow Brokers, is said to be linked to Russia.

Security services in some countries are also said to maintain close links to cyber criminals.

Governments are now looking at ways to declare state-sponsored cyber attacks as acts of war. For example, the EU is currently working on a framework for a Joint EU Diplomatic Response to Malicious Cyber Activities in response to the growing threat from state and non-state actors.

Attributing a cyber attack is extremely challenging, but it can influence the recoverability of losses under a cyber insurance policy. Cyber insurance policies contain exclusions for acts of war, so insureds should identify their relevant exposures and work with their broker to push the boundaries of coverage.

For further information please contact Martin Delaney, Senior VP, Leader, Cyber & Risk Management Services at ClientFirst@jltcanada.com