Cybersecurity threats against government agencies have been increasing in frequency and intensity. As agencies identify new ways to improve their cybersecurity defense postures, threat actors are developing new exploits that put the mission at risk. So, what can agencies do to protect data and networks from these persistent threats? We talked with Luke McNamara, Mandiant’s Principal Analyst, whose experience in analyzing and combating emerging cyberthreats provides expert guidance for agencies on optimizing threat preparedness budget and positioning.
Government Technology Insider (GTI): What are the most significant emergent cybersecurity threats facing government agencies?
Luke McNamara (LM): The most significant threat activity government agencies need to be aware of comes from nation state threat actors. The predominant nation state threat actors we see targeting US government agencies continue to come from China, Russia, Iran and North Korea.
There has understandably been a large focus on Russia because of conflict in Ukraine and concerns that we would see an escalation in the conflict through cyber capabilities. We’ve observed Russia employ these capabilities in Ukraine, and there’s a lot that we can learn in terms of how they’re employing those capabilities and their tools, tactics, and procedures (TTPs).
Beyond carrying out destructive cyberattacks, state-affiliated Russian threat actors also have an important intelligence collection mission that is focused on the United States and NATO, specifically on government agencies and international organizations that have any role in the Ukraine conflict, particularly when it comes to policy and sanctions implementation. But the collection requirements and activity by other nation state actors — going after information and intelligence often housed within government organizations — don’t stop just because the focus is on the conflict in Ukraine and what Russia is doing. While it’s important to have an eye towards how activity might spill over from Ukraine and how it could escalate in terms of Russian threats, it’s equally important to keep an eye on what we’re seeing from Chinese, Iranian, and North Korean threat actors. These nation state threat actors are still very active.
In our report from last year, we found that the most common infection vectors for agencies are threat actors leveraging exploits. At the end of 2021, we were tracking over eighty Zero Day vulnerabilities, which was more than double the previous high of observed Zero Days in 2019. While nation state actors contribute significantly to this trend, what is also interesting is that a growing percentage of this problem is driven by financially motivated threat actors—including ransomware groups that are very well resourced with the money that they have stolen over the years. Beyond understanding the criticality of the vulnerability, intelligence around specific threat actors, or the volume of such groups not only employing Zero Day exploits but also rapidly weaponizing vulnerabilities that have been disclosed, can help better guide agencies in the patching prioritization process.
GTI: How can government agencies keep pace with evolving cybersecurity risks?
LM: It goes back to understanding not just the broader threat landscape, but who would be interested specifically in targeting you and why. Agencies must first understand the categories of threat actors they should be most concerned with in order to build their own threat model. External threat intelligence can play a useful role in not only shaping that initial view of the landscape, but on an ongoing basis allow organizations to better understand how these threat actors may be evolving in terms of capability or what campaigns they may be currently conducting domestically and abroad.
By studying ongoing intrusion campaigns and cyberattacks in other countries, we can better prepare for cyberattacks on U.S. government agencies here. To go back to the Ukraine example, visibility into Russian operations there can help us understand how their TTPs are evolving. We can look at things like how they’re propagating malware in a target environment and learn from those operations.
In terms of other regions, we’ve often seen Iranian threat activity focus on targets in the Gulf region before targeting entities in the United States. Similarly, we’ve seen threat actors in North Korea carry out campaigns with new malware against South Korean organizations before targeting U.S. government agencies. Having regional awareness of cyberattack trends around the globe can provide an early warning indicator to U.S. government agencies.
GTI: Ransomware attacks have been a particularly persistent threat. What can agencies do to better protect themselves against these threats?
LM: Understanding a specific ransomware group’s playbook, and how they might be organized on the back end, changes how agencies should respond both from a technical standpoint and from a crisis communication perspective. It is an evolving space where different criminal actors within the ransomware ecosystem will employ different tactics and work with different ransomware developers. Variance between which targets they may be willing to go after, what their primary mission or goal is in extortion, and how they’re going to go about operations can be useful for better defending your organization. By being able to differentiate those groups, government agencies can modify how they respond to various attacks.
Multifaceted extortion still often involves the deployment of ransomware and the encryption of files and data. But we have also increasingly observed threat actors that will steal data and then threaten to leak that data to the public if the victim organization doesn’t provide payment. In some cases, threat actors may even skip encryption and focus on data theft instead. While particular sectors might see a comparatively greater deal of targeting, many financially motivated ransomware groups are more agnostic about the sector they’re seeking to target.
One of the threat actors that we tracked last year was a ransomware group called FIN12. FIN12 is an aggressive, financially motivated threat actor that stands out in part because they do not typically engage in data theft or multifaceted extortion. They’re able to move much faster because they’re not focused on trying to find information that they could leverage against the victim entity.
We may be in a period right now where a number of factors — from increasing law enforcement action to even the conflict in Ukraine — have caused disruption within the ransomware ecosystem landscape. This ecosystem is made up of many different threat actors that are involved in ransomware operations. These threat actors move around in partnership with various developers, initial access providers, and operators that are all a part of the ransomware ecosystem. There are a lot of changes happening right now, and as we see claims by some groups that they are shuttering operations, it’s important that we pay attention to see what sort of ecosystem emerges out of this period of change.
GTI: What are your best suggested practices for optimizing cybersecurity efforts?
LM: One of the things we did in last year’s M-Trends report was categorize the techniques we witnessed in the frontline breaches we responded to and then map those to the MITRE ATT&CK framework. The MITRE ATT&CK framework has provided a useful way for the cybersecurity sector to think about and categorize different granular elements of threat actor intrusion activity.
One of the things that we called out in the report was that in 2021, 40 percent of the intrusion techniques observed were used in more than 5 percent of intrusions. For example, obfuscation was used in more than half the intrusions that we responded to last year. We saw a large percentage of intrusions using Command or Scripting Interpreter to further intrusions and leveraging things like PowerShell.
We have a diverse ecosystem of threat actors that are carrying out attacks in different ways. These high-level metrics and insights can help network defenders and security practitioners focus on the most common avenues of attack, intrusion TTPs, and better focus their efforts. By focusing on this, agencies can better apply limited resources to scope how to best approach these threats and better secure themselves from attack.
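As an added illustration of the ATT&CK-based view described in this answer (example code, not from the interview, Mandiant or the M-Trends report), the following Python tags process command lines with the ATT&CK technique IDs for Command and Scripting Interpreter: PowerShell (T1059.001), Obfuscated Files or Information (T1027) and Hide Artifacts: Hidden Window (T1564.003), then computes how often each technique appears across a sample, the kind of prevalence metric the answer refers to. The tagging heuristics and the sample command lines are constructed assumptions for this example, not a published methodology.

```python
import base64
import re
from collections import Counter

# ATT&CK IDs are real; the tagging heuristics are this example's own, not
# the M-Trends methodology the interview refers to.
T_POWERSHELL = "T1059.001"  # Command and Scripting Interpreter: PowerShell
T_OBFUSCATED = "T1027"      # Obfuscated Files or Information
T_HIDDEN_WIN = "T1564.003"  # Hide Artifacts: Hidden Window

PS_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
OBF_RE = re.compile(r"\[char\]|-join\b|\.replace\(|`", re.I)
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE), or return None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def tag_techniques(cmdline):
    """Map one process command line to the ATT&CK technique IDs it exhibits."""
    tags = set()
    if not PS_RE.search(cmdline):
        return tags  # not a PowerShell launch: nothing to tag
    tags.add(T_POWERSHELL)
    # An encoded command or char-code/join/replace tricks count as obfuscation.
    if decode_encoded_command(cmdline) is not None or OBF_RE.search(cmdline):
        tags.add(T_OBFUSCATED)
    if HIDDEN_RE.search(cmdline):
        tags.add(T_HIDDEN_WIN)
    return tags

def technique_prevalence(cmdlines):
    """Fraction of events in which each technique appears, most common first."""
    counts = Counter(t for c in cmdlines for t in tag_techniques(c))
    return {t: round(n / len(cmdlines), 2) for t, n in counts.most_common()}

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -nop -w hidden -enc " + base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii"),
    'powershell -c "Write-Output ([char]72+[char]105)"',
    "cmd.exe /c whoami",
]
```

Run over real process-creation telemetry, the prevalence dictionary is the per-technique frequency a defender can use to decide which detections to invest in first.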
GTI: Is there anything else you’d like to share with our readers?
LM: We published research earlier this year on a group called UNC3524. This is a group that is incredibly stealthy and difficult to track. We believe they’re an espionage actor with suspected Russian sponsorship. Top-tier espionage threat actors always exist out there in the landscape and can present a challenge to security defenders, who also have to contend with the more routine “blocking and tackling” in their work to protect their organization.
It’s important to recognize that these threat actors will always exist and it’s essential to be prepared to handle those risks when they arise. Government agencies have to deal with and respond to threat activity at any time because they are such high-profile targets.
Another area that is important for security practitioners and government agencies to think about is disinformation or information operations (IO). IO campaigns and messaging by foreign actors can potentially be indicative of changes that are impacting the threat landscape. Historically, we’ve mostly seen IO activities focus on government agencies and policies, specifically campaigns that appear to be supporting Iran, Russia, and China’s strategic interests.
Understanding what IO activity is and how it’s evolving can be another potential early warning indicator of follow-on intrusion-based activity.
By looking at activity in other sectors and researching those attacks and intrusions, government agencies can incorporate relevant defense methods and proactively anticipate where the threat landscape will evolve next.