Understanding the ‘espionage ecosystem’ threat
Protect your network from state-sponsored “espionage ecosystems”
Cyber risk wears many guises. Every CISO has learned to fear ransomware, but will be aware that threats to systems and data can just as easily strike in the form of malware, phishing attempts or distributed denial of service (DDoS) attacks. Perpetrators vary too, from lone wolf to disgruntled insider to organized crime syndicate.
Over the last few years a new concern has emerged in the form of the so-called ‘espionage ecosystem’.
These are complex organizations, invariably sponsored by an autocratic nation-state. They work by wielding a range of sophisticated technologies with aims that range from disrupting supply chains and stealing information to undermining the security of critical national infrastructure.
Espionage ecosystems are skilled at embedding malicious code in networks, often via unwary employees, enabling them to gain access to the inner workings of legitimate organizations.
Their activities are unlikely to be a swift ‘smash and grab’ strike, and usually work at gaining deep, long-term access to critical networks, having probed for weaknesses by stealth. They are skilled at weaponizing AI at scale to automate their attacks, allowing them to subtly but efficiently exfiltrate and analyze information.
Their target might be product roadmaps, M&A plans, pricing models or details of legal strategy. Sometimes their mission is simply to destroy and disable. Their targets span private sector enterprises with valuable intellectual property through to strategically important public sector infrastructure.
The typical espionage ecosystem wants ultimately to infiltrate an organization's nerve center, its strategic DNA. As they quietly observe decision-making, communications and workflows over time, they will be harvesting insights into how an enterprise thinks and operates.
This can have the effect of draining away competitive advantage long before anybody notices. By the time the alarm is raised, the desired information has already been taken and used.
After the work of these ecosystems has been discovered, trust in systems and data has often been fatally weakened. Senior management is forced to question not only what has been stolen but also what may have been tampered with.
Uncertainty will linger over information such as user credentials, configurations, identity permissions, or decision-support data.
While these attacks can be subtle and slow, their impact can in the long term be disastrous, measured in terms of regulatory risk, loss of market position, and reputational damage. Where government bodies are affected, the cost can be a matter of national security.
The problem of complexity
Complexity is the best friend of the espionage ecosystem. Today’s enterprises rely on sprawling SaaS stacks, an army of AI tools and a mess of cloud platforms. Bad actors can exploit this dense forest to creep laterally through identity systems, email, collaboration tools and APIs, often leveraging legitimate access paths.
Traditional defenses are ineffective since what is being attacked and mimicked is often the behavior of people rather than the structure of systems.
The tools at the disposal of the bad guys are modern and powerful, well suited to the task of navigating secretly through the corporate IT maze. Espionage ecosystems make use of a number of advanced e-weapons, such as Remote Access Trojans (RATs).
A RAT is a form of malware that enables remote control of an infected computer, letting the attacker leverage the user's credentials to install or remove software and steal files. The typical RAT is malicious code that lives entirely in memory rather than on disk, making it hard to detect.
Everything looks entirely legitimate to the user who then goes on to activate the payload and spread the infection to the next stage. RAT code has the ability to inject itself into system level processes, starting slow and low in the network, and going undetected.
It ends up being able to exfiltrate information from multiple users, and stays in the system for a long period with nobody knowing.
So how do you know when an espionage ecosystem is active in your network, given that the adversary is operating at a level of sophistication where it is unlikely to be discovered on the fly? Organizations need a solution that spots and flags deviations in behavior. Why is that person accessing that particular system?
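The question "why is that person accessing that particular system?" is answerable only if you have a baseline of what each user normally touches. The following is an added example, not code from the article or from Aryaka: it builds a per-user baseline (systems touched, hours of day seen) from an earlier window of constructed access-log lines, then flags later events that are a first-seen user-to-system pairing or fall outside both working hours and the user's own observed hours. The log format, user names and system names are all constructed for the example.

```python
"""Added example: baseline-and-deviation check over access log lines.
Not from the article; log format and names are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <system> <action>"
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice fileserver-hr read
2024-03-01T09:40:00 alice fileserver-hr read
2024-03-02T10:05:00 alice fileserver-hr write
2024-03-01T08:30:00 bob build-server read
2024-03-02T08:45:00 bob build-server read
2024-03-03T23:50:00 alice build-server read
2024-03-03T02:10:00 bob fileserver-hr read
2024-03-04T09:00:00 bob build-server read
"""


def parse(lines):
    """Turn raw log text into (timestamp, user, system, action) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, system, action = line.split()
        events.append((datetime.fromisoformat(ts), user, system, action))
    return events


def build_baseline(events, cutoff):
    """Per-user set of systems touched and hours of day seen before `cutoff`."""
    systems = defaultdict(set)
    hours = defaultdict(set)
    for ts, user, system, _ in events:
        if ts < cutoff:
            systems[user].add(system)
            hours[user].add(ts.hour)
    return systems, hours


def detect(events, cutoff, working_hours=range(7, 20)):
    """Flag post-cutoff events that deviate from the user's own baseline.

    Two signals are combined: a user touching a system never seen for them,
    and activity at an hour that is neither in the site's working hours nor
    in that user's previously observed hours.
    """
    systems, hours = build_baseline(events, cutoff)
    alerts = []
    for ts, user, system, action in events:
        if ts < cutoff:
            continue
        reasons = []
        if system not in systems[user]:
            reasons.append("first access to " + system)
        if ts.hour not in working_hours and ts.hour not in hours[user]:
            reasons.append("outside usual hours (%02d:00)" % ts.hour)
        if reasons:
            alerts.append((ts.isoformat(), user, system, "; ".join(reasons)))
    return alerts


def run_sample():
    """Baseline on 1-2 March, evaluate from 3 March onward."""
    events = parse(SAMPLE_LOG)
    return detect(events, datetime(2024, 3, 3))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the constructed data the two late-night first-time accesses (alice to the build server, bob to the HR file server) are flagged, while bob's routine morning access to the build server is not. A real deployment would feed the baseline continuously rather than from a fixed cutoff, and would key on identity rather than a bare username.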
The correct security posture involves the constant feeding of intelligence to your security products. Intelligence must be pooled, between organizations and across geographies. You need to share among all your toolsets, on a continuous basis.
The attacks might probe various aspects of your defenses, so you need multiple, independent security controls to cover each of them. You need to control the flow of information as much as you can. And you’ll need intelligence from external sources as well. This will let you find a way to break the chain and disrupt the campaign.
The CISO must identify data authorization boundaries, and truly understand how data is flowing inside the system. That way they can ensure that critical data stays within a given boundary. They must take existing security processes and make them continuous.
With the advent of AI, they can enhance those processes. But they need also to be on their guard against the risks posed by shadow AI.
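Identifying data authorization boundaries and checking that data flows respect them can be expressed as a small policy check. The following is an added example, not code from the article or from Aryaka: each dataset is assigned to a boundary, each destination system is tagged with the boundaries it is authorized to hold, and recorded flows are tested against that map. Unregistered datasets are denied by default, and approved exceptions are explicit. The datasets, systems, boundaries and flows are all constructed for the example.

```python
"""Added example: data authorization boundary check over recorded flows.
Not from the article; boundaries, systems and flows are constructed."""
from dataclasses import dataclass

# Constructed: the boundary each dataset belongs to.
DATASET_BOUNDARY = {
    "pricing-model": "finance",
    "ma-pipeline": "legal",
    "product-roadmap": "product",
    "marketing-deck": "public",
}

# Constructed: which boundaries each destination system is authorized to hold.
SYSTEM_BOUNDARIES = {
    "erp-core": {"finance"},
    "legal-dms": {"legal"},
    "roadmap-wiki": {"product"},
    "bi-warehouse": {"finance", "product"},
    "personal-cloud-sync": set(),
    "external-webmail": set(),
}

# Constructed, explicitly approved exceptions: (dataset, destination)
EXCEPTIONS = {("marketing-deck", "external-webmail")}


@dataclass(frozen=True)
class Flow:
    ts: str
    user: str
    dataset: str
    destination: str


def is_authorized(flow):
    """True if the flow stays inside the dataset's boundary or is an exception."""
    boundary = DATASET_BOUNDARY.get(flow.dataset)
    if boundary is None:
        return False  # unregistered data: deny by default
    if boundary == "public":
        return True
    if (flow.dataset, flow.destination) in EXCEPTIONS:
        return True
    return boundary in SYSTEM_BOUNDARIES.get(flow.destination, set())


def find_violations(flows):
    """Return the flows that cross a boundary without authorization."""
    return [f for f in flows if not is_authorized(f)]


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    Flow("2024-03-03T10:00", "alice", "pricing-model", "bi-warehouse"),
    Flow("2024-03-03T10:05", "alice", "pricing-model", "personal-cloud-sync"),
    Flow("2024-03-03T11:00", "bob", "ma-pipeline", "legal-dms"),
    Flow("2024-03-03T11:20", "bob", "ma-pipeline", "bi-warehouse"),
    Flow("2024-03-03T12:00", "carol", "marketing-deck", "external-webmail"),
    Flow("2024-03-03T12:30", "carol", "unregistered-export", "external-webmail"),
]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("boundary violation:", v)
```

Three of the constructed flows are flagged: the pricing model copied to a personal sync client, the M&A pipeline landing in a warehouse that is not authorized for legal data, and an unregistered export that the policy cannot classify. The deny-by-default branch is the important one: data the CISO has not yet mapped to a boundary is exactly the data whose movement nobody is watching.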
Who is the target?
There is no single type of target favored by these ecosystems. All that matters is that the victim has something worth stealing or damaging. The aim might be hitting public sector bodies to strike a blow against an ‘enemy’ nation.
Or it can be a matter of industrial espionage with a commercial end point in mind. Threats to both types of target seem to be on the increase.
The 2020 attack on Texas-based IT management software firm SolarWinds offers a prominent recent example of a commercial target. This cyber intrusion, in all probability instigated by Russia’s Foreign Intelligence Service (SVR), was one of the most serious espionage ecosystem instances of recent times.
It began when a hacker was able to upload a malicious modification to the SolarWinds Orion product range which led to administrator-level commands being sent to a number of external locations in the supply chain.
The attack, which made several weeks of global headlines, demonstrated to every CISO how a small foothold at the fringes of a network can go on to compromise the most critical applications of a hugely important organization, and affect its customers at scale.
The US’s National Cyber Security Centre (NCSC) investigated the incident and its impact, quickly realizing that a large number of other organizations had been affected. In the end it is estimated that the breach compromised around 18,000 SolarWinds customers.
Demonstrating that public sector bodies can be at least as vulnerable, the Indian government recently fell victim to an espionage ecosystem called Transparent Tribe (APT36). The aim of this attack was long-term intelligence collection through stealthy, resilient access.
The attack was actually made up of multiple active campaigns targeting Indian defense and government-aligned organizations across both Windows and Linux environments. One campaign targeted Windows systems using phishing emails with a remote access trojan and was thus able to evade traditional file-based detection.
The attackers implemented layered startup mechanisms that ensured continued access even when disruption occurred in the infection chain. The result was a lightweight but durable foothold, well-suited for extended reconnaissance and intelligence gathering.
In conclusion
Espionage ecosystems are here to stay; they are active all over the world and their tactics are evolving and getting smarter. The latest generation of ecosystems features innovations such as cross-platform payloads, memory-resident execution, and covert command-and-control channels.
This demonstrates that today’s ecosystems are designed more than ever with patience rather than speed in mind, forcing defenders to adapt continually. When CISOs read of one of these attacks, they should be aware that it may be more than an isolated incident.
It could form part of a pattern of coordinated efforts within a mature threat ecosystem. Detecting and disrupting this level of threat requires visibility across platforms, attention to tiny behavioral anomalies, and a realization that persistence is the attacker’s chosen weapon. Only then can security teams start to take effective action.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Dr. Aditya K Sood is VP of security engineering and AI strategy at Aryaka.