Nation state cyber attacks and more: first officer's blog - week 42

Nation state cyber attacks, multi-purpose malware and more. Here are the latest stories from the world of cyber risk.

Mike Parkin | March 13, 2023

The ship proceeded from [REDACTED] to the conference at standard cruise warp speed, with the delegates and the band embarking. It was an unusual and near-unique experience for us, and many of the crew had never been aboard ship for a diplomatic mission before. For many, it was a singular occasion to try and remember the 2nd year Academy class on proper etiquette in the presence of dignitaries.

The planet’s diplomatic representative and her staff were professionally gracious, but it was apparent from the start that they were somewhat disappointed to be taken to the conference on a “lowly” support cruiser like ours. The ambassador never actually said it in so many words, but she’d been expecting at least a front-line Destroyer, rather than a functional, but not especially glamorous, support cruiser.

They weren’t rude, but any effort to make the diplomats feel welcome aboard was professionally rebuffed.

Unlike the band. The crew treated them with the same respect they’d shown the delegates, but the members of the band effectively said, “we work for a living just like you, so just treat us like regular folks.” That attitude was especially welcome to the crew, and even more so when the musicians aboard were invited to join in something they called a “jam session,” which led to an impromptu concert before the officially scheduled one.

When they played for us officially, the concert was piped throughout the ship over the internal display and audio system. And, while many on the crew still had no idea what Terran Prog Metal was, they had now all gotten a taste of it.

Not everyone was into the music, of course. Being a multi-cultural, multi-ethnic, multi-species crew, there were vast differences in what each crew member found to their taste. But whether it was “their thing” or not, everyone appreciated the effort and generosity of the band in playing for us, and with us.

And the music did have an emotional effect on some of the crew. Case in point. After our arrival at the conference world, and the departure of the diplomatic party, Technical Rating [REDACTED] unexpectedly hugged the band’s lead singer, lifted him bodily off the deck, and stated in her typical straightforward way, “I like your music. We will miss you. Come back.”

For his part, the vocalist mumbled something in the affirmative and made his way to the transporter so he too could beam down – hopefully with unbruised ribs – as the Rating’s team lead cringed visibly at the prospect of explaining to HR, again, how cultural differences regarding “best intentions” sometimes led to unintended consequences.

Not really the Swiss Army

What happened

A reported rise in “multi-purpose” malware gives threat actors more capability to adapt their techniques to the environment they’re in, leveraging multiple functions within a single payload to reach their ultimate goal on the target. The average malware sample is reported to use 11 separate TTPs (Tactics, Techniques, and Procedures), a third include 20 or more, and a tenth have upwards of 30 at their disposal.
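The numbers above only become actionable once they are set against what a defender can actually detect. The script below is an added example (not code from the original post or from any report it summarizes): it takes per-sample lists of MITRE ATT&CK technique IDs, computes the same kind of figures the story cites (average techniques per sample, share of samples at or above 20 and 30), and then ranks the techniques that a hypothetical detection set does not cover by how many samples use them. The technique IDs are real ATT&CK IDs, but the samples, their technique lists and the `COVERED` set are constructed for illustration.

```python
"""Added example, not code from the original post: summarize how many
ATT&CK techniques each malware sample uses and which of them a defender's
detections do not cover. All sample data below is constructed; the
technique IDs are real MITRE ATT&CK IDs, but which sample uses which,
and which techniques are "covered", is hypothetical."""
from collections import Counter
from statistics import mean

# Constructed pool of ATT&CK technique IDs (real IDs, arbitrary order).
ATTACK_POOL = [
    "T1566.001", "T1204.002", "T1059.001", "T1027", "T1140", "T1105",
    "T1547.001", "T1053.005", "T1055", "T1082", "T1083", "T1012",
    "T1016", "T1057", "T1071.001", "T1036.005", "T1562.001", "T1070.004",
    "T1003.001", "T1087.002", "T1018", "T1021.002", "T1021.001", "T1078",
    "T1569.002", "T1560.001", "T1041", "T1490", "T1489", "T1486",
    "T1110.003", "T1133",
]

# Constructed samples: name -> techniques observed in that sample. Each one
# uses a prefix of the pool so the counts are easy to follow (8, 12, 20, 32).
SAMPLES = {
    "dropper-a": ATTACK_POOL[:8],
    "stealer-b": ATTACK_POOL[:12],
    "rat-c": ATTACK_POOL[:20],
    "ransomware-d": ATTACK_POOL[:32],
}

# Constructed detection coverage: techniques for which this hypothetical
# SOC has a tested detection rule.
COVERED = {
    "T1566.001", "T1059.001", "T1055", "T1547.001", "T1053.005",
    "T1003.001", "T1021.002", "T1486", "T1490", "T1562.001",
}


def ttp_stats(samples):
    """Figures of the kind the story cites: average distinct TTPs per
    sample and the share of samples with at least 20 and at least 30."""
    counts = [len(set(ttps)) for ttps in samples.values()]
    n = len(counts)
    return {
        "mean_ttps": mean(counts),
        "share_ge_20": sum(c >= 20 for c in counts) / n,
        "share_ge_30": sum(c >= 30 for c in counts) / n,
    }


def coverage_gaps(samples, covered):
    """Per sample, the techniques no detection covers, plus a ranking of
    uncovered techniques by how many samples use them. The ranking is the
    useful part: multi-purpose samples overlap heavily, so one detection
    for a widely shared technique closes a gap in all of them at once."""
    gaps = {name: sorted(set(ttps) - covered) for name, ttps in samples.items()}
    shared = Counter(t for uncovered in gaps.values() for t in uncovered)
    ranked = sorted(shared.items(), key=lambda kv: (-kv[1], kv[0]))
    return gaps, ranked


def covered_fraction(samples, covered):
    """Share of each sample's techniques that at least one detection covers."""
    return {
        name: len(set(ttps) & covered) / len(set(ttps))
        for name, ttps in samples.items()
    }


if __name__ == "__main__":
    stats = ttp_stats(SAMPLES)
    print(f"average TTPs per sample: {stats['mean_ttps']:.1f}")
    print(f"share with >=20: {stats['share_ge_20']:.0%}, "
          f">=30: {stats['share_ge_30']:.0%}")
    gaps, ranked = coverage_gaps(SAMPLES, COVERED)
    for name, uncovered in gaps.items():
        print(f"{name}: {len(uncovered)} uncovered techniques")
    print("fix these detections first (technique, samples affected):")
    for technique, n in ranked[:5]:
        print(f"  {technique}  {n}")
```

The ranking is the check worth keeping: with the constructed data, four uncovered techniques (`T1027`, `T1105`, `T1140`, `T1204.002`) appear in every sample, so building and testing detections for those first reduces exposure to all four samples rather than chasing the longest list. Swap in your own sandbox or threat-intel output for `SAMPLES` and your validated rule inventory for `COVERED`.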

Why it matters

While the most sophisticated and powerful malware is often created by state agencies or state-sponsored threat actors, the reality is that these versatile tools have been coming “down market” for a while. Cybercriminal gangs, even those without state-level involvement, can afford to pay for skilled coders and have the motivation to “spend money to make money,” as the 42nd Rule of Acquisition states. And from there, the tools get sold, rented, or handed down to other cybercriminals.

What they said

Like most malware stories, this one’s getting plenty of attention.

Y’all ready for this? The rise of nation state cyber attacks

What happened

A newly developed analyst model, addressing the increased involvement of state-level and state-sponsored threat actors, is designed to help organizations manage risk and prepare for increased nation state cyber attacks, or other attacks by well-resourced adversaries. By modeling national-level threats that may attack civilian targets, it is easier to deploy defensive tools and policies that will be effective.

Why it matters

There are, and have been, models that show the most common ways threat actors go after their targets. Some are admittedly better than others, but most of them loop back to the same core conclusion: organizations need to do a better job of doing what they already know they need to do.

Having better models of attacker behavior doesn’t really help when environments are still suffering from vulnerable misconfigurations, unpatched systems, and users who still make the same mistakes we’ve spent years training them to avoid.

The tools exist to manage risk, identify threats, find vulnerabilities, and track assets. The issue is getting them deployed and getting them deployed according to well-established industry best practices.

What they said


Unsurprisingly, there’s plenty of coverage around the rise of nation state cyber attacks.

But why aren’t you doing this stuff already?

What happened

The Transportation Security Administration has issued directives on cybersecurity aiming to bring airports and aircraft operators up to a higher standard in the face of ongoing and evolving threats. This follows an almost identical set of guidelines issued for the rail industry and comes shortly after the White House released its National Cybersecurity Strategy document earlier this month.

Why it matters

There may be some confusion as to who, precisely, should be issuing directives here, as TSA is under the Department of Homeland Security (DHS) and was founded under the Department of Transportation (DOT), both of which can, and do, set out similar directives for organizations under their purview. While it seems that either of those larger organizations would be the ones calling the shots, the current set of directives is coming from the TSA.

The deeper issue is that this directive is even required. As mentioned above, there are already tools and processes that can substantially reduce the risk from cyberattacks. It shouldn’t take a government mandate to get organizations to follow industry best practices. It should just be “the way things are done.”

What they said

This story has certainly taken off.

