The importance of protecting credential thefts from nation-state attackers

Nation-state attacks saw heightened activity during the period 2017 to 2020. In 2019, cyberattacks increased by 42% and were attributed to malicious attackers in foreign countries.  Nearly 25% of the cyber breach was linked to espionage, and another 24% was accounted for by Ransomware. Cybercriminals targeted login credentials by targeting cloud-based email accounts. And yes, the most vulnerable accounts were belonging to the C- level executives of organizations. 

The Objective of Non-state actors

The threat from non-state actors and the espionage link have highlighted the threat landscape regarding a sensitive data breach.     

The approach of attackers is evolving with every passing day. Conventional hacking and phishing, and ransomware for monetary gains is widespread knowledge publicly, and organizations have taken steps to secure their systems.  Now organizations are being targeted for theft of another kind.  Secret thefts, including intellectual thefts, are now being pursued by cybercriminals. Nation-state actors place greater emphasis on credential theft than money.  They leverage credentials and secretly gain access over a while.     

What is credential theft?

It is a form of cybercrime that attackers use to steal the identity details of the victim. Once the attacker successfully steals the credentials, they have the same privileges as the victim for accessing the system.  This is the first stage of the long-term planning of a credential-based attack. 

Attackers handle credential thefts in two ways. One is to reset the password, lockout the victim from the account, download the victim's private data, wipe out the data and backup of the victim, and gain access to other systems in the network. The other type of attack is to clandestinely gain remote access into the system using a legitimate password. This is done by login into third-party services like Microsoft 365, Dropbox, etc., that are used for regular business operations. 

Modus operandi of Credential theft 

Attackers usually indulge in phishing to get passwords from victims.  This is an inexpensive way to steal passwords as users are often careless and thus vulnerable to attackers who use many methods such as credential leaks, brute force, or guessing. The credentials are extracted in the form of plain text or hashes, or tickets. Unlike malware that breaches through the organization system's security defense, phishing is more based on human interaction.  

Attackers also search on social media sites of users whose critical information can help them attack corporate credentials. Attackers make fake emails and websites that look like official communication and send them to users who fall for the trap of clicking on those invites.   

Cybercriminals usually sell stolen credentials on the dark web to nation-state attackers looking for an uncomplicated and quick way to get information.  The dark web is encrypted and cannot be accessed on the internet easily as they are not found on indexed search engines. A malicious attacker who uses malware usually purchases stolen credential and quietly attack the system. This has the advantage of making less noise not likely to be detected initially. 

Attackers who plan high money heist operations like ransomware often use this method.  This is similar to a robber who prefers having duplicate keys to the house or access code to the alarm system that does not make any noise when breaking into the house. The cybercriminals who are individuals, groups part of nation-state attack buy the credentials to gain silent entry and wait till the ransom is successfully concluded. 

Though cyber-attacks happen purely for financial gains where attackers prefer making big gains in one swift operation, the longer game of credential theft is to make safe money from selling the credentials on the dark web and coming out unscathed.  The other motive for such attacks is to target educational and research organizations where the objective of the nation station cybercriminals is to get hold of data, web applications, software chain supply, emails, and intellectual property (IP) on about anything sensitive that matters to a country. Post Covid-19, many nations are trying to get vaccine's intellectual property information from other countries who have developed it. 

Protection from credential theft

Whether small or big, private or state-owned, all organizations need to have a high-priority policy on addressing suspicious logins. In recent times, some of the biggest cyber breaches have involved credential thefts and disrupting the supply chain operations for days, leading to substantial operational, and financial loss. Also, acknowledgment from the victim organizations, that a ransom was paid to the attackers to reopen the system. 

Ways to Protect against cyber attacks 

They are many ways to secure an organization system, such as 

• Training the employees to create strong passwords, keep changing them regularly, and be alert from any spear phishing.
• IT departments should ensure compulsory two-factor authentication (2FA)  as any suspicious logins will be detected in real-time.
• Implement identity access management and outsource it to third-party services to constantly monitor and handle password management systems and block users from unknown websites and applications.
• Management should have a hierarchy policy on who can access corporate credentials from approved applications.
• Update and upgrade operating systems and devices regularly.
• Conduct regular threat or vulnerability assessments of the system and report to management on potential gaps in the system.
• Use tools for monitoring traffic, especially as the network is cloud-based and susceptible to encryption.
• Subscribing tools that check whether an email address and password are compromised or not. Today, there are many tools available in the market and used by   IT security teams of organizations and external cybersecurity services. Even individuals can use this tool to find if their online credentials have been stolen or not. The services apart from checking emails also provide notification and protection services. 

Conclusion 

Nation-state attackers are increasingly using sophisticated and divergent methods to steal login credentials.  They harvest the stolen credentials and wait for the right moment to strike. As per Microsoft reports, credential theft is now on top of the attacking techniques used by nation-state cyber attackers over the past year. The only way to protect from cyber attackers is to use some of the tips mentioned above and ensure that security teams successfully slow down credential theft attacks on critical infrastructure and keep important systems from getting locked.