The Risks of State-Sponsored Cyberattacks
State-sponsored cyberattacks, and cyber threats in general, are complex issues that many may choose to overlook due to a lack of expertise. However, in today’s digitally interconnected world, no one is immune; whether you are a government, a business, or a private citizen, you can become a target.
To gain deeper insight into this evolving threat landscape, we are joined by John Bruce, a leading expert in cybersecurity law and policy. In this podcast episode (listen here), he explores the evolution of cyberattacks and what can be done to mitigate them. While we have previously discussed cyber threats in general, this episode focuses on the implications of cyberattacks when states are involved, shedding light on the complexities of cybersecurity in geopolitics.

State-sponsored cyberattacks
State-sponsored cyberattacks are carried out or supported by nation-states with strategic goals, such as undermining adversaries’ critical infrastructure or gaining geopolitical leverage. These attacks are dangerous due to the scale, planning, and resources behind them.
State-sponsored cyberattacks have evolved over time. In the 1990s and the first two decades of this century, state-sponsored cyber activities were finely calibrated cyber espionage operations aimed at intelligence targets and having little impact on ordinary citizens. The exploitation of computer systems was the sole purview of intelligence agencies, with professionals in the same technical weight class engaging in spy-vs-spy competition. Objectives were focused on intelligence collection, and targets were state enterprises or proxies for those enterprises. Nowadays, state-sponsored cyber threat activity is distinguished by how indiscriminate and audacious it is and by how potentially destructive it can be, creating havoc well beyond the level of access states require.
Cyberattacks now:
The Hafnium attack on Microsoft Exchange email servers began as a sophisticated cyber espionage campaign by Chinese state-sponsored hackers, targeting organizations discreetly to steal entire email mailboxes. This operation escalated dramatically in late February 2021, when hackers ramped up activity after realizing that Microsoft was preparing to release a patch. The campaign evolved into a massive and indiscriminate hacking spree, impacting tens of thousands of servers globally and involving multiple hacking groups, most of which were government-backed teams. Hackers exploited four zero-day vulnerabilities, leaving web shells on compromised systems to maintain persistent access. These shells opened the door for other hackers, including ransomware operators, to exploit the vulnerabilities, creating widespread chaos. Unlike the more targeted SolarWinds attack, the Hafnium campaign was reckless and expansive, prompting concerns about long-term vulnerabilities and increasing pressure on governments, particularly the U.S., to hold China accountable while addressing the fallout from this global security breach.
The Salt Typhoon campaign, attributed to Chinese state-sponsored hackers, represents a months-long cyber espionage operation targeting at least eight U.S. telecommunications providers. The attackers infiltrated networks to gain access to sensitive data, including wiretap request systems under the Communications Assistance for Law Enforcement Act (CALEA), and targeted political campaign officials. This breach reflects a structural compromise of essential U.S. communications infrastructure relied upon by millions of Americans. While the campaign focused on intelligence gathering, it highlighted systemic vulnerabilities within the telecommunications industry, such as outdated technologies, inadequate cyber defenses, and poor cyber hygiene practices. The operation underscored the sophistication and persistence of Chinese cyber actors, who exploited interconnected networks and legacy systems to maintain long-term access. The campaign serves as a wake-up call for policymakers to prioritize cybersecurity resilience, address legacy vulnerabilities, and improve collaboration between the private and public sectors. Despite recent advancements in cybersecurity practices, the Salt Typhoon attack emphasizes that significant gaps remain in safeguarding critical infrastructure against evolving cyber threats.
The SolarWinds attack was one of the largest and most sophisticated supply chain cyberattacks in history. In March 2020, state-sponsored hackers infiltrated SolarWinds’ widely used Orion IT network management software by injecting a backdoor, known as SUNBURST, into software updates. This malicious update was distributed to approximately 18,000 customers globally, including U.S. federal government agencies and major private companies. The attackers used this backdoor to selectively target high-profile organizations, executing advanced espionage and deploying custom malware. The attack revealed vulnerabilities in supply chain security, as SolarWinds’ Orion software, often configured with extensive administrative privileges, was exploited to gain deep access to victim networks. The incident highlighted the need for better logging, incident response plans, and strengthened supplier controls to mitigate such risks. U.S. authorities attributed the attack to Russian state-sponsored actors, emphasizing the growing geopolitical implications of cyber espionage. This attack underscored the importance of robust cybersecurity practices to protect critical infrastructure and sensitive information globally.
The attack exploited a zero-day SQL injection vulnerability in Sophos XG firewalls at the end of April. Hackers used this vulnerability to deploy the Asnarök Trojan, which stole sensitive data such as firewall license details, user accounts, email addresses, hashed administrator credentials, and VPN user information. This data could have allowed attackers to compromise the targeted networks remotely. Sophos quickly responded by issuing a hotfix that patched the vulnerability and removed malicious scripts. However, the attackers adapted, attempting to use a “dead man switch” to activate a ransomware attack on unpatched devices if a specific file was deleted and the firewall rebooted. Sophos’ hotfix preemptively blocked this attempt without requiring a reboot, forcing the attackers to modify their strategy again.
Subsequently, the attackers tried to distribute the Ragnarok ransomware to vulnerable Windows machines on the network. They planned to exploit EternalBlue and DoublePulsar vulnerabilities to inject the ransomware into the explorer.exe process, encrypt files, and leave ransom notes for payment. However, Sophos’ hotfix successfully thwarted these attempts. This incident highlights the importance of securing perimeter devices with up-to-date security patches to prevent breaches and mitigate evolving cyber threats.
The West’s vulnerability in cyberspace is compounded by two additional factors:
Efforts by Russia and China to “Balkanise” the Internet: Russia is seeking to establish a closed national internet segment, often referred to as the “Russian national segment,” as part of its broader goal of achieving “digital sovereignty” by 2024. This initiative seeks to create a state-controlled and technologically independent internet capable of being disconnected from the global network if necessary. The primary objective is to shield the country from internal and external threats while enhancing its geopolitical and military power. Ultimately, Russia’s efforts reflect its strategic vision to secure its national interests in cyberspace by emphasizing sovereignty, control, and strategic asymmetry. While the initiative enhances Russia’s resilience and limits the operational freedom of adversaries, it also raises concerns about escalating conflicts, undermining global internet openness, and redefining international cybersecurity norms.
Efforts by autocratic states led by Russia and China to establish a UN Convention ensuring International Information Security: This convention seeks to regulate the use of information and communication technologies (ICTs) to maintain international peace and security, prevent interstate conflicts in cyberspace, and promote the peaceful use of ICTs globally. The document emphasizes equitable cooperation among states and aims to create a framework for trust-building and capacity development. The convention outlines multiple threats to international information security, including the use of ICTs for military or political purposes, monopolization of technological markets by specific states, dissemination of harmful information, and cyberattacks on critical infrastructure. It emphasizes the principles of sovereignty, non-interference in domestic affairs, and the inadmissibility of attributing cyber incidents to states without substantial evidence. Additionally, it advocates for mechanisms to resolve conflicts peacefully, promote public-private partnerships, and foster global cooperation to improve cybersecurity resilience. The proposal has sparked significant criticism from Western democracies and other nations. Opponents argue that it prioritizes state control over fundamental human rights, including freedom of expression, and could enable authoritarian governments to justify censorship and surveillance under the guise of national security. The proposal also discourages attribution of cyberattacks without substantial evidence, potentially undermining accountability for state-sponsored operations. Critics further contend that existing frameworks, such as the applicability of the UN Charter to cyberspace, already provide sufficient legal guidance, making this new treaty unnecessary. Instead, they view the proposal as a move to delay global efforts to implement stronger norms and accountability mechanisms, as well as a strategy to shift control of cyberspace governance toward authoritarian states.

→ Both of these developments complicate the ability of the West to defend its interests in cyberspace and require a re-evaluation of the West’s determination to maintain cyberspace as an open, free and inclusive domain.
Responsible use of Cyber Capabilities
The concept of responsible state behavior in cyberspace is rooted in accountability, restraint, and adherence to international norms. Western democracies advocate for these principles to prevent reckless and destabilizing cyber operations. However, the Salt Typhoon case highlights a growing reality: relying on operators to act in their own best interest and that of their customers is no longer a credible cybersecurity strategy.
A shift is needed toward clear, enforceable obligations for service providers to protect cybersecurity interests. A “New Deal” approach should replace outdated neo-liberal principles, ensuring that managed service providers have obligations beyond contractual commitments. Cybersecurity should be treated as a shared responsibility rather than an individual burden.
Key priorities:
- Develop active measures to contain irresponsible state behaviour in cyberspace while promoting the concept of responsible state behaviour in cyberspace.
- Better define the boundary between acceptable cyber espionage and irresponsible intelligence operations that increase vulnerabilities in critical infrastructure.
- Clarify wrongful, counter-normative, and irresponsible state actions in peacetime and determine when such behaviors undermine global cybersecurity norms.
- Establish mechanisms to counter wrongful and irresponsible cyber activities in peacetime, ensuring they do not escalate into broader conflicts or threaten global security.
Cybersecurity governance must evolve beyond voluntary commitments to proactive and enforceable measures that ensure stability, security, and accountability in cyberspace.
For a refresher on cyber risks, listen to our episode with Kailyn Johnson here.
To explore the complexities of state-sponsored cyberattacks, tune in here now!