On Wednesday, news about a fresh hack against the German government broke. According to reports, the German government is attributing breaches at the German Ministries of Interior and Defense to a group known as Sofacy (also known as Fancy Bear, APT28, and several other names) – an advanced persistent threat group that’s widely believed to be supported by the Russian government.
Sofacy is a known threat actor in cyber security, and several infamous attacks have been attributed to the group. Recent victims of activity generally linked to Sofacy include the World Anti-Doping Agency, the Democratic National Committee, and groups involved with the 2017 elections in France and Germany.
With such notoriety, attributing the more recent attack against the German government to Sofacy is certainly plausible. But F-Secure’s Principal Security Consultant Tom Van de Wiele says these reports shouldn’t surprise anyone.
“The attacks themselves are unsurprising and not really news. Governments are experiencing these attacks with regularity that might surprise some, but it’s something the cyber security industry is used to and basically expects,” explains Tom. “There are clear trends with government attacks that make them predictable, but unfortunately, attackers have many advantages over defenders that explain why it keeps happening.”
Here are a few trends in government attacks that help explain why they keep happening, and why they’re not slowing down.
Attribution is hard
Attributing specific attacks to an individual, group, movement, or country in an age where toolkits and resources are bought and sold is no trivial task. And when it comes to figuring out who is executing or financing attacks, it’s often a crapshoot.
“Spanish IP addresses assigned to Spanish endpoints performing attacks are not necessarily backed or endorsed by the Spanish government, nor do they represent official policy,” says Tom. “Evidence linking these recent attacks to Sofacy or Russia might exist, but I haven’t seen anything public that can be used to confirm or refute that. That element of plausible deniability is pretty common and makes cyber attacks an attractive tool for espionage, data theft and more.”
Legacy systems ensure the same old tricks keep working
Mainframes, old software and hardware, and services that have yet to be written off, often run by service providers under lengthy contracts in which security was never a requirement, are a significant problem for governments. One example would be the 2015 OPM hack, in which legacy systems were singled out as a significant underlying cause.
“Governments have IT budgets, and securing systems against everything in a particular government’s or department’s threat model isn’t always covered,” says Tom.
Cyber defenses often lack depth
Patching vulnerabilities after they’re disclosed is a sort of race: can defenders patch their systems before attackers develop exploits? In most cases, the answer is no, because most organizations can’t do this in a cost-efficient way. So what do the defenders have to fall back on?
“Network compartmentalization, application and operating system hardening, logging and alert mechanisms. But in the real world, there’s not enough of this,” explains Tom. “Containment strategies don’t work very well without these layers, which leads to core assets like email, active directory, and backup or cloud infrastructure being compromised.”
Not enough cyber security expertise to keep up with attacks
It’s no secret that the cyber security workforce is facing a significant skills shortage.
“An unpopular truth is that as long as the public sector struggles to match the private when it comes to information security experience, salaries and skills, new and capable talent will be difficult to recruit for public sector positions,” says Tom. “Until that changes, choices and decisions in design, implementation and maintenance of large information security projects and the future digitalization efforts of governments around the world will stall or produce mediocre results.”
Employees are part of the attack surface
“A lot of the public sector puts effort into testing their ability to spot phishing or other basic attacks, but employees are generally not able to spot more sophisticated threats like APTs,” says Tom. “It’s really impractical to provide cutting edge cyber security training to anyone with an email address that also has access to vital resources on internal networks. Companies with security layers baked into their networks don’t have to worry about this as much, as they’ll be counting on more than endpoint protection to keep the critical stuff protected.”
Last year’s WannaCry and NotPetya attacks demonstrated how important these layers are. Following WannaCry, Tom suggested treating employees working in externally-facing roles as a sort of DMZ where they’re isolated from more critical parts of a network.
Logging and incident response capabilities aren’t as popular as they could be
Knowing what is and what isn’t a security incident is vital to both detection and response efforts. Unfortunately, logging and incident response are not prioritized in the same way as prevention.
“Organizations typically take advantage of default options for logging in operating systems and network devices, but that’s not enough. Putting more effort into monitoring their networks, such as by having off-box central logging, is a quick win that’s often overlooked,” says Tom. “Without centralized monitoring on the health and security status of IT infrastructure by someone taking responsibility for security, organizations can’t monitor the progress of attacks, respond quickly or effectively, or signal to management where more resources are needed.”
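One concrete piece of the off-box monitoring described above is a health check on the collector itself: a host that normally forwards logs and then goes quiet is either down or has had its logging tampered with, and either way the defenders are blind to it. The following is an added example written for this page, not code from the article or from F-Secure; the host inventory, syslog lines and check time are constructed.

```python
"""Flag expected log sources that have gone silent at a central collector."""
from datetime import datetime, timedelta

# Constructed inventory of hosts that are supposed to forward logs off-box.
EXPECTED_HOSTS = {"dc01", "mail01", "bkp01", "web01"}

# Constructed RFC 3164-style syslog lines as the collector received them.
RECEIVED_LOGS = """\
Mar  1 09:00:02 dc01 Microsoft-Windows-Security-Auditing: 4624 logon
Mar  1 09:00:05 web01 sshd[1021]: Accepted publickey for deploy
Mar  1 09:01:10 mail01 postfix/smtpd[2210]: connect from unknown
Mar  1 09:04:44 web01 sshd[1099]: Failed password for root
Mar  1 09:05:01 dc01 Microsoft-Windows-Security-Auditing: 4688 process
"""

# Constructed wall-clock time at which the health check runs.
CHECK_TIME = datetime(2018, 3, 1, 9, 6, 0)


def parse_line(line, year=2018):
    """Return (timestamp, hostname) for one RFC 3164 line (no year field)."""
    ts_str, host = line[:15], line[16:].split(" ", 1)[0]
    ts = datetime.strptime(f"{year} {ts_str}", "%Y %b %d %H:%M:%S")
    return ts, host


def last_seen(log_text):
    """Map each host to the newest timestamp the collector has for it."""
    seen = {}
    for line in log_text.splitlines():
        if line.strip():
            ts, host = parse_line(line)
            if host not in seen or ts > seen[host]:
                seen[host] = ts
    return seen


def silent_hosts(log_text, expected, now, max_silence=timedelta(minutes=3)):
    """Return sorted (host, reason) pairs for expected hosts that are not reporting."""
    seen = last_seen(log_text)
    result = []
    for host in sorted(expected):
        if host not in seen:
            result.append((host, "never reported"))
        elif now - seen[host] > max_silence:
            result.append((host, f"last seen {seen[host]:%H:%M:%S}"))
    return result


if __name__ == "__main__":
    for host, reason in silent_hosts(RECEIVED_LOGS, EXPECTED_HOSTS, CHECK_TIME):
        print(f"ALERT no logs from {host}: {reason}")
```

A real deployment would drive this from the collector's live store and page someone on the alert; the threshold per host should match how chatty that host normally is.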