Most businesses will be familiar with the main nation-state adversaries, China, Russia, Iran, and North Korea, also known as CRINK. But recently, the threat from state-sponsored attackers has been widening to include a new frontier of adversaries from Turkey and Vietnam, alongside an increase in activity from Iranian-based groups.
In the past, nation-state adversaries have targeted so-called critical infrastructure such as energy, water, finance, manufacturing, and defense to steal sensitive secrets and cause maximum damage. But today, the threat is broader and more complex.
While state-sponsored groups typically focus their energy on government targets, attacks frequently spill over into the private sector. Enterprise security teams need to stay informed on the wider threat landscape to anticipate all possible threats.
The new breed of adversaries is already attacking organizations including research institutions, IT service providers, and media companies. So, who are the new frontier of nation-state adversaries, what are their tactics and aims, and what can be done to secure your business?
The new groups behind state-sponsored cyber attacks
Sea Turtle – Turkey
Some of the new breed of nation-state groups come from Turkey such as Sea Turtle, which has been observed targeting telecom, media, and tech companies in the Netherlands. Tracked as Marbled Dust by Microsoft, the group’s focus is on acquiring economic and political intelligence through espionage, says Philip Ingram a former colonel in British military intelligence.
The group has evolved over time. When it first emerged between 2017 and 2019, it conducted DNS hijacking campaigns against the Middle East and North Africa. “It gained access to organizations by redirecting user traffic to attacker-controlled instances and obtaining valid encryption certificates,” says Adam Price, intelligence analyst at Cyjax.
Later the group started using a malware strain named SnappyTCP, as tracked by PwC. Sea Turtle used the strain to compromise and establish persistence on Linux-based systems in the Netherlands as it added Europe to its targeted geographies.
It also targets non-government organizations and steals information from public and private entities linked to Kurdish political groups such as the Kurdistan Workers’ Party, says Ingram.
Ocean Lotus – Vietnam
Another notable up-and-coming adversary is OceanLotus, a Vietnam-based state-sponsored threat group also known as APT32, SeaLotus, CanvasCyclone, and CobaltKitty. The group has been active since 2012 and focuses on cyber espionage targeting organizations of interest to the Vietnamese government, such as human rights and research institutes, Price says.
The group is also believed to have targeted the Chinese government during Covid-19, according to Mandiant research.
APT36 - Pakistan
Another new adversary is a Pakistan-aligned group named APT36, which has a history of conducting targeted espionage operations in South Asia. “The group's primary target is Indian government personnel and Pakistani political opposition,” says Richard Bate, CTO at Goldilock.
The group's modus operandi is social engineering, with the goal of tricking targets into installing a remote access trojan (RAT) on their Android device or computer to gather data.
State-sponsored attacks: The CRINK adversaries
While this new breed of attackers poses a growing threat, the traditional CRINK adversaries are also evolving. Iran – a lesser CRINK attacker when compared to China, Russia, and North Korea – is increasingly active, with state-sponsored groups conducting targeted attacks against sectors including IT, infrastructure, and government.
Many Iranian groups, including ImperialKitten and MuddyWater, use spear-phishing attacks for initial access, says Price.
This technique is also used by a newly identified China-based threat group, referred to as Earth Krahang. This up-and-coming adversary has conducted spear-phishing campaigns against several government entities in South East Asia and targeted organizations in Europe, America and Africa, says Price.
TrendMicro has tracked Earth Krahang since 2022, stating in recent research post that the group favors using compromised government networks to launch further attacks and builds virtual private network (VPN) servers on infected public servers as a jumping-off point for brute force attacks.
North Korea also poses a major threat to businesses, with groups including Lazarus, a state-sponsored attacker blamed for breaching Sony in 2014 and the WannaCry virus in 2017.
Another lesser-known North Korean state-sponsored attacker is Kimsuky, a cyber-espionage group that conducts spear phishing campaigns as part of the North Korean General Reconnaissance Bureau, Price says.
Shifting tactics for state-sponsored cyber attacks
More broadly, there has been a shift in what would be considered a “pure” nation-state threat actor, says Ian Thornton-Trump, CISO at Cyjax. “The recent revelations from the i-Soon data breach reveal that Chinese nation-state threat actors are supported by a contractor ecosystem. Iran has front companies and some nations have outsourced aspects of cyber operations to proxies – as is the case with Russia’s relationship with Anonymous Sudan.”
Indeed, many hackers from China, Russia, Iran, and North Korea are predominantly outsourced from other nations, says Jamie Moles, senior technical manager at ExtraHop. North Korea in particular, is known for outsourcing hacking talent, he says. “These hackers are often operating from bedrooms using VPNs, and take government contracts alongside other bounties and targets of opportunity.”
It is increasingly common for cyber-criminals to merge into state-sponsored groups. Some countries allow groups to operate criminal enterprises, provided they also carry out activities on behalf of the state, says Ingram.
“The advantage is, the criminal organizations can usually afford better hackers – and they remain plausibly deniable because they’re still one step away from complete state ownership.”
New technology behind state-sponsored cyber attacks
While ransomware remains a major threat, nation-state tactics are evolving as adversaries take advantage of new technology such as generative AI models and more advanced iterations of traditional AI like machine learning (ML). Both carry the potential to power rapid, targeted attacks. For example, Chinese state-sponsored attacks are using AI-generated images in politically motivated campaigns.
In the wrong hands, AI can pose a threat as it can automate tasks such as reconnaissance, exploit identification, and the development malware that can evade traditional detection methods. Microsoft and OpenAI have warned that state-backed threat actors are already using generative AI to launch cyber attacks
Nadir Izrael, CTO and co-founder of Armis, tells ITPro that AI can make attacks faster and more advanced.
Threat actors often take advantage of basic vulnerabilities that haven't been patched as a point of entry into organizations, says Izrael. Distributed denial-of-service (DDoS) attacks remain popular due to “their ability to disrupt critical infrastructure and cause significant financial damage”, he adds.
The nation-state attack landscape is certainly evolving, but experts say the basics to secure yourself remain the same. It is more important than ever to ensure your business has a base level of protection in place, says Richard Breavington, partner at RPC. Measures such as proper patching and multi-factor authentication (MFA) are helpful for reducing vulnerability to attack, he says.
Mitigating the risk of impact from state-sponsored attacks can be achieved through defense-in-depth and creating and following strict policies and procedures, says Price. In addition, he recommends protecting sensitive data and implementing endpoint protection and disaster recovery.
It is also important to have effective internal policies in place to manage the risk of a cyber incident, says Breavington. “These should include specific processes to protect against potential human error.”
