Cyber-criminal hacking operations are now so skilled that nation-states are using them to carry out attacks in an attempt to keep their own involvement hidden.
A report by cybersecurity researchers at BlackBerry warns that the emergence of sophisticated cybercrime-as-a-service schemes means that nation states increasingly have the option of working with groups that can carry out attacks for them.
These cyber-criminal operations provide malicious hacking services, such as phishing, malware or breaching networks, and get paid for their actions, while the nation state that ordered the operation receives the information or access it requires.
It also comes with the added bonus that because the attack was conducted by cyber criminals who use their own infrastructure and techniques, it’s difficult to link the activity back to the nation state that ordered the operation.
“The emergence, sophistication, and anonymity of crimeware-as-a-service means that nation states can mask their efforts behind third-party contractors and an almost impenetrable wall of plausible deniability,” warns the BlackBerry 2021 Threat Report.
Researchers point to the existence of extensive hacking operations like Bahamut as an example of how sophisticated cyber-criminal campaigns have become.
Originally detailed by BlackBerry last year, Bahamut uses phishing, social engineering, malicious apps, custom malware and zero-day attacks in campaigns targeting governments, private industry and individuals around the world – and had been doing so for years before being uncovered.
Researchers note how “the profiles and geography of their victims are far too diverse to be aligned with a single bad actor’s interests”, suggesting that Bahamut is performing operations for different clients, keeping an eye out for jobs that would make them the most money – and when it comes to funding, certain nation states have the most money to spend on conducting campaigns.
Not only does the client nation state gain the access it requires to hacked networks or sensitive information, but the arrangement also reduces the chance of the activity being linked back to that nation state – meaning that it will potentially avoid consequences or condemnation for conducting attacks.
“Threat actor identification can be challenging for threat researchers due to several factors, such as overlapping infrastructure, disparate targeting, and unusual tactics. This is especially true when only part of a campaign is outsourced,” said the report.
Bahamut has continued to be active since its initial disclosure last year, with campaigns targeting government agencies linked to foreign affairs and defence across the Middle East. The group has also been conducting campaigns against targets in South Asia, with a particular focus on smartphone attacks.
While protecting networks from determined cyber attackers can be difficult, there are cybersecurity practices that organisations can apply in order to help keep intrusions out, such as only providing remote access to sensitive information to those who absolutely need it and constantly examining the network for unusual activity that would be classed as suspicious.