Most companies will be familiar with the main nation-state adversaries, China, Russia, Iran and North Korea, also known as CRINK. But recently, the threat from state-sponsored attackers has expanded to include a new frontier of adversaries from Turkey and Vietnam, along with increased activity from Iran-based groups.
In the past, nation-state adversaries have attacked so-called critical infrastructure such as energy, water, finance, manufacturing and defense to steal confidential secrets and cause maximum damage. But today the threat is broader and more complex.
While state-sponsored groups typically focus their energy on government targets, attacks often extend to the private sector. Enterprise security teams must stay informed about the broader threat landscape to anticipate all potential threats.
The new generation of adversaries is already attacking organizations including research institutions, IT service providers and media companies. So who are the new frontier of nation-state adversaries, what are their tactics and objectives, and what can businesses do to protect themselves?
Sea Turtle – Türkiye
Some of the new nation-state groups come from Turkey, such as Sea Turtle, which has been observed targeting telecommunications, media and technology companies in the Netherlands. Tracked by Microsoft as Marbled Dust, the group's goal is to acquire economic and political intelligence through espionage, says Philip Ingram, a former colonel in British military intelligence.
The group has evolved over time. When it first emerged between 2017 and 2019, it carried out DNS hijacking campaigns against targets in the Middle East and North Africa. “It gained access to organizations by redirecting user traffic to attacker-controlled instances and obtaining valid encryption certificates,” says Adam Price, an intelligence analyst at Cyjax.
Later the group began to use a malware strain called SnappyTCP, as tracked by PwC. Sea Turtle used the strain to compromise and establish persistence on Netherlands-based Linux systems as it added Europe to its target geographies.
It also targets non-governmental organizations and steals information from public and private entities linked to Kurdish political groups such as the Kurdistan Workers Party, Ingram says.
OceanLotus – Vietnam
Another emerging and notable adversary is OceanLotus, a state-sponsored threat group based in Vietnam, also known as APT32, SeaLotus, Canvas Cyclone and Cobalt Kitty. The group has been active since 2012 and focuses on cyberespionage targeting organizations of interest to the Vietnamese government, such as human rights groups and research institutes, Price says.
The group is also believed to have attacked the Chinese government during Covid-19, according to previous research.
APT36 – Pakistan
Another new adversary is a Pakistan-aligned group called APT36, which has a history of conducting targeted espionage operations in South Asia. “The group's primary target is Indian government personnel and the Pakistani political opposition,” says Richard Bate, CTO at Goldilock.
The group's modus operandi is social engineering, with the aim of tricking targets into installing a remote access trojan (RAT) on their Android device or computer to collect data.
While this new generation of attackers represents a growing threat, traditional CRINK adversaries are also evolving. Iran – a lesser CRINK actor compared to China, Russia and North Korea – is increasingly active, with state-sponsored groups carrying out targeted attacks against sectors such as information technology, infrastructure and government.
Many Iranian groups, including ImperialKitten and MuddyWater, use phishing attacks for initial access, Price says.
This technique is also used by a recently identified threat group based in China, known as Earth Krahang. This emerging adversary has conducted phishing campaigns against various government entities in Southeast Asia and has targeted organizations in Europe, the Americas and Africa, Price says.
Trend Micro has tracked Earth Krahang since 2022, noting in a recent research post that the group favors using compromised government networks to launch further attacks and builds virtual private network (VPN) servers on infected public servers as a starting point for brute-force attacks.
North Korea also poses a major threat to businesses, with groups like Lazarus, a state-sponsored attacker accused of breaching Sony in 2014 and of the WannaCry attack in 2017.
Another lesser-known North Korean state-sponsored attacker is Kimsuky, a cyberespionage group that carries out phishing campaigns as part of North Korea's Reconnaissance General Bureau, Price says.
More broadly, there has been a shift in what would be considered a “pure” nation-state threat actor, says Ian Thornton-Trump, CISO at Cyjax. “The recent revelations of the I-Soon data breach reveal that Chinese nation-state threat actors are supported by an ecosystem of contractors. Iran has front companies and some nations have outsourced aspects of cyber operations to proxies, as is the case with Russia's relationship with Anonymous Sudan.”
In fact, many hackers from China, Russia, Iran and North Korea are predominantly outsourced to other nations, says Jamie Moles, senior technical manager at ExtraHop. North Korea in particular is known for outsourcing hacking talent, he says. “These hackers often operate from bedrooms using VPNs and accept government contracts along with other rewards and targets of opportunity.”
It is increasingly common for cybercriminals to merge into state-sponsored groups. Some countries allow groups to operate criminal enterprises, as long as they also carry out activities on behalf of the state, Ingram says.
“The advantage is that criminal organizations can usually afford better hackers, and they remain plausible because they are still one step away from full state ownership.”
While ransomware remains a major threat, nation-state tactics are evolving as adversaries take advantage of new technologies, such as generative AI, more advanced models and iterations of traditional AI such as machine learning (ML). Both have the potential to fuel quick, targeted attacks. For example, Chinese state-sponsored attackers use AI-generated images in politically motivated campaigns.
In the wrong hands, AI can pose a threat as it can automate tasks such as reconnaissance, identification of exploits and the development of malware that can evade traditional detection methods. Microsoft and OpenAI have warned that state-backed threat actors are already using generative AI to launch cyberattacks.
Nadir Izrael, CTO and co-founder of Armis, tells ITPro that AI can make attacks faster and more advanced.
Threat actors often take advantage of basic vulnerabilities that have not been patched as an entry point into organizations, Izrael says. Distributed denial of service (DDoS) attacks remain popular due to “their ability to disrupt critical infrastructure and cause significant financial damage,” he adds.
The nation-state attack landscape is certainly evolving, but experts say the basics of protecting yourself remain the same. It's more important than ever to ensure your business has a basic level of protection, says Richard Breavington, partner at RPC. Measures such as appropriate patching and multi-factor authentication (MFA) are useful in reducing exposure to attacks, he says.
The risk of impact from state-sponsored attacks can be mitigated through defense in depth and by creating and following strict policies and procedures, Price says. Additionally, he recommends protecting sensitive data and implementing endpoint protection and disaster recovery.
It's also important to have effective internal policies in place to manage the risk of a cyber incident, Breavington says. “These should include specific processes to protect against potential human error.”