Setting Up a Threat Intelligence Program From Scratch in Plain Language: Part 2

Welcome to the second part in our blog series on setting up a threat intelligence program in plain language. In the first installment, we focused on identifying what you have that you want to protect. Now that we understand what aspects of your business you need to protect, let’s consider from whom you need to protect it. This is the second step in the larger thought exercise of establishing your priority intelligence requirements (that we’ve covered previously here). which will require you develop a solid understanding of what threat groups would want. With that knowledge, you should be able to take the next step of identifying and prioritizing what tactics, techniques, and procedures (TTPs) to invest resources in defending against.

EVERONE Wants Money…

Irrespective of your company’s size, industry, intellectual property, or any other differentiating factors, ALL companies are potential targets of ransomware, data exfiltration, and extortion attacks. As a result, when considering what groups you need to protect yourself against, financially motivated cybercriminals (such as ransomware gangs, Initial Access Brokers, and Infostealers) should be at the top of the list. These groups often get their access most frequently through compromised credentials, phishing, and/or vulnerability exploitations. With this solid base of understanding,  you can start to identify what issue, actors, and TTPs you need to actively track.

…But Things Get More Complicated From There

Now here’s where things get interesting… examining your list of assets you want to protect (e.g., intellectual property, connections to larger companies, placement in the critical infrastructure ecosystem, etc.) through the eyes of nation-state threat actors. This will require some basic research to understand what different countries are focused on. From a general cyberespionage perspective, many countries will be interested in information relating to government policies or economic plans relating to them. Even if you work in a field that isn’t considered critical infrastructure or doesn’t seem to have direct links to critical infrastructure, you may still be a target for bad actors to reach downstream victims. Let’s take a quick look at the four major nation-state threat actors (admittedly from a Western perspective):

1. China: Outside of the usual policy and national security-focused efforts related to cyberespionage, China is relatively transparent with its interests in intellectual property and data theft from private sector organizations (as well as government agencies and NGOs). These interests are outlined clearly in China’s Five-Year Plan - a public document passed by the Chinese parliament outlining the goals of the Chinese Communist Party for the development of the country over the next half-decade. The most recent version was released in 2021 and emphasizes an interest in science and technology, energy, quantum computing, and semiconductors. Additionally, China has actively targeted Western critical infrastructure - seeking to infiltrate organizations and establish a persistent presence that would allow them to disrupt power, water, and other services in the event of a conflict. Western governments have warned that not only is China targeting organizations involved in critical infrastructure sectors directly but also smaller organizations that may provide tangential, important support to those sectors or entities as a point of entry for Chinese infiltration efforts into the larger sector ecosystem.
   
   
2. Iran: Iran has faced extensive economic sanctions from Western countries, which have significantly affected its economy. Iran seeks to acquire advanced technology and intellectual property to circumvent limitations imposed by sanctions and enhance its technological capabilities. Disrupting Western companies’ operations can also cause economic damage and instability, which may undermine its adversaries. Iranian cyber actors continue to target individuals, companies and government entities in the United States using a variety of malicious activity - including ransomware attacks against critical infrastructure, malware, spearphishing, and other social engineering campaigns. For instance, Iran-backed hackers using the persona “CyberAv3ngers” targeted multiple US-based water facilities that operate Unitronics Vision Series programmable logic controllers (PLCs) since November 2023. CyberAv3ngers was behind the breach at a water authority outside of Pittsburgh in November 2023 that prompted workers to temporarily disable the compromised machine and switch to backup tools. Iran has also targeted a wide range of private sector entities globally, primarily based in the Middle East. Targeting companies based in adversarial counties can be a form of both political and economic retaliation, which puts many Western organizations at potential risk in the crossfire.
   
   
3. North Korea: Much of North Korea’s cyber activities stem from an underlying desire to ensure its security at a global level, first and foremost, via its nuclear program. This motivates North Korean (DPRK) actors to conduct financially motivated and disruptive attacks and steal information to generate revenue for the regime to support its weapons program and glean strategic insights. North Korea continues to conduct prolific cryptocurrency heists as well as ransomware attacks against a wide range of targets. These funds are often laundered and used to support North Korea’s cyber activities and weapons programs. North Korean hackers reportedly stole at least $600 million in cryptocurrency last year, around a third of the total value of such heists. In total, researchers believe DPRK-backed attackers stole $2.7 billion worth of crypto since 2017. The US and South Korea reported North Korean hackers are also behind ransomware attacks on critical infrastructure, notably using the Maui and H0lyGh0st ransomwarefamilies last year. More recently, DPRK hackers leveraged custom ransomware and elaborate scams against software companies and defense firms, likely for both intelligence collection and revenue generation. For years, DPRK IT workers posing as non-DPRK nationals have also infiltrated and defrauded hundreds of US companies to contribute millions of dollars of their wages to their weapons program.
   
   
4. Russia: Russian hackers are typically well-resourced and use sophisticated methods to infiltrate and compromise systems and are generally known for their stealth. They conduct a wide range of cyber activity, from phishing attacks and supply chain (like the SolarWinds hack) to credential theft and account compromise and everything in between. These attacks highlight the broad and sophisticated nature of operations carried out by Russian APTs, often involving a combination of technical prowess, social engineering, and strategic planning to achieve their objectives. The Russian government's strategic interests in targeting Western companies are driven by a combination of economic, political, and security motivations. While Russia remains heavily focused on the ongoing war in Ukraine, Russia also targeted countries that provided aid to Ukraine to sow fear and discord, including the US and several European countries. In response to Western sanctions, Russia imposed countersanctions on Western companies to exert economic pressure and protect its domestic industries. Cyberespionage campaigns targeting Western companies, especially those in critical sectors like technology and defense, can provide valuable intelligence. Overall, targeting Western companies serves Russia’s broader strategy of asserting its influence, countering Western pressure, and achieving its geopolitical goals.

Ideally, at the end of this exercise, you’ll have a list of what threat actor groups, or at least categories of threat actors, that could target your organization with cyber attacks. In our next entry in this series, we’ll take a look at how to enumerate the tactics, techniques, and procedures used by these threat actors and the resources you can use to find them.