Nation-state actors are increasingly launching cyberattacks on businesses and critical infrastructure. How should your organization prepare?
- Cyberattacks conducted by nation-state actors are a growing threat to mid-market businesses and organizations, as shown by a recent Iranian attack that crippled some of Stryker’s core business and operating systems.
- Nation-state-led cyberattacks pose both a direct and indirect threat to businesses, as an attack can target a business directly or damage its supply chain, vendors or critical infrastructure.
- To reduce the risk to your business, consult with a cybersecurity advisor, do a review of your existing controls, conduct contingency planning and take other steps as needed.
Cybersecurity threats have long been a part of doing business. But driven in part by the ongoing war with Iran, a different class of threat has ramped up: cyberattacks carried out by hostile governments rather than by criminals looking for money.
What’s happening and how should your organization take action to prepare? Keep reading to find out.
How are cyberattacks conducted by nation-state actors different from traditional cybersecurity threats?
The goal of most cyberattacks is to make money for the attacker. For example, a ransomware attack will seek to lock down your systems so you’re forced to pay a ransom if you want to resume normal business operations.
Nation-state-supported cyberattacks have a different goal entirely: disruption. Governments don't launch cyberattacks because they need the money, but to weaken and disorient their geopolitical opponents.
This means that attacks may prioritize damage, including by targeting critical infrastructure or businesses that are deeply embedded in supply chains.
The Stryker attack illustrates the difference between regular and government-led cyberattacks
For example, a hacking group linked to the Iranian government recently hit the medical supply company Stryker. During the first stage of the attack, the hackers gained access to some of Stryker's core systems, just as a ransomware attacker would, by compromising domain-level credentials for Stryker's Microsoft 365 environment.
However, instead of simply locking Stryker employees out of their systems and demanding a ransom, the attackers destroyed critical data. They abused the legitimate administrative functions of Stryker's Microsoft Intune and endpoint management tools to issue remote-wipe commands to between 80,000 and 200,000 laptops and phones.
As a result, the attack caused a severe, global disruption to Stryker's core enterprise IT and operational systems, including its ability to order, manufacture and ship products. Patient-facing medical devices were not impacted.
Critical infrastructure cyberattacks can even threaten fundamental services
In a war, nation-state actors may target even the most fundamental services that you probably take for granted. For example, hackers can seek to shut down utilities like water and power, healthcare facilities, payment systems and telecommunications channels.
Some of these types of attacks would violate laws of armed conflict like the Geneva Conventions, which broadly prohibit striking critical civilian infrastructure. But enforcing those laws is challenging at best.
Given the reduction in Department of Homeland Security funding, companies need heightened vigilance regarding cybersecurity and business continuity preparedness.
Mid-market businesses are both direct and indirect targets for government-led cyberthreats
If you run a mid-sized business or organization, you may assume that you’re too small to attract the attention of hostile government cyberattacks. But that’s a risky assumption to make. Consider that you may be exposed to both direct and indirect cybersecurity risks like:
- Direct attack: Your business may get hit directly by nation-state actors who are trying to cause economic disruption. You may be a lower-profile target, but you are also a softer one than larger competitors with bigger cybersecurity budgets.
- Attack on a critical service vendor: You’re also at risk of ripple effects from an attack on a critical vendor. The Stryker attack specifically targeted Stryker’s Microsoft systems. If hackers shut down the servers that run the cloud-based ERP you use, for example, what would that do to your operations?
- Supply chain disruption: Similarly, if an upstream company in your supply chain is suddenly forced to halt operations to deal with an attack, your ability to get materials or goods could be disrupted as well.
- Broad infrastructure damage: Finally, a major attack on water, power or other critical societal infrastructure is also possible. You can’t do anything to prevent this type of attack from occurring, but you should incorporate the possibility into your planning.
How should mid-market CFOs and COOs protect their organizations against nation-state-led cyberattacks?
Mid-market businesses and organizations, especially those that operate in areas involving critical infrastructure, should prioritize action to bolster their cyber defenses and mitigate risks. Key steps include:
1. Speak with a cybersecurity advisor
The cyberthreat environment is constantly evolving. Unless you already have a large internal cybersecurity team in place, you will likely benefit from an experienced third-party perspective. An advisor can review your existing defenses and controls and then recommend (or even manage) additional security measures when needed.
Look for an advisory firm that understands not just cybersecurity, but your specific industry.
2. Do a baseline security review
With your advisor, take a look at the internal controls you already have in place. These should include locking down identity and administrative access, 24/7 proactive security monitoring, data backups that are kept separate from your network (so that compromised administrative credentials cannot reach them), a tested incident response plan and regular tabletop exercises to practice responding to a cyberattack or other critical incident.
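The Stryker account above, in which an actor holding management-plane privileges issues wipe commands at scale, is the kind of activity that round-the-clock monitoring should catch within minutes, not hours. The following Python is an added example, not code from Wipfli or from the original article. Its input format (JSON lines with time, actor, action and device fields) is a constructed, simplified stand-in for an MDM audit export, not the real Intune audit schema, and the threshold and window values are assumptions to be tuned per environment:

```python
"""Flag bursts of destructive device-management actions in an audit log.

Added illustration. The log format is a constructed, simplified stand-in
for an MDM audit export; field names are assumed, not Intune's real schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one actor issues three wipes in
# under two minutes, plus routine activity from a helpdesk account.
SAMPLE_LOG = """
{"time": "2025-03-01T02:00:05Z", "actor": "admin@corp.example", "action": "wipe", "device": "LT-0001"}
{"time": "2025-03-01T02:00:09Z", "actor": "admin@corp.example", "action": "wipe", "device": "LT-0002"}
{"time": "2025-03-01T02:00:31Z", "actor": "helpdesk@corp.example", "action": "sync", "device": "LT-0400"}
{"time": "2025-03-01T02:01:40Z", "actor": "admin@corp.example", "action": "wipe", "device": "PH-0077"}
{"time": "2025-03-01T09:15:00Z", "actor": "helpdesk@corp.example", "action": "wipe", "device": "LT-0400"}
"""

# Actions that destroy data or remove a device from management.
DESTRUCTIVE_ACTIONS = ("wipe", "retire")


def parse_events(text):
    """Parse JSON-lines audit records and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_wipe_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per actor who issues >= threshold destructive
    actions within a sliding time window.

    A single wipe is normal helpdesk work (lost phone, offboarding); a
    burst from one identity is the signature of a mass-destruction run
    and should page the on-call team immediately.
    """
    recent = defaultdict(deque)  # actor -> recent destructive events
    alerts = []
    alerted = set()
    for ev in events:
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append(ev)
        # Drop events that have fallen out of the window.
        while q and ev["time"] - q[0]["time"] > window:
            q.popleft()
        if len(q) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({
                "actor": ev["actor"],
                "count": len(q),
                "first": q[0]["time"].isoformat(),
                "last": ev["time"].isoformat(),
                "devices": [e["device"] for e in q],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['actor']} issued {alert['count']} destructive "
              f"actions between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['devices'])}")
```

In production this logic would run against the tenant's audit feed as it arrives, and the alert would trigger an automated response such as suspending the offending account's sessions and revoking its management-plane role, since by the time a human reads the page the wipe queue may already be thousands of devices deep.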
3. Assess your cloud vendor controls
The Stryker attack illustrates how a vendor's cloud-based systems can expose your business to an attack. Assess the security controls you have in place around your vendor systems, including administrative access to key platforms like your ERP and CRM.
This could include limiting system access to only those who need it, restricting which accounts hold roles that can issue destructive actions such as a remote wipe, patching exposed services, disabling unnecessary ports and services, and isolating management systems from the rest of your network.
4. Review your insurance policy
Cyber insurance is worth carrying, but review your policy carefully: many carriers include war or hostile-act exclusions, and an attack attributed to a nation-state actor may be treated as an act of war and excluded from coverage.
5. Implement additional controls or contingency planning
Based on your security review, work with your advisor to implement additional controls as needed. Be sure your incident response playbook is up to date and that your team is conducting regular tabletop exercises to stress-test your response capabilities.
Also, do additional contingency planning to prepare for potential supply chain, vendor or critical infrastructure disruptions. How would your business respond if a key supplier or vendor was targeted?
How Wipfli can help
We advise businesses and organizations on cybersecurity, including security reviews, attack simulations and risk mitigation strategies. Let’s talk about how we can make your business and core systems safer. Start a conversation.