In December 2020, the world was rocked by an enormous supply chain attack against software provider SolarWinds, which gave the attackers access to thousands of the company's corporate clients, including several key organizations within the US government and many companies in the private sector. By trojanizing legitimate updates to SolarWinds' Orion product, the attackers were able to gain a foothold in customers' networks, monitor their traffic, and maintain persistence on affected systems and environments. The campaign likely began between March and June 2020, and was not detected until December 2020.
Investigation of the SolarWinds supply chain attack pointed the finger squarely at Russia, and specifically its Foreign Intelligence Service (SVR). The response from Moscow has been predictable: denying any association with the attack and vowing to retaliate against any sanctions imposed by the US, which it deems illegal.
A significant challenge for governments in the aftermath of a cyber attack is not only attributing it to a known actor, which may help in determining that actor's specific objectives and motivations, but also providing a meaningful response. With no clear rules of engagement for dealing with cyber attackers, judgment over what constitutes an appropriate and proportionate response is often debatable, and the choice can have notable consequences for the cyber threat landscape.
Attribution is normally extremely challenging. The confidence with which the FBI, NSA, and CISA attributed the SolarWinds attack to Russia came only after a thorough investigation by multiple government intelligence and security agencies; a response of this magnitude will typically be mounted only in the aftermath of the largest and most serious incidents. For the majority of cyber incidents, understanding who is responsible is incredibly difficult, particularly for companies with limited resources, budgets, and understanding of the cyber threat landscape.
When attempting to work out who may be behind an attack, incident responders typically assess both the indicators of compromise (IoCs) and the attacker tactics, techniques, and procedures (TTPs) observed during the attack. While IoCs are often a good place to start, attacker infrastructure such as IP addresses and domains is cheap to replace and can be rented, proxied, or otherwise set up in a way that obscures the attacker's real identity. Worse, infrastructure can be shared or stolen: Russian state actors (the Turla group, according to a joint NSA and UK NCSC advisory in 2019) have been observed hijacking infrastructure used by Iranian state-sponsored groups, likely to piggyback on the Iranian espionage campaign and attack government and industry organizations while masquerading as attackers from the Islamic Republic. This highlights the complexity of confidently attributing individual attacks, given that attackers clearly place a premium on covering their tracks. A practical check: an IoC match against a known actor should be treated as a lead to be corroborated by TTP overlap and other evidence, not as a conclusion.
Individual attacker TTPs are also becoming harder to distinguish, as the use of 'off the shelf' malware and other commodity tools becomes more widespread, making activity more difficult to attribute to distinct threat actors and groups. The technical gap between cybercriminal groups and nation state actors is also closing. The initial actors behind another supply chain attack, this one affecting software provider Accellion and involving the chaining of four zero-day vulnerabilities in its legacy File Transfer Appliance, are thought to have been FIN11, a cybercriminal group with ties to the Clop ransomware operation. The identification, exploitation, and chaining of four distinct bugs is no mean feat, and from my perspective I don't think I had seen a cybercriminal group conduct an attack with such sophistication and initiative before.
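The two points above, that infrastructure overlap is a weak signal and that commodity tradecraft shared by many groups carries little attribution value, can be made concrete. The following is an added example written for this post, not code from the original article or from the Digital Shadows platform. The actor names are hypothetical, and the actor profiles, infrastructure lists and incident observations are constructed for illustration; the technique IDs are real MITRE ATT&CK identifiers used only as labels. It ranks candidate actors by weighted overlap of observed ATT&CK techniques, down-weighting techniques that appear in every profile, and reports IoC overlap separately so the ambiguity of a shared IP address is visible rather than hidden.

```python
"""Attribution scoring by ATT&CK technique overlap, with IoC overlap shown
separately. Added example; the actor profiles, infrastructure lists and
incident data are CONSTRUCTED and the actor names are hypothetical.
The technique IDs are real MITRE ATT&CK identifiers used only as labels."""
from collections import Counter
from math import log

# Constructed actor profiles: the ATT&CK techniques each hypothetical actor
# has been "seen" using in past reporting.
PROFILES = {
    "ACTOR-A": {"T1195.002", "T1078", "T1071.001", "T1027", "T1566.001"},
    "ACTOR-B": {"T1566.001", "T1059.001", "T1486", "T1027", "T1071.001"},
    "ACTOR-C": {"T1566.001", "T1190", "T1505.003", "T1071.001"},
}

# Constructed infrastructure previously tied to each actor. ACTOR-A and ACTOR-C
# deliberately share an IP, modelling hijacked or rented infrastructure.
INFRA = {
    "ACTOR-A": {"203.0.113.10"},
    "ACTOR-B": {"198.51.100.7", "update-cdn.example"},
    "ACTOR-C": {"203.0.113.10"},
}

# Constructed incident: what the responders actually observed.
OBSERVED_TTPS = {"T1195.002", "T1078", "T1071.001", "T1566.001"}
OBSERVED_IOCS = {"203.0.113.10", "198.18.0.44"}


def technique_weights(profiles):
    """IDF-style weight per technique: tradecraft that every profile shares
    (commodity phishing, HTTPS C2) carries little attribution value; a
    technique seen in a single profile carries the most."""
    n = len(profiles)
    df = Counter(t for techs in profiles.values() for t in techs)
    return {t: log((n + 1) / df[t]) for t in df}


def ttp_score(observed, profile, weights):
    """Weighted Jaccard similarity between observed techniques and a profile.
    Techniques absent from every profile get the maximum weight: they are
    novel, so they count fully against a match."""
    if not observed and not profile:
        return 0.0
    novel = max(weights.values()) if weights else 1.0
    shared = sum(weights.get(t, novel) for t in observed & profile)
    union = sum(weights.get(t, novel) for t in observed | profile)
    return shared / union


def ioc_matches(observed_iocs, infra):
    """Actors whose known infrastructure overlaps the observed indicators.
    Several actors can match the same indicator, which is exactly the
    ambiguity that makes IoC-only attribution weak."""
    return {actor for actor, iocs in infra.items() if observed_iocs & iocs}


def rank_candidates(observed_ttps, observed_iocs, profiles=PROFILES, infra=INFRA):
    """Return (ranked list of (score, actor) by TTP overlap, set of IoC-matched actors)."""
    weights = technique_weights(profiles)
    ranked = sorted(
        ((round(ttp_score(observed_ttps, p, weights), 3), actor) for actor, p in profiles.items()),
        reverse=True,
    )
    return ranked, ioc_matches(observed_iocs, infra)


if __name__ == "__main__":
    ranked, hits = rank_candidates(OBSERVED_TTPS, OBSERVED_IOCS)
    print("IoC overlap (ambiguous on its own):", sorted(hits))
    for score, actor in ranked:
        print(f"{actor}: TTP overlap {score:.2f}")
```

On the constructed data the shared IP implicates both ACTOR-A and ACTOR-C equally, while the weighted technique overlap separates them clearly because the rare techniques (software supply chain compromise, valid accounts) sit only in ACTOR-A's profile and the shared phishing and web-protocol C2 techniques contribute almost nothing. In practice the profiles would come from a maintained threat intelligence library and the weights from a much larger corpus, but the shape of the reasoning is the same.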
Sun Tzu, the famous Chinese military general and strategist, once said, "The supreme art of war is to subdue the enemy without fighting." In the struggle for global influence, cyber attacks can be viewed as a method of securing favorable outcomes on a number of issues. For Chinese state-sponsored actors, targeting computer networks of interest and establishing persistence can provide access to intellectual property and other sensitive data that bolsters their own technological development, which in turn advances China's goal of emerging as the world's biggest economy and a superpower.
Iran and North Korea, commonly thought of as two of the four countries with the most capable and active offensive threat groups, also use cyber attacks, either as a means to exert regional dominance or, in the case of North Korea, to raise funds for the regime. Perhaps the best example of the latter was observed in 2016, when the North Korean APT Lazarus Group stole USD 81 million from Bangladesh Bank through fraudulent SWIFT transfers.
Russia, on the other hand, arguably wields a far more complicated offensive cyber program. On one hand, Russian actors are known to be rather loud and brash, using deliberate disruptive acts such as denial of service (DoS) and other computer network attacks (CNA), which often coincide with Russian military action. This was observed during the 2008 war with Georgia over South Ossetia and Abkhazia, and again against Ukraine in the lead-up to the annexation of Crimea in 2014.
Russian actors have also engaged in several highly advanced espionage and influence campaigns, with debatable motivations. The most obvious place to start is the 2016 US presidential election, in which the Russian state-sponsored group Fancy Bear (APT28) infamously compromised the Democratic National Committee (DNC), wedging a divide in the party by leaking internal emails through WikiLeaks that painted Democratic candidate Hillary Clinton in an unfavorable light. This has been talked about to death, and while I think the actual effect it had on the election is at least debatable, it shows that Russian actors are absolutely interested in sowing discontent and otherwise influencing democratic elections. Similar activity has also been seen in other Western democratic elections, including influence campaigns during the 2020 US election.
The most significant Russian state-sponsored attack of recent years has to be the supply chain attack referenced at the start of this article, which Microsoft President Brad Smith called the 'largest and most sophisticated attack' ever. We went into detail on this attack in a blog back in December; subsequent investigation has demonstrated the ingenuity and huge scale of the operation. Estimates vary, but it is likely that hundreds of organizations' networks were actively compromised by the attackers' follow-on activity, out of the roughly 18,000 customers that installed the trojanized update.
The motivations of these attackers are all different, as are the methods and ramifications of their activity. It’s extremely difficult to provide a meaningful framework for responding to a wide array of attacks, which is also undoubtedly influenced by geopolitics. If an impactful cyber attack was attributed to China, would it elicit the same response from the West as a similar attack conducted by a state sponsored group from Russia, or North Korea? Possibly not.
Although countries make their own assessments of what constitutes an act of war or other hostile action, such decisions are generally shaped by the Law of Armed Conflict (LOAC), drawn from the United Nations Charter, the North Atlantic Treaty, and the Hague and Geneva Conventions. Determining how those laws apply to cyber attacks, however, is extremely difficult. While most attacks do not result in physical harm or damage, some have caused real damage or possible threats to life. The classic example is the Stuxnet worm, which targeted industrial control systems and famously caused substantial damage to Iran's nuclear program by sabotaging uranium enrichment centrifuges. Many have suggested a number of parties could have been responsible, including the US government or Israeli intelligence agencies; somewhat conveniently for the title of this blog, this has never been confirmed with any real conviction.
Recent attacks against critical national infrastructure (CNI) have also shown the potential for a genuine threat to life. In February 2021, an unknown attacker accessed the network of a water treatment plant in Oldsmar, Florida, through remote access software and attempted to interfere with the water supply by raising the sodium hydroxide (lye) dosing setpoint to a dangerous level. Thankfully this was stopped by a combination of the plant's controls and an observant operator who spotted his cursor moving on his screen and reverted the change. Who committed this intrusion, and why, is still not clear.
Attacks against CNI continued on 7 May 2021, when a DarkSide ransomware attack against Colonial Pipeline forced the company to halt pipeline operations, causing significant disruption to fuel supply on the US East Coast. Fuel prices rose, drivers were unable to fill up at many gas stations, and there were reports of panic buying. The incident also had a demonstrable impact on the criminal landscape, with the prominent cybercriminal forums XSS and Exploit banning ransomware-related content. The attack has served as a wake-up call both to the susceptibility of CNI and to the implications of the runaway freight train that ransomware has become over the past 18 months. It also raises the same question: with the attackers likely based in Russia but not associated with the state (not directly, anyway), how can the US respond in any meaningful manner?
In response to the SolarWinds attack, and to Russia's occupation of Crimea and reported election interference, US President Biden placed sanctions on "companies operating in the technology sector of the Russian Federation economy that support Russian Intelligence Services." This was accompanied by the expulsion of 10 Russian diplomats from the US and other broader sanctions.
The actual impact these sanctions will have on Russia, and on other nation states conducting similar malicious activity, is debatable. While the US has to be seen to be actively responding to Russia's activity, it is extremely unlikely that sanctions alone will deter Russia's state-sponsored groups or lower the risk they pose. It could even be argued that the sanctions may produce a spike in activity from Russian cybercriminal and lower-skilled actors. Russian criminal actors are known to be fiercely patriotic, and many Russian ransomware and other criminal groups refuse to target companies based in the Commonwealth of Independent States (CIS), i.e. former Soviet countries (which also conveniently avoids scrutiny from the authorities where they reside). The sanctions could result in opportunistic attacks being conducted as reprisals for what these actors deem a disproportionate response from the US.
Whether sanctions work or not, their use is likely here to stay, not only with the Biden administration but also in Europe. In July 2020, the EU imposed its first cyber sanctions, against six individuals and three entities linked to the WannaCry, Cloud Hopper, and NotPetya incidents. Sanctions are likely to be an increasingly used play within Europe, alongside an escalation in law enforcement activity; in 2021, law enforcement operations have already targeted the Emotet botnet, the criminal groups operating the Egregor and Netwalker ransomware, and the dark web marketplace DarkMarket. I would expect significant effort to bring charges against the operators of the DarkSide ransomware in the aftermath of the Colonial Pipeline incident.
Determining 'why' is often just as important as 'who' in the aftermath of an attack. The Biden administration has realistically gone about as far as it can, and while sanctions are unlikely to significantly reduce the risk from Russian threat actors, they do demonstrate that such attacks will yield a response. In the past month, Biden has also signed an executive order (EO) aimed at strengthening the security of the networks of companies working with the federal government, issued to reduce the likelihood and impact of future attacks.
For private sector companies, in the chaos of incident response I've often found that too much emphasis is placed on determining 'who' rather than finding out why the attack may be occurring, or how. While answering all of these questions is important, and of course they are closely linked, ascertaining the objectives of the attack will often provide a more effective basis for protecting your assets: the adversary's goal tells you which systems and data to defend and which detections to prioritize, whereas a name alone does not. As I highlighted earlier, because of the advanced nature of many of these actors, for companies without significant resources or manpower, determining exactly which actor is targeting you can be an extremely difficult task.
This is where Digital Shadows (now ReliaQuest) can help. We maintain an extensive library of known threat actors, groups, and their respective TTPs. Our team issues daily updates on every external incident you need to know about, along with broader trends in the cyber threat landscape, allowing our clients to stay one step ahead. Recently, our platform has also been enhanced with MITRE ATT&CK tagging of actor profiles and Intel Updates, which makes tracking active campaigns and understanding attribution that much easier. Get a 7-day free trial of our Threat Intelligence library, including MITRE detections and mitigations, or book a demo of the SearchLight (now ReliaQuest GreyMatter Digital Risk Protection) platform for a custom consultation on preventing and protecting against your organization's digital risk.