SMBs are increasingly becoming targets for threat actors because of the complex supply chains they are a part of. Critical infrastructure providers such as utilities, transport companies and emergency services have complex supply chains and usually count several SMBs amongst their suppliers. To protect both their own businesses and their customers, SMBs need to pay closer attention to the security of their IT estates. While critical infrastructure providers typically have well-developed cybersecurity practices, threat actors are counting on the SMBs that supply them to be less prepared. Nation state threat actors in particular are starting to use poorly secured SMBs as a pathway into the critical infrastructure of adversary states.
Why threat actors are targeting critical infrastructure
Critical infrastructure providers are increasingly reliant on Operational Technology (OT) for their operations. This means that it is no longer necessary to gain physical access to their plant and equipment in order to disrupt them. Threat actors can instead target them by attacking their OT systems as a way to cause disruption. This is increasingly becoming a modus operandi adopted by nation states looking for ways to cause disruption and chaos for their adversaries.
Reasons for targeting critical infrastructure include:
- Economic Gain: Attacking critical infrastructure can lead to financial benefits for cybercriminals. They may extort money from the affected organizations or disrupt services to cause economic harm.
- Political or Ideological Motives: Some threat actors target critical infrastructure as a form of protest or to further their political or ideological agendas. This could be motivated by nationalism, terrorism, or other extremist beliefs.
- Espionage: Nation-states or state-sponsored threat actors may target critical infrastructure to gather intelligence or disrupt the operations of rival nations. This could involve stealing sensitive data or sabotaging systems.
- Cyber Warfare: In conflicts between nations, cyber warfare may involve targeting critical infrastructure to weaken an adversary's capabilities. This could include disrupting power grids, transportation networks, communication systems or even critical industry. Perhaps the earliest documented case of a cyber attack being used in this way was the introduction of the Stuxnet worm into the SCADA systems responsible for controlling centrifuges at Iran’s Natanz uranium enrichment facility in 2010. It is alleged that Israeli operatives may have introduced the malware into the Iranian facility in order to disrupt Iran’s attempts to develop nuclear weapons.
- Disruption of Services: Disrupting critical infrastructure can cause chaos, panic, and inconvenience to the population. This could be a goal in itself for certain threat actors, aiming to sow discord or undermine trust in government institutions.
- Supply Chain Attacks: Targeting critical infrastructure can also be a part of a broader supply chain attack aimed at compromising interconnected systems and organizations that support essential services.
- Testing and Training: Some threat actors target critical infrastructure to test their skills or experiment with new attack techniques. This can help them refine their capabilities for future attacks or to sell their expertise to other malicious actors.
How SMBs are becoming a route into critical infrastructure
Many of the goods and services used by larger enterprises, including critical infrastructure providers, are delivered by SMBs. To make these increasingly complex supply chains more efficient, they are becoming digitally integrated. As a result, a vulnerability at an SMB that supplies an organization like an electrical utility could become a route of attack for a threat actor.
Recently the US government disrupted a Russia-linked botnet which was engaged in cyber-espionage by exploiting unpatched Ubiquiti EdgeRouter devices that were still configured with default passwords. Routers from the Ubiquiti EdgeRouter range are very popular with SMBs because of their cost effectiveness and solid performance. Companies that did not properly configure the security of these devices may have unwittingly exposed themselves to attack.
Another route of attack that threat actors are increasingly exploiting against SMBs is the targeting of obsolete network and security devices which are no longer supported by their vendors and which are no longer receiving security updates. SMBs that are sweating IT assets in order to reduce costs are often unknowingly exposing themselves to the vulnerabilities lurking in the old routers and firewalls they are still operating. In one example, the group “Volt Typhoon” was found by the FBI to be exploiting vulnerabilities in obsolete Cisco and Netgear hardware and using these devices as “launchpads” for attacks. By routing their traffic through compromised devices in countries like the USA, nation state sponsored threat actors “launder” their connections, hiding their source IP addresses and ultimately their identities.
How SMBs can defend themselves
To prevent these kinds of attacks it is critical to ensure that all systems and infrastructure receive patches and security updates. To make this possible, all installed hardware and systems need to be under support and receiving security updates from their vendors. Even SMBs need to make technology lifecycle management a conscious part of their IT Service Management.
There are a few critical steps that SMBs must take in order to ensure that their infrastructure remains current and secure:
- Ensure that hardware is supported, and replace end-of-life hardware. This applies not only to network and security gear like routers and firewalls, but also to mobile phones, which are often targeted by threat actors. Similarly, it is important to upgrade and replace software that is end-of-life and no longer receiving updates. This is especially true for operating systems. For Linux distributions like Ubuntu, preference should be given to “Long Term Support” (LTS) releases, which receive patches and security updates for longer periods of time. It is critical to install patches, especially security updates, when they become available. There have been notable cases of organizations failing to install patches from vendors such as Citrix and VMware and being breached as a result. This is not only an issue for SMBs: even large enterprises are being breached as a result of delaying the installation of security updates.
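The lifecycle checks described above (unsupported hardware, non-LTS Ubuntu releases, stale patching) can be turned into a simple inventory review. The following is an added example, not code from the original post or from any vendor; the asset names, support dates and thresholds are constructed for illustration, and the LTS rule encodes the fact that Ubuntu LTS releases are the April (.04) release of even-numbered years.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, List, Tuple
import re

@dataclass
class Asset:
    name: str
    kind: str                                  # e.g. "router", "firewall", "server"
    vendor_support_end: Optional[date]         # None = support status unknown
    os_version: Optional[str] = None           # e.g. "Ubuntu 22.04"
    days_since_last_patch: Optional[int] = None

UBUNTU_RE = re.compile(r"^ubuntu (\d{2})\.(\d{2})$")

def is_ubuntu_lts(version: str) -> bool:
    """Ubuntu LTS releases are the .04 release of even years (20.04, 22.04, 24.04)."""
    m = UBUNTU_RE.match(version.strip().lower())
    if not m:
        return False
    year, month = int(m.group(1)), int(m.group(2))
    return year % 2 == 0 and month == 4

def review_inventory(assets: List[Asset], today: date,
                     warn_days: int = 180, max_patch_age: int = 30) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for assets that need lifecycle action."""
    findings = []
    for a in assets:
        if a.vendor_support_end is None:
            findings.append((a.name, "support status unknown: confirm with vendor"))
        elif a.vendor_support_end < today:
            findings.append((a.name, f"end of support since {a.vendor_support_end}: replace"))
        elif a.vendor_support_end - today <= timedelta(days=warn_days):
            findings.append((a.name, f"support ends {a.vendor_support_end}: plan replacement"))
        if a.os_version and a.os_version.lower().startswith("ubuntu") and not is_ubuntu_lts(a.os_version):
            findings.append((a.name, f"{a.os_version} is not an LTS release: move to LTS"))
        if a.days_since_last_patch is not None and a.days_since_last_patch > max_patch_age:
            findings.append((a.name, f"no patches applied for {a.days_since_last_patch} days"))
    return findings

# Constructed sample inventory: hypothetical names and dates, not real devices.
SAMPLE_INVENTORY = [
    Asset("edge-router-1", "router", date(2023, 1, 31), days_since_last_patch=400),
    Asset("fw-branch", "firewall", date(2025, 3, 1)),
    Asset("web-srv", "server", date(2027, 4, 30), os_version="Ubuntu 23.10", days_since_last_patch=12),
    Asset("app-srv", "server", date(2027, 4, 30), os_version="Ubuntu 22.04", days_since_last_patch=9),
    Asset("old-switch", "switch", None),
]

def sample_report(today: date = date(2024, 11, 1)) -> List[Tuple[str, str]]:
    return review_inventory(SAMPLE_INVENTORY, today)

if __name__ == "__main__":
    for name, issue in sample_report():
        print(f"{name}: {issue}")
```

Running it against the constructed inventory flags the out-of-support router twice (end of support and stale patches), the firewall whose support ends within six months, the non-LTS Ubuntu server and the switch with no known support date, while the fully current server produces no findings.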
While technology lifecycle management is of critical importance, it is also essential to have a means to deal with threats that manage to breach even well-maintained defenses. Detection and response across your entire infrastructure represents an important weapon in your cyber defense arsenal. XDR (Extended Detection and Response) is an example of a key technology in this space, bringing security alerting and threat detection into a single pane of glass and giving you one interface for all your detection and response processes. Even SMBs need to ensure that they have the capability to perform threat detection and response. To address this need, Samurai XDR provides a full detection and response capability at a price point that even small SMBs can afford.
To experience the full capabilities of Samurai XDR without any commitments, begin your Free 30 Day Trial today.