Early last year, the world was slowly waking up to the pandemic that has since disrupted lives. While governments continued to wage a battle against COVID-19 and economies took a beating, a different kind of trouble was brewing online. SolarWinds, a Texas-based IT management software company, was the victim of one of the most elaborate cyber attacks in recent times. Its Orion network-monitoring platform was compromised and malicious code was inserted into its software updates. That code worked as a backdoor into the IT systems of any organisation that installed the tainted update; the attackers then used it to install further malware and spy on those organisations. SolarWinds' filings with the US SEC put the number of Orion customers at more than 33,000, including Fortune 500 companies and several US government agencies.
The news of the SolarWinds hack broke only in December 2020 - the break-in and the subsequent online snooping had gone undetected for months on end, at a particularly vulnerable time when companies and governments were busy managing the COVID-19 situation on the ground. According to the Wall Street Journal, US agencies including the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration and the Treasury, along with organisations such as Microsoft, Cisco, Intel, Deloitte, Kent State University and the California Department of State Hospitals, were affected.
This is a classic case of cyber espionage - hackers who are in for the long haul, committed to stealing data, whose motives go beyond financial gain, and where a nation state sets out to compromise critical infrastructure and data banks. Former US Homeland Security Adviser Tom Bossert wrote in an opinion piece that it would be years before these networks could be made secure again, leaving them wide open for intruders to alter or destroy data, or even impersonate important officials.
As Ashish Thapar, Managing Principal & Head, APJ Region at Verizon Threat Research Advisory Center, says, "These hackers are not looking for smash-and-grab, but are in for long-term gains that far exceed money. These threat actors move slow, hide in the background noise and when they find an opening, they make a move." Thapar is among the several co-authors of Verizon's Cyber Espionage Report (CER), the company's first data-driven publication dedicated to this class of advanced attack, published in November 2020. It was almost as if the writers had a premonition of the events that would be reported a month after launch, but Thapar says they had been working on these findings for months, as incidents like SolarWinds were shockingly common, and it was high time organisations paid heed to these adversaries. "We're seeing a definite shift towards elaborate ploys to compromise organisational data, executed by nation states. The spying has moved from the battlefield to online - this provides anonymity, is low risk, has high returns with minimal investment and offers actors the chance to carry out nefarious activities simultaneously across locations, without the risk of getting caught," says Thapar. The report finds that the time to discovery of espionage breaches ranges from months to years, while the time to containment, once discovered, ranges from hours to weeks. The methodical process employed by threat actors, set against the "plodding response" from cyber defenders, indicates both the complexity of these attacks and the patience of those behind them.
There are countless instances of cyber espionage and state-linked attacks, such as the Equifax data breach in 2017, the JP Morgan data breach in 2014, the Slingshot campaign described by Kaspersky in 2018, the hack of Pakistan's Foreign Ministry website after the Pulwama attack in 2019, and the Bangladesh Bank robbery of 2016. Yet there isn't sufficient awareness within organisations, or even governments, says Thapar. "It is a tough battle to fight - one of the reasons the awareness and consequent action is insufficient is that no one wants to admit that they have been hacked. The consequences of a blame game can be far and wide, and often don't help the problem at hand. Unlike financial hacks like the Bangladesh Bank robbery, which had to be reported for regulatory purposes, other incidents rarely get reported, so awareness is limited."
These attacks are especially common in certain industries: the report identifies the public sector, manufacturing and professional services as the three industries most affected by cyber espionage. Public sector organisations hold large volumes of citizens' data, manufacturers own a great deal of intellectual property, and professional services firms such as law firms hold confidential client data - all prime targets for attackers. Recently, telecom major Singtel was among the victims of the Accellion breach, in which a flaw in Accellion's File Transfer Appliance (FTA) was exploited and the personal and financial data of thousands of customers and employees was compromised. Telecom networks are also the conduits through which attacks on other organisations travel. Given that telecom is critical infrastructure today, telcos have to be particularly watchful of the firmware running on their network equipment. Thapar says that with the advent of 5G, with its low latency and high speeds, safeguards in telecom networks need to be ramped up accordingly.
As far as India is concerned, public sector organisations and manufacturing industries carry plenty of risk. These sectors are adopting digitisation for improved productivity and efficiency, but the flip side is that security measures have not kept pace. "With the advent of AI in manufacturing, pharma, education and healthcare, there is heightened involvement of government agencies to drive these plans. It also means public data risks getting exposed, so cybersecurity measures to safeguard these data reserves must be a top priority for the government." In addition, India's financial services industry has grown rapidly thanks to the rise in digital payments since 2016. The drawback of this progress is the lack of regulatory control over payment intermediaries. For instance, payment provider Juspay reported a breach affecting the data of 35 million accounts, an incident for which Verizon Business is, incidentally, conducting an independent forensic investigation. While the RBI has stated it will launch a full-fledged investigation to determine the vulnerabilities in the IT infrastructure supporting the payments industry, tighter controls need to be in place. Thapar recommends drawing inspiration from laws like the GDPR and the California Consumer Privacy Act, and hopes the Personal Data Protection Bill will address these points.
In the meantime, it's up to companies to ramp up their own countermeasures against threat actors. While machine learning has been applied extensively in the cyber domain to assess and detect threats, it is still early days for advanced AI technologies that can take a more active role in decision making, says Thapar.