Executives must face down state-sponsored hacking groups targeting firmware

State-backed groups have ratcheted up the pressure for cyber security professionals and executives. But that’s not an excuse to cede them the territory.

Michael Marcotte

Published: 12 Feb 2024

The geopolitical landscape is increasingly fractured, and corporations are being sucked into the vortex. Senior executives aren’t just facing down threats from uncoordinated criminals – they’re increasingly the target of cyber attacks from state-backed hacking groups.

For CIOs, this is a very different beast, and they’re chronically underprepared for the looming threat it poses.

They not only need to get ready – they need to be ready for cyber attacks of increasing sophistication and breadth. This new war footing must involve increased cyber security spending across the board, and especially for defending vulnerable corporate firmware, which has been left under-protected for too long.

State-backed hacking groups are nothing new and have been a mainstay in the rogue nation toolshed for decades now. China, Russia, North Korea and Iran have all deployed them regularly against state institutions in the West.

In 2014, Charming Kitten, a group associated with Iran’s Islamic Revolutionary Guard Corps, targeted US and Israeli military personnel. Throughout 2015 and 2016, a group linked to the Russian SVR consistently targeted various US government networks.

By far the most significant of these was by Fancy Bear, a group attached to the GRU, the KGB’s modern-day successor. In 2016, they hacked into the Democratic National Committee (DNC) servers and leaked emails. We’re still reeling from the political turmoil from this today.

CEOs thought that this was beyond their remit. This is the world of spies, geopolitics and statecraft, not accounts, clients and board meetings. They were wrong.

As the geopolitical pressure continues to escalate, whether it’s in Ukraine, Taiwan or the Middle East, corporations are increasingly and rapidly finding themselves the target of sophisticated and coordinated attacks from government hacking groups. No longer are these attacks the sole concern of government bodies.

Last week, even Microsoft discovered an attack from Russian state-sponsored hackers, Nobelium, that successfully spied on its executives for nearly two months.

That’s Microsoft, a multinational firm and decades-long leader in software development with a highly advanced cyber security team. They were completely exposed for two whole months. It’s safe to say then that most companies simply aren’t prepared for this new kind of threat.

The problem is that corporate cyber defence is usually centred around compliance. Employees are told to change their passwords and taught how to spot a phishing email, which is usually enough to prevent unsophisticated attacks from lone-wolf malicious actors.

But now they’re facing groups with the financial and technical heft of a nation-state behind them. Relying on compliance-driven defence here is like preparing for a hurricane by buying an umbrella.

Whilst management makes sure that employees update logins, groups backed by the Chinese or Russian state could have compromised their most fundamental systems, like their firmware.

Compliance-based strategies have left firmware completely exposed. Devices in peripheral offices can be pried open. This provides a trusted domain relationship with which to blend in with normal traffic and pivot to the corporate head office. This completely bypasses defensive systems structured around employee best practice.

This open goal hasn’t gone unnoticed. Late last year, a joint cyber security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), NSA and FBI, detailed attacks made by a cyber group known as BlackTech, backed by the Chinese state. BlackTech modified Cisco routers and installed custom firmware to gain persistent and undetected administrator access.

Executives are operating in a new cyber security landscape, and they’re outgunned. This attack was a warning shot. State-backed groups targeting corporate firmware pose a threat that is orders of magnitude greater than previous cyber security concerns. But how do they close the gap?

The first step is to increase cyber security funding across the board. Poorly funded and understaffed IT teams pose an unacceptable and unnecessary level of risk. These hacking groups have state finances behind them. The first line of defence for corporates needs to be comprehensively resourced cybersecurity teams, staffed by leading technicians.

The second step is to change strategy. Compliance-based tactics are neolithic in the face of AI-powered side-channel, backdoor and cross-site scripting attacks that target firmware. Corporate leaders need to implement pre-emptive strategies that comprehensively protect their systems.

With a healthier budget, CIOs can deploy a range of measures to fortify their firmware. These might include code signing to prevent the installation of tampered firmware, comprehensive network segmentation to minimise the risk posed by a single breach or regular secure boot processes to verify the authenticity of the firmware.

State-backed groups have ratcheted up the pressure for cyber security professionals and executives. But that’s not an excuse to cede them the territory.

Executives need to immediately step up to the challenge and start properly funding cyber security. It’s their fiduciary duty. Their CIOs can then be let off the leash and develop and implement comprehensive firmware defences. These hackers might then be the ones to find themselves struggling under the pressure.

Michael Marcotte is an expert in digital identity, cyber security and business intelligence technology. He pioneered the role of CDO in the enterprise at satellite comms firm EchoStar. Since 2014 he has worked across multiple roles in cyber and venture capital, and cofounded the US’ National Cybersecurity Center (NCC).

Read more on Hackers and cybercrime prevention

How Iranian cyber ops pivoted to target Israel after 7 October attacks