Nation-State Hackers and Western Vulnerability
I watched this amazing video from the cybersecurity legend, Mikko Hyppönen: DEF CON 31 War Stories - Living Next Door to Russia - Mikko Hypponen. Although it’s two years old, this type of message from people with such deep insight into the issue doesn’t age. On the contrary, these are insights that should help us better understand the broader context.
What actually captured my attention the most was the inconspicuous Q&A session at the end. During the video, Mikko mentioned one crucial point that we may not fully grasp yet: large-scale ransomware attacks and other similar activities are, or at least until recently were, largely based on “chance”.
What do I mean by this? The principle of such attacks, like that of other “business activities”, is built on standard economic principles: ideally, acquire cheaply and sell with added value. In this case, that means minimizing the cost of the “breach” and then “selling” dearly. This is why massive scans for all available vulnerabilities are performed across the internet, and the vulnerabilities found are subsequently exploited for penetration; you know the rest. These business models essentially allowed for the creation of SaaS platforms for ransomware and the scaling of these criminal activities, following the pattern of “more traditional” business opportunities.
In essence, it’s actually relatively cheap to defend against such attacks. They aren’t targeting you specifically; no one is meticulously focusing on your weaknesses. They’re just passing by, and if all your windows are closed, they move on. They might try to see if one is unlocked, but if not, they try the next house. How little effort is needed to defend yourself, right?
However, the dynamics are changing. Nation-state actors have entered the game in recent years. They have different interests, and their capabilities are not constrained by mundane economic principles. Hacking groups sponsored by states like Russia, China, and Iran focus on their geopolitical interests. These groups are often integrated into official structures within the military or other state agencies. Experts agree that China, for instance, has more than 50,000 people actively involved in cyber warfare programs.
This dynamic naturally has a fundamental impact on the concept of cyber defense. Previously, simply locking the window was enough to give you a high chance of nothing happening. Now, however, you can become a strategic target even if you are, for example, just a supplier of hospital beds in Central Europe. Targeted attacks can take years of preparation before anything visible happens, and they are difficult to defend against, as evidenced by Russian cyber activities at the start of the Russian-Ukrainian conflict.
And now, I circle back to that Q&A part of the video, where an audience member asked why, unlike Russian or Chinese activities, we don’t hear about Western ones. Does this mean they aren’t happening? Or are they so good that we don’t know about them? (The question is raised at in the video, where Mikko Hyppönen explains the difference between Russia/China—who don’t care about being caught—and the West, for whom it would be an embarrassment).
I don’t have the answer. The West currently possesses the best cyber capabilities, which is due to many factors. The West is also a target, and an attractive one. The news that a German state-sponsored hacking group had penetrated a Russian space agency would provoke significantly greater global outrage than the reverse: that a Russian state-sponsored hacking group had penetrated a European space agency. Perhaps this is because the Western world moralizes and sets examples of proper conduct, which in turn ties its hands in this dangerously evolving world.
In closing, I’ll share a personal experience from a security conference. A representative from a European agency, during the final Q&A session, posed a question to the speaker: “How would you recommend we train for offensive hacking operations? Russia and China do it live. How are we supposed to do it?”