Dentons US LLP

08/19/2024 | News release | Distributed by Public on 08/19/2024 10:38

Securing the House from state sponsored cyber threats

August 19, 2024

State-sponsored cyber-attackers are emerging as one of the preeminent threats targeting not just individuals, but foreign organisations and governments. From espionage with the intent to steal trade secrets, to influencing elections worldwide, to military/national defence impacts - state-sponsored cyber-attacks are wide reaching and increasing. There is no doubt that information is becoming one of the hottest commodities that attackers can get their hands on - with our digital world being more connected than ever, a breach in one corner of the globe can send tidal waves across the world.

State-sponsored cyber-attackers are continuously and rigorously trying to line up their crosshairs on governments, government agencies and their suppliers across the globe. What can New Zealand businesses do to protect themselves from a state-sponsored cyber-threat? Simple: get the basics right. Protecting yourself from a state-sponsored attack is the same as protecting yourself from a general data breach. The New Zealand government is no exception, as the recent Government Communications Security Bureau ('GCSB') report revealed.

The report comes in time for the presentation by Michael Jagusch, Director of Mission Enablement at the National Cyber Security Centre ('NCSC'), at the Trans-Tasman Business Circle event 'State-Sponsored Cyber Threats: Strategies for CISOs', where he spoke to the work behind the NCSC's new four-year strategy and the current cyber threat landscape, and provided information to help organisations stay ahead of state-sponsored threats.

What is a state-sponsored attack?

A state-sponsored cyber-attack is an event that occurs when a government sponsors or carries out a cyber-attack against another government, or foreign organisation or individual.

An Advanced Persistent Threat ('APT') is a sustained cyber-attack whereby an attacker establishes an undetected presence in a network to steal information over a period of time. A common indicator of a sophisticated APT attack is a phishing email which targets high-level individuals, as was the case for New Zealand in 2021.

The People's Republic of China ('PRC') has been in hot water over the last few years, with authorities from both the UK and the US accusing a hacking group nicknamed 'APT31' of being an arm of the PRC Ministry of State Security. The state-sponsored attackers have reportedly targeted defence contractors, security companies, White House staffers, US senators, British parliamentarians and government officials across the world who have outspokenly criticised Beijing.

New Zealand is no exception - we are the second member of the 'Five Eyes' global intelligence-gathering partnership to explicitly condemn such behaviours, and identify ourselves as the target of a breach by attackers backed by the government of the PRC in 2021.

2021 attack

In March this year (2024), Security Minister Judith Collins and GCSB boss Andrew Clark publicly announced that a state-sponsored cyberattack targeted New Zealand Parliament in 2021, mainly through phishing emails which were found to not have compromised email accounts.

The Government confidently linked the cyber-attack to a PRC state-sponsored group known as Advanced Persistent Threat 40 ('APT40'), who breached parts of the Parliamentary Services' IT systems, which provide IT services to all members of Parliament, and the Parliamentary Counsel Office, where New Zealand's laws are drafted.

The attack targeted the then-co-chairs of the Inter-Parliamentary Alliance on China ('IPAC'), MPs Simon O'Connor and Louisa Wall, as well as Canterbury University professor Anne-Marie Brady, who served as an advisor to IPAC. For context, the IPAC is an international, cross-party alliance of parliamentarians from democratic countries focused on relations with the PRC, and specifically, the Chinese Communist Party.

Report

Complaints from the IPAC, who were not informed of the targeted attack at the time, prompted a review into the practices and processes of the GCSB's cyber security arm, the NCSC, that relate to its incident triage and response function, which focuses on identifying and responding to malicious cyber activity impacting nationally significant organisations or that otherwise has a national level of harm. On 14 June 2024, the GCSB released a report setting out the findings and recommendations of its review, which include:

  • the NCSC developing guidance on training staff to better identify incidents that may have 'wider implications' on New Zealanders;
  • considering engagement with affected individuals and factoring this into the NCSC's response to an incident; and
  • reconfirming the NCSC's approach to briefing the Minister responsible for the GCSB.

Key findings and recommendations

Taking a 'wider' implication view

The report recommends that the NCSC develop guidance for its staff on bringing incidents to the attention of agencies, so that the focus is not only on the "technical" response to cyber security incidents but also on circumstances where the incident may have "wider implications for New Zealand's interests". The report found that the NCSC's current policies, practices and standard operating procedures relating to cyber security incidents focus on understanding and responding to the 'technical' cyber security threat posed by malicious cyber activity. However, any information exchange and co-ordination was reported to occur because of the initiative and experience of NCSC staff rather than being required as part of a clear procedure or practice.

As they say, actions speak louder than words. It is important for organisations to have clear procedures in place when it comes to identifying, triaging and responding to cybersecurity threats at all levels. Identifying a breach and addressing the technical issue is only part of the response issue; effective communication and response plans are vital to controlling the narrative around how an organisation is perceived during and after the incident. If your business has a policy and it is not being followed or isn't understood, it is probably a good indication the policy needs to be updated.

Engagement with individuals

It is understandable that an individual who is being targeted by a state-sponsored cyber-attacker would have an interest in knowing about it so that the individual can protect themselves, their organisation, and even offer information to assist NCSC. The report identified that while NCSC has a range of policies and practices to engage with nationally significant organisations in the event of a cyber security incident, there is a lack of influence for NCSC to engage with the targeted individual directly (as was the case with the IPAC co-chairs in the 2021 attack who were not alerted that they were targeted until right before it was announced to the media).

The report recommends that the NCSC consider engaging with individuals who may be targeted by a foreign state-sponsored cyber actor and that the implications of that activity for affected individuals are factored into the NCSC's response. However, it makes clear that this will be on a case-by-case basis, in which the reasons for engagement must be weighed against the NCSC's capacity and capability to undertake such direct individual engagement.

Guidelines for individuals at increased risk of being targeted

It is easy for an individual to feel helpless if they are a target of a state-sponsored cyber-attack. Being proactive rather than reactive in the event of an inevitable breach can alleviate the feeling of helplessness and replace it with preparedness. The report recommends the NCSC create guidelines for individuals who may be at increased risk of targeting by state-sponsored attackers so that they can easily access such information to protect themselves.

This is especially relevant as the fact that an individual is targeted is unlikely to lift the NCSC's overall categorisation of an incident; an incident would need to affect a large number of individuals or relate to a significant compromise of a high-profile individual (such as a government minister) to result in a higher categorisation, and as set out above, direct engagement with a targeted individual by NCSC is not guaranteed.

Appropriately briefing the Minister

A key takeaway from the 2021 attack is the importance of a coordinated response. While the report acknowledges that it is not always possible to prescribe all of the circumstances in which it may be appropriate for the NCSC to brief the Minister, it does recommend that the NCSC 'reconfirm its approach to briefing the Minister Responsible for the GCSB' and incorporate the Minister's expectations about when incidents should be escalated to her office, as the 'no surprises' rule has previously resulted in incidents flying under the Minister's radar.

Where things might go

The New Zealand Government have condemned China for its attack, with Prime Minister Christopher Luxon indicating New Zealand will increasingly disclose cases of Chinese espionage as part of a strategy to boost awareness in the country about the security threat.

As we reported late last year, the New Zealand Government is merging our Computer Emergency Response Team ('CERT NZ') and the NCSC to create a super-cybersecurity agency dealing with national matters. As noted in the report, the review of the NCSC's processes is related to the processes pre-incorporation with CERT NZ. This integration work will continue for several years and effectively streamline New Zealand's response to cybersecurity threats. The NCSC are also creating their new four-year strategy for assurance and cyber security in New Zealand which will replace the current strategy which expires this year.

Key takeaways for businesses

The report and its recommendations serve as a stern reminder for organisations, especially those who supply technology or other infrastructure services to the Crown and its agencies (as they are likely to have an increased risk of being targeted by state-sponsored groups), to get the basics right.

With our increasing reliance on technology, the chance of a state-sponsored threat or cyber breach is becoming inevitable; however, affected organisations have control over their response, which can make a critical difference to the management of reputational and financial fallout.

Businesses can mitigate risk and protect their sensitive information, whether personal or commercial in nature, by taking proactive measures such as having an incident response plan in place in order to respond quickly and effectively. For information on how to plan and respond to a data breach, read our article 'There's plenty of phish in the sea: How to plan for and respond to a data breach', or better yet, get in touch with one of our experts - contact Hayden Wilson, Campbell Featherstone, or Hayley Miller to find out more.

This article was written by Melissa Tahere, a Solicitor, and Gunes Haksever, a Senior Associate, in our commercial, technology and privacy team.