In an era defined by the rise of AI, deep fakes, and other easily accessible forms of digital deception, cybercriminals increasingly have access to tools that can supercharge more advanced scams.

They’re becoming the preferred cyberattack method for more than just money-hungry scammers, with claims of false riches - now, state-sponsored espionage groups are relying on phishing scams to infiltrate governments and other nationally important organizations.

Article continues below

These Advanced Persistent Threat (APT) groups aren’t looking for money but, as the name suggests, for long-term access to state secrets. The desired outcome of their infiltration campaigns is primarily access to important strategic intelligence and the ability to later disrupt their adversaries from the inside.

And it all starts with a seemingly innocuous link.

Muddying the waters

Espionage-driven phishing isn’t a rare occurrence. Group-IB researchers are actively tracking state-sponsored cyber espionage groups who regularly use phishing as a method to gain access to the government secrets of their adversaries.

These groups use compromised payloads hidden in false communications to gain access to systems, where they hide out and siphon information for as long as they can.

Two such APT groups are codenamed MuddyWater and OilRig. In recent months, MuddyWater conducted a phishing campaign which targeted more than 100 governments and several international organizations, with the goal of gathering geopolitical intelligence across the Middle East and North Africa region.

Emails may seem an innocuous threat in comparison to advanced hacking or ransomware, yet phishing remains one of the most effective routes to forced access. That’s because it relies less on breaking strict digital security paradigms, and more on manipulating human behavior and trust.

These phishing attacks are methodical - they use professional-sounding emails and documents which appear to come from legitimate sources to deliver their payloads - so even well-trained professionals can be deceived.

Don’t believe your eyes…

Assumed legitimacy is a big reason why phishing attacks are successful. APT groups are exploiting all avenues where people’s guards are lowered, such as job applications, event invitations, seminar links, and document sharing requests. It’s a game of illusion.

Attackers have learned that the surest way to bypass defenses - especially in these highly-alert spaces - is to look as real as possible, to ensure that access is given mindlessly, without hesitation. Increasingly, this means that they use familiar logos, sometimes even compromising legitimate applications or software providers.

Emails can originate from real, trusted addresses which have just been compromised, giving no indication of any sign of attack.

When APTs target service providers, the damage can be widespread. In 2021, for example, a US cybersecurity firm found that an attacker had been able to add a malicious modification to SolarWinds Orion products.

This modification allowed them to send administrator-level commands to any affected installation - and approximately 18,000 organizations had downloaded the compromised update.

Phishing attacks are so successful because of the veneer of authenticity they hide behind. And, as they become harder and harder to spot, it’s becoming virtually impossible for victims to trust their own eyes. To stay safe, a strong, layered defense is crucial - but they’re only as strong as the people relying on them.

The supply chain of attacks

Of course, that isn’t to say that government systems aren’t highly-protected. In fact, state-sponsored cyber espionage groups are well aware of the inherent difficulty of breaching a governmental system.

But they don’t have to.

Instead, they look to the supply chain. Every supplier, contractor, and service provider can provide an entry point.

Private companies connected to government agencies, no matter how remotely, can represent a potential backdoor for cyber espionage groups to exploit - hackers use these businesses as a stepping stone to gain access into government systems through advanced phishing attacks.

In this way, the private sector is increasingly becoming an unwitting participant in state-sponsored attacks by adversaries. It raises a vital question - can private companies confidently claim that their cyber defenses are as robust as the strongest link in their supply chain?

If not, they themselves can become the weak link which allows an APT to compromise the entire system.

How to keep safe

When dealing with state sponsored APTs, a strong defense is essential, one that combines active and proactive measures to maintain constant protection.

Cyber hygiene, constant patching, and remaining up-to-date with new techniques being used by threat actors are the basics, but organizations can do more to protect against state-aligned actors by implementing the following:

• Strengthening threat intelligence and monitoring: conduct continuous threat hunts, and subscribe to trusted threat intelligence feeds for information on the most up to date Indicators of Compromise (IOC) and Tactics, Techniques and Procedures (TTPs).
• Enhancing your email and phishing defenses: conduct regular simulations to help staff be prepared and aware, and deploy sandboxing and attachment scanning.
• Implementing endpoint and access controls: enforce MFA across all accounts to prevent unauthorized mailbox access.
• Strengthening your network and infrastructure security: monitor outbound traffic, and restrict the use of remote monitoring and management tools.
• Staying up-to-date: periodically review information on TTPs, and ensure security solutions and systems are kept updated.
• Building a long-term strategic defense: enforce least-privilege principals for all critical systems, deploy behavior-based anomaly detection for accounts and emails, and periodically review your incident response and crisis playbooks.

Stay alert, stay secure

As geopolitical tensions rise globally, apparent legitimacy is no longer a trustworthy marker of digital safety. Attackers increasingly rely on manipulating human trust - the recognition of a logo, a name, or a vendor - to smuggle compromised payloads into secure systems. Safety must therefore start with education.

Spotting the spyware will become harder as cybercriminals evolve. Now, securing the supply chain against state-sponsored espionage groups means ensuring every link within it has the same level of protection, and the same awareness that, today, what you see isn’t always what you can believe.

We've featured the best secure email provider.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Head of International Business Development and Sales of Group-IB.