Bridewell, a supplier to UK government critical network infrastructure, endorsed the severity of this approach. He said, “It’s like when a device is compromised: the only way to truly be sure there are no remnants or unidentified backdoors is to restore the asset to a known good state. In the physical realm, in particular a data centre, to sweep and verify there is no enduring threat actor / spy presence is much more difficult, and at a state secrets level the required effort to treat or terminate the risk requires a huge amount of effort and cost to bring risks down to an acceptable level.”

While it’s not clear exactly how the data hub had been compromised, Martin Riley, CTO at Bridewell, said, “The main point of entry may have been a VPN, as is common with Chinese actors, but if they have already moved across the environment and escalated privileges, then the impact would be wider.”

Riley noted that when the government said it had discovered another way to protect the data, it was likely that it had patched a vulnerability “after performing incident response to understand the breadth of the breach and how it was initially accessed.”
Organizations can’t ignore the supply chain

Because of the constant threat from state-backed attackers, organizations everywhere need to be on constant alert, said Knapp, adding, “CISOs across government must assume they’re already being targeted, particularly by state-linked advanced persistent threats (APTs). These groups are difficult to detect because they prioritize stealth and long-term access over disruption. This raises key questions around how well organizations detect insider threats and hunt for compromises on edge devices, especially where vendors manage the hardware, making forensics more complex.”

Knapp warned that it was not sufficient to make government infrastructure more secure while ignoring the supply chain. “Even the most secure networks can be breached when attackers exploit users, contractors, or third-party systems to gain a foothold. They often compromise edge devices or exploit misconfigurations to move laterally within environments,” he said. “Remember, state-backed attackers play a long game, embedding themselves within critical networks for months or years,” he said. “Techniques such as Operational Relay Boxes (ORBs) allow them to mask their activity and bypass endpoint detection tools, making attribution extremely difficult.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4074876/government-considered-destroying-its-data-hub-after-decade-long-intrusion.html