
The world of cybercrime is gaining a stronger grip on business. Cybercriminals are becoming smarter, using more advanced techniques and attacking more frequently. Many security experts no longer question if a company will be hacked, but when a company will be hacked. In order to get a better picture of the current state of affairs, we spoke to John Shier, Senior Security Advisor at Sophos.

It is clear that cybercriminals are becoming increasingly sophisticated and successful. About ten years ago, they worked very opportunistically, for example by attacking regular consumers via email. Often, thousands of emails would be sent for a ransomware campaign, with the malicious file hidden behind a link or in an attachment. If a victim fell for the trap, the cybercriminals demanded several hundred euros in ransom. It only takes a few dozen victims for them to earn a lot of money.

While such campaigns still happen, the world of cybercriminality is evolving. Today, a successful campaign can generate millions of dollars for the attacker. Entire communities are affected by attacks. The recent hacks on SolarWinds, Microsoft Exchange Server, JBS, Kaseya and Colonial Pipeline all fit into that mould. To highlight an example: the Colonial Pipeline hack took down the entire oil pipeline network of the largest oil transporter on the east coast of the United States. The victim paid out millions, citizens hoarded fuel and fuel prices rose.

Organized cybercrime

Shier confirms that cybercrime as a whole is professionalizing. This is reflected in the relationships between hacker groups. Carrying out an attack and assembling the pieces of the puzzle runs more and more smoothly, and cooperation between hacker groups and cybercriminals can be crucial to that. In practice, this includes scanning corporate networks for exposed Internet services in order to gain a foothold and then resell that access to larger ransomware groups. These groups then carry out sophisticated attacks based on their specialism.

Such collaboration was apparent in the Colonial Pipeline hack, Shier points out. Through an affiliate program, DarkSide (the group behind the campaign) provided hacker tools to cybercriminals. These tools included the payment infrastructure and the code. The ‘affiliates’, or hackers, performed the work for DarkSide as third parties.

Nation-state activities

In addition to organized cybercrime, there are so-called nation-state hacking activities. These groups, often sponsored and assisted by a country, frequently focus on gaining access to systems and information of a nation-state. For example, they target a specific government organization or critical infrastructure for geopolitical reasons. “Nation-state hackers have always been very proficient at gaining initial access and ultimately inflicting damage”, Shier says.

Furthermore, certain governments actively use nation-state hackers once they have gained access to a company or organization in a hostile country. They ask the hackers to obtain highly classified documents, Shier clarifies. A country can use this confidential information to fine-tune its political policies. Because of their resources and expertise, hackers are able to find that kind of information. The nation-states themselves go much further than regular cybercriminals, for example by placing a person inside a large company. That is when it gets really dangerous, because that person then has access to highly confidential information as well as connections back to the country of origin.


Some obvious nation-states practising the latter are Russia, China, Iran and North Korea. While those countries are dominant, Shier argues that cybercriminals can come and operate from any country. As an example, the Sophos Senior Security Advisor cites the NetWalker ransomware attacks, in which a Canadian was arrested for attacks on Americans.

Shier observes a trend among these nation-state hackers. In Shier’s view, these groups are getting better at staying off the radar by disguising themselves as regular cybercriminals. They use the same tooling and tactics, Shier asserts. “By doing so, they try to convey that there is nothing to see and that they are regular cybercriminals.” Detecting nation-states thus becomes more challenging.


According to Shier, the key for companies and people is to be aware of the risks and changing tactics. He isn’t calling for fear, but caution. “There are no companies that are too small. Don’t think that you don’t have anything of interest to a cybercriminal. They are seeking information. If they get into a company that isn’t able to pay millions in ransom, they may find interesting information to resell. Or maybe, in the case of a small company, interesting connections and partners. Such supply chain attacks are happening more and more.”

While the distinction between organized cybercrime and nation-state activities is important, it doesn’t hurt to adopt a mindset in which you consider yourself a target of both camps. Doing so prepares you for both scenarios. Nation-state hackers know exactly what they want to get their hands on and tailor their activities accordingly. Regular cybercriminals, in turn, work more opportunistically and are happy to stumble upon assets that are valuable to someone.

According to Shier, it is important for companies to actively avoid misconceptions. For example, the figures suggest that cybercriminals mainly target Americans. In reality, many attacks take place in Europe too. If a company in our region is hacked, the malicious parties potentially gain access to 27 EU member states. From the perspective of a nation-state hacker, that is an extremely interesting target.


Tip of the iceberg

At the end of the day, most of the attention for cybersecurity isn’t focused on universal risks, but cyberattacks with the greatest impact. “However, at Sophos, we encounter victimized companies ranging from 10 employees to more than 10,000. From all different countries and sectors. Not all attacks reach the public through the media because it’s not always interesting to read about a small furniture store that is victimized.”


In general, only the tip of the iceberg is visible to IT professionals and the general public, Shier states when asked. He is surprised at what exactly the general public does and does not know. Ransomware awareness rose significantly thanks to media reporting on major incidents. As a result, many people anticipate a ransomware attack. However, cybercrime that is not related to ransomware is a different story. There is still plenty of awareness to be gained in areas such as login credential theft and information theft.

Foundation, tooling and collaboration

For companies, Shier has advice on how to combat cybercriminals and nation-state hackers. Much of his advice comes down to building a solid security foundation. Patching systems, backups and a contingency plan all belong to that foundation, Shier says. It is just as important to make the entire organization security-aware so that every employee always acts safely, even outside office hours. This is how Shier envisions the ideal world.

In addition to getting the basics in order, it is important to bring the security strategy up to standard with the right tools. Traditional endpoint security such as antivirus helps, but it should not lead organizations to overlook advanced tools for threat hunting and investigation. If an attacker does manage to get into your organization, action must be taken quickly. Shier also sees zero trust, an approach in which no user is trusted by default, as a development that is making good progress. Zero-trust verification allows organizations to be sure that the right person has access to data and software.

While companies should think carefully about their security strategy in order to respond to organized cybercrime and nation-state activities, the cybersecurity industry as a whole can also do something through collaboration. Sophos is betting on the latter too. It participates in international collaborations that include government agencies and competing security companies. Working together against cybercriminals works best because the participants’ combined insight is invaluable.

In conclusion, we can say that cybercrime is becoming an increasingly dominant part of our daily lives. However, with the right steps, society and business can become more secure. We are curious to see how the battle will unfold in the coming period.
