In 2016, nation-state hacking went mainstream. Previously confined to the shadows, overt cyber-espionage activities spilled over into the political sphere following high-profile attacks at the Democratic National Committee (DNC) and the World Anti-Doping Agency (Wada).
These government-backed hacking teams - from the Russian group APT28 to the PLA-backed Unit 61398 - are well-funded, well-resourced and tactically sophisticated. According to the predictions of multiple cybersecurity firms, their cyberattacks are set to continue in the coming year.
"We've seen an increase in overt Russian aggression in 2016 and we expect that to continue in 2017," said FireEye's 2017 prediction report. "Russia has a well-funded cyber capability and excellent operational security to hide the source of their attacks."
It added: "In addition, the complex relationship between the Russian government and private Russian hackers contributes to the difficulty in attributing attacks to Russia and understanding how their hacking groups operate."
Just prior to the 2016 US presidential election, two Russian-backed groups were implicated in a major hacking attack at the DNC. Dubbed Fancy Bear and Cozy Bear, the groups were described in analysis published by cybersecurity firms as actively working to further the interests of the Vladimir Putin-led government.
Later, the US intelligence community stated publicly that "senior-most officials" in Russia likely had inside knowledge of the cyberattacks. Experts from FireEye acknowledged that attribution remains difficult and said that proving anything with 100% certainty using "non-clandestine means" is hard.
Yet Russia is not the only threat highlighted by cybersecurity experts. Many are marking China as a significant danger - despite the dwindling frequency of its hacks this past year. Some argue that Chinese state-sponsored groups will continue to use cyber-operations to further strategic interests.
In September 2015, after the cyberattack at the Office of Personnel Management (OPM), President Barack Obama and Chinese President Xi Jinping agreed that neither government would "conduct or knowingly support cyber-enabled theft of intellectual property" for economic advantage.
And in many respects, this seems to have greatly reduced the scale of China's attacks against the US government and its related infrastructure. However, according to FireEye, this cyber truce may not last very long.
"We have observed an overall decrease in successful network compromises by China-based groups against organisations in the US and 25 other countries since mid-2014 [but] it remains to be seen what impact these possibly temporary factors will have in China's cyber operation policy," it said.
"Outside the US, nations such as Japan, Australia and South Korea are a consistent focus of targeted Chinese cyber espionage activity," the report added. "This focus will continue and relevant geopolitical events will maintain this threat moving into next year."
Meanwhile, according to Proofpoint, a US-based mobile security firm, the nature of state-sponsored cyberattacks will "expand significantly beyond theft of secrets and industrial espionage" in 2017.
"We expect a resurgence of state-sponsored cyberattacks, and, in particular, sophisticated, stealthy intrusions targeting all branches of the US government from a wide range of countries, including renewed action by relatively quiet Chinese state-sponsored actors," it said.
"With the effectiveness of doxing, data theft, embarrassing disclosures, and disinformation already demonstrated in multiple countries, more governments will attempt to use cyberattacks to steal information and leverage social media and news outlets to create discord and disruption."
Hacks are "already underway"
With the New Year a matter of weeks away, it is inevitable that major hacks are already underway that will not come to light for months, FireEye warned.
"One sobering thought is that the threat activity we expect to hear about in 2017 may be taking place right now, with adversaries already inside many of the systems and networks necessary to be in for them to achieve their mission," the report said.
It added: "We know that most cyber threat actors operate within environments for many months before they are discovered, and in some instances for longer than a year.
"These adversaries are likely moving through networks at this moment and exfiltrating datasets – activity that could continue into next year. Therefore, most of the events that will make headlines in 2017 – and the many that won't – are already underway."