Targeted, state-sponsored e-criminality is back in business.
After several years in which commercially motivated cybercrime has ranked highest in eCrime league tables, the last year has seen a resurgence in targeted, state-sponsored intrusion activity aimed at disrupting political enemies and/or generating currency to support various regimes.
Understanding these events gives visibility into the shifting dynamics of adversary tactics and provides crucial insights into what security teams need to know about an increasingly ominous threat landscape. CrowdStrike’s latest Global Threat Report dives deep into the international web of cyberthreats. These are some of the highlights.
Russia-nexus adversaries continue to wage cyber warfare
Russian state-sponsored attacks have been prevalent in the cyber world for a long time. Various Russia-nexus adversaries have consistently used cyber warfare as a tactic to cause instability and steal information from political enemies. For example, in 2015, Russian-based adversary VOODOO BEAR executed an attack on the Ukrainian power grids, resulting in the loss of heat and light for over 200,000 citizens.
In the past, Russian threat actors would extensively use spear-phishing emails containing malicious documents or links that redirected to malicious infrastructure. However, recent intelligence has revealed that they have begun shifting towards increased use of credential-harvesting tactics, including large-scale scanning techniques and victim-tailored phishing websites. The fundamental goal of these attackers remains credential harvesting to acquire intelligence and primary access into target organizations or individuals. Another technique Russian cybercriminals have recently been deploying is authentication cookie theft to bypass multifactor authentication (MFA) restrictions implemented on target networks. This technique uses existing local network access and has been used to access user accounts in possession of enterprise cloud service privileges.
Challenges from China
Chinese actors have long developed and deployed exploits to facilitate targeted intrusion operations. However, in 2021 there was a significant shift in their preferred exploitation methods. For years, China-nexus actors relied on standard exploits that required user interaction, such as opening malicious documents. But in 2021, they have focused heavily on vulnerabilities in internet-facing devices or services.
Recent intel reveals that Chinese cyber criminals, in 2021, focused significant attention on a series of vulnerabilities in Microsoft Exchange and used them to launch intrusions against multiple enterprises across the globe. China-based threat actors are also continuing to exploit internet-routing products such as VPNs and routers and even software products hosted on internet-facing servers for both infrastructure acquisition and initial access purposes. It’s clear the talent pool continues to flourish within the China hacker community.,
Iran ramps up cyber tactics
Ransomware is one of the biggest security threats to modern enterprises.
Since late 2020, multiple Iranian state-sponsored adversaries have adopted the use of ransomware and "lock-and-leak" operations that have targeted multiple organizations within the U.S., Israel and the greater Middle East and North Africa (MENA) region. Lock-and-leak operations are characterized by criminals using ransomware to encrypt target networks and subsequently leak the victim's information. The data is distributed through dedicated leak sites, social media and chat platforms, which allows these actors to amplify data leaks and conduct multiple operations against target countries.
The use of high-profile lock-and-leak operations, as well as the more subdued but pervasive ransomware activity, provides Iran with an effective capability to disruptively target its rivals in the region and abroad. Given the success of these operations, Iran will likely continue to use disruptive ransomware into 2022.
North Korea’s Crypto
North Korea remains one of the most active threats in the cybercriminal ecosystem. Recent research has revealed that the Democratic People's Republic of Korea (DPRK) has shifted to cryptocurrency-related entities to maintain revenue generation during economic disruptions caused by the COVID pandemic and other sanctions. One of these crypto-related techniques is known as cryptojacking. This is the unauthorized use of a person's or organization's computing resources to mine cryptocurrency. Cryptojacking programs may be malware installed on a victim's computer via phishing, infected websites, or other methods common to malware attacks.
Cryptojacking is particularly effective because cryptocurrency mining requires a considerable amount of computational power and electricity. Therefore, these threat actors can conduct secret malicious crypto mining on other people's systems, allowing them to reap the rewards while incurring none of the expenses.
The new players
This year, intelligence has identified two new government-sponsored adversaries emanating from Turkey and Colombia. The presence of these new adversaries shows the increase in attacking capabilities of governments outside of the ones traditionally associated with cyber operations and highlights that enterprises need to remain vigilant in their cybersecurity.
For example, in April 2021, cybersecurity intelligence experts detected Turkish-based adversaries targeting victim data stored within the Amazon Web Services (AWS) cloud environment. The threat actors managed to compromise the AWS environment via a stolen credential.
It is clear that both old and new adversaries are continuously looking at novel ways to bypass security measures and conduct successful initial infections. This is why it is vital for organizations to stay on top of new threat intelligence and deploy the highest quality cybersecurity solutions that have the capability to protect the enterprise against current or future attacks effectively.
Zeki Turedi is CTO of EMEA at CrowdStrike
The Renaissance Of Nation-State Cybercrime