In the last few months the cyber security community has witnessed the rise of new organized hacktivist groups, spurred on by the innovations pioneered by nation-states. Pascal Geenens, director of threat intelligence at Radware, provides the lowdown.
In the second quarter of 2021, companies fended off, on average, around 5,000 malicious events per month. Compared to the second quarter of 2020, this represents a jump of around 30 percent in blocked attacks and an increase of more than 40 percent in average blocked volume. Companies based in the Americas and in Europe, the Middle East and Africa had to defend against twice as much volume as those in Asia Pacific.
Numbers like this are never easy to swallow and remind us that malicious actors are organized and full of intent. While many would assume the attacks are designed to steal money, that is only part of the picture. In May and June, hacktivist groups motivated by political ideologies caused problems for government and financial services companies in Brazil and the Middle East.
It also reinforces why corporate boards must ensure as part of their governance structures that they get regular briefings on the threats and understand the motivations, tactics, techniques and procedures being used. In doing so, they can formulate a very focused strategy that takes into account their geography and sector so that the company’s most valuable assets are protected.
So, what are the main threats every board needs to be aware of today?
Threat actors, whether a person, a group or an organization with malicious intent, can be broadly classified into five groups: nation-state or state-sponsored actors, organized crime, hacktivists, hackers, and disgruntled insiders and customers.
One thing to note is that there are patterns in behavior, including overlap between the tactics the groups employ, and it is not uncommon for one group to pose as another to cover its tracks. This form of deception is often used by nation-state groups, which makes them a good place to start when analyzing the landscape.
Nation-state or state-sponsored
Nation-state actors, which may have close links to military or state intelligence services, are some of the most notorious in terms of the vast scale of their operations and their ability to influence, disrupt, or politically and economically compromise another nation. Nation-states run missions in such a way that they cannot be identified, so it can be difficult to attribute any single attack to a specific nation. That said, there are some hallmarks that can help trace the origins.
There have been numerous headlines over the last five years pointing the finger at nations for interference in presidential elections and referendums. That is because nation-states use technology as a lever of war, where cyber espionage is the high-tech version of a cold-war craft.
For instance, espionage is used to infiltrate leading research facilities, with no concept of borders or regulation. The USA, UK, Russia, Iran, China and North Korea are the leading nations in cyberwarfare capability, with Russia and China topping most nations' risk charts. Russia's motivations revolve around targeting critical infrastructure and using tactics that influence public opinion on a grand scale. China is more involved in espionage and intelligence gathering and is out to gain a foothold in the world's largest corporations and governments.
In contrast, North Korea’s Bureau 121 is geared more towards financially motivated attacks. Iran is also motivated by money but does not shy away from political actions by targeting dissidents using contractors hired to work on behalf of the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS) or the Islamic Revolutionary Guard Corps (IRGC).
The actions of these nations may be unsurprising to observers, given the regular press reports on the origins of successful espionage campaigns. However, what many overlook is that the US is home to some of the most advanced and sophisticated nation-state actors in the world. The Office of Tailored Access Operations is a cyber warfare unit of the US National Security Agency that focuses on gathering intelligence and sustaining defenses against other nation-states.
On the other hand, US Cyber Command, initially created for defensive purposes, is increasingly viewed as an offensive force. Its primary objectives consist of espionage and the targeting of critical infrastructure. The UK plays a similar role, harnessing diverse talent from around the world to conduct information warfare.
While it is important to understand this global context, most companies will not encounter nation-state attacks directly unless they are linked to government, are financing major infrastructure, or are heavily involved in programs that affect society, such as the Covid-19 vaccination race.
That said, they may feel the knock-on effects as organized crime groups copy the tactics used. Society and companies are also making the job easier: the more devices we connect to the network at home and at work, the more opportunities there are to attack.
Organized crime
Investment in ‘cybercrime-as-a-service’ is growing intensely because it represents a very lucrative revenue stream. Savvy criminals have built entire business models around the strategy, realizing that they can develop advanced tools and services and sell or rent them to other cybercriminals who don’t want the development overheads.
There are four types of services: bulletproof hosting, crimeware-as-a-service, hacking-as-a-service and DDoS-as-a-service.
Bulletproof hosting is a form of infrastructure-as-a-service that includes virtual private servers, domain hosting and web hosting. Bulletproof hosts turn a blind eye to the activity their services are used for; illegal gambling, spamming and pornography are typical. The platforms are often used to launch cyber-attacks or to serve as command-and-control infrastructure for botnets.
Hacking-as-a-service effectively turns hacking skills into a commodity. Hackers for hire will offer to break into just about anything: social media accounts, education systems to manipulate grades, or bank accounts to change balances. They can do more serious harm with malware and distributed denial of service (DDoS) attacks.
DDoS-as-a-service, also known as ‘booter’ or ‘stresser’ services, has become an industry of its own. Operators provide professionally designed portals that allow anyone to launch an attack with just a few clicks.
The costs run from as little as $9.99 per month for an unlimited number of five-minute attacks at low volume, through to thousands of dollars for unlimited attack time at high volume. In 2017, two young Israelis were caught having earned over $600,000 this way. Their service supported around 150,000 attacks in little more than two years.
Crimeware-as-a-service uses a similar business model, whereby people can rent or buy a ransomware package or a zero-day attack to cause havoc by gaining remote access, running reconnaissance, and stealing sensitive data. Trickbot and Emotet are two very well-known malware platforms offered to malware operators through a paying subscription.
But this is just the tip of the iceberg when it comes to cybercrime. Many criminals run their own extortion operations using ransomware and ransom denial-of-service tactics. Ransomware-as-a-Service (RaaS) has evolved into a ‘profit-sharing’ model in which operators pay affiliates a cut of 30 percent, 40 percent or even 80 percent of the ransom, depending on the service and the amount paid.
In September 2020, there was a proliferation of extortion demands from groups posing as ‘Fancy Bear’, ‘Armada Collective’ and ‘Lazarus Group’. The same actors were behind the renewed interest in ransom DDoS at the start of 2021, when they revisited targets, especially in the financial sector, that had not paid the first time around. More recently, a group posing as ‘Fancy Lazarus’ started hunting for unprotected assets and extorting their owners to pay up or become a public victim of their DDoS attacks.
While these may be the most famous groups, there are other threat actors who specialize in financially motivated organized crime. They use tactics that infiltrate organizations and scam them out of substantial sums of money through hard-to-detect stings. A Toyota subsidiary, Toyota Boshoku, famously lost $37 million after employees were duped by criminals posing as a business partner.
Hackers
This term generally describes someone who is well versed in computer technology and electronics. Not all hackers are malicious: white hat hackers hack for ethical reasons and publish their vulnerability findings so that companies can address them. The two to be most aware of are black hat and grey hat hackers.
Black hat hackers use hacking for criminal activities and have no moral or ethical boundaries. They will access, modify, steal or destroy data and degrade services, and will happily use published findings from white hat hackers for their own gain. Indeed, the window between a manufacturer or vendor disclosing a vulnerability and its exploitation in the wild is getting very slim. In some cases, we observed less than 24 hours between a manufacturer publishing a patch and malicious activity attempting to exploit the vulnerability.
In contrast, grey hat hackers operate slightly differently. They might break the law but are not acting maliciously. They seek to identify exploits and vulnerabilities in network systems, with or without permission, and will try to get paid for pointing out and fixing the problem. Dealing with them respectfully is generally the best approach.
Then there are hacktivists, who are driven by ideology. While generally considered low-risk compared to the threats described above, they have what is known as a ‘hive’ mindset: they can very quickly galvanize others to join a cause in reaction to an incident and amplify activity to overwhelm a target. #OpsBedil, used by DragonForce Malaysia, recently gathered momentum very quickly, attracting thousands of supporters practically overnight. Other famous campaigns include #OpOlympicHacking, #OpKillingBay, #OpISIS and #OpParis, which hacktivists used to galvanize rebels with a cause around the world.
While hacktivists have a united cause, disgruntled insiders usually operate alone and act on emotion caused by something that has happened directly to them. With access already available to them, an employee who believes they are the victim of malpractice might intentionally sabotage operations, expose secrets or attempt theft or fraud. This threat is difficult to mitigate, but it needs to be taken seriously and everyone needs to be able to spot the warning signs. It is not unthinkable for one person to bring an entire company down, either operationally or reputationally.
Why does this matter?
Every company has a different risk profile, depending on the sector it operates in, its size, its geographic and sociological environment, the products it offers and the customers it targets. At the moment, healthcare, financial services and the tech sector are most at risk of attack because of the world they operate in. However, government agencies, ISPs, utilities, food suppliers and e-commerce sites, through to gambling and gaming service providers, have all had their fair share of attacks during the pandemic, reminding everyone that no company is immune.
What is important to note at board level is that the threats can change quickly based on social and geopolitical tensions. That is why it is important to keep on top of the latest developments and reappraise the company's level of exposure. In doing so, it becomes a little easier to determine the best strategy for detecting unusual behavior and dealing with it, as well as ensuring the right blend of cyber skills and technology is in place.
Pascal Geenens, Director, Threat Intelligence, Radware