Global cybercrime dominated by 50 core groups, CrowdStrike report finds

Reports on under-reported Russian activity

Cybercrime in 2013 was dominated by a core of around 50 active groups, including Russian and Chinese 'threat actors' whose activities are only now coming to light, a report from monitoring firm CrowdStrike has found.

Using an approach that foregrounds the 'threat actors' above the malware itself, the firm divides groups according to whether they are deemed to be motivated primarily by national, political or purely commercial interests.

As CrowdStrike's marketing motto puts it: "you don't have a malware problem, you have an adversary problem."

At first, the categorisation system looks more like a blizzard of inscrutable names, with major cyber-groups including 'Numbered Panda', 'Magic Kitten', 'Energetic Bear' and 'Deadeye Jackal'.

But the underlying system - CrowdStrike calls this methodology the 'cryptonym system' - is much simpler. Nation-state groups from China are always 'pandas', groups tied to politics rather than to a nation are 'jackals' and professional cybercriminals are always 'spiders'.

The most active groups included the Syrian Electronic Army (SEA) and a range of Chinese groups, but this much was already known. More interesting, CrowdStrike thinks it has discovered a few that are less well documented, including 'Emissary Panda' and 'Energetic Bear'; as their codenames suggest, the first is a Chinese group and the second Russian.

Emissary Panda appears to be a recently formed group that goes after the high-tech sector, defence firms and embassies in a clutch of target countries, a complement to the many other Chinese groups doing the same thing.

More significant perhaps is Energetic Bear, which CrowdStrike believes has been going after energy-sector firms. Hitherto, Russia has been seen as the home of overwhelmingly commercial malware, indeed perhaps as the most active commercial cyber-criminal sector in the world bar none. Energetic Bear suggests that this could be changing as the Russian state takes a leaf out of rival states' book on state-backed cyberjacking.

Active since at least 2012 in 23 different countries, Energetic Bear looks significant enough to have created 25 versions of one of its preferred Remote Access Trojans (RATs), Havex. Beyond energy firms, targets have included European governments and defence-sector firms, engineering firms, and European, US and Asian academics, CrowdStrike said.

The evidence for this group's Russian provenance included malware build times that corresponded to working hours in the country. Whether this means the group is operating on behalf of the country's government is impossible to say.
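The build-time evidence mentioned above is a standard analyst heuristic: take the compile timestamp from each sample (the PE header's TimeDateStamp, stored as seconds since the Unix epoch in UTC), convert it into the local time of each candidate region, and see which region makes the builds cluster into a weekday working day. The script below is an added illustration of that technique and is not CrowdStrike's tooling or data; the timestamps are constructed, the candidate regions are expressed as fixed UTC offsets (a simplification; a real analysis should use `zoneinfo` so historical DST rules are honoured, and note that Moscow ran on UTC+4 in 2013), and the 09:00 to 18:00 working window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: build timestamps of ten hypothetical samples, already
# converted from PE TimeDateStamp values to UTC. Not real malware data.
SAMPLE_BUILD_TIMES_UTC = [
    "2013-03-04T06:00:00Z",  # Monday
    "2013-03-04T07:30:00Z",  # Monday
    "2013-03-05T08:15:00Z",  # Tuesday
    "2013-03-05T09:00:00Z",  # Tuesday
    "2013-03-06T10:45:00Z",  # Wednesday
    "2013-03-06T11:20:00Z",  # Wednesday
    "2013-03-07T12:00:00Z",  # Thursday
    "2013-03-08T13:30:00Z",  # Friday
    "2013-03-09T10:00:00Z",  # Saturday (weekend outlier)
    "2013-03-12T22:00:00Z",  # Tuesday, late evening UTC (outlier)
]

# Candidate regions as fixed UTC offsets (assumption: simplified, no DST).
# Moscow was on permanent UTC+4 between 2011 and 2014.
CANDIDATE_OFFSETS = {
    "UTC+4 (Moscow, 2011-2014)": 4,
    "UTC+8 (China Standard Time)": 8,
    "UTC+0 (London, winter)": 0,
    "UTC-5 (US Eastern, standard time)": -5,
}


def from_pe_timestamp(stamp: int) -> datetime:
    """Convert a raw PE TimeDateStamp (seconds since epoch) to an aware UTC datetime."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp string into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour_histogram(times_utc, offset_hours: int) -> dict:
    """Count builds per local hour of day for one candidate offset (all days)."""
    tz = timezone(timedelta(hours=offset_hours))
    hist = {}
    for t in times_utc:
        hour = t.astimezone(tz).hour
        hist[hour] = hist.get(hour, 0) + 1
    return hist


def working_hours_fraction(times_utc, offset_hours: int, start: int = 9, end: int = 18) -> float:
    """Fraction of builds that fall on a weekday inside [start, end) local time."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in times_utc:
        local = t.astimezone(tz)
        # weekday() is 0..4 for Monday..Friday; weekend builds never count as a hit
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(times_utc)


def rank_timezones(times_utc, candidates=CANDIDATE_OFFSETS):
    """Rank candidate offsets by how well they explain the builds as working-day activity."""
    scored = [(label, working_hours_fraction(times_utc, off)) for label, off in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def main():
    times = [parse_utc(s) for s in SAMPLE_BUILD_TIMES_UTC]
    for label, score in rank_timezones(times):
        print(f"{label:36s} {score:.2f} of builds inside a weekday working day")
    # Caveat: compile timestamps are attacker-controlled metadata and can be
    # zeroed or forged, so this is supporting evidence, never proof on its own.


if __name__ == "__main__":
    main()
```

Running it ranks the UTC+4 candidate first (0.80 of builds land inside a weekday working day) ahead of UTC+0, UTC+8 and UTC-5. The weekday check matters: the Saturday build is a miss under every offset, and the single late-evening build only looks like office work from a US Eastern clock. As the comment in `main()` notes, timestamps are metadata the author controls, which is why the article's own caution about what the evidence proves is the right reading.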

"Whatever the motivation may be, having private groups carry out malicious activity has advantages for nation-states," said CrowdStrike, which listed a major motivation as being plausible deniability.

"We have been tracking this threat actor for several years and the Energetic Bear objectives map to the Russian Federation's use of natural resources as a policy tool," said CrowdStrike's vice president of intelligence, Adam Meyers.

What is clear from all this is that cybercrime is becoming a global phenomenon with many more countries likely to see activity from local groups acting as proxies for state subversion in the next year. How the world of diplomacy manages this coming wave of groups remains to be seen.

Stories by John E Dunn