Global cybercrime dominated by 50 core groups, CrowdStrike report finds

Reports on under-reported Russian activity

Cybercrime in 2013 was dominated by a core of around 50 active groups, including Russian and Chinese 'threat actors' whose activities are only now coming to light, a report from monitoring firm CrowdStrike has found.

Using an approach that foregrounds the 'threat actors' above the malware itself, the firm divides groups according to whether they are deemed to be motivated primarily by national, political or purely commercial motives.

As CrowdStrike's marketing motto puts it: "you don't have a malware problem, you have an adversary problem."

At first, the categorisation system looks more like a blizzard of inscrutable names, with major cyber-groups including 'Numbered Panda', 'Magic Kitten', 'Energetic Bear' and 'Deadeye Jackal'.

But the underlying system - it calls this methodology the 'cryptonym system' - is much simpler. Nation-state groups from China are always 'pandas', groups tied to politics rather than nation are 'jackals' and professional cybercriminals are always 'spiders'.

The most active groups included the Syrian Electronic Army (SEA) and a range of Chinese groups, but this much was already known. More interestingly, CrowdStrike thinks it has discovered a few that are less well documented, including 'Emissary Panda' and 'Energetic Bear'. As their codenames suggest, the first is a Chinese group and the second Russian.

Emissary Panda appears to be a recently formed group that goes after the high-tech sector, defence firms and embassies in a clutch of target countries, and is a complement to the many other Chinese groups doing the same thing.

More significant perhaps is Energetic Bear, which CrowdStrike believes has been going after energy-sector firms. Hitherto, Russia has been seen as the home of overwhelmingly commercial malware, indeed perhaps as the most active commercial cyber-criminal sector in the world bar none. Energetic Bear suggests that this could be changing as the Russian state takes a leaf out of rival state-backed cyberjacking activities.

Active since at least 2012 in 23 different countries, Energetic Bear looks significant enough to have created 25 versions of one of its preferred Remote Access Trojans (RATs), Havex. Beyond energy firms, targets have included European governments and defence sector firms, engineering firms, and European, US and Asian academics, CrowdStrike said.

The evidence for this group's Russian provenance included malware build times that corresponded to working hours in the country. Whether this means that this group is operating on behalf of the country's Government is impossible to say.

"Whatever the motivation may be, having private groups carry out malicious activity has advantages for nation-states," said CrowdStrike, which listed a major motivation as being plausible deniability.

"We have been tracking this threat actor for several years and the Energetic Bear objectives map to the Russian Federation's use of natural resources as policy tool," said CrowdStrike's vice president of intelligence, Adam Meyers.

What is clear from all this is that cybercrime is becoming a global phenomenon with many more countries likely to see activity from local groups acting as proxies for state subversion in the next year. How the world of diplomacy manages this coming wave of groups remains to be seen.
