Increasingly capable nation-state actors are reshaping the tenor of the cybersecurity landscape, a new analysis has warned, as they look past politically sensitive events like the PyeongChang Olympics and borrow new attack methods and tools from successful cybercriminal gangs.
The recent conclusion by the US, UK and Australia that Russia was responsible for last year’s NotPetya attack highlighted the new normal, in which nation state-affiliated hackers have raised their profile in the overall threat environment.
Other notable revelations – including North Korea’s role in WannaCry, a crypto-mining kit that sends Monero cryptocurrency to North Korea, and the discovery that North Korean spearphishers were targeting cryptocurrency executives – led CrowdStrike analysts to conclude that nation-state hackers “are taking note of what is successful in the eCrime marketplace”.
Writing in the firm’s recently released 2018 Global Threat Report, analysts warned that the “intermingling and cross-pollination” of criminal and nation-state behaviour was creating a more disruptive cybersecurity threat than ever.
“North Korea has been amazingly active,” CrowdStrike vice president of technology strategy Mike Sentonas told CSO Australia. “There are groups within the country that have been motivated for different reasons, and they are largely focused on espionage and generating revenue for the current regime using cryptocurrency attacks. Corporates do need to be aware of this, and do need to take this side of things seriously.”
CrowdStrike’s analysis team identified 16 new threat actors in 2017, raising the total number of identified groups to 95.
Fully 61 percent of attacks detected within the company’s customer environments were malware-based, reflecting a surge in volumes of conventionally-delivered malware as opposed to fileless or other malware-free attacks.
CrowdStrike’s analysis also noted growth in targeting of the hospitality sector over the past year, with cybercriminal gangs being joined by nation-state adversaries in an “unsettling turn” that suggests politically-minded attackers may be tracking individuals as well as working to complete more pedestrian cybercriminal breaches.
The firm’s findings resonate with the work of other threat-intelligence groups. FireEye, for one, recently flagged expanded activity by the North Korea-based APT37 team with a toolset that includes access to zero-day vulnerabilities and wiper malware.
“We assess with high confidence that this activity is carried out on behalf of the North Korean government,” that team concludes, noting malware development artefacts and malware targeting “that aligns with North Korean state interests”.
Symantec, for its part, this week announced new research suggesting that an Iranian group called Chafer has been expanding its operations with “ambitious attacks” against nine new Middle Eastern targets, using a new infection method based on malicious Excel documents, and a trend towards attacks on the supply chain.
Significantly, Symantec warned, Chafer has been increasingly reliant on freely available software tools such as Remcom, Non-sucking Service Manager, GNU HTTPTunnel, UltraVNC and NBTScan.
These changing tactics reflect a growing commitment to continuous improvement on the part of nation-state groups that are borrowing tactics – and patience – from established cybercriminal operations. The result, CrowdStrike’s Sentonas said, has been a rising tide of low-and-slow infections that can leave target organisations exposed for months before they even know they’ve been penetrated.
“Attackers are becoming incredibly resilient in terms of their ability to do different things that will give them greater opportunity of compromising their targets,” he said. “The net result of someone being on your network for several months is that it’s going to be very difficult to understand what an attacker has done to your network in that time. You’re going to have to wipe your machines and rebuild them.”
Shipping giant Maersk, it was recently revealed, had to do just that – replacing 45,000 PCs in 10 days after its operations were devastated by NotPetya in a breach that was estimated to cost the company up to $US300 million ($A384m).