In the second quarter of 2021, companies were fending off each month on average around 5000 malicious events. This represents a jump in blocked attacks of around 30 percent quarter on quarter and an increase of 40 percent in average blocked volume, with companies based in America and Europe, Middle East and Africa defending against twice as much volume compared to Asia Pacific.
Numbers like this are never easy to swallow and remind us that malicious actors are organized and full of intent. While many would assume the attacks are designed to steal money, that is only part of the picture. In May and June, hactivist groups motivated by political ideologies caused problems for government and financial services companies in Brazil and the Middle East.
It also reinforces why the board must ensure as part of its governance structures it gets regular briefings on the threats and understand the motivations, tactics, techniques and procedures being used. In doing so they can formulate a very focused strategy that takes into account their geography and sector so that the company’s most valuable assets are protected.
So what are the main threats every board needs to be aware of today?
Threat actors, who can be a person, group or organization with malicious intent, can be broadly classified into five groups: Nation-State or state-sponsored, organized crime, hacktivists, hackers, and disgruntled insiders and customers.
One thing to note is that there are patterns in behavior, including an overlap between the tactics groups employ, and it’s not uncommon for one group to pose as another to cover up its tracks. This form of deception is often used by nation-state groups which is a good place to start when it comes to analyzing the landscape.
Nation-state actors
Nation-State actors, which could have close links to military or state intelligence services, are some of the most notorious in terms of the vast scale of operation and their ability to influence, disrupt, or politically/economically compromise another nation. Nation-States will run missions in such a way that they can’t be identified so it can be difficult to attribute any single attack to a specific nation. That said there are some hallmarks that can help trace the origins.
There have been numerous headlines over the last five years that point the finger at nations for their interference in presidential voting and referendums. That’s because Nation States use technology as a lever of war, where cyber espionage is the high-tech version of a cold-war craft.
For instance, it’s used to infiltrate leading research facilities, with no concept of borders or regulation. USA, UK, Russia, Iran, China and North Korea are leading nations in terms of capabilities, with Russia and China topping the risk charts. Russia’s motivations revolve around targeting critical infrastructure and using tactics that influence public opinion on a grand scale. China is more involved in espionage and intelligence gathering and out to gain a foothold in the world’s largest corporations and governments.
In contrast, North Korea’s Bureau 121 is geared more towards financially motivated attacks. Iran is also motivated by money, but does not shy away from political actions by targeting dissidents using contractors hired to work on behalf of the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS) or the Islamic Revolutionary Guard Corps (IRGC).
While none of that may be surprising given the regular press reports we see of the origins of successful espionage campaigns. However, what many overlook is that the US is playing them at their own game and is therefore home to the most advanced and sophisticated Nation State actors in the world.
Knock-on effects
The US objectives focus on gathering intel and sustaining defenses against other nation-states. However, they are increasingly involved in targeting of critical infrastructure and political interference. The UK plays a similar role by harnessing diverse talent from around the world to conduct information warfare.
While it’s important to understand this global context, most companies will not encounter Nation State attacks directly unless they are linked to government, financing major infrastructure or are heavily involved in programs that effect society – like the Covid-19 vaccination race.
That said, they may feel the knock-on effects as organized crime groups copy the tactics used. Society and companies are also making the job easier – the more devices we connect to the network at home and work so the more opportunities there are to attack.
Organized crime
Investment in ‘cybercrime-as-a-service’ is growing intensely because it represents a very lucrative revenue stream. Savvy criminals have built entire business models around the strategy, realizing that they can develop advanced tools and services and sell or rent them to other cybercriminals who don’t want the development overheads.
There are four types of services: bulletproof hosting, crimeware-as-a-service, hacking-as-a-service and DDoS-as-a-service.
Bulletproof hosting is a form of infrastructure as a service, which includes virtual private servers, domain hosting and web hosting. Bulletproof hosts turn a blind eye to the activity their services are used for of which illegal gambling, spamming, pornography are typical activities. The platforms are often used to launch cyber-attacks or serve as command and control services for botnets.
Hacking-as-a-service effectively turns hacking skills into a commodity. Hackers for hire will offer to hack into just about anything such as social media accounts, education systems to manipulate grades, or to change bank account balances. But they can do more serious harm with malware and distributed denial of service attacks (DDoS).
That said, DDoS-as-a-service also known as ‘booter’ or ‘stresser’ services, has its own industry. Operators of the service provide professionally designed portals that allow anyone to perform an attack with just a few clicks.
Costing from as little as $9.99 per month for an unlimited number of 5 minutes of attack time at low volume, through to thousands of dollars for unlimited attack time at high volume. In 2017, two young Israelis were caught having earned over $600,000 this way. Their service supported around 150,000 attacks in little more than two years.
Crimeware-as-a-service uses a similar business model, whereby people can rent or buy a ransomware package or a zero-day attack to cause havoc by gaining remote access, running reconnaissance, and stealing sensitive data. Trickbot and Emotet are two very well-known malware platforms offered to malware operators through a paying subscription.
But this is just the tip of the iceberg when it comes to cybercrime. Many criminals are running their own operations for extortion by using ransomware and ransom denial-of-service tactics. Ransomware-as-a-Service (RaaS) affiliates have evolved into using a ‘profit-sharing’ approach where operators pay the affiliates a cut of 30 percent, 40 percent or even 80 percent depending on the service and paid ransom.
In September 2020, there was a proliferation of extortion requests from groups posing as ‘Fancy Bear’, ‘Armada Collective’ and ‘Lazarus Group’. They were behind the renewed interest in Ransom DDoS at the start of 2021 as actors revisited targets, especially in the financial sector, that didn’t pay first time around. And more recently a group posing as ‘Fancy Lazarus’ started hunting for unprotected assets and extorting the owners to pay up or become a public victim through their DDoS weapons.
While these maybe the most famous groups, there are other threat actors who specialize in financial organized crime. They are using tactics to infiltrate organizations and scam them out of substantial sums of money through hard to detect stings. Toyota Subsidiary famously lost $37milllion after employees were duped by criminals posing as a business partner of Toyota Boshoku.
Hackers
This term generally describes someone who is well versed in computer technology and electronics. Not all hackers are malicious – white hat hackers use hacking for ethical reasons and will publish findings on vulnerabilities so companies can address them. The two to be most aware of are black and grey hat hackers.
Black hat hackers will use hacking for criminal activities and have no moral or ethical boundaries. They will access, modify, steal or destroy data and degrade services, and will happily use published findings from white hat hackers for their own gain. Indeed the window between a manufacturer or vendor disclosing a vulnerability and the speed to exploit it is getting very slim. In some cases, we observed less than 24 hours between a manufacturer publishing a patch and malicious activity trying to exploit the vulnerability.
In contrast, grey hat hackers operate slightly differently. They might break the law but aren’t operating maliciously. They seek to identify exploits and vulnerabilities in network systems, with or without permission and will try and get paid for pointing out and fixing the problem. Respectfully dealing with them is generally the best approach.
Hacktivists
Then there are hacktivists who are driven by ideology. While generally considered low-risk threats compared to the types described above, they have what is known as a ‘hive’ mindset they can very quickly galvanize others to join a cause in reaction to an incident and amplify activity to overwhelm a target. #OpsBedil used by DragonForce Malaysia recently gathered momentum very quickly attracting thousands of supporters pretty much overnight. Other famous campaigns include #OpOlympicHacking, #OpKillingBay, #OpISIS and #OpParis which were used by hacktivists to galvanize rebels with a cause around the world.
Disgruntled insiders
While hacktivist have a united cause, disgruntled insiders usually operate alone and act on emotion caused by something that has happened directly to them. With access already available to them, an employee who believes they are the victim of malpractice might intentionally sabotage operations, expose secrets or attempt theft or fraud. It’s difficult to mitigate against this threat but it does need to be taken seriously and everyone needs to be able to spot the warning signs. It’s not unthinkable for one person to bring an entire company down either operationally or reputationally.
Why does this matter?
Every company will have a different risk profile related to the sector it operates in, the size of the company, the geographic and sociological environment, products offered and customers targeted. At the moment healthcare, financial services and the tech sector are most at risk of attack because of the world they operate in. However, government agencies, ISPs, utilities, food suppliers and e-commerce sites through to gambling and gaming service providers have all had their fair share of attacks through the pandemic reminding everyone, no company is immune.
What’s important to note at board level, is that the threats can change quickly based on social and geopolitical tensions and so it’s important to keep on top of the latest developments and reappraise the level of exposure the company has. In doing so, it’s a little easier to determine the best strategy for detecting unusual behavior and dealing with it and ensuring the right blend of cyber-skills and technology is in place.
Pascall Geenens, director of threat intelligence, Radware
