The Great Return of Nation-State Cybercrime

After a few years in which "commercial" cybercrime took a large share of the eCrime market, 2021 was marked by a resurgence of operations sponsored by nation states, aimed at harassing political adversaries or even at generating revenue to support their regimes. Understanding these events helps measure the shifting dynamics of adversary tradecraft and gives security teams critical information about an increasingly threatening environment. In the latest edition of its annual Global Threat Report, CrowdStrike takes stock of the cybersecurity landscape at the end of 2021. Here are the key lessons.

Russian threat groups continue their offensive

Russia-backed cyberattacks have dominated cyberspace for some time now. The various groups aligned with Moscow use cyber operations as a tool of destabilization, but also to steal information from their political adversaries. In 2015, for example, the group VOODOO BEAR launched an attack on Ukraine's electricity infrastructure that cut power to more than 200,000 people.

Russian threat groups have long relied on spear phishing, which uses email to deliver infected documents or links pointing to attacker-controlled infrastructure. According to recent reporting, these groups have shifted their approach and now favor credential harvesting, using large-scale scanning or phishing sites tailored to their targets. The main goal remains the same: collect credentials in order to gather intelligence and obtain initial access to the targeted organizations or individuals. Another technique recently adopted by Russian actors, the theft of authentication cookies, sidesteps the multi-factor authentication (MFA) controls placed in front of network access: a cookie taken from an already-authenticated session is replayed, so the attacker never sees the MFA prompt. The technique relies on access to the local network to take over privileged accounts and then reach the victims' cloud services.
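Because a replayed cookie never touches MFA, the MFA logs of a hijacked session look clean; what changes is the context the session is used from. The following detector, added here as an illustration and not taken from CrowdStrike or the report, binds each session to the source address and user agent recorded at MFA completion and scores later requests that break the binding. The JSON-lines log schema, the field names, the sample records and the "known networks" ranges are all constructed for the example.

```python
"""Flag replay of a stolen, already-authenticated web session.

A stolen session cookie lets an attacker skip the MFA prompt entirely, so the
MFA log stays clean. What changes is the context the session is used from: the
same session ID starts arriving from a different source address and browser
than the one that completed MFA. This detector binds every session to the
(source IP, user agent) pair recorded at MFA completion and scores later
requests that break that binding.

The JSON-lines log format, its field names and the sample records below are
constructed for this example; they are not a real product's schema.
"""
import json
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Networks from which roaming within a session is expected (office LAN, VPN
# pool). Hypothetical ranges chosen for the example.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed sample log: one MFA completion binds a session, later requests
# reuse the session ID. Session s3 is used although no MFA completion was logged.
SAMPLE_LOG = """
{"ts":"2021-11-02T08:00:01Z","event":"mfa_success","user":"alice","session_id":"s1","src_ip":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/94.0"}
{"ts":"2021-11-02T08:00:09Z","event":"request","user":"alice","session_id":"s1","src_ip":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/94.0","path":"/mail/inbox"}
{"ts":"2021-11-02T09:12:40Z","event":"request","user":"alice","session_id":"s1","src_ip":"198.51.100.77","user_agent":"Mozilla/5.0 (Windows NT 10.0) Firefox/94.0","path":"/mail/inbox"}
{"ts":"2021-11-02T09:13:02Z","event":"request","user":"alice","session_id":"s1","src_ip":"198.51.100.77","user_agent":"curl/7.79.1","path":"/api/export"}
{"ts":"2021-11-02T08:30:00Z","event":"mfa_success","user":"bob","session_id":"s2","src_ip":"10.20.0.5","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/95.0"}
{"ts":"2021-11-02T10:05:13Z","event":"request","user":"bob","session_id":"s2","src_ip":"10.20.1.9","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/95.0","path":"/files/share"}
{"ts":"2021-11-02T10:40:55Z","event":"request","user":"carol","session_id":"s3","src_ip":"198.51.100.5","user_agent":"python-requests/2.26.0","path":"/admin/users"}
"""


class Binding(NamedTuple):
    user: str
    src_ip: str
    user_agent: str


def parse_events(text: str) -> list:
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_known_network(ip: str) -> bool:
    """True when the address falls inside a network where roaming is expected."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def score_request(binding: Binding, ev: dict):
    """Compare a request with the session's MFA-time binding.

    Returns (severity, reasons), or None when the request matches the binding.
    A user-agent change is the strongest signal: a browser does not change its
    UA string mid-session, but a replayed cookie driven from a tool or a second
    browser does. An address change alone is weaker, because laptops roam
    between office, home and VPN; it is graded medium only when the new address
    lies outside the networks where roaming is expected.
    """
    reasons = []
    if ev["user_agent"] != binding.user_agent:
        reasons.append(f"user agent changed: {binding.user_agent!r} -> {ev['user_agent']!r}")
    if ev["src_ip"] != binding.src_ip:
        reasons.append(f"source address changed: {binding.src_ip} -> {ev['src_ip']}")
    if not reasons:
        return None
    if ev["user_agent"] != binding.user_agent:
        severity = "high"
    elif not in_known_network(ev["src_ip"]):
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


def detect_cookie_replay(events: list) -> list:
    """Bind sessions at MFA completion and flag later requests that break the binding."""
    bindings = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        if ev["event"] == "mfa_success":
            # Bind only at MFA time and never re-bind on later requests; otherwise
            # the attacker's first replayed request would become the new baseline.
            bindings[sid] = Binding(ev["user"], ev["src_ip"], ev["user_agent"])
            continue
        if ev["event"] != "request":
            continue
        binding = bindings.get(sid)
        if binding is None:
            alerts.append({"ts": ev["ts"], "session_id": sid, "user": ev["user"],
                           "severity": "medium",
                           "reasons": ["session used with no MFA completion on record"]})
            continue
        scored = score_request(binding, ev)
        if scored:
            severity, reasons = scored
            alerts.append({"ts": ev["ts"], "session_id": sid, "user": ev["user"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(parse_events(SAMPLE_LOG)):
        print(alert["ts"], alert["session_id"], alert["user"], alert["severity"],
              "; ".join(alert["reasons"]))
```

On the sample data the detector raises four alerts: a medium one when session s1 moves to an unknown address, a high one when the same session is then driven from curl, a low one for bob roaming inside the corporate range, and a medium one for a session that was never seen completing MFA. The useful design point is that the binding is taken once, at MFA time, and deliberately not refreshed on subsequent requests; a detector that re-learned the "normal" context from every request would accept the hijacker's first replay as the new baseline.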

Challenges from China

Over the years, Chinese groups have developed and deployed exploits to carry out targeted intrusion operations. In 2021, however, observers noted a significant change in methodology. After long relying on common techniques that require user interaction, such as opening a malicious document, China-based groups have largely refocused on vulnerabilities in internet-facing devices and services.

Recent reporting shows that Beijing-affiliated actors paid particular attention to a set of vulnerabilities in Microsoft Exchange, which they used in attempts to break into many organizations around the world. Chinese actors also continue to exploit internet-facing products (VPN appliances, routers and other software hosted on web-connected servers), both to obtain initial access and to take control of the underlying infrastructure. This activity demonstrates, if proof were needed, the vitality of this community of attackers.

Iran is gaining momentum

Ransomware is one of the biggest threats to business security today. Since the end of 2020, several Iranian state-sponsored groups have adopted it and launched "lock-and-leak" operations against many organizations in the United States, Israel, the Middle East and North Africa. The attackers use ransomware to "lock" the targeted networks, then "leak" the victims' information. The data is published on dedicated sites, social networks and various instant-messaging platforms, which amplifies the leak and allows information operations to be run against the target countries.

These high-profile operations, together with the more discreet but equally intrusive use of ransomware, give Tehran an effective means of destabilizing rivals in the region and beyond. Given the success of these initiatives, it is a safe bet that Iran will continue to use ransomware in the coming months.

North Korea, land of cryptojacking

The Democratic People's Republic of Korea (DPRK) remains one of the most active state actors in the cybercrime ecosystem. Recent investigations have shown that North Korea has turned to cryptocurrency-related targets to maintain its revenue streams in an economy squeezed by the COVID pandemic and by sanctions. One cryptocurrency-related method is cryptojacking, which consists in mining cryptocurrency (in practice usually Monero, which is designed to be mined on ordinary CPUs, rather than bitcoin, whose mining requires specialised hardware) with computing resources whose owner, whether an individual or a company, is unaware of it. Cryptojacking code can be delivered as malware installed through a phishing attack, through a compromised website, or by another malware infection.

Cryptojacking is a particularly effective weapon because mining consumes electricity and computing power, and here both are paid for by the victim. Threat groups that secretly run mining operations on systems they do not own therefore collect the proceeds at no cost to themselves.
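A miner has to talk to a mining pool, and nearly all pools speak the Stratum protocol: newline-delimited JSON-RPC over TCP, opened by the client with a "login" request (Monero-style pools, as used by XMRig) or a "mining.subscribe" followed by "mining.authorize" (Bitcoin-style pools). That first message, plus the pools' habit of listening on a handful of well-known ports, gives a cheap network-side check that does not depend on recognizing the miner binary. The triage script below is added here as an illustration and is not from the report or from CrowdStrike; its connection-record format, sample payloads, addresses and wallet string are constructed for the example.

```python
"""Spot coin-miner traffic from the first client payload and the destination port.

Cryptojacking malware must reach a mining pool, and almost every pool speaks
Stratum: newline-delimited JSON-RPC over TCP. The miner's first message is a
"login" request (Monero/XMRig-style pools) or "mining.subscribe" then
"mining.authorize" (Bitcoin-style pools), and it usually carries the miner's
name in an "agent" field or parameter. When the connection is TLS-wrapped
(stratum+ssl) the payload is opaque, and only the destination port remains as
a weak hint.

The connection-record format and all sample records are constructed for this
example; host addresses and the wallet string are placeholders.
"""
import json

STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "mining.submit", "submit"}
# Ports many public pools listen on. A port match alone is weak evidence: 4444,
# for example, is also a popular default for unrelated tools.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed sample: the first bytes each client sent on a new TCP connection.
SAMPLE_CONNECTIONS = [
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dport": 3333,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCDEFexamplewallet","pass":"x","agent":"XMRig/6.15.2"}}\n'},
    {"src": "10.0.0.12", "dst": "198.51.100.21", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},   # start of a TLS ClientHello
    {"src": "10.0.0.33", "dst": "203.0.113.9", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.0.0.40", "dst": "203.0.113.77", "dport": 4444,
     "payload": b"\x17\x03\x03\x00\x2a..."},                         # encrypted: port is the only hint
    {"src": "10.0.0.51", "dst": "198.51.100.30", "dport": 3333,
     "payload": b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'},
]


def parse_stratum_request(payload: bytes):
    """Return the JSON-RPC request found in the payload's first line, or None."""
    try:
        first_line = payload.split(b"\n", 1)[0].decode("utf-8")
        msg = json.loads(first_line)
    except (UnicodeDecodeError, ValueError):   # json.JSONDecodeError is a ValueError
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    return msg


def miner_agent(msg: dict):
    """Pull the miner's self-reported name out of a login/subscribe request, if any."""
    params = msg.get("params")
    if isinstance(params, dict):
        return params.get("agent")
    if isinstance(params, list) and params and isinstance(params[0], str):
        return params[0]
    return None


def classify_connection(conn: dict) -> dict:
    """Score one connection. verdict is 'miner', 'suspicious' or 'clean'."""
    indicators = []
    msg = parse_stratum_request(conn["payload"])
    handshake = msg is not None and msg["method"] in STRATUM_METHODS
    if handshake:
        agent = miner_agent(msg)
        indicators.append(f"stratum {msg['method']} handshake"
                          + (f" from agent {agent!r}" if agent else ""))
    if conn["dport"] in COMMON_POOL_PORTS:
        indicators.append(f"destination port {conn['dport']} is a common mining-pool port")
    verdict = "miner" if handshake else ("suspicious" if indicators else "clean")
    return {"src": conn["src"], "dst": f"{conn['dst']}:{conn['dport']}",
            "verdict": verdict, "indicators": indicators}


def triage(connections) -> list:
    """Return only the records that deserve an analyst's attention."""
    return [c for c in map(classify_connection, connections) if c["verdict"] != "clean"]


if __name__ == "__main__":
    for hit in triage(SAMPLE_CONNECTIONS):
        print(hit["src"], "->", hit["dst"], hit["verdict"], "; ".join(hit["indicators"]))
```

On the sample records the first and last connections are classified as miners from their handshake (XMRig and cpuminer respectively), the TLS and HTTP connections are clean, and the encrypted connection to port 4444 is only "suspicious". That last case is the practical caveat: pools increasingly offer TLS, often on port 443, so payload inspection alone misses them, and the network check should be paired with host telemetry such as sustained CPU use by an unexpected process.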

New actors entered the scene

This year, the threat intelligence team identified adversaries backed by two states it had not previously tracked, Turkey and Colombia. The emergence of these new adversaries highlights the growing offensive capabilities of governments not previously associated with cyber operations, and shows that companies must remain constantly vigilant.

In April 2021, analysts observed a Turkey-based group targeting data stored in Amazon Web Services (AWS) after gaining access with a stolen credential.

As these examples show, adversaries, whether established or new, keep devising original ways to circumvent the security measures in place and compromise IT infrastructure. This is why companies must continuously monitor the evolution of these threats, keep themselves informed, and deploy appropriate security controls capable of protecting them against both known and future attacks.

By Zeki Turedi, Technical Director of CrowdStrike in the EMEA region
