Introduction

The digital space is the biggest conduit for organizations in every sector to grow, diversify, expand their reach and unlock greater value. The growing number of cyber threats, however, is a serious barrier to that goal. To beat cyber adversaries at their own game, organizations need to understand threat actors' core motivations and methods, and that is the purpose of the comprehensive Hi-Tech Crime Trends Report 2022/2023.

The latest edition of Group-IB's annual report gives security professionals worldwide a detailed analysis of the current threat landscape, backed by the data and insights of our expert security teams and their review of the pivotal events of the past year.

To help organizations stay protected, we have collated the report's essential findings, which can be referenced when building cybersecurity strategies, prioritizing defensive tooling and improving operational frameworks.

Key 2022 Trends: Group-IB tracks unconventional and sophisticated threat activity across the globe

The threat landscape has shifted in many directions and keeps evolving. Over the past year, Group-IB experts have captured insights from multiple sources, including dark web forums, digital channels and underground marketplaces, to identify new and emerging threats. Here are some of the key findings:

State-sponsored attacks slip through the political cracks

The political heat from the Russia-Ukraine conflict was felt within the region and beyond, and it gave state-sponsored groups cause to launch attacks in line with their governments' positions. Several dormant threat groups used the conflict as a jump-off point to resume their activity and carry out a string of disruptive attacks. Read more about how APT groups seized the opportunities that arose from the conflict.

The nature of attacks

  • At least 19 state-sponsored groups conducted attacks related to the conflict and used it as a lure for spear phishing. The threat actors relied on impersonation methods such as domain spoofing and identity theft to target nation-state bodies, government authorities, financial institutions and others.
  • During the crisis, state-sponsored groups deployed at least seven different wipers (WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero and AcidRain) against Ukrainian companies and infrastructure.
  • Hacktivist attacks (attacks driven by a social or political agenda, usually against industries, governments or businesses that do not share the attackers' views) increased considerably. Group-IB experts detected several prominent threat actors (Anonymous, the IT Army of Ukraine, disBalancer and others) targeting Russian organizations, primarily in the government, financial, energy and resource extraction sectors, with DDoS attacks and data leaks. They used Telegram as their primary channel for coordinating efforts, publishing exfiltrated data and distributing attack tools.
  • On the other side, pro-Russia hacktivists such as the group RedBandits diversified their attacks against the Ukrainian government. They also targeted companies in Germany, the UK, Italy, France, Ukraine, Poland, the US and other countries with the aim of leaking sensitive data, which they obtained through initial phishing attacks.

Ransomware was still the most persistent cyber threat in the world

Ransomware operators are becoming increasingly aggressive. Gone are the days when small hacker groups were satisfied with small ransom payments: ransomware is now an industry in its own right, capable of attacking thousands of businesses a year.

Ransomware industry to see continued growth in 2023?

  • Higher ransom demands: until recently, ransom demands in the hundreds of thousands of dollars seemed shocking, but in H2 2021 – H1 2022 they reached tens of millions of dollars. In November 2021, for example, the Hive group attacked the MediaMarkt consumer electronics chain and demanded a ransom of $240 million.
  • Double extortion: ransomware gangs want to inflict more damage on their victims, and double extortion is a step in that direction. The technique combines encrypting the victim's data with the threat of publishing it on a Dedicated Leak Site (DLS). Today, operators usually first publish a small sample to demonstrate the scope of the breach and promise to delete the data once the ransom is paid. There have, however, been cases where links to the stolen files, hosted on servers used by other criminals, remained available even after the demand was met, so payment is no guarantee that the data is gone.
  • Publishing data on DLS: as the number of Dedicated Leak Sites grows, so does the volume of victim data posted. During the analyzed period (H2 2021 – H1 2022), data belonging to 2,886 companies was leaked on DLS, a 22% increase from the 2,371 companies affected in H2 2020 – H1 2021.
  • Affiliate programs (Ransomware-as-a-Service, RaaS): Group-IB found that ransomware gangs are actively recruiting partners for their affiliate programs in order to launch more attacks and open up new attack vectors.
  • Improved Tactics, Techniques and Procedures (TTPs): several new trends were detected, including exploitation of zero-day vulnerabilities, living-off-the-land (LotL) techniques, abuse of external remote services, phishing campaigns run through bots, new malware families and new post-exploitation frameworks.

Ransomware attacks by region, country and industry

North America was the most frequently attacked region during the period under review: 50% of global ransomware attacks in H2 2021 – H1 2022 targeted companies in North America.

Victims of ransomware operators included large fintech and IT companies, and in some cases this led to large-scale supply-chain attacks. Learn more about the regions and industries targeted, the most active threat actors and their low-profile maneuvers.

Initial Access Brokers: better victim scouting, quicker attack initiation

More and more corporate and individual access is being put up for sale on dark web and underground forums, giving attackers a shortcut into a target's network: they find victims faster and skip the first stages of an attack entirely.

  • Dark web forums: access brokers advertised the following types of access: RDP and VPN accounts (which together made up 70% of the access types sold), access to web panels (CMS, cloud solutions, etc.), web shells on compromised servers, access with administrator rights, access to corporate e-mail belonging to top management, FTP servers and web access to RMM tools.
    In the reporting period, access with administrator rights (local administrators in the case of Active Directory) was the most widely offered: it accounted for 47% of all ads in which rights were specified, followed by domain administrator (28%) and standard user rights (23%).
    On underground forums, despite the growing popularity of access credentials, bank card data in text form and stealer logs remained the best sellers.
  • Stealer logs: an increasingly sought-after way into corporate networks is stealer logs. A 'stealer' is a type of malware designed to harvest sensitive information from a victim's device (saved browser credentials, cookies and session data, among other things); stealer logs are the records of what it stole. These logs are sold cheaply or can even be obtained from open sources. The three most popular channels for selling them are underground marketplaces, underground Clouds of Logs* and manual sales. Whoever holds the logs can use them to gain access to corporate networks.

*Clouds of Logs are repositories that give threat actors access to compromised confidential information, usually obtained using stealers.

Employees on the radar of attackers

Social engineering remains one of the most effective techniques available to threat actors, and lately they have been leaning more heavily on old methods such as spear phishing. A telling case study is the 0ktapus phishing campaign, which stole employee identity data and 2FA codes as a stepping stone for supply chain attacks.

The attackers used employees as the entry point for penetrating deeper into a company's network, stealing credentials for internal services and authentication systems and then making them public. The trade in stolen credentials contributes significantly to the underground economy.

Group-IB Threat Intelligence monitors for such data and informs customers when their data emerges in underground stores. For example, during the reporting period we discovered that 1,988 corporate accounts on the elogin.com domain had been put up for sale.
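A minimal version of that kind of monitoring, written here as an added example (not Group-IB's tooling) and covering both the stealer-log trade described above and the exposed-account check: parse a dump in the URL/USER/PASS layout that commodity stealers commonly produce, flag entries tied to an assumed watchlist of corporate domains and Windows domain short names, and flag corporate users whose password also protects a personal account in the same dump. The watchlist, the hosts and every log line are constructed for the example; the domain match is label-aware so a lookalike such as `sso.example-corp.com.evil.example` does not count as a corporate host, and passwords are reduced to a digest before anything is reported.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the "URL / USER / PASS" layout common to commodity
# stealer dumps. Every value here is made up for the example.
SAMPLE_LOG = """\
URL: https://mail.example-corp.com/owa/
USER: j.doe@example-corp.com
PASS: Winter2022!
===============
URL: https://vpn.example-corp.com/remote/login
USER: EXAMPLE-CORP\\jdoe
PASS: Winter2022!
===============
URL: https://shop.example.net/account
USER: jdoe1987@gmail.com
PASS: Winter2022!
===============
URL: https://portal.partner-example.org/sso
USER: jane.doe@example-corp.com
PASS: Spring2023?
===============
URL: https://sso.example-corp.com.evil.example/login
USER: someone@example.org
PASS: unrelated
"""

# Assumed watchlist: the organisation's mail/web domains and the Windows
# (NetBIOS) short names that appear in DOMAIN\user logins.
MONITORED_DOMAINS = {"example-corp.com"}
MONITORED_NETBIOS = {"example-corp"}

_ENTRY_RE = re.compile(
    r"URL:[ \t]*(?P<url>\S+)[ \t]*\n"
    r"USER:[ \t]*(?P<user>[^\n]*?)[ \t]*\n"
    r"PASS:[ \t]*(?P<pw>[^\n]*?)[ \t]*(?:\n|$)"
)


@dataclass(frozen=True)
class Exposure:
    host: str
    user: str
    reasons: tuple
    pw_digest: str  # SHA-256 of the secret; the plaintext never goes into a report


def parse_entries(text):
    """Return (url, user, password) triples from a URL/USER/PASS dump."""
    return [(m["url"], m["user"], m["pw"]) for m in _ENTRY_RE.finditer(text)]


def in_domain(host, domain):
    """Label-aware suffix match: 'a.example.com' is in example.com,
    'example.com.evil.example' is not (a plain substring test would say yes)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify(url, user, domains=MONITORED_DOMAINS, netbios=MONITORED_NETBIOS):
    """Return (host, reasons); reasons is empty when the entry is not ours."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if any(in_domain(host, d) for d in domains):
        reasons.append("corporate host")
    if "@" in user and any(in_domain(user.rsplit("@", 1)[1], d) for d in domains):
        reasons.append("corporate e-mail address")
    if "\\" in user and user.split("\\", 1)[0].lower() in netbios:
        reasons.append("Windows domain account")
    return host, tuple(reasons)


def find_exposures(text, domains=MONITORED_DOMAINS, netbios=MONITORED_NETBIOS):
    """Entries that belong to the organisation, with the reason each matched."""
    hits = []
    for url, user, pw in parse_entries(text):
        host, reasons = classify(url, user, domains, netbios)
        if reasons:
            digest = hashlib.sha256(pw.encode()).hexdigest()
            hits.append(Exposure(host, user, reasons, digest))
    return hits


def reused_on_personal_sites(text, domains=MONITORED_DOMAINS, netbios=MONITORED_NETBIOS):
    """Corporate users whose password also protects a non-corporate account in
    the same dump: a stolen personal login then opens the corporate one too."""
    corp, other = {}, set()
    for url, user, pw in parse_entries(text):
        digest = hashlib.sha256(pw.encode()).hexdigest()
        if classify(url, user, domains, netbios)[1]:
            corp.setdefault(digest, set()).add(user)
        else:
            other.add(digest)
    return sorted(u for d, users in corp.items() if d in other for u in users)


if __name__ == "__main__":
    for e in find_exposures(SAMPLE_LOG):
        print(f"{e.user:32} {e.host:40} {', '.join(e.reasons)}")
    print("password reuse with personal accounts:", reused_on_personal_sites(SAMPLE_LOG))
```

On the constructed dump this flags the OWA, VPN and partner-SSO entries (three exposures), ignores the Gmail login and the lookalike host, and reports both of j.doe's corporate identities as sharing a password with the personal shop account. Real dumps arrive in several layouts (per-browser text files, CSV, JSON), so in practice the parser is the part that changes per stealer family; the matching and reuse logic stays the same.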

Moving away from Cobalt Strike to unknown and hard-to-detect post-exploitation tools

Since the summer of 2022, threat actors (ordinary cybercriminals and nation-state groups alike) have shown a clear inclination towards post-exploitation toolkits other than Cobalt Strike. Group-IB specialists learned that adversaries were looking for alternatives that are less well researched and harder to detect, such as Brute Ratel C4 (BRc4).

Group-IB analysts also noticed that attackers were especially interested in cross-platform, open-source frameworks such as Sliver.

Cybersecurity consequences of the geopolitical situation

This year, the largest number of attacks by nation-state groups took place in the Asia-Pacific region. There was also a considerable increase in the number of nation-state hacking groups operating in support of military operations.

The motive of many nation-state threat actors was to disrupt or disable the target's command and control systems, gather intelligence, or carry out other activities in support of conventional military objectives. Attacks on China, the compromise of the infrastructure of Sunwater (an Australian water supplier), and Iranian state-linked attacks on Albania were among the targeted attacks observed.

Heightened insecurity: threats across industries

Insights reported for the period H2 2021 to H1 2022

Energy Sector
  • Ransomware was the no. 1 threat to the industry
  • 80 ransomware attacks against energy companies were detected
  • Most of the attacks were attributed to the groups Lockbit (18%), Conti (11%), and BlackCat (8%)
  • At least 10 state-sponsored groups were reported to be behind attacks on the sector
  • Initial access market: 45 instances of access to energy companies being sold by threat actors were discovered
Telecommunications
  • State-sponsored attacks were the no. 1 threat to the industry
  • 12 state-sponsored groups (most funded by China) were found active in the telecommunications industry
  • 29 ransomware attacks were detected
  • Most of the attacks were attributed to the groups Lockbit (28%), Conti (14%), and CoomingProject (14%)
  • Initial access market: 53 instances of access to telecommunications companies being sold by threat actors were discovered
IT
  • Microsoft notified 40+ IT companies about hacking attempts
  • 120 ransomware attacks against IT companies were detected
  • Most of the attacks were attributed to the groups Lockbit (28%), Conti (10%), and Clop (8%)
  • Initial access market: 158 instances of access to IT companies being sold by threat actors were discovered
Manufacturing
  • Manufacturers were increasingly targeted by competing companies and countries engaged in corporate espionage
  • 295 ransomware attacks against manufacturing companies were detected
  • Most of the attacks were attributed to the groups Lockbit (29%), Conti (22%), and BlackCat (5%)
  • Initial access market: 136 instances of access to manufacturing companies being sold by threat actors were discovered
Finance
  • The financial sector remained on the radar of both ransomware operators and targeted attackers
  • Attacks against cryptocurrency platforms increased: at least 7 attacks were reported, draining nearly $400 million worth of digital assets
  • ATM malware and logical attacks were down by 82%
  • 181 ransomware attacks against financial companies were detected
  • Most of the attacks were attributed to the groups Lockbit (36%), Conti (14%), and BlackCat (7%)

Concluding thoughts

For security evangelists, leaders and professionals, the Hi-Tech Crime Trends Report 2022/2023 presents a complete picture of the current and forthcoming state of cybercrime. The past year brought an uptick in turbulence, including geopolitical tensions, economic instability, war-related threats and the continued impact of the COVID-19 pandemic, all of which drove threat actors to increase the frequency and severity of their attacks.

With cyber threats among the biggest inhibitors of growth and continuity for organizations, strong measures are needed to cultivate a security-driven mindset and build formidable defenses.

With Group-IB's report, national and international organizations can identify and validate the most pressing threats to their sector, gain a better understanding of the threat landscape, and draw on expert-approved recommendations and practices for averting cybercrime.
