Group-IB presents cybercrime trends 2018 report urging the market to hunt for threats

Group-IB, an international company that specializes in preventing cyber attacks, introduced a new paradigm of information security at the global CyberCrimeCon18 conference. It is embodied in Group-IB’s annual «Hi-Tech Crime Trends 2018» report, which analyzes global cybercrime trends and forecasts the future targets of state-sponsored hacker groups and financially motivated hackers. Switching the focus from defense to hunting for cybercriminals is now a major trend on the information security market.

Sabotage and Espionage: Major Goals of State-Sponsored Hacker Groups

The focus of innovation and research on the creation of complex malware, as well as on the organisation of multi-layered targeted attacks, has now shifted from financially motivated cybercriminals to state-sponsored threat actors. Their actions are aimed at achieving a long-term presence in critical infrastructure networks for the purpose of sabotage and espionage, targeting companies in the power, nuclear, commercial, water, aviation, and other sectors.

The top 3 countries of origin of the most active state-sponsored hacker groups are China, North Korea and Iran. Espionage also remains a key focus of hacker groups sponsored by the governments of various countries. APAC was the target of most attacks carried out by hackers from multiple countries over the period H2 2017 – H1 2018. 21 different hacker groups were active in the region over the year, which is more than in the USA and Europe combined. Group-IB experts point out a new espionage vector: hacking the home and personal devices of state officials.

Group-IB’s report features about 40 active groups, although their total number is thought to be much higher. Such groups are financed by different governments, including those of North Korea, Pakistan, China, the USA, Russia, Iran, and Ukraine. For some of the hacker groups, the country of origin is yet to be established. In general, newly discovered groups or government campaigns turn out to have been active for some years, remaining unnoticed for a number of reasons. The section of Group-IB’s report dedicated to attacks on critical infrastructure concludes that the region-specific APT (Advanced Persistent Threat) landscape changes constantly, and that hackers tend to use widespread tools, including penetration testing tools, which makes the researchers’ work more difficult. The lack of data about discovered cyberattacks in a specific country or economic sector most likely means that such attacks have not been detected yet, not that there are no attacks.

Financial Sector at Risk

Traditionally, one of the largest sections of the Hi-Tech Crime Trends 2018 report is dedicated to attackers’ tactics and the damage caused to financial institutions. A new hacker group named Silence was exposed in 2018. It is one of the biggest cyber threats to banks globally, along with the MoneyTaker, Lazarus, and Cobalt groups. These hackers are able to compromise a bank, penetrate isolated financial systems, and withdraw money. Three out of the four are Russian-speaking groups.

On average, 1-2 Russian banks are successfully attacked by cybercriminals every month. Average losses are estimated at $2 million (132 million rubles). Group-IB experts have observed that the number of targeted attacks against banks resulting in illicit SWIFT payments has tripled over the reviewed period. The average time required to cash out money stolen via ATMs by means of drops or money mules is as low as 8 minutes.

Group-IB expects that, now that the leaders of Cobalt and Fin7 (Anunak) have been arrested, the remaining members will start forming new hacker groups. The other regions where new cybercrime groups are most likely to arise are Latin America and Asia, with banks being their most probable targets. Group-IB experts forecast numerous misattributions of hacker groups due to their collaboration, use of legitimate tools, and deliberate imitation of each other’s tactics.

Attacks on Banks’ Clients

Credit card fraud remains one of the most dangerous threats to private citizens: failure to use behavioural analytics for transaction validation results not only in direct money losses, but also in the growth of the fraudulent «card shop» industry. Every month, data on about 686,000 compromised bank cards and 1.1 million card dumps is put up for sale in «card shops». The overall value of the carding market over the review period was estimated at $663 million.

The number of threats posed by banking PC Trojans in Russia has been decreasing since 2012. Attacks on private citizens are a thing of the past, while the damage to companies, estimated at $8.3 million (RUR 547 800 000), went down by 12% within the reporting period.

After several years of growth, the market for Android Trojans in Russia has stopped growing, but it continues to gain momentum internationally. The number of daily thefts using Android Trojans in Russia has dropped almost threefold. A decrease in the average amount stolen is also worth noting: last year it was $164 (11,000 RUR), while this year it dropped to $104 (7,000 RUR).

The international market is drastically different: six new PC Trojans were discovered during the analyzed period (IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot), and the source code of five more has been shared or sold.

Web phishing has grown both in Russia and internationally this year. The number of hacker groups creating phishing websites imitating Russian brands went up from 15 to 26. In Russia, the number of successful phishing attacks per day has reached 1,274 (up from 950). The damage from web phishing was estimated at $3.7 million (251 million rubles), which is 6% more than in the previous year.

Globally, unlike in the previous year, the leading phishing groups focused on cloud storage services rather than on the financial sector. The largest number of phishing websites is registered in the USA; they account for 80% of all phishing sites. France is in second place, followed by Germany. According to Group-IB’s report, 73% of all phishing resources fall into one of three categories: cloud storage (28%), finance (26%), and online services (19%).

Crypto Industry: New Markets, Old Threats

Approximately 56% of all money siphoned off from ICOs was stolen through phishing attacks. In 2017 and 2018, hackers turned their attention to attacks on cryptocurrency exchanges. A total of 14 cryptocurrency exchanges were robbed, suffering a combined loss of $882 million. At least five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group; their victims were mainly located in South Korea. Following in their footsteps, the most likely cryptocurrency exchange attackers are Silence, MoneyTaker, and Cobalt. Targeted phishing remains the major vector of attack on corporate networks.

Cryptojacking (hidden mining) became most widespread in 2017–2018. After the launch of Coinhive, a hidden mining software, seven more similar programs have appeared. Group-IB experts predict that the biggest miners may become the target not only of cybercriminals, but also of state-sponsored groups. With the necessary preparation, attackers can gain control over 51% of a network’s mining power and take control of the cryptocurrency. Five successful «51% attacks» were registered in H1 2018, with direct financial losses ranging from $0.55 million to $18 million.

New Hacking Technologies

Last year, cyber security experts were focused on the WannaCry, NotPetya, and BadRabbit epidemics, but at the beginning of 2018 a new global IT security threat emerged involving side-channel attacks and vulnerabilities discovered in microprocessors from different vendors. Group-IB’s report analyses multiple examples, demonstrating the real threat posed by firmware vulnerabilities and their key problem: it is impossible to eliminate all of these vulnerabilities quickly and efficiently just by updating the software or reinstalling the operating system. That is exactly why research activity focused on vulnerability discovery in BIOS/UEFI grows each year, in proportion to the increasing number of such threats used in targeted attacks. Moreover, information about these threats becomes available thanks to leaks, not attack research: currently the market has no solutions that effectively detect such threats.

Today, providers of cybersecurity products offer quite efficient methods of battling malicious programs used to penetrate computer networks. However, no antivirus software can help when the problem is located at the firmware level, at the level of the hardware. First, hardware compromised via an existing vulnerability is harder to detect. Second, this problem is hard to eliminate. The combination of a side-channel attack with firmware vulnerabilities, which allows multiple actions to be performed in the operating system, opens new possibilities to infect devices and remain unnoticed. If a device is compromised in such a way, then reinstalling the operating system or even getting rid of the hard disk will not solve the problem. It does not matter where you are: as soon as you are connected to the Internet, a criminal will have full control of this device.

Dmitry Volkov

Chief Technology Officer and Head of Threat Intelligence at Group-IB

Group-IB experts state that current research dedicated to vulnerability discovery in BIOS/UEFI and the development of working exploits are quite time-consuming and expensive processes: not many hackers are capable of carrying out these attacks, but the situation might change, which would transform the approach to cyber security in the coming years.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against it in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in the Unified Risk Platform include Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.