Group-IB, an international company that specializes in preventing cyber attacks, introduced a new paradigm of information security at the global CyberCrimeCon18 conference. It is embodied in Group-IB’s annual «Hi-Tech Crime Trends 2018» report, which analyzes global cybercrime trends and provides a forecast of the future targets of state-sponsored hacker groups and financially motivated hackers. Switching the focus from defense to hunting for cybercriminals is now a major trend in the information security market.
Sabotage and Espionage: Major Goals of State Sponsored Hacker Groups
The focus of innovations and research on the creation of complex malware, as well as organisation of multi-layered targeted attacks, has now shifted from financially motivated cybercriminals to state-sponsored threat actors. Their actions are aimed at achieving long-term presence in the critical infrastructure’s networks with the purpose of sabotage and espionage targeting companies in the power, nuclear, commercial, water, aviation, and other sectors.
The top 3 countries of origin of the most active state-sponsored hacker groups are China, North Korea and Iran. Espionage also remains a key focus of hacker groups sponsored by the governments of different countries. APAC has been the target of most attacks carried out by hackers from multiple countries over the period of H2 2017 — H1 2018. 21 different hacker groups have been active in the region over the year, which is more than in the USA and Europe combined. The Group-IB experts point out a new espionage vector: hacking home and personal devices belonging to state officials.
Group-IB’s report features about 40 active groups; however, their total number is thought to be much higher. Such groups are financed by different governments, such as North Korea, Pakistan, China, USA, Russia, Iran, and Ukraine. For some of the hacker groups, the country of origin is yet to be established. In general, newly discovered groups or government campaigns turn out to have been active for some years, remaining unnoticed for a number of reasons. The section of Group-IB’s report dedicated to attacks on critical infrastructure concludes: each region’s specific APT (Advanced Persistent Threat) landscape changes constantly, and hackers tend to use widely available tools, including penetration testing tools, making the researchers’ work more difficult. The lack of data about discovered cyberattacks in a specific country or economic sector most likely means that such attacks have not been detected yet, not that there are no attacks.
Financial Sector at Risk
Traditionally, one of the largest sections of the Hi-Tech Crime Trends 2018 report is dedicated to the attackers’ tactics as well as the damage to financial institutions. A new hacker group named Silence was exposed in 2018. It is one of the biggest cyber threats to banks globally, along with the MoneyTaker, Lazarus, and Cobalt groups. These hackers are able to compromise a bank, penetrate isolated financial systems, and withdraw money. Three out of the four are Russian-speaking groups.
On average, 1-2 Russian banks are successfully attacked by cybercriminals every month. Average losses are estimated at $2 million (132 million rubles). Group-IB experts observed that the number of targeted attacks via SWIFT has tripled over the reviewed period. The average time required to cash out money stolen via ATMs by means of drops or money mules is as low as 8 minutes.
Group-IB expects that after the leaders of Cobalt and Fin7 (Anunak) have been arrested, the remaining members will start forming new hacker groups. The other regions where new cybercrime groups are most likely to arise are Latin America and Asia, with banks being their most probable targets. Group-IB experts forecast numerous misattributions of hacker groups due to their collaboration, use of legitimate tools, and deliberate imitation of each other’s tactics.
Attacks on Banks’ Clients
Credit card fraud remains one of the most dangerous threats to private citizens: failure to use behavioural analytics for transaction validation results not only in direct money losses, but also in the growth of the fraudulent «card shop» industry. Every month, the data on about 686,000 compromised bank cards and 1.1 million card dumps are put up for sale in «card shops». The overall value of the carding market over the review period was estimated at $663 million.
The number of threats caused by banking PC Trojans in Russia has been decreasing since 2012. Attacks on private citizens are a thing of the past, while the damage to companies, estimated at $8.3 million (RUR 547,800,000), went down by 12% within the reporting period.
After several years of growth, the market of Android Trojans in Russia has stopped growing, but it continues to gain momentum internationally. The number of daily thefts using Android Trojans in Russia has dropped almost threefold. A decrease in the average amount stolen is also worth noting: last year it was $164 (11,000 RUR), while this year it dropped to $104 (7,000 RUR).
The international market is drastically different: six new PC Trojans were discovered during the analyzed period (IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot), and the source code for five more has been shared or sold.
Web phishing has grown both in Russia and internationally this year. The number of hacker groups creating phishing websites imitating Russian brands went up from 15 to 26. In Russia, the number of successful phishing attacks per day has reached 1,274 (up from 950). The damage from web phishing was estimated at $3.7 million (251 million rubles), which is 6% more than in the previous year.
Globally, unlike in the previous year, the leading phishing groups focused on cloud storage services rather than on the financial sector. The largest number of phishing websites are registered in the USA; they account for 80% of all phishing sites. France is in second place, followed by Germany. According to Group-IB’s report, 73% of all phishing resources fall into one of three categories: cloud storage (28%), finance (26%), and online services (19%).
Crypto Industry: New Markets, Old Threats
Approximately 56% of all money siphoned off from ICOs was stolen through phishing attacks. In 2017 and 2018, hackers turned their attention to attacks on cryptocurrency exchanges. A total of 14 cryptocurrency exchanges have been robbed, suffering a total loss of $882 million. At least five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group. Their victims were mainly located in South Korea. Following in their footsteps, the most likely cryptocurrency exchange attackers are Silence, MoneyTaker, and Cobalt. Targeted phishing remains the major vector of attack on corporate networks.
Cryptojacking (hidden mining) became most widespread in 2017–2018. After the launch of Coinhive, a hidden mining software, seven more similar software programs have come out. Group-IB experts predict that the biggest miners may become the target not only of cybercriminals, but also of state-sponsored groups. With sufficient preparation, an attacker who gains control over 51% of a network’s mining power can take control of the cryptocurrency. Five successful «51% attacks» were registered in H1 2018, with direct financial losses ranging from $0.55 million to $18 million.
New Hacking Technologies
Last year, cyber security experts were focused on the WannaCry, NotPetya, and BadRabbit epidemics, but at the beginning of 2018 a new global IT security threat emerged, involving side-channel attacks and vulnerabilities discovered in microprocessors from different vendors. Group-IB’s report analyses multiple examples, demonstrating the actual threat posed by firmware vulnerabilities and their key problem: it is impossible to eliminate all of these vulnerabilities quickly and efficiently just by updating the software or reinstalling the operating system. That is exactly why research activity focused on finding vulnerabilities in BIOS/UEFI grows each year, in proportion to the increased number of such threats used in targeted attacks. Information about these threats becomes available thanks to leaks, not attack research: currently the market has no solutions that effectively detect such threats.
Group-IB experts state that current research dedicated to vulnerability discovery in BIOS/UEFI and the development of working exploits are quite time-consuming and expensive processes: there are not many hackers capable of carrying out these attacks, but the situation might change, which will transform the approach to cyber security in the coming years.