Written by: Michael Busselen of CrowdStrike
The CrowdStrike® 2019 Global Threat Report: “Adversary Tradecraft and the Importance of Speed,” includes the combined work of CrowdStrike’s skilled and seasoned teams that engage in global intelligence gathering and analysis, proactive threat hunting, and incident response investigations. The threat report also reveals the trends that these teams observed in 2018 — trends that show no signs of waning in 2019.
In CEO George Kurtz’s blog introducing the threat report, he emphasized the need for speed in combating global adversaries. CTO Dmitri Alperovitch provided a deeper dive into what is driving the need to accelerate incident response in his blog about “breakout” time (the time an intruder needs to move laterally from the first compromised host) and the 1-10-60 rule (detect an intrusion within one minute, investigate it within 10 minutes, and contain and remediate it within 60 minutes), and what these metrics reveal about our adversaries and our own defensive capabilities.
This blog focuses on the trends put forth in the 2019 threat report and how they can inform your security strategies for the current year and beyond.
Trends Observed in 2018
In many respects, 2018 appeared to be a markedly different year than the one before. Absent some of the high-profile events observed in 2017, such as WannaCry and NotPetya, headlines in 2018 were defined instead by a series of U.S. Department of Justice (DoJ) indictments against individuals linked to named, state-sponsored adversaries.
Ongoing tool development and changes in tactics, techniques and procedures (TTPs), possibly prompted by these public disclosures and stepped-up law enforcement activity, suggest that 2018 was a transition year for many adversaries. One thing was clear: Law enforcement efforts have not yet halted or deterred nation-state-sponsored activity.
eCrime Was Prominent
The eCrime adversaries tracked by CrowdStrike Intelligence conducted a variety of criminal operations, including crimeware distribution, banking Trojans, ransomware, point-of-sale (POS) compromises and targeted spear-phishing campaigns:
- The most prominent trend in eCrime for 2018 was the continued rise of “Big Game Hunting,” which combines targeted, intrusion-style TTPs with the deployment of ransomware across a large organization, all in pursuit of a bigger financial payoff. BOSS SPIDER (Samas, SamSam), INDRIK SPIDER (Dridex) and GRIM SPIDER (Ryuk) all raked in huge profits in these campaigns.
- Additional evidence of a changing eCrime ecosystem came from prolific ransomware-as-a-service (RaaS) adversary PINCHY SPIDER (GandCrab) and the solidification of MUMMY SPIDER (Emotet) as a professional malware distribution operation.
- Meanwhile, targeted eCrime adversaries COBALT SPIDER (Cobalt Group) and CARBON SPIDER (Carbanak) have remained active, despite arrests of individuals linked to their operations.
Rising Nation-State Activities
Nation-state adversaries were continuously active throughout 2018 — targeting dissidents, regional adversaries and foreign powers to collect intelligence for decision-makers:
- North Korea (aka the Democratic People’s Republic of Korea, or DPRK) remained active in both intelligence collection and currency-generation schemes, despite participating in diplomatic outreach.
- Iran maintained focus on operations against other Middle Eastern and North African (MENA) countries, particularly regional foes across the Gulf Cooperation Council (GCC). Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.
- As for China, CrowdStrike observed a significant rise in U.S. targeting, likely tied to increased tensions between the two countries.
- Russian adversaries were active across the globe in a variety of intelligence collection and information operations.
Other Nation-State Trends
Other nation-state adversaries tracked by CrowdStrike, but not prominently featured in the 2019 Global Threat Report, include:
- Adversaries linked to Pakistan and India maintained an interest in regional affairs with a rise in activity on the Indian subcontinent, observed in the summer of 2018.
- The Vietnam-based adversary OCEAN BUFFALO appeared to focus on domestic — possibly internal law enforcement — operations; however, CrowdStrike has also identified the possible targeting of Cambodia, as well as activity against the manufacturing and hospitality sectors.
- Recent technical analysis, as well as the reported zero-day use of CVE-2018-8174 (a remote code execution vulnerability in the Windows VBScript engine, exploitable through Internet Explorer and Office documents), suggests the South Korea-based adversary SHADOW CRANE continues to actively develop its toolkit. The target scope of SHADOW CRANE’s campaigns appears to focus primarily on victims in China, Japan, South Korea, Russia, India and the DPRK — particularly those in the government, think tank, media, academia and nongovernmental organization (NGO) sectors.
Create an Informed Cybersecurity Strategy
Download the 2019 Global Threat Report to gain a deeper understanding of these trends from the analysis offered by the CrowdStrike Intelligence, Falcon OverWatch™ managed hunting and the CrowdStrike Services teams. In the report, they highlight the significant events in the past year of cyberthreat activity across the world.
Their reporting and analysis demonstrate how threat intelligence, proactive hunting and swift countermeasures can provide a deeper understanding of the motivations, objectives and activities of the adversaries targeting your organization. Armed with this information, you can create security strategies that will help you better defend your organization and its valuable data now and in the future.