The pandemic didn’t slow targeted cyberattacks by criminals and nation-states, according to the 2021 Global Threat Report by cybersecurity firm CrowdStrike. And the firm predicts adversaries in 2021 will be as prolific as ever.
CrowdStrike said that during COVID-19 it saw a lot more “big game hunting,” where criminal organizations turned to stealing data from big institutions such as hospitals and then held that data for ransom. The most disturbing thing about the report is that it describes a whole criminal ecosystem headed by large organizations, rather than just a collection of individual and opportunistic attacks.
A total of 104 health care organizations were targeted with attacks from 18 different parties in 2020, and the industry will continue to face an onslaught of ransomware attacks, risking disruption to critical care facilities. CrowdStrike said that fear, concern, and curiosity surrounding COVID-19 provided the perfect cover for a record-setting increase in social engineering attacks from both e-crime actors and targeted intrusion adversaries. One group dubbed Twisted Spider was responsible for 26 attacks on health care organizations.
“The allure of big game hunting (BGH), ransomware campaigns aimed at high-value targets, dominated the ecosystem of eCrime enablers in 2020, spurring the market for network access brokers,” the report said. “BGH trends also disrupted traditional targeted eCrime behavior — as seen by threat actor Carbon Spider’s shift away from the targeting point-of-sale (POS) systems to join the BGH ranks.”
China and North Korea
Above: Cybercriminal groups are interconnected.
Image Credit: CrowdStrike
As such, the COVID-19 vaccine will be a primary target for multiple China-based and North Korean adversaries. Economic espionage from these adversaries is predicted to increase in 2021, with a special focus on entities involved in the research, production, or distribution of COVID-19 therapeutics. Technology in the agriculture sector was another area of focus.
North Korea is expected to be particularly motivated, in part through its need to obtain resources and currency to deal with a pandemic-related food shortage. The blending of e-crime and targeted intrusion tactics previously associated with these North Korean actors and some Russian adversaries was also observed in an Iran-focused group dubbed Pioneer Kitten.
China’s cybersecurity hackers will focus on supply chain compromises and the targeting of key Western verticals when it comes to COVID-19 vaccines, as well as targets in academic, health care, technology, manufacturing, and aerospace sectors. Chinese adversaries targeted telecommunications, with a group dubbed Wicked Panda having another prolific year, despite indictments against individuals associated with its operations.
In July 2020, the U.S. Department of Justice (DOJ) indicted two Chinese nationals with alleged ties to the Chinese Ministry of State Security (MSS) for wide-ranging cyber operations, the most recent of which reportedly included targeting U.S.-based COVID-19 research centers. Intelligence officials in Spain also claimed that a China-nexus actor had successfully stolen information relating to COVID-19 vaccine development from Spanish research institutes in September 2020. In addition to this reported activity, CrowdStrike identified five suspected China-originated campaigns targeting health care entities in 2020.
Russia was also active. In July 2020, the U.S., U.K., and Canadian governments released information describing a campaign from a group dubbed Cozy Bear that targeted COVID-19 research facilities. This campaign was reportedly conducted throughout 2020 and was likely intended to steal information relating to the development and testing of vaccines targeting the virus. CrowdStrike also identified the rise of Latin American hacking groups, with malware families that include Culebra Variant, Salve, Caiman, and Kiron.
Supply chain attacks
A popular vector for cybercriminals is the supply chain, as it allows malicious actors to propagate multiple downstream targets from a single intrusion. Nation-state adversaries have also infiltrated networks to steal valuable data — particularly seeking COVID-19 vaccine research — and have done so while evading detection within the networks for a period of time.
Supply chain attacks are expected to amplify in 2021 as cybercriminals seek financial payouts and nation-states deploy espionage-driven tools.
Supply chain attacks are nothing new. CrowdStrike cited them as a rising threat as far back as 2018 and believes they will continue to be a major intrusion vector. Supply chain attacks represent a unique initial access tactic that provides malicious actors with the ability to propagate from a single intrusion to multiple downstream targets of interest. In addition to software-based attacks, such as the one that affected SolarWinds (a suspected Russian spying campaign that broke into nine federal agencies and at least 100 businesses), supply chain attacks can take the form of hardware or third-party compromises.
CrowdStrike Intelligence has identified supply chain and trusted relationship compromises originating from both e-crime and targeted intrusion adversaries. While e-crime actors commonly use the access from these compromises for financial gain, generally deploying ransomware and mineware, targeted intrusion adversaries primarily use compromises to deploy espionage-driven toolsets to a broad set of users. Given the potential high return on investment for threat actors, CrowdStrike Intelligence anticipates these attacks will continue to threaten organizations across all sectors in 2021.
Sunnyvale, California-based CrowdStrike said its new e-crime index will measure the attacks in weekly updates based on 18 indicators of criminal activity. Of all the attacks uncovered, CrowdStrike said e-crime accounted for 79%.
CrowdStrike senior VP Adam Meyers said in a statement that companies and institutions need to deploy cloud-native technology to prevent attacks and gain better visibility.
Extortion is expected to continue, with the introduction of Dedicated Leak Sites (DLS). In June 2020, following an explosion of dedicated leak sites in the first half of the year, Twisted Spider branded itself the leader of Maze Cartel, which was a cooperative effort between Twisted Spider, Viking Spider, and the operators of LockBit ransomware, as well as unconfirmed involvement from the operators of SunCrypt and Wizard Spider. The Maze Cartel shared leaked data from their operations on each of their DLSs, likely in an effort to reach a wider audience, thus putting more pressure on victim companies.
Another part of the ecosystem is access brokers, who gain backend access to various organizations (corporations and government entities) and sell this access — either on criminal forums or through private channels.
CrowdStrike collects data on attacks via its various products, processing 4 trillion events per week across 176 countries.
Recommendations
Above: Health care institutions have been attacked by ransomware crime families.
Image Credit: CrowdStrike
CrowdStrike said that as threat actors add new tools, techniques, and procedures to their arsenals and form new alliances to bolster their strength and extend their reach, visibility and speed are more critical than ever. Security teams must become more versatile, proactive, and productive to stay ahead of threats.
As their operations mature, both e-crime and targeted intrusion adversaries will continue to develop and implement new methods to bypass detection and impede analysis by researchers, CrowdStrike said. Whether driven by public reporting or motivations internal to their respective organizations, the pursuit of operational security will almost certainly include improved obfuscation methods, use of commodity tooling and living-off-the-land (LOTL) techniques.
The challenges of 2020, including the rapid pivot to “work-from-anywhere,” have caused a level of social and economic upheaval that is unprecedented in modern times. The widespread impact has not deterred cyber adversaries — in fact, quite the opposite. In 2020, CrowdStrike observed adversaries exploiting the situation, preying on the public’s fear and escalating attacks. CrowdStrike’s recommendations are aimed at proactively addressing potential weaknesses before they can be leveraged by attackers.
For security teams operating in today’s environment, visibility and speed are critical for blocking attackers that have the capability and intent to steal data and disrupt operations. Security teams must understand that it is their responsibility to secure their cloud environments, just as they would on-premises systems. They must establish consistent visibility for all environments and proactively address potential vulnerabilities before they can be leveraged by attackers, CrowdStrike said.
Organizations must consider multifactor authentication (MFA) on all public-facing employee services and portals as mandatory. In addition to MFA, a robust privilege access management process will limit the damage adversaries can do if they get in and reduce the likelihood of
lateral movement.
And CrowdStrike said “Zero Trust” solutions should be implemented to compartmentalize and restrict data access, thus reducing the potential damages from unauthorized access to sensitive information.
