Secureworks finds majority of cyber crime damage “inflicted by powerful covert criminal threat groups”
Secureworks, a global cyber security company that protects organisations in the digitally connected world, has just released the findings of its State of Cyber Crime Report 2018 which is designed to illuminate the cyber crime trends and events that shaped the year. From July last year through to June 2018, Secureworks Counter Threat Unit researchers analysed incident response outcomes and conducted original research to gain insight into threat activity and behaviour across 4,400 companies.
Among the findings was evidence that a small subset of professional criminal actors is responsible for the bulk of cyber crime-related damage, employing tools and techniques as sophisticated, targeted and insidious as most nation state actors. These sophisticated and capable criminal gangs operate largely outside of The Dark Web, although they may leverage low-level criminal tools occasionally when it serves their purposes.
At the same time, there has been no lull in the overall volume of threats. Low-level cyber crime activity remains a robust market economy, often taking place in view of security researchers and law enforcement on The Dark Web. While relatively simple in their approach, these activities can still result in widespread damage.
“Cyber crime is a lucrative industry, and it’s not at all surprising that it has become the arm of powerful organised groups,” said Don Smith, senior director of the Cyber Intelligence Cell within the Secureworks Counter Threat Unit. “To understand the complete picture of the cyber crime world, we developed insights based on a combination of Dark Web monitoring and client brand surveillance with automated technical tracking of cyber criminal toolsets.”
Key findings of the research
Among the Counter Threat Unit researchers’ key findings are the following observations:
The boundary between nation state and cyber criminal actors continues to blur
Nation state actors are increasingly using tools and techniques employed by cyber criminals and vice versa. In August this year, Counter Threat Unit researchers determined the Democratic People’s Republic of Korea was likely responsible for a GandCrab ransomware campaign against the South Korean population and infrastructure as part of a broader pattern of attacks. GandCrab is developed and sold ‘as-a-Service’ and is more commonly associated with financially motivated criminal actors.
In March, a threat actor likely associated with the Iranian Government used access that had previously been leveraged for espionage to deploy a cryptocurrency miner across the environment. Counter Threat Unit researchers have also observed other Government-backed espionage groups deploying cryptocurrency miners within compromised networks.
The assumption that nation state-sponsored Advanced Persistent Threats are dimensionally different from advanced cyber crime threats is, according to Secureworks, fundamentally flawed.
Ransomware continues to be a serious threat
There has been no significant decrease in the volume of ransomware, banking malware, Point of Sale memory scrapers or other threats available for purchase on underground forums.
The threat actors who developed SamsamCrypt and BitPaymer, the two most impactful ransomware threats observed by Counter Threat Unit researchers during the reporting period, have retained them for their exclusive and targeted use, showing the distinct threat these sophisticated cyber crime groups pose.
The developers of GandCrab have been observed offering a partner program in which the developers received 30% to 40% of any resulting revenue from successful attacks.
There is no clear evidence that ransomware has been displaced by other capabilities such as cryptocurrency mining, while targeted ransomware attacks continue to be a worrying trend.
The growth of traditional file-encrypting ransomware did slow, but Counter Threat Unit researchers nevertheless observed no less than 257 new and distinct ransomware families during the reporting period.
Some of the more popular new Ransomware-as-a-Service families release regular updates and feature new additions.
Sophisticated criminal gangs are earning millions of dollars of revenue through stolen payment card data
Sophisticated criminal gangs have combined advanced social engineering (i.e. expertise in deception and manipulation) and network intrusion techniques with Point of Sale malware to generate millions of dollars of revenue through stolen payment card data.
The price of credit card details on underground forums incentivises criminals to target Point of Sale terminals, where credit card details can be extracted from the memory of the running device using specialist malware.
Cyber criminals are also clever about monetising card data even after the theft has been discovered, while credit card ‘dump sites’ such as JokerStash have fallen under intense scrutiny as a possible way for sophisticated criminals to do just that.
The Dark Web isn’t the darkest depth of the cyber criminal world
Sophisticated and organised criminal groups are quietly dealing most of cyber crime’s damage each year, and they avoid The Dark Web where possible to evade detection by law enforcement and threat researchers.
These more sophisticated criminals may use simple and readily available tools in some cases, but their highly organised approach and evolving capabilities represent a significant threat.
“The observations of Counter Threat Unit researchers over the last 12 months show that the threat from cyber crime is adaptive and constantly evolving,” the report concludes. “To stay ahead of the threat, it’s imperative that organisations develop an holistic understanding of the landscape and how it relates to them, and then tailor their security controls to address both opportunistic and more highly targeted cyber crime threats.”
To download copies of the full report visit www.secureworks.com