Secureworks finds majority of cyber crime damage “inflicted by powerful covert criminal threat groups”

Secureworks, a global cyber security company that protects organisations in the digitally connected world, has just released the findings of its State of Cyber Crime Report 2018 which is designed to illuminate the cyber crime trends and events that shaped the year. From July last year through to June 2018, Secureworks Counter Threat Unit researchers analysed incident response outcomes and conducted original research to gain insight into threat activity and behaviour across 4,400 companies.

Among the findings was evidence that a small subset of professional criminal actors is responsible for the bulk of cyber crime-related damage, employing tools and techniques as sophisticated, targeted and insidious as most nation state actors. These sophisticated and capable criminal gangs operate largely outside of The Dark Web, although they may leverage low-level criminal tools occasionally when it serves their purposes.

At the same time, there has been no lull in the overall volume of threats. Low-level cyber crime activity remains a robust market economy, often taking place in view of security researchers and law enforcement on The Dark Web. While relatively simple in their approach, these activities can still result in widespread damage.

“Cyber crime is a lucrative industry, and it’s not at all surprising that it has become the arm of powerful organised groups,” said Don Smith, senior director of the Cyber Intelligence Cell within the Secureworks Counter Threat Unit. “To understand the complete picture of the cyber crime world, we developed insights based on a combination of Dark Web monitoring and client brand surveillance with automated technical tracking of cyber criminal toolsets.”

Key findings of the research

Among the Counter Threat Unit researchers’ key findings are the following observations:

*The boundary between nation state and cyber criminal actors continues to blur

Nation state actors are increasingly using tools and techniques employed by cyber criminals and vice versa. In August this year, Counter Threat Unit researchers determined the Democratic People’s Republic of Korea was likely responsible for a GandCrab ransomware campaign against the South Korean population and infrastructure as part of a broader pattern of attacks. GandCrab is developed and sold ‘as-a-Service’ and is more commonly associated with financially motivated criminal actors.

In March, a threat actor likely associated with the Iranian Government used access that had previously been leveraged for espionage to deploy a cryptocurrency miner across the environment. Counter Threat Unit researchers have also observed other Government-backed espionage groups deploying cryptocurrency miners within compromised networks.

The assumption that nation state-sponsored Advanced Persistent Threats are dimensionally different from advanced cyber crime threats is, according to Secureworks, fundamentally flawed.

*Ransomware continues to be a serious threat

There has been no significant decrease in the volume of ransomware, banking malware, Point of Sale memory scrapers or other threats available for purchase on underground forums.

The threat actors who developed SamsamCrypt and BitPaymer, the two most impactful ransomware threats observed by Counter Threat Unit researchers during the reporting period, have retained them for their exclusive and targeted use, showing the distinct threat these sophisticated cyber crime groups pose.

The developers of GandCrab have been observed offering a partner program in which the developers received 30% to 40% of any resulting revenue from successful attacks.

There is no clear evidence that ransomware has been displaced by other capabilities such as cryptocurrency mining, while targeted ransomware attacks continue to be a worrying trend.

The growth of traditional file-encrypting ransomware did slow, but Counter Threat Unit researchers nevertheless observed no fewer than 257 new and distinct ransomware families during the reporting period.

Some of the more popular new Ransomware-as-a-Service families release regular updates and feature new additions.

*Sophisticated criminal gangs are earning millions of dollars of revenue through stolen payment card data

Sophisticated criminal gangs have combined advanced social engineering (ie expertise in deception and manipulation) and network intrusion techniques with Point of Sale malware to generate millions of dollars of revenue through stolen payment card data.

The price of credit card details on underground forums incentivises criminals to target Point of Sale terminals, where credit card details can be extracted from the memory of the running device using specialist malware.

Cyber criminals are also clever about monetising card data even after the theft has been discovered, while credit card ‘dump sites’ such as JokerStash have fallen under intense scrutiny as a possible way for sophisticated criminals to do just that.

*The Dark Web isn’t the darkest depth of the cyber criminal world

Sophisticated and organised criminal groups are quietly dealing most of cyber crime’s damage each year, and they avoid The Dark Web where possible to evade detection by law enforcement and threat researchers.

These more sophisticated criminals may use simple and readily available tools in some cases, but their highly organised approach and evolving capabilities represent a significant threat.

“The observations of Counter Threat Unit researchers over the last 12 months show that the threat from cyber crime is adaptive and constantly evolving,” the report concludes. “To stay ahead of the threat, it’s imperative that organisations develop an holistic understanding of the landscape and how it relates to them, and then tailor their security controls to address both opportunistic and more highly targeted cyber crime threats.”

*To download copies of the full report visit www.secureworks.com

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
