22 February 2019

Cyber espionage warning: The most advanced hacking groups are getting more ambitious

By Danny Palmer

The most advanced hacking groups are becoming bolder when conducting campaigns, with the number of organisations targeted by the biggest campaigns rising by almost a third.

A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organisations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.

The figures, detailed in Symantec's annual Internet Security Threat Report, suggest that the top twenty most prolific hacking groups are targeting more organisations as the attackers grow more confident in their activities.

Groups like Chafer, DragonFly, Gallmaker and others are all conducting highly-targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information.


Once attackers might have needed the latest zero-days to gain entry into corporate networks, but now it's spear-phishing emails laced with malicious content which are most likely to provide attackers with the initial entry they need.

And because these espionage groups are so proficient at what they do, they have tried-and-tested means of conducting activity once they're inside a network.

"It's like they have steps which they go through which they know are effective to get into networks, then for lateral movement across networks to get what they want," Orla Cox, director of Symantec's security response unit, told ZDNet.

"It makes them more efficient and for organizations, it makes them harder to spot because a lot of the activity looks like traditional enterprise activity," she added.

In many of the cases detailed in the report, attackers are deploying what Symantec refer to as 'living-off-the-land' tactics: the attackers use everyday enterprise tools to help them travel across corporate networks and steal data, making the campaigns more difficult to discover.

Not only is the number of targeted campaigns on the rise, but there's a larger variety in the organisations being targeted. Organisations like utilities, government and financial services have regularly found themselves targets of organised cyber criminal gangs, but increasingly, these groups are expanding their attacks to new targets.

"Often in the past they'd have a clear focus on one sector, but now we see these campaigns can focus on a wide variety of targets, ranging from telecoms companies, hotels, universities. It's harder to pinpoint exactly what their end goal is," said Cox.

While intelligence gathering remains the key goal of many of these campaigns, some are beginning to expand their campaigns by also displaying an interest in compromising systems.

This is a particularly worrying trend, because while stealing data in itself is bad enough, attackers with the ability to operate cyber-physical systems could be much worse.

One group Symantec has observed conducting this activity is a hacking operation dubbed Thrip, which expressed particular interest in gaining control of satellite operations – something which could potentially cause major disruption.

In the face of a rise in targeted attacks, governments are increasingly pointing the finger not just at nations but at individuals believed to be involved in cyber espionage. For example, the United States named individuals it claims are responsible for conducting cyber attacks: they include citizens of Russia, North Korea, Iran and China. Symantec's report suggests the indictment might disrupt some targeted operations, but it's unlikely that cyber espionage campaigns will be disappearing anytime soon.
