Chinese state-sponsored hackers conducted as many "intrusion campaigns" against vertical industries in the first half of 2019 as Russia, Vietnam, North Korea and Iran combined, according to a new report from cybersecurity provider CrowdStrike.
CrowdStrike's OverWatch 2019 Mid-Year Report, which covers only attacks against the company's own customers, found that between January and June, 39 percent of targeted intrusions were attributed to state-backed actors while 61 percent could be tied to eCrime groups. That is a turnabout from the whole of 2018, when nation-state adversaries accounted for 75 percent of the targeted intrusions CrowdStrike observed.
OverWatch is CrowdStrike's managed threat hunting service, built on the company's Falcon endpoint security platform. The report covers only state-sponsored and targeted eCrime activity, not the full spectrum of attacks that hit the Falcon platform.
The reversal between 2018 and 1H 2019 does not indicate a reduction in state-sponsored activity, CrowdStrike said, but instead reflects a continued increase in eCrime. Those actors are "maturing their ability to provide commercial access to their tactics, techniques and procedures on a 'TTPs-for-hire' basis," and continuing "their ongoing pursuit of 'Big Game Hunting' operations," the endpoint security specialist said.
Overall, malicious campaigns hit 13 of 19 vertical sectors in the period, including aviation, financial services, law enforcement, technology and telecommunications; the technology and telecom verticals were among those targeted by Chinese actors. By comparison, activity by Russian actors was confined to non-governmental organizations, threat actors from Vietnam targeted only the automotive industry, and Iranian actors focused on the aviation, transportation and logistics verticals.
Here are more findings from the report:
Campaigns by vertical 1H 2019:
- Technology 20%
- Telecom 9%
- Non-governmental organizations 8%
- Retail 7%
- Financial 5%
- Manufacturing 5%
- Transportation 4%
- Gaming 4%
- Entertainment 4%
- Engineering 2%
Notes: OverWatch does not expect telecom to lose its ranking as a popular target. Despite hospitality’s decline in the number of intrusions in 1H 2019, OverWatch expects the segment to move back to the top 10 list by the end of 2019.
The most commonly seen non-native tools (legitimate third-party utilities that are not part of the operating system) used in both nation-state and eCrime intrusions:
- PsExec
- ProcDump
- PC Hunter
Top three penetration-testing tools seen in use by adversaries:
- Mimikatz
- PowerShell Empire
- Cobalt Strike
Top three custom implants observed: China Chopper (web shell), Winnti, BabyShark
Top three malware variants associated with non-targeted eCrime activity: Emotet, Trickbot, Cryptocurrency miners
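Every tool in the first two lists is a legitimate administrative or testing utility, so matching on the file name alone produces noise on admin hosts and misses renamed copies. As an added example (not code from CrowdStrike, the OverWatch report or this article), the Python below scans a handful of constructed Sysmon-style process-creation events and flags the listed tools by their behaviour instead: PsExec by its PSEXESVC service binary spawned from services.exe, ProcDump only when it targets lsass, Mimikatz by its module syntax, and PowerShell Empire/Cobalt Strike style launchers by the hidden, encoded invocation. The field names, the OriginalFileName values and all sample events are assumptions constructed for the example.

```python
"""Context-based detections for the dual-use tools named in the report.

Added example; event schema and sample lines are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str               # full path of the newly created process
    original_file_name: str  # PE-header name: survives renaming the binary on disk (assumed values)
    command_line: str
    parent_image: str


# Constructed sample telemetry (assumption, not CrowdStrike data).
SAMPLE_EVENTS = [
    # ordinary service host, should not fire
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe",
              "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    # PsExec remote launch: the PSEXESVC service binary runs as a child of services.exe
    ProcEvent(r"C:\Windows\PSEXESVC.exe", "psexesvc.exe",
              "PSEXESVC.exe", r"C:\Windows\System32\services.exe"),
    # ProcDump renamed to dodge name matching, but still asked for an lsass memory dump
    ProcEvent(r"C:\Temp\pd.exe", "procdump",
              "pd.exe -accepteula -ma lsass.exe out.dmp", r"C:\Windows\System32\cmd.exe"),
    # Mimikatz credential theft, recognisable from the module::command syntax
    ProcEvent(r"C:\Temp\m.exe", "mimikatz.exe",
              'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit', r"C:\Windows\System32\cmd.exe"),
    # stager launcher typical of Empire / Cobalt Strike: no profile, hidden window, encoded command
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA...",
              r"C:\Windows\System32\cmd.exe"),
    # benign ProcDump use by a developer against their own application, should not fire
    ProcEvent(r"C:\Tools\procdump.exe", "procdump",
              "procdump.exe -accepteula -ma myapp.exe", r"C:\Windows\explorer.exe"),
]

LSASS_TARGET = re.compile(r"\blsass(?:\.exe)?\b", re.I)
MIMIKATZ_MODULES = re.compile(r"\b(?:sekurlsa|lsadump|kerberos|privilege)::\w+", re.I)
PS_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I)
PS_STEALTH = re.compile(r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|noni|noninteractive)\b", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names that fire for one event (empty list if none)."""
    hits = []
    name = ev.original_file_name.lower()
    cmd = ev.command_line
    # PsExec: the service side always lands as PSEXESVC under services.exe
    if name == "psexesvc.exe" and ev.parent_image.lower().endswith(r"\services.exe"):
        hits.append("psexec_remote_service")
    # ProcDump is fine against your own app; dumping lsass is credential theft
    if name.startswith("procdump") and LSASS_TARGET.search(cmd):
        hits.append("procdump_lsass")
    # Mimikatz: PE name or its characteristic module syntax on the command line
    if name == "mimikatz.exe" or MIMIKATZ_MODULES.search(cmd):
        hits.append("mimikatz")
    # Encoded + hidden/non-interactive PowerShell is the common stager shape for Empire and Cobalt Strike
    if name == "powershell.exe" and PS_ENCODED.search(cmd) and PS_STEALTH.search(cmd):
        hits.append("encoded_hidden_powershell")
    return hits


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each flagged process image to the detections that fired; clean events are omitted."""
    return {ev.image: hits for ev in events if (hits := classify(ev))}


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

Keying on OriginalFileName, parent process and target process is what separates the renamed `pd.exe` dumping lsass from the developer's legitimate ProcDump run; in production the same logic would sit on top of Sysmon or EDR process events rather than an inline list.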
Recommendations:
- User awareness programs should be initiated to combat the continued threat of phishing and related social engineering techniques.
- Asset management and software inventory are crucial to ensuring that each organization understands its own footprint and exposure.
- Vulnerability and patch management ensures that known vulnerabilities and insecure configurations are identified, prioritized and remediated.
- Multifactor authentication (MFA) should be established for all users, because today's attackers have proven adept at obtaining and using valid credentials, which quickly leads to deeper compromise. MFA also makes it much more difficult for adversaries to gain privileged access.
- A robust privileged access management process will limit the damage adversaries can do if they get in and reduce the likelihood of lateral movement.
- Implement password protection to prevent disabling or uninstalling the endpoint protection that provides critical prevention and visibility for defenders. Disabling it is always a high priority for attackers looking to deepen their foothold and hide their activities.