For the period from H2 2019 to H1 2020, APAC became the most actively attacked region by state-sponsored threat actors: report.

In a roundup of the cybersecurity landscape between H2 2019 and H1 2020, Group-IB has reported what its teams have observed as key shifts in the cybercrime world in the past 12 months.

The most severe financial damage was caused by ransomware activity. The spike in cybercrime was marked by the rise of underground markets selling access to corporate networks and by more than 200% growth of the carding market.

In its latest annual threat report, the group examines various aspects of cybercrime industry operations and predicts changes in the threat landscape for various sectors, namely the financial industry, telecommunications, retail, manufacturing and energy. The authors also analyze campaigns targeting critical infrastructure facilities, which represent an increasingly frequent target of intelligence services worldwide. Following are some key findings in the report.

  • APAC is a primary target of APT groups
    Military operations conducted by various intelligence services are becoming increasingly apparent, with a continuing trend observed toward physical destruction of infrastructure replacing espionage.
    • Attackers’ toolkits are being updated with instruments intended for attacks on air-gapped networks.
    • The nuclear industry is turning into the number one target of state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current study is marked by attacks on nuclear energy facilities in Iran and India.
    • The Asia Pacific region (APAC) has become the most actively attacked region by state-sponsored threat actors. A total of 34 campaigns were carried out in this region during the review period, and APT groups from China, North Korea, Iran and Pakistan were the most active.

Overall, the majority of state-sponsored threat actors active globally over the review period originated from China (23 APT groups), Iran (8), North Korea and Russia (4 each), India (3), and Pakistan and Gaza (2 each). South Korea, Turkey, and Vietnam are reported to have one APT group each.

  • The Telecoms sector is another hacker draw
    State-sponsored APT groups continue their keen interest in the telecommunications sector: over the review period, at least 11 groups affiliated with intelligence services targeted it. The threat actors’ main goals remained spying on telecommunications operators or attempting to disable their infrastructure.

    Threat actors have, in particular, set a new record in DDoS attack power: 2.3 Tb per second and 809 million packets per second. BGP hijacking and route leaks remain a serious problem: over the past year, nine significant cases have been made public.
  • Ransomware cost the world over US$1bn
    Late 2019 and H1 2020 were marked by an unprecedented surge in ransomware attacks. Neither private sector companies nor government agencies were immune: over the reporting period, over 500 successful ransomware attacks in more than 45 countries were reported.

    Asia accounted for about 7% of the total number of reported ransomware incidents, with the most frequently attacked countries in the region being India and China.

    According to the firm’s conservative estimates, the total financial damage from ransomware operations worldwide amounted to over US$1bn, while the actual damage may be much higher. Victims often remain silent about incidents, paying ransoms quietly, while attackers do not always publish data from compromised networks.

    The Top 5 most frequently attacked industries included manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).

    Maze (now defunct) and REvil groups are considered to have the largest appetite: operators of these two strains are believed to account for over 50% of all the successful attacks. Ryuk, NetWalker, and DoppelPaymer formed the second tier.

    Hacker affiliate programs: The ransomware pandemic was triggered by the active development of private and public affiliate programs bringing together ransomware operators and cybercriminals involved in compromising corporate networks. Ransomware operators buy this access and then encrypt devices on the network; after receiving a ransom from the victim, they pay out a fixed rate to their partners under the affiliate program.

    In late 2019, ransomware operators adopted extortion as a new technique to increase the chances of a ransom being paid. If a victim refuses to pay, they risk not only losing all their data but also having it leaked. In June 2020, REvil started auctioning stolen data.
  • Four-fold increase in sales of stolen data
    Sales of access to compromised corporate networks have been increasing year on year, peaking in 2020 so far.

    It is difficult to assess the size of the market for selling access, as offers published on underground forums often do not include the price, while some deals are cut in private. From the available data, however, the total market size for access sold in the review period was US$6.2m, a four-fold increase compared to the previous review period, when it totaled US$1.6m.
    • In H1 2020 alone, 277 offers of access to corporate networks were put up for sale on underground forums. The number of sellers has also grown: during the review period 63 sellers were active, and 52 of them began selling access in 2020. For comparison, during all of 2018 only 37 access sellers were active, while in 2019 a total of 50 sellers put access to 130 corporate networks up for sale.

      In total, sales of corporate network access grew by 162% compared to the previous period (362 offers against 138). Group-IB experts found correlations with ransomware attacks: the majority of threat actors offered access to US companies (27%), while manufacturing was the most frequently attacked industry in 2019 (10.5%). In 2020, access to the networks of state agencies (10.5%), educational institutions (10.5%) and IT companies (9%) was in demand.
    • Sellers of access to corporate networks increasingly rarely mention company names, geographical location or industry, which makes it almost impossible to identify the victim without contacting the attackers.
    • In H1 2020, in APAC, the majority of companies whose stolen access data was put up for sale were from China (2.2%), Australia (1.9%), and India (1.1%). In 2019, the top three were the same countries but with different shares: Australia (4.6%), India (3.8%), and China (1.5%).
    • The sale of access to a company’s network is normally only one stage in an attack: the access gained may be used both for launching ransomware and for stealing data, either for subsequent sale on forums or for spying.

The threat of bank card data leaks is most acute for retail companies that have online sales channels, e-commerce companies that offer goods and services on the internet, and banks that unwittingly get involved in such incidents.

The main scenarios for illegally harvesting bank card data, as well as the most frequently attacked countries (the United States, India, South Korea), remained the same.