Up to 79% of detected activity targeting nation-states in one cybersecurity platform was linked to APTs like Mustang Panda and UNC4191.

Based on Q1 2023 telemetry on its eXtended Detection and Response (XDR) platform, a cybersecurity firm has summarized several findings linked to ransomware and nation-state-backed APT actors; threats to email safety; malicious use of legitimate security tools; and other cyber risks.

The firm’s data showed that advanced persistent threat groups linked to China — including Mustang Panda and UNC4191 — were the most active, generating 79% of all activity detected on its platform involving cyber espionage, possibly in tandem with physical military activity.

Also, ransomware attacks were still found to be financially motivated, reflected in the insurance (20%) and financial services (17%) sectors having the most detections of potential attacks on the XDR platform. The most common leak site victims were US-based (48%) mid-sized businesses with 51–200 employees (32%) and US$10–50m in revenue (38%).

Other findings include:

    • Despite attempts in 2022 to make it harder for threat actors to abuse the tool, Cobalt Strike was being used in 35% of APT activity and 28% of ransomware incidents: almost double the share seen on the platform in the previous quarter.
    • Many critical vulnerabilities consisted of bypasses to patches for older CVEs, supply chain bugs utilizing outdated libraries, or long-patched vulnerabilities that were never properly addressed. A disclosed Apple vulnerability in February 2023 had roots as far back as the FORCEDENTRY exploit disclosed in 2021.
    • On the platform, cloud infrastructure attacks on Amazon, Microsoft, and Google were rising in Q1 2023. Though more sophisticated attacks involving multifactor authentication, proxy penetration, and API execution continued, the dominant attack technique observed on the XDR platform was the use of valid accounts (especially those in remote-working environments), with twice as many detections as any other vector.

John Fokker, Head of Threat Intelligence at Trellix Advanced Research Center, the firm that released the Q1 findings, said: “Offensive cyber capabilities are being leveraged strategically by nation-states for espionage and disruption. For both leading and developing countries, we see risks to critical infrastructures like telecommunications, energy, and manufacturing by notable APT groups — a warning to public and private organizations to deploy modern protections to stay ahead of rapidly evolving threats.”