Group-IB Presents its Annual Report on Global Threats to Stability in Cyberspace

SINGAPORE, Nov. 29, 2019 /PRNewswire/ — Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has analyzed key recent changes to the global cyberthreat landscape. According to Group-IB’s experts, the most frustrating trend of 2019 was the use of cyberweapons in military operations. The new Hi-Tech Crime Trends 2019-2020 report describes attacks on various industries and critical infrastructure organizations, campaigns aimed at destabilizing the Internet in certain countries, and attacks conducted for espionage and sabotage purposes by state-supported threat actors.

Group-IB’s annual report was presented at CyberCrimeCon 2019 in Singapore and covers the period from H2 2018 to H1 2019, as compared to the period from H2 2017 to H1 2018.

Confrontation between states: espionage and sabotage

In 2019, cybersecurity became a heavily debated topic in politics. Throughout the second half of 2018 and the first half of 2019, cybersecurity experts identified numerous state-sponsored threat actors. Group-IB researchers focused on 38 active state-sponsored groups, of which seven were new cyberespionage groups. One of them, called RedCurl, was uncovered by Group-IB in late 2019. The threat actor mainly targets insurance, consulting, and construction companies. The group’s distinctive features are the high quality of their phishing attacks and the use of legitimate services, which makes it difficult to detect its malicious activity.

Domain name registrars are part of a country’s critical infrastructure. Disrupting their work affects the Internet, which is why registrars are targeted by government-sponsored threat actors. The past months have shown that the most dangerous hacks involved DNS hijacking, which helped attackers manipulate DNS records for MITM attacks. Researchers also mention traffic manipulations and BGP hijacking attacks, during which threat actors intercept routes and redirect the network traffic of certain prefixes of an autonomous system (IP address pools) through the threat actor’s equipment. The most common objective of such attacks is cyberespionage and disruption of major telecommunications companies’ work.
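The two hijack classes named above (tampered DNS records and BGP prefix hijacks) are both detectable as drift from a known-good baseline. The following is an added example, not code from Group-IB or the report: a small Python monitor that compares the records a registrar or operator keeps under change control against what a periodic resolver or route-collector poll observed. All domain names, IP prefixes and AS numbers below are constructed sample data.

```python
"""Baseline-drift checks for DNS records and BGP prefix origins.

Added example. EXPECTED_* are the operator's known-good baseline; OBSERVED_*
stand in for what a periodic resolver poll or route-collector feed returned.
All names, addresses and AS numbers are constructed, not from the report.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # e.g. "dns-changed", "bgp-origin", "bgp-more-specific"
    subject: str   # the record or prefix the finding concerns
    detail: str    # human-readable explanation for the analyst


# Constructed baseline: (owner name, record type) -> set of expected values.
EXPECTED_DNS = {
    ("example-bank.test", "A"): {"198.51.100.10"},
    ("example-bank.test", "NS"): {"ns1.example-bank.test", "ns2.example-bank.test"},
    ("example-bank.test", "MX"): {"mail.example-bank.test"},
}

# Constructed observation: the A record now points elsewhere (traffic redirection)
# and an extra MX host has appeared (mail interception). NS is unchanged.
OBSERVED_DNS = {
    ("example-bank.test", "A"): {"203.0.113.77"},
    ("example-bank.test", "NS"): {"ns1.example-bank.test", "ns2.example-bank.test"},
    ("example-bank.test", "MX"): {"mail.example-bank.test", "mx.attacker.test"},
}


def detect_dns_drift(expected, observed):
    """Report every baseline record set that is missing or differs from what was observed."""
    findings = []
    for (name, rtype), want in expected.items():
        got = observed.get((name, rtype), set())
        subject = f"{name}/{rtype}"
        if not got:
            findings.append(Finding("dns-missing", subject, "no records observed"))
            continue
        added, removed = got - want, want - got
        if added or removed:
            findings.append(Finding("dns-changed", subject,
                                    f"added={sorted(added)} removed={sorted(removed)}"))
    return findings


# Constructed baseline: prefix -> the AS number that legitimately originates it.
EXPECTED_ORIGIN = {"198.51.100.0/24": 64500}

# Constructed route observations: (prefix, origin AS, AS path as seen by the collector).
# The /25 is a more-specific announcement from a foreign origin, which wins
# longest-prefix matching and pulls half of the /24's traffic to the wrong network.
OBSERVED_BGP = [
    ("198.51.100.0/24", 64500, [64510, 64500]),
    ("198.51.100.0/25", 64666, [64520, 64666]),
]


def detect_origin_hijack(expected, announcements):
    """Flag announcements covering a baseline prefix whose origin AS is not the expected one."""
    findings = []
    for prefix, origin, path in announcements:
        net = ipaddress.ip_network(prefix)
        for exp_prefix, exp_asn in expected.items():
            exp_net = ipaddress.ip_network(exp_prefix)
            # Only announcements inside (or equal to) a baseline prefix are relevant.
            if net.version != exp_net.version or not net.subnet_of(exp_net):
                continue
            if origin != exp_asn:
                kind = "bgp-more-specific" if net.prefixlen > exp_net.prefixlen else "bgp-origin"
                findings.append(Finding(kind, prefix,
                                        f"origin AS{origin}, expected AS{exp_asn}, path {path}"))
    return findings


def run_checks():
    """Run both checks over the constructed data and return all findings."""
    return detect_dns_drift(EXPECTED_DNS, OBSERVED_DNS) + \
        detect_origin_hijack(EXPECTED_ORIGIN, OBSERVED_BGP)


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

In production the observed sets would come from querying several independent resolvers (so that a single poisoned cache does not produce a false alarm) and from a public route-collector feed, and any finding on an NS or MX record deserves the same urgency as one on an A record, since a changed NS delegation lets the attacker rewrite every other record at will.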

The telecommunications sector: Are providers ready for 5G?

Group-IB describes nine groups (APT10, APT33, MuddyWater, HEXANE, Thrip, Chafer, Winnti, Regin, and Lazarus) that posed a major threat to the telecommunications sector during the period investigated. The telecom industry has become a key target for state-sponsored attackers. If they manage to compromise a telecommunications company, they can then also compromise its customers for surveillance or sabotage purposes.

The development of 5G networks will create new threats to this industry. The architectural features of 5G (compared to 1/2/3/4G), such as superfast data transfers and other advantages of the new technology, are mainly implemented in software rather than on hardware platforms. This means that all threats to server and software solutions are becoming relevant to 5G network operators. Such threats, including traffic manipulation and DDoS attacks, will become much more frequent and effective due to the large number of insecure connected devices and the wide bandwidth available. The same can be said of BIOS/UEFI-related attacks, side-channel attacks, and supply chain attacks.

The energy sector: hidden threats

Seven groups (LeafMiner, BlackEnergy, Dragonfly, HEXANE, Xenotime, APT33, and Lazarus) carry out attacks for espionage purposes. Yet in some cases, their attacks involved shutting down energy infrastructure or certain facilities in various countries. For example, in 2019, Lazarus attacked a nuclear organization in India, which led to the power plant’s second unit being shut down. The atypical choice of victim indicates that rival countries may have been interested in these attacks.

With the exception of the above-mentioned example, the tools used by these groups remain under the radar. In recent years, only two frameworks capable of affecting processes within such organizations were detected: Industroyer and Triton (Trisis). Both were found as a result of an error on the part of their operators. It is likely that there is a significant number of similar undetected threats. Among attacks that are typical of the energy industry, Group-IB experts highlight supply-chain attacks conducted through software and hardware vendors.

The financial sector: the “Big Russian Three” goes global

Hitting banks around the world is the prerogative of Russian-speaking hackers: three (Cobalt, Silence, MoneyTaker) out of five cybercriminal groups that pose a genuine threat to banks worldwide are Russian-speaking. After using Russia as a testing ground, the Russian-speaking groups continued their expansion by multiplying attacks outside the country.

In 2018, a new group from Kenya, called SilentCards, joined the “Big Russian Three” (Cobalt, MoneyTaker, and Silence, all Russian-speaking) and the North Korean group Lazarus. Cobalt, Silence, and MoneyTaker continue to be the only owners of Trojans that can control ATM dispensers. However, over the period investigated, Silence was the only threat actor that carried out attacks through ATMs. Silence and SilentCards used card processing, while Lazarus used SWIFT (two successful thefts in India and Malta amounting to $16 million in total). From the aforementioned groups, only the North Korean APT Lazarus uses a theft method called FastCash. Silence reduced the use of phishing mail-outs, instead purchasing access to targeted banks from other groups, in particular TA505.

According to Group-IB’s forecasts, in order to withdraw money, these groups will continue to carry out attacks on card processing systems and use Trojans for ATMs. They will shift their focus away from SWIFT. Lazarus will remain the only group to steal money through SWIFT and ATM Switch. SilentCards may remain local and focus on African banks; the group is likely to expand its list of targets by attacking other industries. Its main vector will be extortion as part of ransomware attacks.

Bank card compromise, carding, and data leaks

In recent years, threat actors have been gradually abandoning sophisticated banking Trojans, while attacks on banking customers have become simpler from a technical point of view. Over the period investigated, the carding market size grew by 33% to reach $879,680,072. The number of compromised cards released on underground forums increased from 27.1 million to 43.8 million. The average price for raw card data (card number, expiration date, cardholder name, address, CVV) rose from $9 to $14, while the average price for a dump fell from $33 to $22. The lowest price is usually set for compromised data stolen from US banks; on average, they cost $8-10 for up-to-date raw card data and $16-24 for dumps. The average price of raw card data stolen from European banks is much higher and amounts to $18-21; the cost of dumps is $100-120.

Bank card dumps continue to make up around 80% of the carding market. Over the period investigated, cybersecurity specialists detected 31.2 million dumps put up for sale, i.e. 46% more than last year. The sale of raw card data is also on the rise, with a 19% growth. The largest bank card data leaks are related to compromises of US retailers. The United States is far ahead and comes first, with 93% of all cards compromised. Middle Eastern countries (Kuwait, Pakistan, the UAE, and Qatar) together account for 2.38% in this ranking.