Earlier this month, the global cybersecurity firm, CrowdStrike, released their 2021 Global Threat Report, which provides a detailed, in-depth picture of the current threat landscape facing organizations today, an overview of threat activity from the past year, and recommendations for how cybersecurity professionals and cyberwarriors from across the public and private sector can better protect their networks.
This year’s Global Threat Report focused on what was a unique and eventful year for cyberattacks and cybersecurity in general. The ongoing COVID-19 pandemic, which shut down businesses, quarantined civilians, sent companies reeling to adopt the technologies needed for effective work-from-home initiatives, and left many people around the globe steeped in fear and uncertainty, created an opportunity for malicious actors. And they clearly pounced on it.
To gain some additional insights and discuss some of the more interesting – and in some cases, surprising – findings in this year’s report, we sat down with James Yeager, the VP of Public Sector at CrowdStrike. During our discussion, we asked about how a pandemic could create opportunities for hackers, why big game hunting attacks are increasing in popularity, and why industries like pharmaceuticals and manufacturing are increasingly being targeted for cyberattacks.
Here is what James had to say:

GovCyberHub (GCH): Why were malicious actors targeting COVID-19 related entities? What types of organizations were they attacking and were there any notable breaches?
James Yeager: Malicious actors, from both the eCrime sector and from a nation-state perspective, took massive advantage of COVID-19 starting back in March 2020.
In the early days of the pandemic, objectives for targeted intrusion actors may have included acquiring information on infection rates or country-level responses to the treatment of COVID-19. However, as the pandemic accelerated, the search for a vaccine became of paramount importance, and the scientific information that could lead to a vaccine for COVID-19 was a high-priority collection requirement for many targeted intrusion adversaries.
We saw threat actors leverage a variety of tactics to exploit vulnerabilities that the COVID-19 crisis dredged up: phishing campaigns, targeting remote services, vishing robocalls, and more. CrowdStrike also observed nation-state actors from China, North Korea, and India conducting campaigns to use COVID lures against targets. From a vaccine targeting perspective, we saw DPRK and China target entities involved with the research, production, or distribution of COVID-19 therapeutics.
We expect these actors to continue to target entities involved with vaccine research in 2021.
GCH: How did malicious actors leverage the societal and political difficulties of 2020 for social engineering techniques? How successful were these in 2020?
James Yeager: The COVID-19 pandemic provided the perfect nesting ground for both eCrime actors and nation-state actors, as adversaries are always looking for the lowest barrier to entry and often take advantage of current news to launch threats. They took advantage of COVID-19 fears and widespread panic by ramping up pandemic-related lures and spear-phishing techniques.
In the early days of the pandemic, we saw successful phishing campaigns spoof organizations such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) to take advantage of the public’s confusion and panic.
GCH: Why are Big Game Hunting (BGH) attacks so prevalent? Do they actually net large rewards for the risk?
James Yeager: We first saw BGH – targeted enterprise ransomware – really start to ramp up in proliferation in 2019. BGH is so popular because there is a low risk for cyber adversaries but a high reward.

In general, we’ve seen the eCrime landscape explode over the last two years. Out of all the intrusions CrowdStrike tracked in 2020, eCrime ones made up 79 percent of all intrusions uncovered by OverWatch – via hands-on-keyboard activity. We expect 2021 to be just as prolific.
The healthcare industry, in particular, faces a significant threat from BGH groups deploying ransomware, including the disruption of critical care facilities in the midst of the pandemic. In fact, CrowdStrike Intelligence confirmed 18 BGH ransomware families infected 104 healthcare organizations in 2020, with the most prolific being TWISTED SPIDER with Maze and WIZARD SPIDER with Conti. In some cases, adversaries may have avoided targeting hospitals but proceeded with attacks against pharmaceutical and biomedical companies.
Regarding the risk vs. reward with BGH, CrowdStrike data indicates that rewards are very high. On a global scale, organizations that choose to pay the ransom are paying, on average, more than $1 million per ransomware attack. We expect this number to continue to increase in 2021.
GCH: The industrial engineering and manufacturing industries were among the most affected by data leaks. Why is that? And, of what value are these targets?
James Yeager: Data leaks are a tactic used primarily by ransomware actors as a means to threaten their victims. We’ve seen this escalate in popularity among eCrime actors over the last year, with many cybercriminals turning to double extortion methods. The double extortion or the double ransom model is where threat actors will encrypt the target’s data and not only demand a ransom for its return, but leverage additional payment incentives to add pressure on the victim to pay the ransom.
Both the industrial engineering and manufacturing industries would suffer greatly if hit with a potential ransomware incident. A disruption of day-to-day operations – in either industry – would greatly affect the core business if a company were unable to meet production demands due to system outages. This makes them an alluring target to adversaries – once again it comes down to low risk with a high reward.
GCH: What are access brokers? And, how do they enable eCrime? What’s the impact of these threats?
James Yeager: The eCrime ecosystem remains vast and interconnected, with many criminal enterprises existing to support big game hunting operations. In 2020, we saw the emergence of access brokers who are threat actors that gain backend access to various organizations – corporations and government entities – and sell this access either on criminal forums or through private channels.
When criminal malware operators purchase access, it eliminates the need to spend time identifying targets and gaining access, allowing for increased and quicker deployments as well as a higher potential for monetization. Some access brokers escalate privileges to the domain administrator level – often advertised as “full access” – while other access brokers just provide the credentials and endpoints necessary to gain access.
The use of access brokers has become increasingly common among BGH actors and aspiring ransomware operators. CrowdStrike Intelligence has observed some access brokers associated with affiliates of Ransomware-as-a-Service (RaaS) groups. Ultimately, they make the eCrime ecosystem more complex and difficult for defenders to combat.
To download a complimentary copy of the full 2021 Global Threat Report, courtesy of CrowdStrike, click here.
Global Threat Report Shows Malicious Actors Went Big Game Hunting in 2020
