A report on high-tech crime trends shows 2019’s alarming growth of state-sponsored threats and other innovative attack vectors coming our way.

The most frustrating cyberattack trend of 2019 was the use of cyberweapons in military operations and attacks on various key industries and critical infrastructure facilities (CII), as well as campaigns aimed at destabilization of the Internet in certain countries.

This was the finding of a report “Hi-Tech Crime Trends 2019-2020” by Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks. The new report examines attacks conducted for espionage and sabotage purposes by the most notorious cybercriminal groups and state-sponsored attackers. In total, 38 different state-sponsored threats were active throughout the review period, including seven new ones.

Group-IB’s report was presented at the CyberCrimeCon 2019 international Threat Hunting and Intelligence conference in Singapore. Compared to its predecessors, the sixth annual “Hi-Tech Crime Trends” report is the first to contain chapters devoted to the main industries attacked and covers the period from H2 2018 to H1 2019, as compared to the period from H2 2017 to H1 2018. Group-IB analysts highlighted the key high-tech crime trends and have concluded that 2019 heralds a new era of cyberattacks.

According to Dmitry Volkov, Group-IB’s CTO and Head of Threat Intelligence, the past three years have clearly shown just how fast threats in cyberspace are escalating. “While 2017 was the year of WannaCry, NotPetya, and BadRabbit ransomware epidemics, 2018 revealed a lack of preparedness for side-channel attacks and threats related to microprocessor vulnerabilities. As for 2019, it has become the year of covert military operations in cyberspace. Conflicts between states have taken on new forms, and cyber activities play a leading role in this destructive dialog.”

Researchers worldwide are gradually shifting their focus from financially motivated cybercriminals to state-sponsored threat actors, said Volkov. Groups acting in their own national interest fly under the radar for many years. Only a few such incidents have become known, but most indicate that the critical infrastructure of many countries has already been compromised. “This means that a peaceful existence is no longer possible while being out of touch with cybersecurity. The latter cannot be ignored by any state, corporation, or individual.”

Confrontation between states

In 2019, cybersecurity became a heavily debated topic in politics. The Venezuela blackout, open military operations in cyberspace between conflicting states, and targeted destabilization of the Internet in certain countries have all set extremely dangerous precedents that could lead to social and economic damage and destabilize the situation in the countries affected.

Throughout the second half of 2018 and the first half of 2019, security experts identified numerous previously unknown state-sponsored groups. Group-IB researchers focused on 38 hacker groups, of which seven were new cyberespionage groups. One of the groups, called RedCurl, was uncovered by Group-IB in late 2019. The threat actor mainly targets insurance, consulting, and construction companies. The group’s distinctive features are the high quality of their phishing attacks and the use of legitimate services, which makes it very difficult to detect its malicious activity.

Many APTs analyzed in the report have been conducting their operations for several years and have gone unnoticed for a long time. Some groups attack similar targets, which leads to competition between them and means that their actions are detected more quickly. One of the trends related to the active confrontation between attackers has been hacking back, i.e. when attackers themselves become the victims of hacking. Today, private companies cannot legally conduct such operations.

Internet destabilization at state level 

In the past, scenarios in which a country could be disconnected from the Internet seemed unrealistic, yet they are becoming increasingly likely. Disrupting the Internet in a certain country requires long preparation, but Group-IB’s analysis of attacks described in its report proves that it is technically feasible.

Domain name registrars are part of a country’s CII. Disrupting their work affects the Internet, which is why registrars are targeted by state-sponsored threat actors. The past months have shown that the most dangerous hacks involved DNS hijacking, which helped attackers manipulate DNS records for MITM attacks. Researchers also mention traffic manipulations and BGP hijacking attacks, during which threat actors intercept routes and redirect the network traffic of certain prefixes of an autonomous system (IP address pools) through the threat actor’s equipment. The most common objective of such attacks is cyberespionage and disruption of major telecommunications companies’ work.
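As an added illustration (not code from Group-IB or its report), the following Python checks a constructed set of BGP announcements against a baseline of the prefixes an operator expects to originate, flagging the two patterns the paragraph describes: a prefix announced by an unexpected origin AS, and a more-specific prefix carved out of the monitored address space. The prefixes and ASNs are hypothetical documentation-range values.

```python
import ipaddress

# Constructed baseline (hypothetical documentation-range prefixes and private ASNs):
# the prefixes an operator legitimately originates and the ASNs allowed to originate them.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500},
}

# Constructed sample of announcements as a route collector might report them:
# (prefix, origin ASN, AS path). None of these are real observations.
OBSERVED = [
    ("203.0.113.0/24", 64500, [64510, 64500]),    # legitimate origin
    ("203.0.113.0/25", 64666, [64510, 64666]),    # more-specific carved out of our space by a foreign AS
    ("198.51.100.0/24", 64666, [64520, 64666]),   # same prefix, unexpected origin (MOAS conflict)
    ("192.0.2.0/24", 64530, [64530]),             # not our space, no baseline to compare against
]

def classify(prefix, origin, expected=EXPECTED_ORIGINS):
    """Return None if the announcement matches the baseline, else a label for the anomaly.

    Expected prefixes are checked most-specific first so a /24 baseline inside a /16
    baseline is matched before the /16.
    """
    net = ipaddress.ip_network(prefix)
    baseline = sorted(((ipaddress.ip_network(p), o) for p, o in expected.items()),
                      key=lambda item: -item[0].prefixlen)
    for exp_net, origins in baseline:
        if exp_net.version != net.version:
            continue
        if net == exp_net:
            return None if origin in origins else "origin-mismatch"
        if net.subnet_of(exp_net):
            # A longer prefix wins in route selection, so a foreign more-specific
            # silently attracts the traffic of the covering prefix.
            return None if origin in origins else "more-specific-hijack"
    return None  # prefix is outside the monitored space

def find_suspicious(announcements, expected=EXPECTED_ORIGINS):
    """Run every observed announcement through classify() and collect the anomalies."""
    alerts = []
    for prefix, origin, _path in announcements:
        label = classify(prefix, origin, expected)
        if label is not None:
            alerts.append((prefix, origin, label))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(OBSERVED):
        print("ALERT: prefix %s originated by AS%d: %s" % alert)
```

In practice the baseline would come from the operator's own IRR/RPKI data and the observations from a route collector feed; the comparison logic stays the same.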

Are telco providers ready for 5G threats? 

In its report, Group-IB describes nine groups (APT10, APT33, MuddyWater, HEXANE, Thrip, Chafer, Winnti, Regin, and Lazarus) that posed a major threat to the telecommunications sector during the period investigated. The telecom industry has become a key target for state-sponsored attackers. If they manage to compromise a telecommunications company, they can then also compromise its customers for surveillance or sabotage purposes.

The development of 5G networks will create new threats to this industry. The architectural features of 5G (compared to 1/2/3/4G), such as superfast data transfers and other advantages, are mainly implemented in software rather than on hardware platforms. This means that all threats to server and software solutions are becoming relevant to 5G network operators. Such threats, including traffic manipulation and DDoS attacks, will become much more frequent and effective due to the large number of insecure connected devices and the wide bandwidth available. The same can be said of BIOS/UEFI-related attacks, side-channel attacks, and supply-chain attacks.

In the coming years, the cybersecurity level of 5G market players will be a factor that determines their market share, according to the report. Cybersecurity problems faced by a 5G platform provider will give other providers a competitive advantage. Many telecom operators are Managed Service Providers and provide security services to government and commercial organizations. Threat actors will attack operators to penetrate the networks they protect.

Hidden threats in the energy sector

The “Hi-Tech Crime Trends 2019-2020” report describes seven groups (LeafMiner, BlackEnergy, Dragonfly, HEXANE, Xenotime, APT33, and Lazarus) that usually carry out attacks for espionage purposes. Yet in some cases, their attacks involved shutting down energy infrastructures or certain facilities in various countries.

For example, in 2019, Lazarus attacked a nuclear organization in India, which likely led to the power plant’s second unit being shut down. The atypical choice of victim indicates that military departments of rival countries may have been interested in these attacks. Since the time of Stuxnet, the Middle East has been the main testing ground for tools used in attacks on energy organizations. Compromising IT networks using traditional techniques and malware, including living-off-the-land attacks, is the main vector for penetrating isolated segments of OT networks.

With the exception of the abovementioned example, the tools used by these groups remain under the radar. According to the report, in recent years only two frameworks capable of affecting processes were detected: Industroyer and Triton (Trisis). Both were found as a result of an error on the part of their operators. It is highly likely that there is a significant number of similar undetected threats. Among attacks that are typical of the energy industry, Group-IB experts highlight supply-chain attacks conducted through software and hardware vendors. Management companies are attacked first and then used to penetrate networks belonging to energy companies.

The financial sector: the “Big Russian Three” goes global

Hacking banks around the world is the prerogative of Russian-speaking hackers: they still make up the majority of attacking groups. In 2018, a new group called SilentCards from Kenya joined the “Big Russian Three” (Cobalt, MoneyTaker, and Silence, all Russian speakers) and the North Korean group Lazarus. Cobalt, Silence, and MoneyTaker continue to be the only owners of Trojans that can control ATMs. However, over the period investigated, Silence was the only threat actor that carried out attacks through ATMs. Silence and SilentCards used card processing, while Lazarus used SWIFT (two successful thefts in India and Malta amounting to USD 16 million in total).

From the aforementioned groups, only the North Korean advanced persistent threat (APT) group Lazarus uses a theft method called FastCash. Silence reduced the use of phishing mail-outs, instead purchasing access to targeted banks from other groups (especially TA505). As of today, SilentCards has poor technical skills (compared to other groups) and therefore carries out successful targeted attacks only on banks in Africa.

After using Russia as a testing ground, the Russian-speaking groups continued their expansion by multiplying their attacks outside the country. Since July 2018, attacks have been conducted in India (Silence and Lazarus), Vietnam (Lazarus), Pakistan (Lazarus), Thailand (Lazarus), Malta (Lazarus), Chile (Lazarus, Silence), Kenya (SilentCards), Russia (MoneyTaker, Cobalt, Silence), and Bulgaria (Cobalt, Silence). Silence also carried out single attacks in Costa Rica, Ghana, and Bangladesh.

According to Group-IB’s predictions, in order to withdraw money, these groups will continue to carry out attacks on card-processing systems and use Trojans for ATMs. They will shift their focus away from SWIFT. Lazarus will remain the only group to steal money through SWIFT and ATM Switch. Infrastructure disruption to cover tracks will be the final stage of successful attacks. SilentCards may remain local and focus on African banks; the group is likely to expand its list of targets by attacking other industries. Its main vector will be blackmailing as part of ransomware attacks.