North Korean, China-linked state actors reported to focus on espionage and cryptocurrency interests in Big Game Hunting.

During 2019, financially motivated cybercrime activity occurred on a nearly continuous basis, with an increase in incidents of ransomware, maturation of the tactics used, and increasing ransom demands from threat actors.

Increasingly, these actors had begun conducting data exfiltration, enabling the weaponization of sensitive data through threats of leaking embarrassing or proprietary information. Beyond cybercrimes, nation-state adversaries continued unabated throughout 2019, targeting a wide range of industries. Another key trend was the telecommunications industry being targeted with increased frequency by threat actors, such as China and DPRK. Various nations, particularly China, have an interest in targeting this sector to steal intellectual property and competitive intelligence.

These are some of the findings of the 2020 CrowdStrike Global Threat Report released on 4 Mar 2020.

Other notable highlights from report:

  • The trend toward malware-free tactics accelerated, with malware-free attacks surpassing the volume of malware attacks. In 2019, 51% of attacks used malware-free techniques, compared to 40% using malware-free techniques in 2018, underscoring the need to advance beyond traditional antivirus (AV) solutions.
  • China continues to focus many operations on supply chain compromises, demonstrating the nation-state’s continued use of this tactic to identify and infect multiple victims. Other targeting of key US industries deemed vital to China’s strategic interests—including clean energy, healthcare, biotechnology, and pharmaceuticals—is also likely to continue.
  • The industries at the top of the target list for enterprise ransomware (Big Game Hunting) observed were local governments and operational technology, academic institutions, the technology sector, healthcare, manufacturing, financial services and media companies.
  • In addition to supporting currency generation, DPRK’s targeting of cryptocurrency exchanges could support espionage-oriented efforts designed to collect information on users or cryptocurrency operations and systems. In addition, CrowdStrike Intelligence suspects that DPRK has also been developing its own cryptocurrency to further circumvent sanctions.

Said Adam Meyers, vice president of Intelligence at CrowdStrike: “2019 brought an onslaught of new techniques from nation-state actors and an increasingly complex eCrime underground filled with brazen tactics and massive increases in targeted ransomware demands. As such, modern security teams must employ technologies to detect, investigate and remediate incidents faster with swift preemptive countermeasures, such as threat intelligence, and follow the 1-10-60 rule.”

The aforementioned 1-10-60 guidelines involve:

  1. detect intrusions in under 1 minute
  2. investigate in 10 minutes
  3. contain and eliminate the adversary in 60 minutes

Organizations that meet this benchmark are much more likely to eradicate the adversary before an attack spreads from its initial entry point, ultimately minimizing organizational impact, say Crowdstrike experts. Said Jennifer Ayers, vice president of OverWatch at CrowdStrike: “This year’s report indicates a massive increase in eCrime behavior that can easily disrupt business operations, with criminals employing tactics to leave organizations inoperable for large periods of time. It’s imperative that modern organizations employ a sophisticated security strategy that includes better detection and response and 24/7/365 managed threat hunting to pinpoint incidents and mitigate risks.”

For additional information, read a blog on report findings from George Kurtz, CrowdStrike’s co-founder and chief executive officer.