Lately, I have been writing about what the Cyberthreat landscape looks like for 2019. I have mentioned such things as more sophisticated Ransomware attacks, Cryptojacking, and attacks on Critical Infrastructure, to name just a few. But with all of this discussion going on, does anybody even remember what happened in 2018? So in this blog, let us recap the year's major events.
This year, of course, saw some major Cyberattacks on a very large scale. Hardly a day went by when I did not read a headline about a restaurant's Point of Sale terminals being infected with malware and all of the credit card data being stolen.
Probably the biggest Cyberattack that I can recall to cap this year off was the recent breach at the Marriott hotel chain. Then of course there was the BritishAirways.com hack, and so forth.
Many new breeds of Cyberattackers have come and gone this year, with some oldies but goodies coming back and making their mark yet again. Some of them kept to their old ways of hacking, while many other Cyberattack groups came out with newer variants of some of the oldest attack vectors.
Probably the best example of this is Phishing, where we saw a huge uptick in the number of Business Email Compromise (BEC) attacks, which is a Phishing variant.
So, who were the biggest Cyberattackers of this year? Here is the breakdown:
*Sofacy (aka Fancy Bear / APT28):
This has by far been rated by Kaspersky Labs as the most active Cyberattack group out there. It also goes by other aliases, such as "Fancy Bear" and "APT28". But rather than hitting targets in North America, it shifted its attention to the Far East and the Middle East in 2018. Its targets included both government and military agencies. To launch its attacks, Sofacy used three dominant Malware Variants known as "SPLM", "GAMEFISH", and "Zebrocy".
SPLM has been deemed the flagship of Sofacy. For example, in early 2018, this Cyberattack group used it against a large air-defense-related organization in China. It then used Zebrocy across a wide geographic area which included Armenia, Turkey, Kazakhstan, Tajikistan, Afghanistan, Mongolia, China, and Japan.
Kaspersky also linked Sofacy to the OlympicDestroyer Malware deployed at the Winter Olympics held this year in Pyeongchang, South Korea. Note that OlympicDestroyer carried deliberate false flags pointing at other groups, so this attribution was contested at the time.
*Lazarus (aka HIDDEN COBRA):
This Cyberattack group primarily hit financial institutions located in Turkey, Asia, and Latin America. Its main intent was financial: attacks on Cryptocurrency exchanges and businesses in those regions, stealing funds outright rather than Cryptojacking their machines. Its newest Malware Variant is called "ThreatNeedle".
The primary geographic target of this Cyberattack group was Germany. With its various Malware packages, such as "LightNeuron", it compromised Microsoft Exchange Servers used in German government agencies, such as the Federal Foreign Office. It has also continued to use its "Carbon" backdoor, which is not new but was again used mostly to target foreign embassies around the world.
So, now what about the new kids on the block? The ones that have emerged and made their presence known in 2018 include the following:
These groups are located in the Middle East and Southeast Asia. They are deemed not to be very technically savvy, but for the most part, they were able to reach their hacking objectives.
Other, more sophisticated Cyberattack groups to emerge from the Middle East include:
The primary targets of the above-mentioned newbies included those of government and military agencies.
Now, how about those Cyberattack groups that took a long hibernation period and made a comeback in 2018? These include the following:
*The Kimsuky APT:
This Cyberattack group's targets are in South Korea, mostly think tanks and political activist groups. Its main objective is to run Cyberespionage campaigns.
This is a Cyberattack group based in China. It launched what are known as "watering hole attacks", staged out of compromised data centers in Central Asia and Oman.
This is a Japan-based Cyberattack group, and it created a new Malware Variant called "Poor Web", which targeted the Android OS running on Samsung devices.
My thoughts on this?
Well, there you have them: the major Cyberattack groups, the newbies, and the oldies of 2018. Have you noticed some common themes here? First, although a couple of them have created brand new Malware packages, many of the Malware attacks that these groups launched are "Variants", meaning these newer forms of Malware are simply the latest, revised editions of an earlier Malware package.
Second, there has been an explosion in the number of newbie Cyberattack groups. Notice that they are not too tech savvy, but they can still get the job done with all of the hacking tools that are available both on the Internet and the Dark Web.
Third, many of these Cyberattack groups have not engaged in what are known as "Smash and Grab" campaigns. The attacks described in this blog have been very carefully planned, deliberate, and slow. The objective here (as I wrote about yesterday) is to penetrate a target as covertly as possible and stay in for as long as possible.
This does not mean that they linger in there forever, but the Cyberattacker may leave a few months after the initial penetration and then come back into the same target via a secret backdoor they created.
Fourth, with the exception of the data centers, the targets above are organizations (government, military, financial institutions, think tanks) rather than any particular piece of IT Infrastructure. So, anything and everything is fair game in the eyes of the Cyberattacker.
Fifth, there is no mention of any Cyberattack groups originating in the United States. It seems that all of these organizations originate in Russia, China, North Korea, elsewhere in Asia, and the Middle East. It is quite likely that most of the existing and future Cyberattack groups will be concentrated in these geographic locations.
So, 2019 may not see a lot of attacks aimed at IT Infrastructure itself. I think the targets will be those that are heavily technology dependent, such as devices in the world of the Internet of Things (IoT). Also, the days of simply hacking into a database to get passwords are long gone.
The Cyberattacker of today and tomorrow wants to do a lot more damage, such as physical destruction of property, mass public chaos, and large-scale extortion.