Spies spy: CrowdStrike report says cyberspooks are EVERYWHERE

And where state spies lead, criminals soon follow

CrowdStrike has confirmed that governments across the world are spying on everyone online with a new report on cyber-espionage.

A year-long study by the security intelligence firm has identified more than 50 groups of cyber threat actors, blaming groups in China, Iran, Russia, North Korea, and Syria for high profile attacks.

Among the groups profiled in the report is a Russian group (dubbed Energetic Bear) that collects intelligence on the energy industry.

CrowdStrike reckons that the groups it is tracking make up the majority of the sophisticated threats attacking enterprises across the globe. Groups can be distinguished by the differences in their tactics, techniques, and procedures, such as the tools and infrastructure they use for attacks, their level of sophistication and the working hours hackers put into running attacks.

All this doesn't point to a "smoking gun" as such but does provide more than enough circumstantial evidence for CrowdStrike researchers to have a high degree of confidence in the theories they put together.
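The working-hours signal mentioned above, as an added illustration that is not CrowdStrike's code or method: given UTC timestamps of observed operator activity, score every whole-hour UTC offset by how many events would fall inside an assumed 09:00-18:00 local office day. The timestamps are constructed, and the office-hours window is an assumption.

```python
from collections import Counter
from datetime import datetime

# Constructed sample (not from the report): UTC timestamps of observed
# operator activity, e.g. interactive sessions on a compromised host. Built so
# that activity clusters in a 09:00-18:00 window at UTC+3, plus two late outliers.
SAMPLE_UTC = [
    "2013-03-04T06:15:00", "2013-03-04T07:02:00", "2013-03-04T07:40:00",
    "2013-03-05T08:05:00", "2013-03-05T08:50:00", "2013-03-05T09:30:00",
    "2013-03-06T10:10:00", "2013-03-06T11:20:00", "2013-03-06T11:55:00",
    "2013-03-07T12:30:00", "2013-03-07T13:45:00", "2013-03-07T14:20:00",
    "2013-03-09T22:10:00", "2013-03-09T23:05:00",
]

WORK_START, WORK_END = 9, 18   # assumed local office hours, [start, end)
OFFSETS = range(-12, 15)       # candidate whole-hour UTC offsets


def utc_hours(timestamps):
    """Parse ISO-8601 UTC timestamps and return their hour-of-day values."""
    return [datetime.strptime(t, "%Y-%m-%dT%H:%M:%S").hour for t in timestamps]


def in_work_hours(utc_hour, offset):
    """True if utc_hour, shifted to local time by offset, falls in office hours."""
    return WORK_START <= (utc_hour + offset) % 24 < WORK_END


def score_offsets(timestamps):
    """Return {offset: fraction of events inside office hours} for every offset."""
    hours = utc_hours(timestamps)
    return {off: sum(in_work_hours(h, off) for h in hours) / len(hours)
            for off in OFFSETS}


def best_offset(timestamps):
    """Pick the offset explaining the most events and report any ties.

    One top candidate with a clear margin is a circumstantial signal, never
    proof; several offsets tying means the data does not support a call.
    """
    scores = score_offsets(timestamps)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    top_off, top_score = ranked[0]
    ties = [o for o, s in ranked if s == top_score]
    return {"offset": top_off, "fit": round(top_score, 3), "tied": ties}


if __name__ == "__main__":
    print(best_offset(SAMPLE_UTC))   # {'offset': 3, 'fit': 0.857, 'tied': [3]}
```

Real analyses combine this with day-of-week patterns, compile timestamps and language artefacts, since a single hour histogram is easy to skew with a few outliers.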

Other cyberespionage crews of note include Magic Kitten, an established group of cyber attackers based in Iran who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting the Iranian political opposition in the run-up to the country's May elections last year.

A lot of the information points to cyber-espionage activity being economically driven but it can also be a spillover from political disputes, according to CrowdStrike. Cybercrooks and hacktivists, such as the Syrian Electronic Army with loose ties to government, also play a part in the threat landscape.

Attacks by cyber-espionage players are rarely destructive – with some notable exceptions that may become a pattern, in the case of the sabre-rattling North Koreans. The North Korean state's winter training cycle may result in increased cyber-activity from the rogue Communist country. This could include destructive attacks against South Korea along the lines of the Windows-wiping malware that hit banks and media organisations.

CrowdStrike also reckons that net infrastructure hosted outside the country, but abused by the Norks in cyberespionage attacks, is also being used for cybercrime.

CrowdStrike's report is notable for lacking incidents attributable to the NSA's elite TAO hacking crew. Revelations from NSA whistleblower Edward Snowden revealed TAO was responsible for installing “50,000 malware sleeper cells” in computer networks worldwide.

GCHQ, outed by Snowden for APT-style attacks against Belgacom, is also absent. "We haven't seen any customers victimised by anything that ties back to those countries [USA and UK]," Adam Meyers, VP of intelligence at CrowdStrike, told El Reg.

Popular tactics of Russian and Chinese attackers include watering-hole-style attacks, which compromise targets by infecting the websites most frequently visited by workers at a targeted organisation. Attacks of this type were successfully used last year against the Council on Foreign Relations, the U.S. Department of Labor and several foreign embassies, CrowdStrike reports.

“Compromising and weaponising a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” CrowdStrike's Meyers explained. “A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this tactic will be used with increasing frequency among the adversaries that we are tracking.”

Meyers told El Reg that the methods and tactics of cyberspies are starting to be applied by cybercriminals. One example is the high-profile breach against supermarket chain Target.

"The Target attackers got in elsewhere before moving across the network to hit cash registers with a malicious update," Meyers explained. "This is straight out of the cyber-espionage actors' playbook."

"Cyber criminals are often ahead of cyberspies in the sophistication of their malware but behind in their tradecraft," Meyers added.

CrowdStrike’s Global Threats Report: 2013 Year In Review document (summary available here, registration required for full download), which focuses on adversaries rather than the malicious code they use, is designed to allow security professionals to differentiate between targeted and commodity attacks, thus saving time and focusing on the most serious threats to their business.

An infographic here summarises how the web has become an arena of conflict for spies worldwide.

“One of the advantages of focusing on adversaries, rather than malicious code, is that humans have detectable habits and often make mistakes,” Meyers added. “We believe that the data we have collected here is not only a good summary of what happened in 2013, but a harbinger of the attacks to come in 2014. This is the type of information that enterprises can use to develop better, more effective defenses.”

CrowdStrike predicts that 2014 will bring increased targeting of vulnerabilities in Windows XP, which will reach end-of-life from Microsoft this April; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Winter Olympics in Sochi, the US withdrawal from Afghanistan, the World Cup in Brazil, the 2014 G20 Summit, and major national elections.

Windows XP will reach end-of-life on 8 April 2014, meaning that Microsoft will no longer release security patches for Windows XP after that date. Vulnerability researchers are likely sitting on backlogs of unreported Windows XP vulnerabilities with plans to publicly release or privately sell the vulnerabilities’ details after this date. As such, CrowdStrike expects to see a rise in XP-targeted exploits and a resulting rise in XP infections by the middle of this year.
