Spies spy: CrowdStrike report says cyberspooks are EVERYWHERE

And where state spies lead, criminals soon follow

In a new report on cyber-espionage, CrowdStrike has confirmed that governments across the world are spying on everyone online.

A year-long study by the security intelligence firm has identified more than 50 groups of cyber threat actors, blaming groups in China, Iran, Russia, North Korea, and Syria for high-profile attacks.

Among the groups profiled in the report is a Russian group (dubbed Energetic Bear) that collects intelligence on the energy industry.

CrowdStrike reckons that the groups it is tracking make up the majority of the sophisticated threats attacking enterprises across the globe. Groups can be distinguished by the differences in their tactics, techniques, and procedures, such as the tools and infrastructure they use for attacks, their level of sophistication, and the working hours hackers put into running attacks.

All this doesn't point to a "smoking gun" as such but does provide more than enough circumstantial evidence for CrowdStrike researchers to have a high degree of confidence in the theories they put together.

Other cyber-espionage crews of note include Magic Kitten, an established group of cyber attackers based in Iran who carried out several campaigns in 2013, including a series of attacks targeting political dissidents and supporters of the Iranian political opposition in the run-up to the country's May elections last year.

A lot of the information points to cyber-espionage activity being economically driven, but it can also be a spillover from political disputes, according to CrowdStrike. Cybercrooks and hacktivists with loose ties to government, such as the Syrian Electronic Army, also play a part in the threat landscape.

Attacks by cyber-espionage players are rarely destructive, with some notable exceptions in the case of the sabre-rattling North Koreans that may become a pattern. The North Korean state's winter training cycle may result in increased cyber-activity from the rogue Communist country. This could include destructive attacks against South Korea along the lines of the Windows-wiping malware that hit banks and media organisations.

CrowdStrike also reckons that net infrastructure hosted outside the country but abused by the Norks in cyber-espionage attacks is being used for cybercrime as well.

CrowdStrike's report is notable for lacking incidents attributable to the NSA's elite TAO hacking crew. Documents leaked by NSA whistleblower Edward Snowden revealed that TAO was responsible for installing "50,000 malware sleeper cells" in computer networks worldwide.

GCHQ, outed by Snowden for APT-style attacks against Belgacom, is also absent. "We haven't seen any customers victimised by anything that ties back to those countries [USA and UK]," Adam Meyers, VP of intelligence at CrowdStrike, told El Reg.

Popular tactics of Russian and Chinese attackers include watering-hole-style attacks, which reach targets by infecting the websites most frequently visited by workers at the targeted organisation. Attacks of this type were successfully used last year against the Council on Foreign Relations, the U.S. Department of Labor and several foreign embassies, CrowdStrike reports.

"Compromising and weaponising a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack," CrowdStrike's Meyers explained. "A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this tactic will be used with increasing frequency among the adversaries that we are tracking."

Meyers told El Reg that the methods and tactics of cyberspies are starting to be applied by cybercriminals, citing the high-profile breach of supermarket chain Target as an example.

"The Target attackers got in elsewhere before moving across the network to hit cash registers with a malicious update," Meyers explained. "This is straight out of the cyber-espionage actors' playbook."

"Cyber criminals are often ahead of cyberspies in the sophistication of their malware but behind in their tradecraft," Meyers added.

CrowdStrike's Global Threats Report: 2013 Year In Review document (summary available here, registration required for full download), which focuses on adversaries rather than the malicious code they use, is designed to allow security professionals to differentiate between targeted and commodity attacks, saving time and focusing attention on the most serious threats to their business.

An infographic here summarises how the web has become an arena of conflict for spies worldwide.

"One of the advantages of focusing on adversaries, rather than malicious code, is that humans have detectable habits and often make mistakes," Meyers added. "We believe that the data we have collected here is not only a good summary of what happened in 2013, but a harbinger of the attacks to come in 2014. This is the type of information that enterprises can use to develop better, more effective defenses."

CrowdStrike predicts that 2014 will bring increased targeting of vulnerabilities in Windows XP, which will reach end-of-life from Microsoft this April; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Winter Olympics in Sochi, the US withdrawal from Afghanistan, the World Cup in Brazil, the 2014 G20 Summit, and major national elections.

Windows XP will reach end-of-life on 8 April 2014, meaning that Microsoft will no longer release security patches for it after that date. Vulnerability researchers are likely sitting on backlogs of unreported Windows XP vulnerabilities, with plans to publicly release or privately sell the details after this date. As such, CrowdStrike expects to see a rise in XP-targeted exploits and a resulting rise in XP infections by the middle of this year. ®
