Spies spy: CrowdStrike report says cyberspooks are EVERYWHERE

And where state spies lead, criminals soon follow


Governments across the world are spying on people online, according to a new CrowdStrike report on cyber-espionage.

A year-long study by the security intelligence firm has identified more than 50 groups of cyber threat actors, blaming groups in China, Iran, Russia, North Korea and Syria for high-profile attacks.

Among the groups profiled in the report is a Russian group (dubbed Energetic Bear) that collects intelligence on the energy industry.

CrowdStrike reckons that the groups it is tracking account for the majority of the sophisticated threats attacking enterprises across the globe. Groups can be told apart by differences in their tactics, techniques and procedures: the tools and infrastructure they use, their level of sophistication, and the hours of the day during which their operators are active.

None of this amounts to a "smoking gun", but CrowdStrike says it provides enough circumstantial evidence for its researchers to attribute attacks to particular groups with a high degree of confidence.

Other cyber-espionage crews of note include Magic Kitten, an established group of attackers based in Iran who ran several campaigns in 2013, including a series of attacks targeting political dissidents and supporters of the Iranian political opposition in the run-up to the country's presidential election in June last year.

Much of the information points to cyber-espionage activity being economically driven, but it can also be a spillover from political disputes, according to CrowdStrike. Cybercrooks and hacktivists, such as the Syrian Electronic Army, which has loose ties to government, also play a part in the threat landscape.

Attacks by cyber-espionage players are rarely destructive, though there are notable exceptions that may become a pattern in the case of the sabre-rattling North Koreans. The North Korean state's winter training cycle may result in increased cyber-activity from the rogue Communist country. This could include destructive attacks against South Korea along the lines of the Windows-wiping malware that hit banks and media organisations there last year.

CrowdStrike also reckons that net infrastructure hosted outside the country, but abused by the Norks in cyber-espionage attacks, is also being used for cybercrime.

CrowdStrike's report is notable for lacking incidents attributable to the NSA's elite TAO hacking crew. Documents leaked by NSA whistleblower Edward Snowden showed TAO was responsible for installing "50,000 malware sleeper cells" in computer networks worldwide.

GCHQ, outed by Snowden for APT-style attacks against Belgacom, is also absent. "We haven't seen any customers victimised by anything that ties back to those countries [USA and UK]," Adam Meyers, VP of intelligence at CrowdStrike, told El Reg.

Popular tactics of Russian and Chinese attackers include watering-hole attacks, in which the attacker compromises the websites most frequently visited by workers at a targeted organisation so that those workers' browsers are served exploit code on a site they trust. Attacks of this type were successfully used last year against the Council on Foreign Relations, the US Department of Labor and several foreign embassies, CrowdStrike reports.

“Compromising and weaponising a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” CrowdStrike's Meyers explained. “A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this tactic will be used with increasing frequency among the adversaries that we are tracking.”
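Because a strategic web compromise involves no lure e-mail, the place it does leave a trace is the web-proxy log: a site that many staff visit starts referring their browsers to a host nobody in the organisation has visited before, which then serves a Java archive, Flash object or executable. The following is an added example of that triage, not code from CrowdStrike or the report; the log lines, the baseline and the host names (reserved example domains) are constructed, and the space-separated log format, with fields timestamp, client, method, URL, referer, status and content-type, is an assumption.

```python
"""Watering-hole triage over web-proxy logs (added example).

Flags requests where a popular referring site (seen from at least
MIN_REFERRER_CLIENTS distinct clients in the window) sends browsers to a
host absent from the pre-window baseline and that host serves active
content. Log lines, baseline and domains below are constructed.
"""
from collections import defaultdict
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Content that browsers execute rather than display; tune for your estate.
ACTIVE_TYPES = {"application/java-archive", "application/x-shockwave-flash",
                "application/octet-stream", "application/x-msdownload"}
ACTIVE_EXT = (".jar", ".swf", ".exe", ".class", ".dll")
MIN_REFERRER_CLIENTS = 3

# Assumed log format: timestamp client method url referer status content-type
SAMPLE_LOG = [
    "2014-01-14T09:02:11Z 10.1.2.15 GET http://trade-news.example.org/daily.html - 200 text/html",
    "2014-01-14T09:02:12Z 10.1.2.15 GET http://stats.example.net/s.js http://trade-news.example.org/daily.html 200 application/javascript",
    "2014-01-14T09:02:13Z 10.1.2.15 GET http://x7r.example/lib/x.jar http://trade-news.example.org/daily.html 200 application/java-archive",
    "2014-01-14T09:05:40Z 10.1.2.22 GET http://trade-news.example.org/daily.html - 200 text/html",
    "2014-01-14T09:05:41Z 10.1.2.22 GET http://stats.example.net/s.js http://trade-news.example.org/daily.html 200 application/javascript",
    "2014-01-14T09:05:42Z 10.1.2.22 GET http://x7r.example/lib/x.jar http://trade-news.example.org/daily.html 200 application/java-archive",
    "2014-01-14T09:11:03Z 10.1.2.31 GET http://trade-news.example.org/daily.html - 200 text/html",
    "2014-01-14T09:11:04Z 10.1.2.31 GET http://x7r.example/lib/x.jar http://trade-news.example.org/daily.html 200 application/java-archive",
    "2014-01-14T09:20:55Z 10.1.2.44 GET http://trade-news.example.org/daily.html - 200 text/html",
    "2014-01-14T09:20:56Z 10.1.2.44 GET http://stats.example.net/s.js http://trade-news.example.org/daily.html 200 application/javascript",
    # One user downloading a tool from a personal blog: new host, but the
    # referrer is not popular, so this is not the watering-hole pattern.
    "2014-01-14T10:02:00Z 10.1.2.44 GET http://blog.example.com/post/42 - 200 text/html",
    "2014-01-14T10:02:01Z 10.1.2.44 GET http://dl.example/tools/setup.exe http://blog.example.com/post/42 200 application/octet-stream",
]

# Constructed baseline: hosts seen in the weeks before the window.
BASELINE_HOSTS = {"trade-news.example.org", "stats.example.net", "blog.example.com"}


class Request(NamedTuple):
    ts: str
    client: str
    method: str
    url: str
    host: str
    referer_host: Optional[str]
    status: int
    ctype: str


def parse_line(line: str) -> Request:
    """Split one assumed-format proxy line into a Request record."""
    ts, client, method, url, referer, status, ctype = line.split()
    ref_host = None if referer == "-" else urlsplit(referer).hostname
    return Request(ts, client, method, url, urlsplit(url).hostname,
                   ref_host, int(status), ctype)


def serves_active_content(r: Request) -> bool:
    """True if the response is something the browser will execute."""
    return (r.ctype in ACTIVE_TYPES
            or urlsplit(r.url).path.lower().endswith(ACTIVE_EXT))


def detect_watering_hole(lines, baseline_hosts, min_referrer_clients=MIN_REFERRER_CLIENTS):
    """Return {suspect_host: {"referrers", "clients", "urls"}} for hosts that
    match the popular-referrer -> new host -> active content pattern."""
    reqs = [parse_line(l) for l in lines if l.strip()]
    clients_per_host = defaultdict(set)          # popularity within the window
    for r in reqs:
        clients_per_host[r.host].add(r.client)
    findings = {}
    for r in reqs:
        if r.status != 200 or r.host in baseline_hosts or r.referer_host is None:
            continue
        if len(clients_per_host[r.referer_host]) < min_referrer_clients:
            continue
        if not serves_active_content(r):
            continue
        f = findings.setdefault(r.host, {"referrers": set(), "clients": set(), "urls": set()})
        f["referrers"].add(r.referer_host)
        f["clients"].add(r.client)
        f["urls"].add(r.url)
    return findings


if __name__ == "__main__":
    for host, f in detect_watering_hole(SAMPLE_LOG, BASELINE_HOSTS).items():
        print(f"suspect {host}: referred from {sorted(f['referrers'])}, "
              f"{len(f['clients'])} clients, {sorted(f['urls'])}")
```

On the sample this flags only x7r.example, referred from trade-news.example.org, with three victim clients; the fourth visitor to the news site never fetched the .jar, which is what selective delivery (by User-Agent or plugin check) looks like in a log. The new-host check is the weak point: an attacker who hosts the exploit on the compromised site itself will only show up as an unusual active-content path on a baseline host, so in production pair this with per-host path baselining and with the referrer sites' own change monitoring.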

Meyers told El Reg that the methods and tactics of cyberspies are starting to be applied by cybercriminals, citing the high-profile breach at retail chain Target as an example.

"The Target attackers got in elsewhere before moving across the network to hit cash registers with a malicious update," Meyers explained. "This is straight out of the cyber-espionage actors' playbook."

"Cyber criminals are often ahead of cyberspies in the sophistication of their malware but behind in their tradecraft," Meyers added.

CrowdStrike’s Global Threats Report: 2013 Year In Review document (summary available here; registration required for the full download), which focuses on adversaries rather than the malicious code they use, is designed to allow security professionals to differentiate between targeted and commodity attacks, thus saving time and focusing on the most serious threats to their business.

An infographic here summarises how the web has become an arena of conflict for spies worldwide.

“One of the advantages of focusing on adversaries, rather than malicious code, is that humans have detectable habits and often make mistakes,” Meyers added. “We believe that the data we have collected here is not only a good summary of what happened in 2013, but a harbinger of the attacks to come in 2014. This is the type of information that enterprises can use to develop better, more effective defenses.”

CrowdStrike predicts that 2014 will bring increased targeting of vulnerabilities in Windows XP, which Microsoft will stop supporting this April; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Winter Olympics in Sochi, the US withdrawal from Afghanistan, the World Cup in Brazil, the 2014 G20 Summit, and major national elections.

Windows XP will reach end-of-life on 8 April 2014, meaning that Microsoft will no longer release security patches for Windows XP after that date. Vulnerability researchers are likely sitting on backlogs of unreported Windows XP vulnerabilities with plans to publicly release or privately sell the vulnerabilities’ details after this date. As such, CrowdStrike expects to see a rise in XP-targeted exploits and a resulting rise in XP infections by the middle of this year. ®
