CrowdStrike has confirmed that governments across the world are spying on everyone online with a new report on cyber-espionage.
A year-long study by the security intelligence firm has identified more than 50 groups of cyber threat actors, blaming groups in China, Iran, Russia, North Korea, and Syria for high profile attacks.
Among the groups profiled in the report is a Russian group (dubbed Energetic Bear) that collects intelligence on the energy industry.
CrowdStrike reckons that the groups it is tracking make up the majority of the sophisticated threats attacking enterprises across the globe. Groups can be distinguished by the differences in their tactics, techniques, and procedures, such as the tools and infrastructure they use for attacks, their level of sophistication and the working hours hackers put in to running attacks.
All this doesn't point to a "smoking gun" as such but does provide more than enough circumstantial evidence for CrowdStrike researchers to have a high degree of confidence in the theories they put together.
Other cyberespionage crews of note include Magic Kitten, an established group of cyber attackers based in Iran who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting the Iranian political opposition in the run-up to the country's May elections last year.
A lot of the information points to cyber-espionage activity being economically driven but it can also be a spillover from political disputes, according to CrowdStrike. Cybercrooks and hacktivists, such as the Syrian Electronic Army with loose ties to government, also play a part in the threat landscape.
Attacks by cyber-espionage players are rarely destructive – with some notable exceptions that may became a pattern, in the case of the sabre-rattling North Koreans. The North Korean state's winter training cycle may result in increased cyber-activity from the rogue Communist country. This could include destructive attacks against South Korea along the lines of the Windows-wiping malware that hit banks and media organisations.
CrowdStrike also reckons that net infrastructure hosted outside the country, but abused by the Norks in cyberespionage attacks, is also being used for cybercrime.
CrowdStrike's report is notable for lacking incidents attributable to the NSA's elite TAO hacking crew. Revelations from NSA whistleblower Edward Snowden revealed TAO was responsible for installing “50,000 malware sleeper cells” in computer networks worldwide.
GCHQ, outed by Snowden for APT-style attacks against Belgacom, is also absent. "We haven't seen any customers victimised by anything that ties back to those countries [USA and UK]," Adam Meyers, VP of intelligence at CrowdStrike, told El Reg.
Popular tactics of Russian and Chinese attackers include watering hole style-attacks that assault targets by infecting the websites most frequently surfed by workers at a targeted organisation. Attacks of this type were successfully used last year against the Council on Foreign Relations, the U.S. Department of Labor and several foreign embassies, CrowdStrike reports.
“Compromising and weaponising a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” CrowdStrike's Meyers explained. “A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this will tactic will be used with increasing frequency among the adversaries that we are tracking.”
Meyers told El Reg that the methods and tactics of cyberspies are starting to be applied by cybercriminals. For example, the high profile breach against supermarket chain Target.
"The Target attackers got in elsewhere before moving across the network to hit cash registers with a malicious update," Meyers explained. "This is straight out of the cyber-espionage actors' playbook."
"Cyber criminals are often ahead of cyberspies in the sophistication of their malware but behind in their tradecraft," Meyers added.
CrowdStrike’s Global Threats Report: 2013 Year In Review document (summary available here, registration required for full download ) - which focuses on adversaries rather than the malicious code they use - is designed to allow security professionals to differentiate between targeted and commodity attacks, thus saving time and focusing on the most serious threats to their business.
An infographic here summarises how the web has become an arena of conflict for spies worldwide.
“One of the advantages of focusing on adversaries, rather than malicious code, is that humans have detectable habits and often make mistakes,” Meyers added. “We believe that the data we have collected here is not only a good summary of what happened in 2013, but a harbinger of the attacks to come in 2014. This is the type of information that enterprises can use to develop better, more effective defenses.”
CrowdStrike predicts that 2014 will bring increased targeting of vulnerabilities in Windows XP, which will reach end-of-life from Microsoft this April; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Winter Olympics in Sochi, the US withdrawal from Afghanistan, the World Cup in Brazil, the 2014 G20 Summit, and major national elections.
Windows XP will reach end-of-life on 8 April 2014, meaning that Microsoft will no longer release security patches for Windows XP after that date. Vulnerability researchers are likely sitting on backlogs of unreported Windows XP vulnerabilities with plans to publicly release or privately sell the vulnerabilities’ details after this date. As such, CrowdStrike expects to see a rise in XP-targeted exploits and a resulting rise in XP infections by the middle of this year. ®