From July 2017 through June 2018, Secureworks Counter Threat Unit® (CTU®) researchers analysed incident response outcomes and conducted original research to gain insight into threat activity and behaviour across 4,400 companies.
Among their findings was evidence that a small subset of professional criminal actors is responsible for the bulk of cybercrime-related damage, employing tools and techniques as sophisticated, targeted and insidious as most nation-state actors. These sophisticated and capable criminal gangs operate largely outside of the dark web, although they may leverage low-level criminal tools occasionally when it serves their purposes.
At the same time, there has been no lull in the overall volume of threats, and low-level cybercriminal activity remains a robust market economy, often taking place in view of security researchers and law enforcement on the dark web. While relatively simple in their approach, these activities can still deal widespread damage.
“Cybercrime is a lucrative industry, and it’s not surprising it’s become the arm of powerful, organised groups,” says Don Smith, Senior Director, Cyber Intelligence Cell, Secureworks Counter Threat Unit. “To understand the complete picture of the cybercriminal world, we developed insights based on a combination of dark web monitoring and client brand surveillance with automated technical tracking of cybercriminal toolsets.”
Among the CTU researchers’ key findings were the following:
The boundary between nation-state and cybercriminal actors continues to blur.
- Nation-state actors are increasingly using tools and techniques employed by cybercriminals, and vice versa. In August 2018, CTU researchers determined the Democratic People’s Republic of Korea was likely responsible for a Gandcrab ransomware campaign against the South Korean population and infrastructure, as part of a broader pattern of attacks. GandCrab is developed and sold ‘as-a-service’ and is more commonly associated with financially motivated criminal actors.
- In March 2018, a threat actor likely associated with the Iranian government used access that had previously been leveraged for espionage to deploy a cryptocurrency miner across the environment. CTU researchers have also observed other government-backed espionage groups deploying cryptocurrency miners within compromised networks.
- The assumption that nation-state-sponsored Advanced Persistent Threats (APTs) are dimensionally different from advanced cybercrime threats is fundamentally flawed.
Ransomware continues to be a serious threat.
- There has been no significant decrease in the volume of ransomware, banking malware, point-of-sale (POS) memory scrapers or other threats available for purchase on underground forums.
- The threat actors who developed SamsamCrypt and BitPaymer, the two most impactful ransomware threats observed by CTU researchers during the reporting period, have retained them for their exclusive and targeted use, showing the distinct threat these sophisticated cybercriminal groups pose.
- The developers of Gandcrab -- a new piece of ransomware identified by CTU researchers in January and offered for sale on Russian-language underground forums – have been observed offering a partner program in which the developers received 30–40 percent of any resulting revenue from successful attacks.
- There is no clear evidence that ransomware has been displaced by other capabilities such as cryptocurrency mining, and targeted ransomware attacks continue to be a worrying trend.
- The growth of traditional file-encrypting ransomware did slow, but CTU researchers nevertheless observed no less than 257 new and distinct ransomware families during the reporting period.
- Some of the more popular new ransomware-as-a-service families release regular updates and feature new additions.
Sophisticated criminal gangs are earning millions of dollars of revenue through stolen payment card data.
- Sophisticated criminal gangs have combined advanced social engineering (expertise in deception and manipulation) and network intrusion techniques with point-of-sale (POS) malware to generate millions of dollars of revenue through stolen payment card data.
- The price of credit card details on underground forums incentivises criminals to target POS terminals, where credit card details can be extracted from the memory of the running device using specialist malware.
- Cybercriminals are also clever about monetising card data even after the theft has been discovered, and credit card dump sites such as JokerStash have come under scrutiny as a possible way for sophisticated criminals to do just that.
The dark web is not the darkest depth of the cybercriminal world.
- Sophisticated, organised criminal groups are quietly dealing most of cybercrime’s damage each year, and they avoid the dark web where possible to evade detection by law enforcement and threat researchers.
- These more sophisticated criminals may use simple and readily available tools in some cases, but their highly organised approach and evolving capabilities represent a significant threat.
“The observations of CTU researchers over the last 12 months show that the threat from cybercrime is adaptive and constantly evolving,” the report concludes. “To stay ahead of it, it is imperative that organisations develop a holistic understanding of the landscape and how it relates to them, and tailor their security controls to address both opportunistic and more highly targeted cybercriminal threats.”