China leads nation-state sponsored hacktivity rise

News by Mark Mayne

The vast majority of intrusions tracked in a new report were conducted by nation-state level actors, with China leading the pack...

A new report has uncovered a significant rise in nation-state sponsored activity, with 48 percent of intrusion cases identified involving targeted intrusions from adversaries with a nation-state nexus, while 19 percent were conducted by eCrime actors.

Of the nation-state threat actors, China was fingered by the report as being the most prolific, making targeted intrusion attempts against multiple sectors of the economy, including biotech, defence, mining, pharmaceutical, professional services and transportation.

However, a key theme noted by the annual report, Observations From the Front Lines of Threat Hunting, from CrowdStrike, is the ongoing blurring of the lines between criminal and nation-state actors, as less skilled criminal actors adopt the more advanced techniques used by well-known nation-state actors. One example in particular is the malicious use of TeamViewer software, first pioneered by TEAM BEAR in 2013 to gain remote access to targets and maintain persistence on victim machines, and since adopted by criminals as well. Indeed, malicious use of TeamViewer installations continues to plague organisations across the spectrum of industry verticals.

Perhaps inevitably, the technology (36 percent), professional services (17 percent), and hospitality sectors (eight percent) were targeted most often by cyber-attackers, although defence and NGO organisations came in close behind at seven percent each.

The actors used a variety of tactics, demonstrating considerable creativity in repurposing existing tools and features to facilitate credential theft, such as using the Windows Internal tool Active Directory Explorer for one-time credential dumping.

"Today’s adversaries are persistent in their mission to target and infiltrate all types of industries. Organisations can no longer rely on reactive approaches to stay protected. Instead, they need to start with an assumption that someone might have already breached the perimeter and proactively hunt for them 24/7/365 on systems," said Dmitri Alperovitch, CrowdStrike’s chief technology officer and co-founder, in a statement.

The report also found that attackers are still interested in cryptomining, with multiple intrusions against victims in the legal and insurance industries in which criminals gained privileged access to internal networks and then attempted to install mining software, often the open-source XMRig Monero miner.
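The three behaviours the article singles out (TeamViewer where it does not belong, Active Directory Explorer used to pull a one-time snapshot of the directory, and XMRig-style miners) all leave a footprint in process-creation telemetry. The following Python is an added example, not code from the article or from CrowdStrike, showing how a defender might triage such events. It assumes Sysmon- or EDR-style fields (host, user, image path, command line), a constructed allow-list of hosts where TeamViewer is legitimately deployed, and the `-snapshot` switch that AD Explorer uses to write an offline snapshot; the sample events are constructed for the demonstration.

```python
"""Triage constructed process-creation events for three tradecraft patterns:
unexpected TeamViewer, AD Explorer snapshots, and cryptominer indicators."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full executable path as logged by Sysmon/EDR
    cmdline: str    # full command line


# Assumption: hosts where TeamViewer is sanctioned (e.g. a helpdesk jump box).
TEAMVIEWER_APPROVED_HOSTS = {"helpdesk-01"}

# Indicators of XMRig-style mining: the binary name, stratum pool URLs,
# and the well-known XMRig donate-level argument.
MINER_PATTERNS = [
    re.compile(r"xmrig", re.I),
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level", re.I),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of finding labels that apply to one event."""
    image = basename(ev.image)
    cmd = ev.cmdline.lower()
    findings = []
    # Remote-access tooling on a host where it was never approved.
    if image.startswith("teamviewer") and ev.host not in TEAMVIEWER_APPROVED_HOSTS:
        findings.append("unexpected_teamviewer")
    # AD Explorer writing a directory snapshot: legitimate for admins, but a
    # one-shot copy of the directory is exactly what the article describes.
    if image in ("adexplorer.exe", "adexplorer64.exe") and "-snapshot" in cmd:
        findings.append("ad_explorer_snapshot")
    # Miner indicators in either the image name or the command line.
    if any(p.search(image) or p.search(ev.cmdline) for p in MINER_PATTERNS):
        findings.append("cryptominer")
    return findings


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Flatten findings into (host, label) pairs for downstream alerting."""
    return [(ev.host, label) for ev in events for label in classify(ev)]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent("helpdesk-01", "svc_helpdesk",
              r"C:\Program Files\TeamViewer\TeamViewer.exe",
              "TeamViewer.exe"),
    ProcEvent("fin-ws-07", "j.doe",
              r"C:\Users\j.doe\AppData\Local\Temp\TeamViewer.exe",
              "TeamViewer.exe"),
    ProcEvent("dc-01", "svc_backup",
              r"C:\Users\svc_backup\AppData\Local\Temp\ADExplorer.exe",
              r'ADExplorer.exe -snapshot "" C:\Users\svc_backup\AppData\Local\Temp\ad.dat'),
    ProcEvent("legal-srv-02", "SYSTEM",
              r"C:\Windows\Temp\svchost.exe",
              "svchost.exe -o stratum+tcp://pool.example:3333 -u WALLET --donate-level 1"),
    ProcEvent("ws-12", "a.smith",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]


if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The TeamViewer rule is deliberately keyed on an allow-list rather than a block-list: the article's point is that the tool is legitimate software, so the signal is where it runs, not that it runs. The miner rule fires on the renamed `svchost.exe` because the stratum URL in the command line gives it away regardless of the binary name.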

In potentially better news, the current average breakout time is still 1 hour and 58 minutes (the same as 2017’s average), which means that if defenders are able to detect, investigate and remediate an intrusion within two hours, they can stop the attacker before other laterally connected systems are compromised in addition to the initial point of entry.
