Creation of complex malware and organisation of multi-layered targeted attacks has shifted from financially motivated cyber-criminals to state-sponsored threat actors.
That’s the conclusion of a new report from Group-IB, launched yesterday at the global conference CyberCrimeCon 2018.
The three most common countries of origin for the most active state-sponsored hacker groups are China, North Korea and Iran, with espionage the key focus of government hacker groups.
Asia-Pacific was the target of the most attacks carried out by hackers between H2 2017 and H1 2018, with 21 hacker groups active in the region over the year, more than in Europe and the USA combined. Group-IB’s report features about 40 active groups, although there are thought to be many more. Groups sponsored by North Korea, Pakistan, China, the USA, Russia, Iran and Ukraine have been identified, though some hacker groups’ countries of origin were not established. Most newly discovered groups turned out to have been active for several years but had remained unnoticed.
A new hacker group named Silence was exposed in 2018. It is regarded as one of the biggest cyber-threats to banks globally, along with the MoneyTaker, Lazarus and Cobalt groups. These hackers are able to compromise a bank, penetrate its isolated financial systems and withdraw money. Three out of the four are Russian-speaking groups. Typically, Russian banks are successfully infiltrated by cyber-criminals every one to two months. Average losses are estimated at £1.5 million, and the average time required to cash out the stolen money via ATMs using drops or money mules is as low as eight minutes.
"Group-IB expects that after the leaders of Cobalt and Fin7 (Anunak) have been arrested, the remaining members will start forming new hacker groups. Other most likely regions where new cyber-crime groups may arise are Latin America and Asia, with banks being their most probable targets. Group-IB experts forecast numerous misattributions of hacker groups due to their collaboration, use of legal tools, and deliberate imitation of each other’s tactics."
Approximately 56 percent of all money siphoned off from ICOs was stolen through phishing attacks, and in 2017 and 2018 a total of 14 cryptocurrency exchanges were robbed, causing a total loss of £673 million. At least five of those attacks have been linked to North Korean hackers from the Lazarus state-sponsored hacking group; the victims were mainly located in South Korea.
Sarb Sembhi, CTO & CISO of Virtually Informed, commented in an email to SC Media UK: "I think it is interesting that the top three countries which are identified as having the most active state-sponsored hacking activities are China, North Korea and Iran. Whilst the report acknowledges that attribution is difficult, it hasn’t seemed to acknowledge that maybe those other nations we would have expected to see in the top three aren’t there because they are more experienced at not being identified. As skills mature, so too do the tools developed to achieve the end result. If the report is to be believed, then Western governments have a lot to answer for, for not doing what they are paid to do.
"Secondly, the report does point out a lot of interesting data. What I would have liked to see was some analysis as to where on the maturity curve the authors thought each country was and how that played a part in the type of attacks it participated in. For example, one may consider that North Korea is relatively new to the game; however, driven by its failing economy, it would purely focus on attacks on banks. Whereas Russia, for example, with its more mature experience in several areas, may focus on destabilising certain economies, etc. So, I would have expected to see some relationship between maturity and the types of attacks in certain economies to achieve a given end.
"As this field becomes more important, we can expect to see many more reports analysing lots more data showing how quickly lessons are being transferred from governments to criminals, and criminals to governments."
Dai Davis, solicitor and chartered engineer at Percy Crow Davis & Co, commented: "It is well known that hacktivists target other individuals who are senior employees in target companies of the state targets, e.g. China and Russia attempting to hack into Lockheed Martin, Boeing, British Aerospace as well as other western companies and senior employees at those companies.
"I’m not sure I agree with saying that in 2017/2018 hackers turned their attention to attacks on cryptocurrency exchanges. Cryptocurrency exchanges have always been targets, not just recently. According to a study conducted in April 2013 by Southern Methodist University and Carnegie Mellon University, 45 percent of all cryptocurrency exchanges had then been successfully hacked into.