Motivation and techniques of world’s most sophisticated cyber attackers

CrowdStrike released “CrowdStrike Global Threats Report: 2013 Year in Review,” the product of its year-long study of more than 50 groups of cyber threat actors.

The 30-plus page report offers insight on the activities of several sophisticated groups of attackers, including:

• DEADEYE JACKAL, commonly known as the Syrian Electronic Army (SEA);
• NUMBERED PANDA, a group of China-based attackers, who conducted a number of spear phishing attacks in 2013;
• MAGIC KITTEN, an established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition;
• ENERGETIC BEAR, a Russia-based group that collects intelligence on the energy industry; and
• EMISSARY PANDA, a China-based actor that targets foreign embassies to collect data on government, defense, and technology sectors.

It also offers a look at some of these attackers’ most popular tactics and techniques for breaching the defenses of a targeted organization.

For example, the report offers a detailed analysis of how several organized threat groups are using strategic web compromise (SWC) – sometimes called “watering holes” – to penetrate a target by infecting the websites most frequently surfed by its members. SWC attacks on the Council on Foreign Relations, the U.S. Department of Labor, and several foreign embassies are described in detail in the report.

“Organizations need to take an intelligence driven approach to security – proactively responding to advanced threats by prioritizing their limited resources,” said George Kurtz, CEO/President & Co-Founder of CrowdStrike. “The information in this report allows security professionals to differentiate between targeted and commodity attacks, thus saving time and focusing on the most critical threats to the enterprise.”

“With this report, we’re going above and beyond the traditional “threat report’ that simply analyzes malware trends,” said Dmitri Alperovitch, co-founder and CTO of CrowdStrike. “This report focuses on what’s most important — the adversary — rather than just the exploits they create. This is a great step toward fighting cyber security threats on a new battleground — by identifying and defending against human adversaries, rather than simply trying to block malicious code.”

CrowdStrike predicts that 2014 will bring increased targeting of third-party vendors, abuse of the Internet’s new generic top-level domains (gTLDs), and vulnerabilities in Windows XP, which will reach end-of-life from Microsoft this April.

The report predicts increased use of encryption to help protect and obfuscate malware; greater use of black markets for buying and selling custom-made malware; and increased targeting of attacks around major events, such as the Olympics, the 2014 G20 Summit, and major national elections.

In the wake of the recent breaches of major retailers, the CrowdStrike team also discusses the evolution of cyber criminals, who are beginning to develop capabilities to identify and breach specific targets in pursuit of sensitive account data.

The report is available for download here (registration required).