2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...

Page created by William Mccormick
 
CONTINUE READING
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
SUBTITLE

2020 CYBER THREAT
INTELLIGENCE
ESTIMATE
A view of the cyber-threat landscape
to help organizations mitigate risk and
strengthen their defenses.
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
Table of Contents
             1                                                                               7
             Introduction........................................................ 1          Hybrid Threat Actors..................................... 22
                                                                                               Nation-States................................................... 23
             2                                                                               Actors with Criminal Intent................................. 27
             Executive Summary......................................... 2                        Hacktivists..................................................... 29
                                                                                                 Commercial Entities..................................... 29
             3
             COVID-19 Update............................................ 3                   8
                 Impacts............................................................... 3    Data Breaches............................................. 30
                 Strategies........................................................... 4         Worldwide Privacy Regulations...................... 31
                                                                                                   Regulatory Momentum............................... 31
             4                                                                                     Recommendations....................................... 32
             Data Gathering and Analysis........................ 5                               Identity and Data Management..................... 32
                 Threat Trends..................................................... 5              Authentication Uptick.................................. 32
                 Phishing and Brand Misuse, Infrastructure                                         Managing Elevated Credentials................. 33
                 and Data Leakage Incidents............................. 6                         Recommendations....................................... 33
                 Data Leakage Alerts.......................................... 6
                 Vertical Industry Data........................................ 7            9
                                                                                             Zero Trust.......................................................... 35
             5                                                                                   A Practical Path to Zero Trust.......................... 36
             Vertical Industry Breach Highlights............ 9                                   Recommendations........................................... 36
                 Healthcare........................................................ 10
                 Financial............................................................ 10    10
                 Retail/Hospitality.............................................. 11         Notable Breaches........................................... 37
                 Manufacturing.................................................. 11
                 Energy/Utilities................................................. 11        11
                 Recommendations........................................... 11               Dark Web.......................................................... 38
                                                                                                 Dark Web Marketplaces.................................. 39
             6                                                                                   Dark Web by the Numbers............................. 39
             Attack Tools, Techniques and                                                        Recommendations........................................... 39
             Procedures........................................................ 12
                 Cryptomining................................................... 13          12
                    Recommendations....................................... 13                Conclusions....................................................... 40
                 Internet of Things............................................ 14
                    Top IoT Attacker Methods.......................... 15                    13
                    Recommendations....................................... 15                Contributors..................................................... 41
                 Cyber Espionage............................................. 17
                    Tools.............................................................. 17   14
                    Recommendations....................................... 18                References........................................................ 42
                 Malware: Kryptik, Obfuse and Emotet........... 18
                    Recommendations....................................... 19
                 Malware: Ransomware..................................... 20
                    Recommendations....................................... 21

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                         3                                                                              3
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Introduction

             The threat landscape is more intense
             and more complex than ever before.
             COVID-19 and the resulting shift for many of us to work-from-home has
             increased opportunities for threat actors and also increased the burden
             on cybersecurity providers. Many businesses now rely more heavily on
             third-party vendors, as well, and this amplifies the risks that already
             existed for companies contending with identity and data management
             challenges, privacy regulations and the Internet of Things.

             It is vital for business leaders to understand these developments and the
             consequent need to protect a larger, more fluid attack surface that is more
             vulnerable to both internal and external threats than previously was the case.

             Beyond that, threat actors also constantly develop and acquire new tools,
             techniques and procedures, and refine existing ones, in their efforts to
             identify and exploit vulnerabilities. The best way to protect effectively against
             malicious activity is to take a comprehensive, integrated and managed
             approach to cybersecurity, a key component of which is up-to-date threat
             intelligence. In fact, the most efficient and effective threat countermeasures
             are based on a detailed understanding of the ever-evolving threat landscape.

             This Cyber Threat Intelligence Estimate summarizes key threat
             activities, threat actors and topics crucial to data breach prevention.
             It also provides recommendations that business leaders and security
             practitioners should consider as they make decisions about cybersecurity
             programs and investments, as well as risk management.

                                     General David Petraeus,
                                     US Army (Retired),
                                     Partner, KKR and Chairman,
                                     KKR Global Institute,
                                     Optiv Board Member

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                          1
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Executive Summary
             The 2020 Cyber Threat Intelligence Estimate (CTIE) is inspired by national
             intelligence estimates, which are analytic reports produced by the
             intelligence community of the United States for consumption by Congress.

             Evolving technology, threat actors and regulations require security leaders
             and security practitioners to be familiar with their own environment
             and assets and stay abreast of the latest global threat trends. This
             report comprises contributions from Optiv’s Global Threat Intelligence
             Center (gTIC); VMware Carbon Black; Digital Shadows; Palo Alto
             Networks global threat intelligence team, Unit 42; and SailPoint.

             This CTIE summarizes the following information:

                  Vertical                            Attack Tools,
                  Industry Breach                     Techniques and                           Hybrid
                  Highlights                          Procedures                               Threat Actors

                  9                                   12                                       22

                                       Data                             Dark Web
                                       Breaches                         Practices

                                       30                               38

             Additionally, a special section on COVID-19 offers insights
             into security concerns as well as actions that business
             leaders can take to bolster cybersecurity.

             By applying the best-practice recommendations provided in
             the CTIE, decision-makers and influencers can strengthen their
             cybersecurity strategies and operations. For organizations that
             collect and analyze their own threat intelligence, the intelligence
             assembled in the CTIE can validate and augment their findings.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                            2
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             COVID-19 Updates
             The COVID-19 pandemic has had and will          » Compliance and regulatory risk result
             likely continue to have profound, long-           from third-party security breaches.
             lasting effects on companies and people.
             The following insights and guidance may be      During these uncertain times, an enterprise’s
             useful to business leaders whose employees      security roadmap and objectives remain
             are working from home. Remote access            the best framework within which to make
             support via phone, chats and video create       decisions. Existing cybersecurity principles
             new and different vulnerabilities. This         apply now more than ever, especially for
             massive expansion of the attack surface is      industries at high risk for cyber attacks.
             a necessity for business continuity, but it
             comes with security and risk concerns.
                                                             IMPAC TS
             Workers often are unaware of threats, further   Organizations and industries most crucial
             increasing risk.                                to the COVID-19 response, or those already
                                                             affected by the economic fallout caused
                                                             by the pandemic, are likely most at risk
                                                             of being targeted by cyber-threat actors.
                Since January 2020, more than
                                                             Digital Shadows analysts point to warnings
                4,000 coronavirus-themed web                 from governmental and intergovernmental
                domains have popped up, and                  agencies, directed particularly to healthcare
                around 5% were suspicious and                businesses and manufacturers of critical
                3% malicious.1                               medical equipment and personal protective
                                                             equipment, stating that a disruptive cyber
             Digital Shadows blogs describe phishing and     attack will amplify their struggles.
             social engineering scams, sale of fraudulent
             or counterfeit goods and COVID-19 cures,        The VMware Carbon Black team analyzed
             and general misinformation.                     financial services firms and discovered that
                                                             the cybercriminal community took advantage
             Many businesses have turned to third-party      of COVID-19 in tandem with the news
             vendors – for collaboration solutions, for      cycle, escalating their coordinated criminal
             example – to support productivity. Digital      conspiracies. Everyone should pay close
             Shadows analysts identified potential third-    attention to these threat actors and thwart
             party risks:                                    their goal: hijacking digital transformation
                                                             efforts via island hopping.
             » Operational risk involves potential
               losses resulting from inadequate or failed
               procedures, systems or policies.

             » Transactional risk involves potential
               losses due to problems with a service
               and/or its delivery.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                    3
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             S T RAT E G I E S                                   Fortunately, providing expanded
                                                                 access services for employees and
             Optiv cybersecurity experts find that               customers dovetails with common
             employers are pursuing three basic                  organizational priorities:
             strategies to combat COVID-19:

             » Expand existing access                            » Moving workloads to the cloud

             » Create alternate access methods                   » Migrating to software as-a-service (SaaS)
                                                                   applications
             » Redesign infrastructure
                                                                 » Retooling identity governance

                                                                 » Enabling mobility/bring your own device
                                                                   (BYOD)

                                                                 » Applying Zero Trust access methods

             O T HE R A C T I O N S Y O U C AN TAKE TO
             M IN IM I Z E T H E I MPA C T OF C OVID -19
             »   Provide security awareness training.            »   Include SecOps management in business-
                 Make it easy for workers to find                    line decision planning related to remote
                 documentation about remote access and               workforce enablement. Your SecOps/
                 how to be safe online. Publish a list of            cybersecurity teams need to stay on top of
                 approved collaboration tools for chat and           changes in traffic flows, peak operating times
                 online meetings. Supply guidance on which           and new sources of telemetry to incorporate
                 applications can be accessed remotely.              into monitoring tools. A tiger team can best
                                                                     implement the acquisition and monitoring
             »   Deploy and update endpoint security                 of new telemetry for net-new applications
                 agents. Validate and publish the steps              and access methods. Be prepared to coach
                 to enroll your remote endpoint security             employees on how working from home
                 agent. Implement host validation checks to          will change usual business practices
                 ensure a minimum standard is met before             and behavioral monitoring systems.
                 allowing access to sensitive information.
                 And, determine the level of access that         »   Vet suppliers thoroughly. Make sure
                 will be permitted for personal devices.             security practices match your requirements
                                                                     and monitor third-party applications so
             »   Manage user identities properly, including          incidents can be tracked and resolved.
                 accurate, accessible directory services.
                 Leverage a single-sign-on (SSO) dashboard for             As you decide how your business will
                 application distribution and use multifactor              operate during this fluid situation,
                 authentication wherever possible. Enhance                 keep cybersecurity top of mind as you
                 and expand monitoring and reporting                       respond to the increased threat level.
                 on access to sensitive information.                       COVID-19 checklists are available from
                                                                           Optiv upon request.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                          4
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

               Data Gathering and Analysis
               Security analysts gather, weigh and                    THREAT TRENDS
               synthesize data sources to prepare the
               intelligence analysis that appears in the              A comparison of 2018 and 2019 threat
               CTIE. Some of the data is circumstantial,              activity observed by Optiv reveals patterns
               and it is up to the analysts to find multiple,         that indicate shifting trends. In this
               corroborating intelligence data points to              comparison, a threat is any event that may
               assemble a clear picture that describes                cause a security incident.
               the threat landscape. Experts from the
               contributing companies collect cyber-activity              16% fewer threats in 2019 than
               statistics from thousands of clients, and the
                                                                          2018 in total on average
               data is summarized here so you can easily
               understand key activities, events and trends.

                   2018

                   80,000
                                                                                                                   20 18

                   60,000
          EVENTS

                   40,000

                   20,000

                          0
                              J   F    M          A     M        J    J      A       S         O         N          D
                                                                     MONTH

               Figure 1 - Observed threat activity in 2018 (Optiv)

                   2019

                                                                                                                   20 19
                   80,000

                   60,000
          EVENTS

                   40,000

                   20,000

                          0
                              J   F    M        A       M        J    J      A       S         O         N         D
                                                                     MONTH

               Figure 2 - Observed threat activity in 2019 (Optiv)

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                             5
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             At the end of 2018, overall threat activity gradually increased before dropping
             off for a few months. This trend continued throughout 2019 in two large cycles,
             each made up of two smaller cycles. On a standard fiscal year quarterly basis,
             aspects of the threat landscape reset and then gradually started to climb.
             Cumulative highs at the beginning and end of the year point to the idea that
             threats will continue to occur around specific events and timing-oriented attack
             patterns to maximize damage. In total, the average threats per day in 2019
             appear to be about 16% lower than the threats in 2018.

             PHISHING AND BRAND
             MISUSE, INFRASTRUCTURE                                                                      9%
                                                                      24%                                Data leakage
             AND DATA LEAKAGE                                   Infrastructure

             INCIDENTS
             As organizations and their brands continue
             to grow, their attack surfaces also grow.
             Attackers are increasingly targeting and
             impersonating organizations across all
             channels. Digital Shadows classifies this
             activity into three main incident categories:
             phishing and brand misuse, infrastructure                                                         67%
                                                                                                               Phishing and
             and data leakage. Phishing and brand misuse                                                       brand misuse
             include malicious and impersonating web
             domains, as well as spoof social media             Figure 3 - Breakdown of 2019 incidents
             profiles. Infrastructure includes domain           (Digital Shadows).
             certificate issues and port exposures. Data
             leakage covers the exposure of sensitive
             documents, customer details and code on
             unwanted or unintended sources.

                                                                                      10%           3%
             DATA LEAKAGE ALERTS                                                    Technical       Internally
                                                                                     Leakage        Marked Document
             Data leakage alerts include unmarked
             documents, customer details, protectively                                                             3%
             marked documents, technical leakage and                                                               Unmarked
             internally marked documents.                                                                          Document

                                                                   39%                                            45%
                                                              Protectively                                        Customer Details
                                                         Marked Document

                                                                Figure 4 - Breakdown of 2019 data leakage alerts
                                                                (Digital Shadows).

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                          6
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             VERTICAL INDUSTRY DATA
             For all incidents reported by Digital Shadows, the majority, 66%, belong to
             organizations in the technology and financial services sectors. These include
             alerts for impersonating domains, spoof social media profiles, data breaches
             and credential exposure, and exposed documents.

                                                                                  66% of incidents belong
                                                                                     to organizations in the
             Figure 5 - 2019 Alerts by Vertical (Digital Shadows).                technology and financial
                                                                                           services sectors
             LEGEND

                                   FINANCIAL
                TECHNOLOGY                            OTHER          HEALTHCARE       RETAIL                 OIL AND GAS
                                   SERVICES

                TRAVEL AND                                           FOOD AND                                AUTOMOBILES
                                   UTILITIES          EDUCATION                       INSURANCE
                LEISURE                                              BEVERAGE                                AND PARTS

                                   PERSONAL AND       EQUITY/NON-    LEGAL            BASIC
                GOVERNMENT
                                   HOUSEHOLD          EQUITY         SERVICES         RESOURCES
                                   GOALS              INVESTMENT
                                                      INSTRUMENTS

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                            7
2020 CYBER THREAT INTELLIGENCE ESTIMATE - A view of the cyber-threat landscape to help organizations mitigate risk and strengthen their defenses ...
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

                                           41%
                                     40                                              C RE D ENTIAL TH E FT BY VERTIC AL
           PERCENTAGE OF INCIDENTS

                                     30
                                                         26%

                                     20

                                     10                               8%
                                                                                6%          5%        4%        3%           2%           2%           2%
                                      0

                                                                                        INDUSTRY VERTICAL

                             Figure 6 - 2019 credentials by vertical (Digital Shadows).

                                     45

                                     40                                         P H ISH ING INC ID ENTS BY VERTIC AL
                                          35%
                                     35
           PERCENTAGE OF INCIDENTS

                                     30

                                     25

                                     20

                                     15
                                                   10%    10%     10%
                                     10
                                                                           6%    5%     4%       3%   3%
                                     5                                                                         2%      2%       2%      2%       2%      2%

                                                                                        INDUSTRY VERTICAL

                             Figure 6 - 2019 phishing by vertical (Digital Shadows).

                              LEGEND

                                                          FINANCIAL
                                      TECHNOLOGY                                OTHER             HEALTHCARE           RETAIL                 OIL AND GAS
                                                          SERVICES

                                      TRAVEL AND                                                  FOOD AND                                    AUTOMOBILES
                                                          UTILITIES             EDUCATION                              INSURANCE
                                      LEISURE                                                     BEVERAGE                                    AND PARTS

                                                                                EQUITY/NON-
                                      GOVERNMENT          MEDIA                 EQUITY
                                                                                INVESTMENT
                                                                                INSTRUMENTS

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                                                             8
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Vertical Industry
             Breach Highlights
             Industries at high risk from certain          TLS is a protocol that provides
             vulnerabilities and threats are discussed     authentication, privacy and data integrity
             below. Optiv’s threat actor risk metric       between communicating applications.
             system2 can help you assess risk and          There are several vulnerabilities in older
             develop appropriate countermeasures.          versions of TLS. Several certificate
                                                           authorities have largely deprecated
             Companies across industries increased their   versions 1.0 and 1.1, making it advisable for
             risky use of Secure Shell (SSH), Remote       organizations to support only v1.2 and 1.3.
             Desktop Protocol (RDP) and Transport
             Layer Security (TLS). According to Palo       For cloud operations, a Zero Trust approach
             Alto Networks analysts, attackers target      is the best practice, regardless of industry
             SSH when it is configured to use password     type. Cloud service providers are not
             authentication, creating a low barrier to     responsible for managing an organization’s
             entry. To thwart these attacks, use public    cyber risk. Organizations using the cloud
             key authentication (RSA, ECDSA or Ed25519     must protect their applications and data,
             key pairs) for all SSH-enabled systems.       but unauthorized access and inconsistent
                                                           security policies make this challenging. Also,
             RDP operates over port 3389 to enable         organizations typically use more than one
             remote administration of Windows              cloud platform. Zero Trust frameworks
             environments. RDP is frequently used          are built on the notion of “never trust,
             as an initial vector for ransomware.          always verify,” meaning that no access is
             Instead of exposing RDP to the public         permitted without identification. However,
             internet, use alternatives such as Virtual    identification alone is not sufficient.
             Desktop Infrastructure (VDI) or virtual       After access is established, traffic flow
             private networks (VPNs) that provide          should be inspected continuously.
             connectivity without exposing public IPs.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                  9
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             HEALTHCARE                                      FINANCIAL
             Palo Alto Networks analysts conclude that       In recent months, as COVID-19
             risk for healthcare companies is elevated       disordered many businesses, VMware
             because Internet of Things (IoT) device         Carbon Black analysts observed a 148%
             security has declined, leaving organizations    increase in ransomware attacks and a
             vulnerable to new IoT-targeted malware          238% increase in attacks against the
             as well as older attack techniques. Analyst     financial sector. The research shows:
             research reveals these key IoT concerns:
                                                                              of surveyed banks said they
             » Outdated software. 83% of medical                              saw an increase in cyber
               imaging devices run on unsupported                80%          attacks over the past 12
               operating systems – a 56% jump from 2018                       months, marking a 13%
               as a result of the Windows® 7 operating                        increase over 2019.
               system reaching its end of life. Just over
               half (51%) of threats involved imaging
               devices, disrupting the quality of care and                    of surveyed financial
               allowing attackers to exfiltrate patient                       institutions reported increased
               data stored on these devices. This general        64%          attempts of attempted
               decline in security posture opens the door                     wire fraud transfer, a 17%
               to new attacks, such as cryptojacking,                         increase over 2019.
               and brings back threats like Conficker.
                                                                               of surveyed financial
             » Poor network hygiene. 72% of                                    institutions said cybercriminals
               healthcare VLANs mix IoT and IT assets,
                                                                  82%          have become more
               allowing malware to spread from users’                          sophisticated, leveraging highly
               computers to vulnerable IoT devices                             targeted social engineering
               on the same network. 41% of attacks
                                                             attacks, advanced TTPs for hiding malicious
               exploit device vulnerabilities, as IT-borne
                                                             activity, and exploiting weaknesses in people,
               attacks scan through network-connected
                                                             processes and technology to gain a foothold
               devices to exploit known weaknesses.
                                                             and persist in the network enabling the ability
               Attacks are shifting from IoT botnets
                                                             to transfer funds and exfiltrate sensitive data.
               conducting denial-of-service attacks to
               more sophisticated attacks targeting
               patient identities, corporate data and
               monetary profit via ransomware.                  Analysts observed a
             » Inadequate security function. Biomedical
                                                                148% increase in ransomware
               engineers who maintain medical devices           attacks and a 238% increase
               often lack the training and resources            in attacks overall
               to follow IT security best practices:
               password rules, secure password storage
               and maintaining up-to-date patches.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                   10
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             RETAIL/HOSPITALITY                                  MANUFACTURING
             Retail was heavily targeted during the past         According to a recent study, 40% of
             year by cyber-based attacks. The most               manufacturers were affected by a cyber
             common observed malware families included           incident.4 Verizon provides additional insights:
             Emotet, Obfuse and Kryptik. E-commerce
             sites are favorite targets for cybercriminals
             that commonly leverage skimming scripts                            of manufacturing
             such as Magecart to scrape and exfiltrate              1/3         attacks were made
             payment card information. Criminal threat                          up of internal actors
             actors commonly attempt to spoof a
             legitimate vendor or exploit a vulnerability
             on the e-commerce vendors' payment page
             to inject a crafted JavaScript skimmer.
                                                                                of organizations report
             VMware Carbon Black research reveals:                  49%         having credentials
                                                                                compromised
                              of retailers lost
                 40%          revenue in 2019 due
                              to cyber attacks                                  of documented
                                                                                cases were financially
                                                                    68%         motivated and 27% were
                              saw increasingly sophisticated                    espionage related5
                              cyber attacks as the year
                 73%          progressed, and 33% of these
                              organizations experienced          ENERGY/UTILITIES
                              an island-hopping attack
                                                                 Energy and utilities companies were
                                                                 affected by some of the most high-profile
                                                                 cyber attacks between 2015 and 2018. In
                              of the surveyed                    March 2019, a Utah-based utility company
                 66%          organizations experienced          became the first American energy company
                              a ransomware attack3               to see grid operations get disrupted
                                                                 by a cyber attack.6 Dragos and E-ISAC
                                                                 observed an increase in scans of U.S. and
                                                                 East Asia-based industrial control systems
                                                                 (ICS) by the XENOTIME threat actor.

                 RE C O MME N D AT I O NS
                      Implement network segmentation to             Develop system access policies following
                      limit the attack surface available to an      the least-privilege principle
                      insider threat
                                                                    Implement patch management to
                      Apply multi-factor authentication             ensure systems are updated to the
                                                                    latest version

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                       11
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Attack Tools,
             Techniques and
             Procedures
             Tools, techniques and procedures (TTPs)
             are common topics in threat intelligence
             circles because they are some of the simpler
             aspects to study. Threat actors use TTPs –
             which describe the “how” and “what” – to
             carry out their attacks. The correlation and
             analysis of TTPs help analysts figure out the
             “who” and “why.” Important TTPs involve
             cryptomining, IoT attack methods, cyber
             espionage and malware.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                    12
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             CRYPTOMINING                                      » 8220 Mining Group. The tell-tale
                                                                 signs of 8220 operations within network
             Palo Alto Networks analysts found that nearly       environments involve the use of port
             9% of cloud organizations showed signs              8220. While port 8220 is an uncommon
             of connecting to, and likely performing,            port for default networked environments,
             mining operations via public Monero                 it is possible for port 8220 to be used for
             (XMR) mining pools. Public mining pools             custom purposes. Researchers paired
             are systems or networks that coordinate,            network connections like PE-Miner
             manage and distribute mining operations.            and XMRig from organizations with
             Remote systems connect to these pools               connections over port 3333, which is a
             to receive mining instructions and, upon            commonly used port by 8220 and known
             completion of the operations, receive a             to be used by cryptomining software.
             share of the resulting financial proceeds.          Based on known 8220 indicators of
                                                                 compromise (IOCs), Palo Alto Networks
             Nearly 60% of all public XMR mining                 analysts found that 21% of cloud
             network connections to XMR pools are                organizations had network connections
             located within the United States. Mining            that appeared to have 8220 signatures
             operations can evade geographic blacklisting
             or whitelisting based solely on country              The pattern of cloud system connections
             or region criteria. They take place often            over ports 3333 and 8220 to external
             over ports such as 80 and 443, which are             systems is suspicious because a
             meant to avoid corporate firewall rules.             single destination system was being
                                                                  connected to using two separate ports.
             Frequently used tools include:                       And, it is suspicious for destination
                                                                  IP addresses used in the connections
             » Rocke. This tool has evolved cyber                 not to be routed through DNS
               operations beyond cryptomining with                name resolutions and instead called
               another tool called Godlua, which                  directly through their IP addresses.
               performs proxy Lua (a programming               » Pacha. Pacha competes with Rocke for
               language designed primarily for                   cryptocurrency mining in the cloud, but
               embedded use in applications) scripting           activities in 2019 declined significantly.
               operations and various shell operations           93% of Pacha cryptocurrency traffic
               within cloud infrastructure. Network              was destined for China, although the
               connections to known Rocke infrastructure         specific types of network operations
               trended downward, in part because cloud           being performed are unknown.
               environments are less reliant on native
               cloud service provider network controls.

                 RE C O MME N D AT I O NS
                      Use Layer 7 packet inspection                Apply virtual next-generation
                      signatures via virtual next-generation       firewalls (NGFWs) to block connections
                      firewalls                                    to known Rocke infrastructure

                      Integrate virtual network traffic            Block 8220 communications by
                      inspection tools                             preventing communications with
                                                                   known malicious IP addresses

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                    13
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             INTERNET OF THINGS
                                                                Use Cases
             IoT adoption grew to an estimated 4.8 billion
             devices, up 22.5% from the end of 2018.7 Palo
             Alto Networks analysts found that 98% of
             IoT traffic is unencrypted, exposing personal
             and confidential data on the network and
             that 57% of IoT devices are vulnerable to
             medium- or high-severity attacks. IoT offers
             low-hanging fruit due to the vulnerabilities       Ryuk Ransomware
             created by low patch levels and aging              The Ryuk ransomware took down a
             operational technology (OT) protocols.             United States Coast Guard facility for
                                                                more than 30 hours in late 2019. The point
             According to Optiv IoT experts, IoT                of entry was a malicious email sent to an
             cybersecurity received more attention during       employee. After the employee clicked on a
             the past year, in part because ownership           link, a threat actor accessed and encrypted
             shifted to chief information security officers     critical IT network files, blocking staff
             (CISOs). In the past, IoT security belonged        access to the information. The virus spread
             to several groups, resulting in isolated           throughout the facility, also impacting
             initiatives. With greater responsibility and       industrial control systems that monitor
             budget control in the hands of CISOs,              and control cargo transfer and encrypted
             they can be stronger IoT champions.                files critical to process operations.8 Ryuk
                                                                attackers, which reportedly target firms
             An immediate enterprise priority is a              with annual revenue between $500 million
             unified incident response (IR) platform that       and $1 billion, also targeted oil and gas
             incorporates both IT and OT. The lack of a         companies, including Mexico’s Pemex.9
             unified IR platform continues to hamstring
             business continuity and business recovery
             efforts. Some companies lump IT and OT
             into the IoT bucket, but OT goes beyond the
             usual security concerns to include product/
             manufacturing protection requirements.
             Attackers tunnel through from IT to OT
             using paths of least resistance. Once inside,
             they can linger and eventually access entire
             environments depending on security maturity.       Urgent/11
                                                                Urgent/11 is a suite of network protocol
             Some decision makers are pursuing                  bugs that creates vulnerabilities in TCP/
             Zero Trust fundamentals to improve IoT             IP stacks by allowing devices to connect
             cybersecurity. Device visibility received a        to networks like the internet. The code
             boost from new tools capable of pulling out        has been around for many years, and
             vulnerability data. Segmentation gained            the bugs exist in far more platforms
             momentum, but it was limited due to cost,          than originally believed. Always-on
             complexity and resource constraints. An            devices common in industrial control
             alternative is cloaking – a duplicate, disguised   settings and the healthcare industry
             network that allows authorized traffic.            are particularly vulnerable to attacks or
                                                                takeovers. At least seven affected operating
                                                                systems run in countless IoT devices.10

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                    14
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Top IoT Attacker Methods                           » Unclosed backdoors. WannaCry
                                                                  ransomware attacks spread through
             The Palo Alto Networks analysts scrutinized
                                                                  backdoors left open by previous
             cross-industry research and identified these key
                                                                  DoublePulsar malware infections. The use
             methods used by attackers to compromise IoT:
                                                                  of unpatchable devices, such as those
                                                                  running Windows 7, allow these two-stage
             » Exploits target device vulnerabilities.
                                                                  attacks to continue happening.
               IoT devices are used as stepping stones in
               lateral movement to attack other systems         » Unsegmented networks. WannaCry cases
               on a network. Attacker activities include          in healthcare spreads in mixed networks
               network scans, IP scans, port scans and            with devices such as PCs, scanners
               vulnerability scans on networks that               and nuclear imaging devices. With
               attempt to identify potential next-step            strong self-propagation and infection
               targets.                                           capability, WannaCry cross-infects devices
                                                                  throughout IoT and IT.
             » Password attacks. These attacks are
               fueled by default, manufacturer-set              » Botnet attacks. The Mirai malware turns
               passwords, poor password security                  networked devices running Linux into
               practices and operational misalignment.            remotely controlled bots that can be used
               For example, passwords chosen by                   as part of a botnet in large-scale attacks.
               OT staff are not in line with the more             Primary targets are online consumer
               advanced password policies and password            devices such as IP cameras and home
               management practices used by IT.                   routers. Mirai has grown into a framework
               California’s SB-327 IoT law now prohibits          to which developers can add new device
               the use of default credentials, which will         exploits as new variants.
               help reduce password attacks.

                 RE C O M ME N D AT I O NS
                      Develop an IoT security strategy             Implement active around-
                      that encompasses the entire IoT              the-clock monitoring.
                      lifecycle and all IoT devices

                      Discover IoT devices on                      Use a vulnerability management
                      your network                                 process that encompasses:

                      Patch printers and other                     » Asset discovery
                      easily patchable devices                     » Identification of vulnerabilities
                                                                     in the assets
                      Segment IoT devices across VLANs             » Threat intelligence to
                      – micro-segmentation is preferred              prioritize vulnerabilities
                                                                   » Patching, configuration management
                                                                     and isolation as remediation methods

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                     15
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

            2 0 1 9 N O TA B L E
            Io T AT TA C K S

            SEPTEMBER 2019
            Palo Alto Networks analysts
            discovered an updated Gafgyt
            variant attempting to infect IoT
            devices, specifically small office/
            home wireless routers of certain
            commercial brands.

                                                  DECEMBER 2019

                                                  Palo Alto Networks analysts discovered a
                                                  new variant of the Muhstik botnet that
                                                  adds a scanner to attack Tomato routers by
                                                  web authentication brute forcing. Muhstik,
                                                  which has a wormlike self-propagating
                                                  capability to infect Linux servers and IoT
                                                  devices, mainly launches cryptocurrency
                                                  mining and DDoS attacks with IoT bots to
                                                  earn profit.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                          16
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             CYBER ESPIONAGE                                        » PsExec. This tool is part of Microsoft’s
                                                                      Sysinternals. It enables system
             Optiv’s gTIC followed cyber espionage,                   administrators to remotely access and
             which is cyber activity directed at private and          manage their systems over the Server
             public sector entities with the aim of stealing          Message Block (SMB) protocol, TCP
             sensitive or classified data or intellectual             port 445. The open-source penetration
             property to gain a competitive advantage over            tool Metasploit specifically contains
             a rival organization or country. Threat actors           a PsExec exploit module that allows
             engaged in cyber espionage are sophisticated             an attacker to conduct remote code
             and often fall under the classification of               execution on a targeted machine.
             advanced persistent threats (APTs). Depending
             on their target, they can exploit a range of           » Mimikatz. An offensive security tool,
             vectors to establish a foothold within a target          Mimikatz can be used at the post-
             system. These attacks are often preceded                 exploitation phase of an attack. Its
             by reconnaissance activity. The ramifications            functionality encompasses password
             of espionage include loss of competitive                 dumping from memory, PINs, hashes
             advantage, sabotage and political instability.           and Kerberos tickets. This tool works by
                                                                      exploiting Windows single-sign-on (SSO)
             Tools                                                    procedures. Successful exploitation can
                                                                      enable other attacks including pass-
             Threat actors often leverage both in-house and
                                                                      the-hash and Golden Ticket attacks.
             publicly available hacker tools common among
             many threat groups. This not only frees up time        » X-Agent. This modular backdoor is
             and resources but also makes post-exploitation           leveraged by APT28, a Russian state-
             analysis and attribution more difficult – adding         linked espionage group with ties to
             to the attackers’ level of obfuscation.                  GRU, Russia’s military intelligence
                                                                      organization. Also called CHOPSTICK,
             Espionage attacks do not differ much from                X-Agent functionality focuses on
             financially motivated attacks, but they can span         information gathering and includes
             a longer timeframe. State-hosted espionage               capabilities such as logging keystrokes,
             operations are commonly supported by a                   transmitting remote files, taking
             much larger and sophisticated infrastructure             screenshots and modifying registries.
             than those used by criminal actors. Some
             commonly leveraged public tools include:

                                                   Turla Hijacks APT34 Tools
                                                   In October 2019, the United Kingdom’s National Cyber Security
                                                   Centre (NCSC) and the United States’ National Security
                                                   Agency (NSA) issued a joint advisory. It stated that the Russian
                                                   state-associated threat actor Turla used tools linked to the
                                                   Iranian threat actor APT34. This included the Neuron and
                                                   Nautilus tools designed to target mail servers and web servers
                                                   on Windows. Turla used Neuron and Nautilus to target a range
                                                   of victims, including a cluster of Middle Eastern organizations.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                           17
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             » Empire. An open-source post-exploitation    MALWARE: KRYPTIK,
               framework, Empire can operate cross-
               platform. It is used by advanced
                                                           OBFUSE AND EMOTET
               persistent threat actors including APT33,   VMware Carbon Black analysts provided
               APT19, FIN10 and Turla. Empire can run      insights into Kryptik, Obfuse and Emotet.
               PowerShell agents without powershell.exe    This malware is often used in long, complex
               along with a range of post-exploitation     campaigns for which the end goal is to
               modules geared to logging keystrokes,       leverage native operating system tools to
               network detection evasion and containing    remain invisible or gain a foothold in one
               Mimikatz. Additionally, Empire’s network    system (sometimes a supply chain partner) to
               traffic was asynchronous and blended in     island hop to a larger, more lucrative target.
               with normal network traffic. Development
               of Empire ceased in mid-2019.               The Kryptik trojan attempts to target victim
                                                           machines via nefarious installers. It then
             » netstat. This operating system utility is   attempts to acquire admin rights to make
               used to display TCP connections, network    registry modifications, allowing it to execute
               connections and listening ports common      each time a Windows machine boots. Kryptik
               within Windows, Linux and UNIX.             can be persistent and, without appropriate
                                                           visibility, can be difficult to detect as it attempts
             » Cobalt Strike. A commercially
                                                           to delete its executable file after running.
               available penetration testing tool,
               Cobalt Strike has been adopted by
                                                           As noted by a threat profile from the New
               several espionage threat actors. These
                                                           Jersey Cybersecurity and Communications
               include APT29, APT17 and CopyKittens.
                                                           Integration Cell (NJCCIC): “[The Kryptik trojan]
               Its full range of post-exploitation
                                                           queries the Windows registry for the .ini or
               functions present cyber-espionage
                                                           .dat file paths. It also queries registry subkeys
               actors with a convenient framework.
                                                           for the actual host, username and password
                                                           related to the specific FTP client application.
                                                           Kryptik searches the registry, querying for both
                                                           ftpIniName and InstallDir that hold the wcx_ftp.
                 RE C O M ME N D AT I O NS                 ini file. The trojan can recover many common
                                                           FTP clients, email clients, file browsers and file
                      Enforce a security policy that       manager programs. Kryptik also can update
                      covers cyber-based, insider          itself and remotely download new versions.”11
                      and physical-based threats to
                      stop cyber-espionage threat          Obfuse is a trojan virus designed to steal
                      actors that go to great lengths      confidential data stored on a system. It
                      to access their targets              is delivered through porn websites, free
                                                           online games, peer-to-peer file sharing,
                      Ensure operating systems,            misleading ads, free third-party software and
                      software and firmware are            spam email attachments. Difficult to detect
                      patched to the latest updates        and remove, Obfuse can disable antivirus
                      with patch management that           software, redirect browsers, slow system
                      maintains automatic updates          speed, freeze programs and pay repeat visits
                                                           after creating new malicious registry keys.
                      Implement multi-factor
                      authentication

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                  18
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Emotet, a family of banking malware, has
             been around since at least 2014. Attackers
                                                                   A three-part Palo Alto
             continue to leverage variants of Emotet
             and are becoming increasingly shrewd                  Networks blog series focuses
             in the techniques they employ to deliver              on static analysis of PowerShell
             the malware onto an infected system.                  scripts and a platform-
             Researchers using managed hunting services            independent Python script
             observed a spike in the adaptation to                 to carry out the task. The
             existing methods leveraging PowerShell.
                                                                   author studied approximately
             Attackers encrypted the URLs of the
             command and control (C2) systems used
                                                                   5,000 PowerShell scripts
             to host the second-stage payload.                     and describes behavioral
                                                                   profiling, common
             Further, several attacks originated from              obfuscation, methods of
             phishing campaigns that leverage Microsoft            hiding data within PowerShell
             Office Word documents with obfuscated                 scripts and a scoring system to
             VBScripts using PowerShell and the
                                                                   assess risk.
             ConvertTo-SecureString cmdlet, which in
             the later stages is used to decrypt the C2(s)
             and associated logic. This represents an
             evolution of current macro attack techniques
             – these types of cmdlets are not typically
             associated with phishing campaigns.

                 RE C O M ME N D AT I O NS
                      Install next-generation antivirus       Implement techniques within
                      coupled with endpoint detection and     Microsoft environment such as
                      response (EDR) and micro-segmentation   Microsoft Just Enough Administration
                      to thwart malware attacks               (JEA) to allow delegated control;
                                                              Remove use of older PowerShell
                                                              2.0, which has been deprecated, and
                                                              enable PowerShell transcription
                                                              logging and Script Block Logging

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                19
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             MALWARE: RANSOMWARE                             Threat actors may also stop or disable
                                                             services on a system to render those services
             Optiv’s gTIC team (using the ThreatDNA          unavailable to legitimate users. Stopping
             platform) found that ransomware                 critical services can inhibit or halt responses
             was an influential topic throughout             to an incident or aid the adversary’s
             the past year in circles outside of             overall objectives to cause damage to the
             the information security industry.              environment. Adversaries may accomplish
                                                             this by disabling individual services of
                Numerous industry leaders and                high importance to an organization,
                                                             such as MSExchangeIS, which will make
                organizations saw a drastic
                                                             Microsoft Exchange content inaccessible.
                increase in ransomware activity,             In some cases, adversaries may stop
                as reported in the news and                  or disable any or all services to render
                incident response reports.                   systems unusable. Services may not allow
                                                             for modification of their data stores while
                                                             running. Adversaries may stop services to
             Many ransomware concepts can be                 induce data destruction or encrypt data
             explained by reviewing what is known about      for impact on the data stores of services
             the MITRE ATT&CK® for Enterprise patterns       like Exchange and Microsoft SQL Server.
             used by most ransomware families. Knowing
             more about how ransomware works will            Attackers can fake the parent process
             help identify and address vulnerabilities.      identifier (PPID) of a new process to evade
                                                             process-monitoring defenses or to elevate
             Adversaries may encrypt data on target          privileges. New processes are typically
             systems or on large numbers of systems in       spawned directly from their parent, or call,
             a network to interrupt availability to system   process unless explicitly specified. One way
             resources. They can attempt to render           of explicitly assigning the PPID of a new
             stored data inaccessible by encrypting          process is via the CreateProcess API call,
             files or data on local and remote drives        which supports a parameter that defines
             and withholding access to a decryption          which PPID to use. This functionality is used
             key. This may be done to extract monetary       by Windows features such as user account
             compensation from a victim in exchange for      control (UAC) to correctly set the PPID after
             decryption or a decryption key to render        a requested elevated process is spawned by
             data permanently inaccessible in cases          SYSTEM (typically via svchost.exe or consent.
             where the key is not saved or transmitted.      exe) rather than the current user context.

             In the case of ransomware, common user          Adversaries may abuse these mechanisms
             files like Microsoft Office documents, PDFs,    to evade defenses, such as those blocking
             images, videos, audio, text and source code     processes spawning directly from Office
             files are typically encrypted. In some cases,   documents, and analysis targeting unusual/
             adversaries may encrypt critical system         potentially malicious parent-child process
             files, disk partitions and the master boot      relationships, such as spoofing the PPID of
             record (MBR). To maximize the impact on the     PowerShell or Rundll32 to be explorer.exe
             target organization, malware designed for       rather than an Office document delivered
             encrypting data may have worm-like features     as part of spear phishing attachment. These
             to propagate across a network by leveraging     spoofing techniques can be executed
             other attack techniques like valid accounts.    via Visual Basic for Applications (VBA)
                                                             scripting within a malicious Microsoft

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                  20
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Office document or any code that can              Threat actors can shutdown/reboot
             perform execution through an API.                 systems to interrupt access to, or aid in the
                                                               destruction of, those systems. Operating
             Explicitly assigning the PPID may also enable     systems may contain commands to initiate
             privilege escalation, given appropriate           a shutdown/reboot of a machine. In
             access rights to the parent process. For          some cases, these commands also may
             example, an adversary in a privileged user        be used to initiate a shutdown/reboot
             space, such as an administrator, may spawn        of a remote computer. Shutting down or
             a new process and assign the parent as            rebooting systems may disrupt access to
             a process running as SYSTEM (such as              computer resources for legitimate users.
             lsass.exe), causing the new process to be         Adversaries may attempt to shutdown/
             elevated via the inherited access token.          reboot a system after impacting it in other
                                                               ways, such as a disk structure wipe, or
             Adversaries commonly use domain                   inhibiting system recovery, to hasten the
             generation algorithms (DGAs) to procedurally      intended effects on system availability.
             generate domain names for command and
             control communication, and for other uses         Attackers also interrupt the availability
             such as malicious application distribution.       of system resources by inhibiting access
             DGAs drastically increase the difficulty for      to accounts utilized by legitimate users.
             defenders to block, track or take over the        Accounts may be deleted, locked or
             command and control channel, as there             manipulated. Adversaries also may
             potentially can be thousands of domains           subsequently log off and/or reboot boxes
             that malware can check for instructions.          to set malicious changes into place.

                 RE C O M ME N D AT I O NS
                      Consider implementing IT recovery          Research trusted sources for public
                      plans that contain procedures for          releases of decryptor tools or keys to
                      consistently testing data backups          reverse the effects of ransomware
                      that can be used to restore critical
                      data. In some cases, the method to         Identify potentially malicious
                      decrypt files affected by a ransomware     software and audit and/or block
                      campaign is released to the public         it by using whitelisting tools

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                    21
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             Hybrid
             Threat Actors
             Hybrid threat actors present unique
             challenges because their classification
             is not always rigid. Common classes
             of hybrid threat actors include nation-
             states, cybercriminals, hacktivists and
             others described below. These actors may
             masquerade as a certain type to hide their
             true agendas. Or, threat actors may belong
             to two or more classes, switching between
             them as their priorities change.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                 22
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

             NATION-STATES                                  » North Korea. The North Korean
                                                              government maintains a firm grip over its
             Nation-state threat actors are often thought     domestic cyber-threat actors. Its efforts
             to possess resources and capabilities above      are aided by the state’s indoctrination
             and beyond the average threat actor. They        methods so that technical skills are
             have unique relationships to other types of      developed among those serving the
             threat actors, and they view cyber-threat        government. When compared with other
             actors within their boundaries according to      nation-states, North Korea’s interests have
             philosophy and law. Citizens in a country        had a greater focus on monetary gain
             are subject to the laws, regulations and         brought on by the country’s economic
             governance of the nation-states in which         isolation and strict international sanctions
             they reside. Similarly, nation-state threat      imposed on the country. In addition
             actors are not excluded from the laws            to financially motivated activity, North
             and regulations of their own countries           Korea also engages in destructive
             and therefore cannot act with impunity.          cyber activity against South Korean
                                                              media and targets other foreign media
             Analysts from Optiv and Digital Shadows          institutions that have portrayed the
             weigh in below on prominent nation-              North Korean regime in a negative light.
             states that engage in cyber-threat activity      These actions were highlighted in cyber
             and use their positions to integrate             attacks carried out against international
             domestic, non-nation-state threat actors         banks and cryptocurrency exchanges
             into their offensive cyber policies.             that were linked to the North Korean
                                                              state. North Korea has been linked to
             » China. China prefers to indoctrinate           the infamous WannaCry attack in 2017.
               cyber-threat actors so they willingly          The Lazarus Group/HIDDEN COBRA,
               support the state. Feelings of patriotism      an advanced persistent threat group,
               and common achievement drive                   has been linked to several high-profile
               actors to cooperate and follow nation-         cyber attacks including the 2014 Sony
               state direction. China instills, and to        Motion Pictures breach as well as attacks
               an extent, enforces, a deep sense of           against South Korean critical infrastructure
               loyalty to country through schooling           and media/financial institutions.
               and the military. Groups may be directly
               associated with the military (APT1/            Digital Shadows analysts found that
               Comment Crew), or they attract and             the Lazarus Group was particularly
               maintain followers and members (Honker         active in 2019 – and well known for
               Union) via an agenda that focuses on           conducting operations for financial gain
               patriotism and duty to country. China’s        to raise government revenue. This is
               recurring Five-Year Plan, which lays out       unusual for nation-state groups, which
               key and strategic-level objectives related     typically are focused on espionage
               to economic growth, global influence,          operations used to gather sensitive
               investments and culture, directs and           political and military information. The
               influences the sentiment and actions           majority of Lazarus Group’s attacks on
               of domestic cyber operations. China            cryptocurrency exchanges took place
               maintains a robust cyber capability            in Asia – South Korea in particular.
               within both its intelligence service,
               the Ministry of State Security (MSS)
               and the People’s Liberation Army.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                 23
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

            2 0 1 9 S TAT E O F N AT I O N
            THRE AT A C T O R S

                                              RUSSIA                            NORTH KOREA
                                              allows cybercriminals to          have had a greater focus
                                              conduct their activities as       on monetary gain brought
                                              long as they target entities      on by the country’s
                                              outside of Russia’s borders       economic isolation and
                                              and accept cyber direction        strict international sanctions
                                              from state sources.               imposed on the country.

                                                   IRAN                       CHINA
                                                   actively cultivates and    maintains a robust cyber
                                                   recruits non-nation-       capability within both its
                                                   state actors.              intelligence service, the
                                                                              Ministry of State Security
                                                                              (MSS) and the People’s
                                                                              Liberation Army.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                    24
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

                Cryptocurrency-related organizations         Reporting suggests that by late 2018,
                remained a popular target for Lazarus. In    Iranian government officials took a
                addition to targeting multiple established   stricter stance on its independent actors
                cryptocurrency exchanges, the group also     to reel in offensive cyber operations
                was linked to an operation that promoted     under tighter government control and
                a fake cryptocurrency trading program        guidance. Throughout 2019, there was
                and installed a backdoor on a victim’s       a notable increase in aggressive Iranian
                device when downloaded. Lazarus also         activity that further degraded relations
                conducted more traditional espionage         between Iran and the West. Iranian state-
                operations. For example, the group was       linked hacker groups continued to remain
                linked to an operation targeting one of      focused on conducting disruptive cyber
                India’s nuclear power plants, Kudankulam     attacks and spreading disinformation
                Nuclear Power Plant (KNPP), in October       and pro-Iranian propaganda.12 It’s
                2019. The Dtrack trojan used in the          uncertain what the long-term response
                attack was developed by the group.           from Iranian groups will be in light of the
                Although Windows remains the target          strike that killed Islamic Revolutionary
                operating system of choice for most          Guard Corps (IRGC) commander General
                threat actors, a notable trend was           Qasem Soleimani in January 2020.
                Lazarus’ targeting of Mac OSX systems.       According to Digital Shadows research,
                South Korean OSX users were targeted         MuddyWater, an Iranian state-associated
                through macro-embedded documents             threat actor, was most active in the first
                that would go on to execute a malicious      half of 2019. But throughout the year,
                PowerShell script. Lazarus often targeted    the group used many new or previously
                both Windows and OSX users through           unobserved tools to conduct espionage
                the separation of infection procedures       operations targeting various sectors
                as part of the same operation.               and regions, including the Middle East,
                                                             Asia, Europe and North America. One
             » Iran. Iranian nation-state actors actively    campaign used a previously unseen
               cultivate and recruit non-nation-state        PowerShell-based backdoor called
               actors in addition to continually building    POWERSTATS v3 to target a university in
               out their paramilitary cyber units such as    Jordan and a government entity in Turkey.
               APT33 and OilRig. Many Iranian threat         The multi-staged backdoor exfiltrated
               actors carry out their activities by self-    information and staged a second-stage
               driven initiative as well as by suspected     attack by obtaining additional payloads
               guidance from Iranian government              from MuddyWater’s command and
               and military organizations. Hacktivist        control (C2) server. MuddyWater also
               groups, whose members sometimes               expanded its targets to include Android
               have loose ties to higher education and       devices. Mobile malware deployed by the
               military institutions, often are driven       group enabled it to gather information
               by the hope and expectation of being          – including contact lists, call logs, SMS
               rewarded or recruited by special units        text messages and Android geolocation
               within Iran’s military and paramilitary       information – from an infected device.
               groups that are involved in information
               security and cyber activity. The Basij,
               a volunteer corps, recruits for various
               domestic and national-level security
               initiatives, including cyber operations.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                               25
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14

                In the second half of 2019, there was a         »
                notable reduction in public reporting
                on MuddyWater, although it is possible          »
                that campaigns occurred in the second           »
                half of the year but were not reported.
                Similar to reporting of APT34 activity, a       »
                Telegram user leaked information on the
                threat actor in May 2019, including images      »MuddyWater
                of both MuddyWater C2 server source
                                                                »In 2019, the Iranian state-associated threat
                code and the back end of the C2 servers.        actor MuddyWater targeted government
                Given the sophistication of the group, it       »and telecommunication organizations in
                is unlikely that this would have severely       the countries surrounding Iran. Phishing
                disrupted their operations. It is more likely   »emails sent to targets contained Word
                that the lack of reporting was caused            documents that, once opened, displayed
                                                                »
                by reporting biases. Cyber-espionage             an error message to prompt a target into
                campaigns often are reported either in          »downloading a file. If a user proceeded,
                retrospect or not reported until many            the malicious file established a connection
                months or years after they take place.          »with a C2 server that had links to previous
                                                                 MuddyWater attacks. The file exploited
             » Russia. The Russian state controls and
                                                                 CVE-2017-0199 (a vulnerability previously
               coordinates cyber-threat activity with
                                                                 exploited by the Iranian state-associated
               its non-nation-state actors via coercion.
                                                                 threat actor APT34) and ran a PowerShell
               Cybercriminals are allowed to conduct their
                                                                 script. The script obtained and exfiltrated
               activities as long as they target entities
                                                                 information about the compromised
               outside of Russia’s borders and accept
                                                                 system to the MuddyWater C2 server. The
               cyber direction from state sources. Failure
                                                                 group also deployed additional, although
               to do so can result in criminal prosecution.
                                                                 unspecified, payloads onto compromised
               Russia is suspected of repurposing
                                                                 systems.
               domestic hackers and threat actors that
               are embroiled in legal issues stemming
                                                                Because CVE-2017-0199 was used previously
               from past cyber activities. These actors
                                                                by APT34, it is possible that the two threat
               may be leveraged by government security
                                                                actors are collaborating with Iranian
               and/or intelligence bureaus to carry out
                                                                state-associated groups known to share
               activities that benefit the state’s agenda.
                                                                infrastructure. Telecommunication
                                                                organizations are an attractive target for
                                                                espionage operations because they are part
                                                                of a country’s critical infrastructure and
                                                                form critical nodes in a country’s network.
                                                                By gaining access to telecommunication
                                                                organizations, a threat actor increases its
                                                                ability to intercept and collect network
                                                                traffic within a target country.

OPTIV | 2020 CYBER THREAT INTELLIGENCE ESTIMATE                                                                                      26
You can also read