CrowdStrike, a global provider of security technologies and services focused on identifying advanced threats and targeted attacks, today released “CrowdStrike Global Threats Report: 2013 Year in Review,” the product of CrowdStrike’s year-long study of more than 50 groups of cyber threat actors. The 30-plus-page report offers insight into the evolving behaviors of these attackers, naming groups in China, Iran, Russia, North Korea, and Syria that are responsible for some of the world’s most recent and visible online attacks.
“Organizations need to take an intelligence-driven approach to security – proactively responding to advanced threats by prioritizing their limited resources,” said George Kurtz, CEO/President & Co-Founder of CrowdStrike. “The information in this report allows security professionals to differentiate between targeted and commodity attacks, thus saving time and focusing on the most critical threats to the enterprise.”
“With this report, we’re going above and beyond the traditional ‘threat report’ that simply analyzes malware trends,” said Dmitri Alperovitch, co-founder and CTO of CrowdStrike. “This report focuses on what’s most important — the adversary — rather than just the exploits they create. This is a great step toward fighting cyber security threats on a new battleground — by identifying and defending against human adversaries, rather than simply trying to block malicious code.”
In addition to profiling some of the world’s most prominent threat actors, the CrowdStrike Global Threats Report examines the tactics and techniques these attackers most often use to breach a targeted organization. For example, the report gives a detailed analysis of how several organized threat groups use strategic web compromise (SWC), sometimes called a “watering hole” attack, to reach a target by compromising the legitimate websites its members visit most often, so that the victims are infected during ordinary browsing rather than through a lure sent to them. SWC attacks on the Council on Foreign Relations, the U.S. Department of Labor, and several foreign embassies are described in detail in the report.
“Compromising and weaponizing a legitimate website has significant advantages over spear phishing, which historically has been the most common method of launching a targeted attack,” said Adam Meyers, VP of Intelligence at CrowdStrike. “A strategic web compromise does not require social engineering a victim, which can expose an adversary to detection. We believe this tactic will be used with increasing frequency among the adversaries that we are tracking.”
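The defender-side counterpart to the tactic described above is to notice when a site you or your users depend on starts pulling content from somewhere it never did before. The following is an added example, not code from the report or from CrowdStrike: it parses a page’s HTML, collects the origins of every remote script, iframe, image and stylesheet it references, and reports any origin absent from a known-good baseline. The page URL, the baseline origins, and the two HTML documents (one clean, one with a hidden injected iframe) are constructed for the example; the assumption that a watering-hole compromise shows up as an added remote resource is the author’s, not a claim taken from the report.

```python
"""Flag unexpected external resource origins in a web page (constructed example).

Assumption (not from the report): a strategic web compromise usually plants a
script or iframe on the legitimate page that loads from an attacker-controlled
host, so the set of remote origins a page references is a useful baseline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make a browser fetch a remote resource.
FETCHING_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
    "embed": "src",
    "object": "data",
}


class OriginCollector(HTMLParser):
    """Collects scheme://host for every remote resource the page references."""

    def __init__(self, page_url):
        super().__init__()
        parsed = urlparse(page_url)
        self.page_scheme = parsed.scheme
        self.page_origin = f"{parsed.scheme}://{parsed.netloc.lower()}"
        self.origins = set()

    def _origin(self, url):
        parsed = urlparse(url)
        if not parsed.netloc:
            return None  # relative URL: same origin as the page
        # Scheme-relative URLs ("//host/x.js") inherit the page's scheme.
        scheme = parsed.scheme or self.page_scheme
        return f"{scheme}://{parsed.netloc.lower()}"

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag.lower())
        if attr is None:
            return
        for name, value in attrs:
            if name.lower() == attr and value:
                origin = self._origin(value)
                if origin and origin != self.page_origin:
                    self.origins.add(origin)


def external_origins(page_url, html):
    """Return the set of cross-origin resource origins referenced by the page."""
    parser = OriginCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.origins


def unexpected_origins(page_url, html, baseline):
    """Return origins the page now loads from that are not in the baseline."""
    return external_origins(page_url, html) - set(baseline)


# --- Constructed sample data (hypothetical site, not a real compromise) ---
PAGE_URL = "https://www.example-org.test/news/"
BASELINE = {"https://cdn.example-org.test", "https://analytics.example-org.test"}

CLEAN_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<script src="https://cdn.example-org.test/lib.js"></script>
<script src="//analytics.example-org.test/a.js"></script>
</head><body><img src="/logo.png"><p>News</p></body></html>"""

# Same page with a hidden 1x1 iframe injected by the attacker (203.0.113.7 is a
# documentation address, used here as a stand-in for an attacker host).
COMPROMISED_HTML = CLEAN_HTML.replace(
    "</body>",
    '<iframe src="http://203.0.113.7/r.html" width="1" height="1"></iframe></body>',
)

if __name__ == "__main__":
    print("clean page, unexpected:", unexpected_origins(PAGE_URL, CLEAN_HTML, BASELINE))
    print("compromised page, unexpected:",
          unexpected_origins(PAGE_URL, COMPROMISED_HTML, BASELINE))
```

In practice the baseline is built from several clean captures of the page over time, and the check is run on periodic fetches of the sites an organization’s staff visit most; a newly appearing origin is a signal to investigate, not proof of compromise, since legitimate sites also add third-party content.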
The CrowdStrike Global Threats Report offers insight on the activities of several sophisticated groups of attackers, including:
- DEADEYE JACKAL, commonly known as the Syrian Electronic Army (SEA);
- NUMBERED PANDA, a group of China-based attackers who conducted a number of spear-phishing attacks in 2013;
- MAGIC KITTEN, an established group of cyber attackers based in Iran who carried out several campaigns in 2013, including a series of attacks targeting political dissidents and supporters of the Iranian political opposition;
- ENERGETIC BEAR, a Russia-based group that collects intelligence on the energy industry; and
- EMISSARY PANDA, a China-based actor that targets foreign embassies to collect data on government, defense, and technology sectors.
The report also offers predictions on the evolution of sophisticated adversaries in 2014. CrowdStrike predicts that 2014 will bring increased targeting of third-party vendors, abuse of the Internet’s new generic top-level domains (gTLDs), and exploitation of vulnerabilities in Windows XP, which reaches Microsoft end-of-support this April (April 2014) and will no longer receive security patches. The report also predicts increased use of encryption to protect and obfuscate malware, greater use of black markets for buying and selling custom-made malware, and increased targeting of attacks around major events, such as the Olympics, the 2014 G20 Summit, and major national elections. In the wake of the recent breaches of major retailers, the CrowdStrike team also discusses the evolution of cyber criminals, who are beginning to develop capabilities to identify and breach specific targets in pursuit of sensitive account data.
“One of the advantages of focusing on adversaries, rather than malicious code, is that humans have detectable habits and often make mistakes,” said Meyers. “We believe that the data we have collected here is not only a good summary of what happened in 2013, but a harbinger of the attacks to come in 2014. This is the type of information that enterprises can use to develop better, more effective defenses.”