2019 H1 Cyber Events Summary Report

We are happy to present our half-year report summarizing cyber events for the first half of 2019. This report provides an in-depth review of significant trends, as well as major attack events in the cyber landscape – a combined effort of our intelligence research, threat-hunting and analyst teams.

Read the full report: 2019 H1 Cyber Events Summary Report

Preface

In recent months we have observed multiple targeted ransomware attacks against major companies, including international corporations – undoubtedly, this is the most significant attack vector of the first half of 2019. The main penetration vectors in these attacks are decoy emails carrying malicious content and attacks over RDP (Remote Desktop Protocol). In our assessment, this year RDP has become a significant vector through which computer systems are infected worldwide.

The most notable example of a targeted ransomware operation is the Norsk Hydro attack, which we classified as the most significant attack of the first half of 2019. Forensic investigations covering the attack on Norsk Hydro, as well as on other companies that suffered similar incidents, revealed an extensive attack infrastructure aided by sophisticated, evasive tools and designated zero-day vulnerabilities. Indeed, the LockerGoga ransomware infrastructure has managed to infiltrate hundreds of companies worldwide and extort tens of millions of USD. Norsk Hydro alone stated that the damage caused by the attack is estimated at around 75 million USD.

Significant increase in targeted ransomware attacks on large companies and organizations globally

Behind several of these attacks are nation-state actors that execute ransomware attacks with the end goal of causing harm rather than financial gain. Several of the most notable ransomware attacks so far are Norsk Hydro, ASCO, SonAngol and Verint. In contrast to the rising popularity of targeted ransomware, destructive ransomware attacks – in which the files are corrupted without a recovery option – were not reported during the first half of 2019. This could be the result of intensive collaboration between agencies worldwide to hinder such attacks.

Increase of BEC (Business Email Compromise) attacks

This type of attack, in which the attacker traditionally impersonates an executive in the company or a third-party provider, is the most common type of attack globally. According to the latest data from the FBI, as of June 2018, BEC scams have compromised over 12 billion dollars globally.[1] This figure is expected to continue rising in 2019. In the past two months, attackers began leveraging AI (Artificial Intelligence) systems to impersonate senior employees’ voices and execute financial transactions, resulting in immediate losses of millions of euros.

More Attacks against financial institutions

In 2019, financial institutions and banking users are still a desirable target for tailored cyber-attacks aimed at financial gain. However, while the trend continues, we did not see a sharp increase in the attack rate. This appears to be a direct result of the considerable effort and resources invested by the banks in mitigating cyber threats, in conjunction with attackers targeting more profitable and less secure targets such as crypto-currency platforms. In 2019 these platforms continue to suffer hundreds of millions of dollars in losses, making them the most targeted financial platform to date. Alongside that, a notable decrease in the rate of attacks targeting the SWIFT system was observed – most likely as a result of the great effort invested by the security industry into protecting these systems.

Social media platforms combat the fake news phenomenon

Over the last six months we have seen considerable efforts by social media platforms to identify and take down fake-news sources and actors, both through extensive investigative efforts and through routine, incremental takedown actions. While these actions don’t fully neutralize the phenomenon, they do play a crucial role in raising awareness.

Attack attempts against Internet of Things (IoT) systems and SCADA Systems

Over the last six months, we have seen an alarming rise in threats to industrial IoT (Internet of Things) and ICS systems. Of note are various threat actors targeting power grids. The most prominent actors in this regard are the USA and Russia. For example, the Triton malware, which was used in the attack on the Saudi oil refineries, is currently being attributed to Russia.

Escalation of the Digital Cold War between the US, Russia, and China

The recent developments of a “digital cold war” between the US, China, and Russia – amongst others – were a key event in the global cyber arena during the first half of 2019. Political conflicts resulted in immediate actions in the cyber landscape and led to parallel efforts by many major powers to possess designated SCADA malware, as well as the ability to cripple their adversaries’ power facilities in preparation for a time of need. For the first time, Trump administration officials reported that a payload developed in the US was planted in Russia’s power network.

One of the most notable consequences of this state of affairs can be seen in the continued weaponization of social media platforms to propagate disinformation on a massive scale, and in the rapid proliferation of advanced malware. The latter in particular has facilitated new threats against service providers, alongside critical infrastructure.

Accordingly, these nations and their allies have begun taking major mitigation actions, be they economic, such as embargoes and global trade restrictions, or technological, such as new plans to implement an “internet kill-switch”.[2] These and other developments are largely a reactionary backlash following large-scale campaigns against numerous industries and sectors, including critical infrastructure, large industrial operations, and military organizations.

More and more countries are claiming almost direct responsibility for major attacks

This is likely an attempt to create deterrence and signals the next stage in the digital cold war – “who is the bigger threat / who can cause the most damage”. Alongside the deterrence efforts, we continue to see disclosures of critical zero-day vulnerabilities that pose a threat to global computer networks, such as the BlueKeep flaw. We believe that Russia will likely attempt to exploit these vulnerabilities to execute a massive cyber attack in the vein of NotPetya.

Increase in Iranian cyber capabilities alongside the expansion of their cyber operations against foreign countries

In this regard, we also saw Iran expanding its operations into new regions. The increase in Iranian offensive operations in the cyber arena is aligned with the escalation of the conflict between Iran and the United States, concerning the nuclear deal violation, the US sanctions and more.

Indicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP events.
[1] https://www.ic3.gov/media/2018/180712.aspx

[2] https://www.theguardian.com/world/2019/apr/11/russia-passes-bill-internet-cut-off-foreign-servers