Cyber Intelligence 2017 Summary Report

Posted on by ClearSky Research Team

Major cyber trends in 2017

The most significant attacks this year were executed by organized cybercrime groups and nation-state actors

Over the last two years, cyberspace has become a prominent medium for fighting between countries. Among the major global cyber actors, Russia is both the most significant nation-state actor, and the most prolific habitat for cybercrime groups, who stole in the past year billions of dollars using ransomware and spear phishing targeted attacks.

Cyber-attacks targeting democratic processes and public perception

This year we observed cyber-attacks that were executed with an end goal of undermining democratic processes by spreading misinformation in order to alter public opinion, as well as sabotaging elections and public opinion polls by various means. For instance, creating thousands of fake social media profiles, and blatantly trying to influence other countries’ electoral processes. This can be seen for example, in the propagation of fake news in Ukraine, attempting to alter election results in the US and France, and attempting to influence the outcome of the Brexit referendum.

The crash of the Eggshell Security paradigm

The model, which is primarily based on the idea of implementing comprehensive outer security measures while keeping the inner “core” exposed, resulted in billions of dollars of losses to companies. The ramification of this paradigm was that in recent years inter-organizational security systems were neglected. The current state is that many organizations allocate considerable amounts of resources to their outer security layer at the expense of inner security systems. This imbalance enables attackers to easily spread across various systems once they penetrate an organization. Moreover, this paradigm is increasingly becoming less effective against hybrid attack vectors that use multiple techniques to ensure a successful attack.

Attacks such as NotPetya and WannaCry, have demonstrated and emphasized that this paradigm is outdated and no longer adequately effective.

The year of Enterprise-cyber-attacks – widescale successful destructive attacks against large companies

A prominent trend in 2017 is large destructive attacks against multi-national corporations. This is the first year we have seen widescale destructive attacks against private firms. Tens of thousands of computers and organizational core systems were corrupted due to cyber-attacks. Billions of dollars of damages, as well as months of disrupted operation have illustrated this threat to the managerial echelon of companies all around the world.

Cyber-attacks exploiting supply chain

This year there was a significant increase of successful attacks that compromised targets by exploiting their supply chains (i.e. third-party service provider). Often these attacks are executed in conjunction with exploitation of OS and communication protocols vulnerabilities.

Instantaneous exploitation of 1-day vulnerabilities

Another significant trend relates to the speed in which attackers are exploiting 0-day and new attack tools emerge following reports and publications. The events of 2017 have illustrated that for an attacker to execute a significant attack, he no longer need to invest time and effort in uncovering unknown vulnerabilities. All he must do is follow various channels of information that report newly discovered vulnerabilities, and leverage the gap of time between when a vulnerability is discovered, and when organizations update their systems with the relevant security patches. A proccess that may take up to several weeks and even months. An example of such an attack is the WannaCry event.

Proliferation of attack tools – wide scale propagation and instantaneous use of tools shared online

In a similar fashion to the exploitation of 1-day vulnerabilities, there is also a proliferation of attack tools. A notable example can be seen by the rapid proliferation of the leaked NSA attack tools that quickly got adopted by threat agent from North Korea, Russia, China and other countries.

The financial sector (notably banks) have become a central target for sophisticated attackers (both criminal and nation-state actors)

Core banking systems such as SWIFT and ATM networks have become a favorable target for cyber attackers. The primary targets were banks located in Eastern Europe and East Asia. These attacks resulted in hundreds of millions of dollars stolen from numerus bank around the world.

Cryptocurrency markets and wallets have become a prominent target for cybercriminals

As cryptocurrencies are gaining mainstream acceptance, hackers and cybercrime actors have shifted their efforts towards this matter in an ever-growing manner. This year, between several dozen to several hundreds of millions of crypto coins were stolen by various scams and attacks.

Most prominent cyber actors

Following our 2016 assessment, it appears that the most significant attackers in 2017 are Russian actors who can be categorized as follows:

  1. Nation-state threat agents – groups such as APT28 that executed high profile attacks, most notably against Ukraine and the US. The Russian government continued to blatantly use cyber weapons in numerous ways, ranging from attacks against Ukraine’s infrastructure to attempts to influence certain countries’ political process and influence the global geopolitical status quo.
  2. Cybercrime groups – The most prominent group is Carbanak which attacked SWIFT and ATM systems.

In accordance with our 2016 end of year assessment, as of early December, large Russian cybercrime groups (such as Carbanak), have not spear targeted Israeli companies in 2017.

Most significant attacks in 2017

  1. Petya/NotPetya – destructive cyber-attack against Ukraine: In late June one of the largest and most destructive cyber-attacks took place, wiping thousands of computers, and disrupting the operation of numerous companies in Ukraine and additional countries that conduct business with Ukraine.
    As of December 2017 this was the single most costly cyber-attack – It is estimated, based on reports from the affected companies, that the total sum of damages has reaches about 1.2 billion dollars; as such this was the most significant attack of 2017.
  1. WannaCry – global destructive cyber-attack: On Friday May 12th, WannaCry attack instigated an unprecedented global event, infecting and damaging over 230,000 computers across 150 countries within a single day.
  2. Equifax breach: In early September the consumer credit rating agency Equifax Inc. reported that it fell victim to a large scale cyber-attack resulting in over 143 million records of individuals and companies being compromised. Most of the stolen data pertains to US, UK and Canadian citizen.
    Equifax is one of the three largest American credit agencies, with extensive operations around the world. It aggregates and manages sensitive databases, including credit ratings of about 800 million citizens and companies.
  1. Vault 7 – NSA attack tools leak: The alleged National Security Agency’s 0-day vulnerabilities and attack tools leak resulted with the expedited development of new and more sophisticated attack vectors and tools. The weaponization of the leaks were leveraged by numerous actors from all ranges (hacktivists, criminals, nation-state threat agents, and terror organizations).
  2. Russian intervention with the US and other countries’ elections and democratic processes, including Brexit
    Claims were made in regard to propagation of sensitive or false information with the purpose of influencing and disrupting the democratic processes by Russian actors. As part of this agenda various social platforms such as Facebook and Twitter were maliciously used in attempts to undermine western and pro-western countries’ political status quo.

Most prominent attack vectors in 2017

  1. Attacks exploiting the supply chain: breaching a third-party service provider in order to execute an attack on a company that uses its services or products. In the NotPetya campaign a legitimate accounting software was exploited to distribute malware to thousands of companies and organizations (including governmental organizations) in Ukraine.
  2. Exploitation of native vulnerabilities with OS and communication protocols: this vector grew this year due to, amongst various reason, a series of nation-state attack tool leaks dubbed Vault7.
  3. Ransomware extortion attacks: throughout 2017, hundreds of business, NGOs, governmental organizations and private individual fell victim to ransomware attacks.
  4. BEC scams (Business Email Compromise) – attacks based on impersonating executives: According to an FBI report, companies in the US have lost over five billion dollars to these attacks over the last two years. This type of scam is relatively easy to execute. In one of the most common scenarios of this scam, the attacker impersonates a director in the company and requests from the target (often someone in a financial department) to immediately and covertly wire transfer money for reasons such as an urgent and secretive, yet highly important business deal.
  5. Wide scale DDoS attacks, some of which executed by IoT botnets: this year we saw a significant increase in the frequency of global DDoS attacks. Over the last year, DDoS attacks nearly doubled, increasing 91% since January. This is due in part to the exponential growth of IoT (Internet of Things), i.e. “smart” devices with online capabilities that are infected by Botnets such as the Mirai Botnet. Moreover, the market of DDoS-for-hire services is continually growing, enabling any malicious actor to execute massive DDoS attacks regardless of their technical capabilities.

Predictions for 2018

Growing exploitation of the supply chain for various attack vectors

The largest attacks this year have illustrated to all active threat agents operating today that this vector is highly effective, yet not fully exploited, and thus can be used to considerably expand the scale of attacks, as well as their success rate. In our assessment, this vector will be extensively used next year.

Increased attempts of attacks against the financial sector

Throughout 2016-2017 numerous attacks were executed against the SWIFT system, ATM systems, and other core banking/accounting systems. This trend is expected to grow in 2018 alongside new attacks against additional core banking systems.

Proliferation of attack tools

The timeframe between the moment an exploit code is made public and its use as an attack tool by malicious actors around the world is continuously becoming shorter. For example, the use of NSA’s tools by North Korea – This trend is expected to continue into 2018.

Increased awareness of data leaks following the implementation of the GDPR

On May 25th, 2018, the GDPR (General Data Protection Regulation) will be instated. One of the most important clauses of this regulation, is that organization would be required to report any database breach within 72 hours or be penalized with heavy fines. Accordingly, despite the likely initial difficulties for organizations to adapt, we expect to see more transparency from European organizations regarding malicious activity.

As for Israel

In our assessment, in 2018 we expect to see increased activity of multi-national criminal actors within the Israeli cyberspace. We also expect that concurrently additional criminal groups will enter the Israeli cyberspace.

Furthermore, we will likely see anti-Israeli nation-state threat actors adopting new attack vectors, although with a notably lower operational capability than criminal actors.

Recommendations for 2018

  1. Reallocating additional resources for inter-organizational security systems: with recent developments of hybrid attack vectors, the outer security shell can longer prioritize the outer security framework. Accordingly, organizations and companies must transition to a more holistic security model that can effectively cope with the accelerated evolution if attack methods that we saw in the last couple of years.
  2. Segmenting networks and taking core systems offline
  3. Creating an emergency backup system that could allow a company to operate up to three months after being hit by a destructive cyber-attack.
  4. Minimizing the time-gap between the time security patches are released and when they are installed: examine how to rapidly implement a policy to install security patches, despite the potential risk of disruption to the normal operation of the organization. For example, it is advised to define a timeframe that is both realistic and agreed upon by the relevant parties within the organization.
    5. Raising employee awareness to new attack vectors: notably social engineering techniques and significant campaigns.

Read the full report: 2017 Summary Report