We are happy to present our yearly summary report of cyber events for 2018. This report is a combined effort of our intelligence research, threat-hunting and analyst teams. One of the biggest challenges in cyber space is the overwhelming, and at times contradictory, amount of data we are confronted with on a daily basis.
As a result, companies and organizations may lose the broader picture. While it can often be advantageous to understand the micro elements of cyber incidents, it is also imperative to have a clear and over-arching understanding of the events that unfolded before and after. Accordingly, our report provides a comprehensive overview and analysis of the most significant events that took place this past year.
Read the full report: Summary report of cyber events for 2018
Abstract
Hundreds of Companies and Organizations Globally Targeted by Chinese APTs
2018 is the third year in which nation-state attackers are the most significant cyber actors. However, unlike 2017, in which we assessed Russian APTs as the most influential cyber threat due to their prolific activity, in 2018 China became the most significant nation-state attacker.
The campaigns revealed this year indicate a substantial effort by China to obtain, by any means necessary, bleeding-edge proprietary technology and research, as well as political and military intelligence. It appears that China expanded its cyber operations in order to promote and secure its nation's interests, with little regard for international, economic or regulatory agreements. Notably, in December the US exposed a large-scale and aggressive attack campaign targeting numerous companies and organizations around the world.
In our assessment, over the last few years China has systematically amassed a massive and unprecedented wealth of knowledge, unlawfully obtained from thousands of companies, organizations, academic, governmental and military bodies around the world. China’s end goals with these operations are to surpass the US, economically and technologically, and to position itself as the leading super-power.
It should be noted that this method of operation is not new. Many of the attacks that were exposed this year operated undetected over long periods of time. With that in mind, over the last year in particular we have seen bold attacks and campaigns. It appears that Chinese cyber actors are returning to their modus operandi from 2016, characterized by aggressive attack vectors with less emphasis on being covert. This, together with the growing efforts of various countries around the world to combat cyber threats, is among the reasons that multiple large-scale Chinese cyber operations were revealed throughout 2018.
Russian Attacks
In 2018, as in 2017, Russia continued to be a significant nation-state actor and a habitat for cybercrime groups, the latter stealing billions of dollars in the past year via ransomware and targeted spear-phishing attacks. As in recent years, the sectors most targeted by Russian actors in 2018 were government, healthcare and finance. However, unlike in previous years, many Russian attacks were thwarted by US intelligence, defense and law enforcement bodies.
Most significant cyber attack types in 2018
- Spear and scatter-shot cyber extortion – millions of SMEs (Small to Medium Enterprises; aka SMBs – Small to Medium Businesses), including their clients and customers, were affected this year by cyber extortion executed both by cybercriminal organizations and by lone hackers operating independently.
- BEC (Business Email Compromise) – these scams (aka “Man-in-the-Email” and CEO scams) are phishing attacks (often spear-phishing attacks) impersonating key individuals such as the CEO/CFO, representatives of third-party service providers, family members or friends, with the purpose of stealing money. According to recent estimates, over $12.5 billion was stolen via this vector in the last five years.
- Theft of financial records and data – as governments and the financial sector continually push to digitize financial services and their use, malicious actors are finding more and more vectors to steal and exploit financial records and details. For example, in the US we have seen an alarming trend in recent years of malicious actors stealing and leveraging W-2 tax forms for monetary gain.
- Attacks on banks’ core systems and crypto-markets – the magnitude of direct financial loss in 2018 is, in our assessment, around $1.5 billion.
- Multi-dimensional cyber attacks – sophisticated attacks that concurrently target multiple systems of an organization. Some of the most notable victims of these attacks in 2018 were banks in India, Pakistan, Mexico and Chile. In such attacks the attackers may target the ATM system, the credit and debit card payment system and the SWIFT system, as well as various IT systems, taking control of them and/or corrupting them in order to disrupt operations and the subsequent investigation.
- Espionage attacks – theft of sensitive data and technology, conducted for a wide range of reasons, from criminal activity for financial gain to nation-state operations serving national interests.
- Destructive attacks – aka wiper attacks; spear or scatter-shot attacks, often executed by APT (Advanced Persistent Threat) groups. For example, following the financial sanctions on Iran, the Iranian government redeployed the destructive malware Shamoon against multiple energy providers and governmental organizations in the Gulf region.
- Exploitation of the supply chain to execute cyber attacks – one of the most notable attack vectors in 2018 has been the targeting of third-party IT service and product providers in order to breach highly secure companies and organizations; for example, the Chinese attack on HP and IBM.
- Destructive attacks – among the most significant actors executing such attacks are Iranian APTs targeting Gulf countries. This activity has escalated following the enactment of financial sanctions on Iran.
Notable Events and Trends in 2018
- 2018 was a pivotal year for cyber regulation – throughout 2018, several high-profile cyber regulations and initiatives were approved or implemented in numerous countries around the world. Many of these also included new measures and guidelines that governments and private organizations must follow in order to better protect information. Perhaps the most notable of these was the European Union’s GDPR (General Data Protection Regulation), which came into effect in late May.
- Attacks on prominent sectors and industries – in 2018 the most targeted industries included the public sector (e.g. local and national governments), defense and military, healthcare, IT, aviation and finance. Regarding the latter, this past year we witnessed dozens of attacks on banks’ core systems as well as crypto-markets, culminating in direct financial losses of about $1.5 billion, in our assessment.
- Rapid exploitation of 1-day vulnerabilities, in conjunction with the growing proliferation of attack tools – 1-day vulnerabilities are newly disclosed vulnerabilities that have not yet received security patches. Attackers monitor vulnerability reports and exploit the window of time between disclosure and the release of an official fix. One of the most interesting incidents this year was the 1-day-based malware propagated by the Iranians against Gulf states within hours of the vulnerability’s disclosure.
What Didn’t Happen in the cyber arena in 2018
- Infection event affecting hundreds of companies – in the past year, no destructive attacks with the potential to affect hundreds of companies around the world were executed or mitigated. This is in stark contrast to 2017, during which we witnessed several such events, NotPetya being the most destructive: it hit hundreds of companies within hours and caused billions of dollars in damages.
- Critical national cyber event – in the past year, no cyber attacks that could be classified as “category 1 – National cyber emergency” were executed (or at least exposed). The UK NCSC (National Cyber Security Centre) defines this category as a “cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life”. In comparison, the 2017 WannaCry event was classified as a Category 2.
  In our assessment, the reason no category 1 event took place this year is the significant improvement and strengthening of the global cyber community in detecting, alerting on and mitigating cyber threats. In our assessment, the US government and cyber community uncovered and prevented several Russian/North Korean attacks this year that had the potential to cause considerable damage to hundreds or perhaps even thousands of companies.
- Significant shutdown of industrial complexes – in 2018, no significant attack on ICSs (industrial control systems) with dedicated wiper malware (such as Triton or CrashOverride), resulting in the disruption of operations for over a week, was executed or exposed.