
Analysis of the top Cyber Threats in 2023


Our regular readers will know that every month we discuss the latest cyber security threats and how we build simulations into Threat Simulator, our breach and attack simulation (BAS) product. We do this so our customers and partners can quickly identify, remediate, and validate security vulnerabilities and therefore stay protected.

The Keysight Application and Threat Intelligence (ATI) team has compiled a summary of the major threat actors and their malicious activities over the past 12 months, based on analysis of over 600 threat campaigns released during 2023.

We have reviewed and highlighted the most used attack techniques, most targeted industries, most targeted countries, most common adversary objectives, trends in exploit usage, most exploited software, and most active threat actors. Read our findings below for insights that can help you prioritize risk management and security operations.

Most Targeted Industries

The sectors analyzed in the report follow the STIX 2.1 specification as defined in its Industry Sector Vocabulary section. As Figure 1 below shows, cybersecurity risks are not confined to specific industries or sectors; they permeate a wide range of areas, and no sector remains unaffected by threat actor operations. Within the last year, we observed that 17.8% of the threat campaigns targeted government entities and 10.7% targeted the technology sector. Campaigns targeting financial services (9.07%), defense (6.53%) and manufacturing (6.17%) form a further substantial portion of the observed events.

Figure 1: Most targeted Industries by threat actors during 2023

Most Targeted Countries and Regions

During 2023, the cybersecurity landscape witnessed a significant increase in the quantity and diversity of cyberattacks and their consequences. The ongoing war against Ukraine, the Israel-Hamas war, and the trade tensions between the US and China continue to influence this landscape. Figure 2 shows the attack frequency for countries around the world; dark blue at the top of the vertical scale marks the countries that experienced the highest attack frequency in 2023.


Figure 2: Most targeted countries and regions by adversaries in 2023

Most Common Adversary Objectives

Based on the characteristics of the analyzed threat campaigns, we define the following objectives. While these objectives can be categorized separately, they are not mutually exclusive and often intersect during a threat actor’s activities.

Financial Gain

This refers to the objective of cybercriminals to steal money directly or obtain sensitive confidential data which can then be monetized through fraudulent activities.

Cyber Espionage/Information Theft

This involves the unauthorized access, use, or theft of data or information, often for strategic, competitive, or national security advantages.

Service Disruption

This refers to threat actors’ intent to interrupt or halt the services of a system, network, or application, causing loss of revenue.

Unauthorized Resource Control and Usage

This involves gaining unauthorized control over a system or network resources and using them for malicious activities such as crypto currency mining.

Establishing Control for Future Attacks

This objective involves infiltrating a system or network to establish a foothold, typically through malware or hacking, which can be exploited for future attacks.

Data Leak

This refers to the intentional or accidental release of classified information to an untrusted entity or publicly. It can be a result of successful compromise, poor security protocols, or insider threat.

Reconnaissance

This is the act of gathering preliminary data or intelligence on a target system to identify vulnerabilities that can be exploited in future attacks.

Promotion of Ideological/Political Agenda

Some threat actors use cyber-attacks to promote their political or ideological beliefs, often through defacing websites, doxing, or spreading propaganda.

Malware Dissemination

This involves the distribution of malicious software to cause damage, steal data, or gain unauthorized access to systems.

Cyber Warfare

This refers to the use of digital attacks by one nation-state or international actor against another with the aim of causing damage, disruption, or gaining strategic advantages.

Figure 3: Most common threat actors’ objectives in 2023

With 20.7% of the attacks classified as cyber espionage, the theft of data and sensitive information is a primary objective for many threat actors. Long-term planning is also common: the fact that 16.5% of attacks are aimed at "Establishing Control for Future Attacks" indicates that a high number of threat actors take a long-term approach, infiltrating systems to lay the groundwork for potentially more damaging future attacks.

Cyber warfare is a significant concern as well. The 15.1% of attacks classified as cyber warfare demonstrates that digital tactics are increasingly being used in conflicts, potentially by nation-states or politically motivated groups. Unauthorized resource control and usage is also notable: with 13% of attacks focusing on it, it is evident that systems and networks are often compromised primarily to facilitate other malicious activities.

This distribution highlights the diverse strategies employed by threat actors, with a notable focus on espionage, control establishment, cyber warfare, and unauthorized resource usage. It underscores the importance of robust cybersecurity measures to protect against these varied threats.

Top MITRE Adversary Techniques

Threat actors are using a wide range of sophisticated methods to infiltrate systems, maintain access, avoid detection, and achieve their objectives. Notably, last year witnessed an unprecedented surge in ransomware incidents. The pandemic accelerated existing trends in remote work, e-commerce, and automation, which in turn led to a surge in social engineering attacks. Historically, many phishing campaigns used document macros to execute malware. However, changes made by Microsoft around the Mark of the Web that block macros in files from the internet have made this technique obsolete. Threat actors have since switched to using compressed files, containers, and LNK shortcuts. During 2023 there was an increase in the use of OneNote documents for malware distribution, but this trend dropped significantly after Microsoft introduced improved protection measures.


Figure 4: 20 Most utilized MITRE Techniques in 2023

The cybercriminal ecosystem has seen a shift in activity and threat behavior over the last year. Threat actors no longer use static, predictable attack chains for initial access but rely on dynamic, rapidly changing techniques. Although the misuse of legitimate tools is still prevalent, the ecosystem has transformed into an industry, with a network of supporting services adopting professionalized approaches to its operations. Furthermore, there are concerns about the misuse of AI-powered tools such as the ChatGPT chatbot for cybercrimes such as sophisticated social engineering attacks, fraud, impersonation, and information manipulation. These trends emphasize the necessity of an "assume breach" model and a "defense in depth" strategy when planning security defenses.

Vulnerability/Exploit Usage in Various Threat Campaigns

Threat actors are increasingly reliant on software vulnerabilities to reach their goals. One potential reason is that threat actors are known to conduct attacks around vacations and holidays. For example, on May 27th, the Cl0p ransomware operation began exploiting a new vulnerability, CVE-2023-34362, in the MOVEit Transfer file service. This timing was chosen strategically to coincide with the extended US Memorial Day holiday, a period when many organizations operated with reduced staffing. Most of these breaches occurred between May 30 and May 31. The figure below illustrates the number of unique vulnerabilities leveraged in each quarter, normalized by the total number of threat campaigns observed in that quarter.

Figure 5: Exploit usage during each quarter of 2023
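The metric behind Figure 5 (unique vulnerabilities per quarter divided by the number of campaigns observed in that quarter) is simple to compute from a list of campaign records, and the same records let you check how many campaigns cluster in a short window such as the May 30 to 31 MOVEit period. The following is an added example, not the ATI team's code or data: the campaign records are constructed, and apart from CVE-2023-34362 the CVE identifiers are placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample campaign records (not the report's data). Each campaign has an
# observation date and the set of CVEs it exploited (possibly none). Apart from
# CVE-2023-34362, the MOVEit Transfer flaw named in the post, the ids are placeholders.
CAMPAIGNS = [
    {"name": "campaign-01", "date": date(2023, 1, 15), "cves": {"CVE-2023-0001"}},
    {"name": "campaign-02", "date": date(2023, 2, 3), "cves": set()},
    {"name": "campaign-03", "date": date(2023, 3, 20), "cves": {"CVE-2023-0001", "CVE-2023-0002"}},
    {"name": "campaign-04", "date": date(2023, 4, 2), "cves": set()},
    {"name": "campaign-05", "date": date(2023, 5, 30), "cves": {"CVE-2023-34362"}},
    {"name": "campaign-06", "date": date(2023, 5, 31), "cves": {"CVE-2023-34362"}},
    {"name": "campaign-07", "date": date(2023, 6, 10), "cves": {"CVE-2023-0003"}},
    {"name": "campaign-08", "date": date(2023, 6, 12), "cves": set()},
]


def quarter_of(day: date) -> str:
    """Map a date to a calendar-quarter label such as '2023-Q2'."""
    return f"{day.year}-Q{(day.month - 1) // 3 + 1}"


def exploit_usage_by_quarter(campaigns):
    """Count distinct CVEs and campaigns per quarter and normalize one by the other.

    A CVE used by several campaigns in the same quarter counts once, so the ratio
    measures how many different vulnerabilities were in play relative to activity.
    """
    unique_cves = defaultdict(set)
    campaign_counts = defaultdict(int)
    for campaign in campaigns:
        quarter = quarter_of(campaign["date"])
        campaign_counts[quarter] += 1
        unique_cves[quarter] |= set(campaign["cves"])
    return {
        quarter: {
            "unique_cves": len(unique_cves[quarter]),
            "campaigns": campaign_counts[quarter],
            "normalized": round(len(unique_cves[quarter]) / campaign_counts[quarter], 3),
        }
        for quarter in sorted(campaign_counts)
    }


def campaigns_in_window(campaigns, start: date, end: date):
    """Names of campaigns observed between start and end (inclusive), e.g. around a holiday."""
    return sorted(c["name"] for c in campaigns if start <= c["date"] <= end)


if __name__ == "__main__":
    for quarter, stats in exploit_usage_by_quarter(CAMPAIGNS).items():
        print(quarter, stats)
    print("Memorial Day window:", campaigns_in_window(CAMPAIGNS, date(2023, 5, 27), date(2023, 5, 31)))
```

Because the normalization divides by campaigns rather than by time, a quarter with many campaigns that all reuse one flaw scores lower than a quiet quarter with several distinct exploits, which is the point of the figure.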

Another potential reason is that, as remote work has increased in recent years, threat actors are also attempting to gain entry via exploitation of vulnerable VPN and RDP software. Known exploited applications include products from Cisco, Zyxel and OpenVPN. Below, we list the most exploited vulnerabilities and applications this year.

Figure 6: Top 10 most exploited vulnerabilities in 2023

Figure 7: Most exploited software in 2023

Naturally, adversaries concentrate on widespread vulnerabilities because a working exploit for them remains useful for a longer period. What differs from previous years is that attackers are no longer focusing solely on older software vulnerabilities. The increased availability of public fuzzing and reverse-engineering tools, resources, and tutorials, which make the discovery of new software vulnerabilities easier, may be one reason for this trend.

Most Active Threat Actors

Crambus
Crambus, more commonly known as OilRig, is a long-running Iranian espionage group that targets industries and organizations especially, but not exclusively, in the Middle East. This year, during one of their campaigns, they targeted Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United States of America, and Turkey. They stole files, captured keystrokes, and intercepted emails. The group deployed PowerShell backdoors and infostealers alongside popular tools such as Mimikatz and Plink, and used a Microsoft Exchange instance as a C2 server.

Kimsuky
Kimsuky, also recognized as Velvet Chollima and Black Banshee, is a hacker group sponsored by the North Korean state. It primarily targets South Korean entities such as think tanks, industrial sectors, nuclear power operators, and the Ministry of Unification for espionage. In recent years, Kimsuky has broadened its operations to target countries including Russia, the United States, and several European nations. This year, they targeted organizations in the education and government sectors across the globe using a new malware component called ReconShark. To increase the likelihood of success, they used phishing emails tuned to their specific target. These emails enticed users to download a file, and recently the group has made use of Microsoft OneDrive for delivery.


Figure 8: Most active 5 threat actors in 2023

RedEyes
RedEyes, more commonly known as APT37, is a North Korean state-sponsored APT group that conducts attacks against individuals such as North Korean defectors, human rights activists, and university professors. This year, during one of their campaigns, they leveraged specially crafted phishing emails that falsely claimed to contain information about the Fukushima wastewater incident. The emails carried Microsoft Compiled HTML Help (CHM) files which, once opened, executed a PowerShell script embedded in them; the script established persistence and ran the main malware after a reboot.
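Both the shift to compressed files, containers and LNK shortcuts described in the MITRE techniques section and the CHM lure used by RedEyes share a defender-side check: look inside the archive an e-mail carries and flag the member types that are now the common carriers, rather than trusting the outer extension. The following is an added example written for this post, not Keysight code and not tied to any of the tools named here; the sample attachment is constructed in memory with placeholder contents, and the extension lists are assumptions a mail gateway would tune to its own environment.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types the post describes as current phishing carriers once macros were
# blocked: shortcuts, compiled help files, disk-image containers and OneNote notebooks.
# Assumed list; extend it to match your own gateway policy.
RISKY_EXTENSIONS = {".lnk", ".chm", ".iso", ".img", ".vhd", ".vhdx", ".one"}
# Document extensions a risky file may be disguised with, e.g. invoice.pdf.lnk.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_archive(data: bytes, max_depth: int = 3, _depth: int = 0, _prefix: str = "") -> list:
    """Walk a zip attachment, recursing into nested zips, and return a list of
    findings: dicts with the member path and the reason it was flagged."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"path": _prefix or "<root>", "reason": "not a zip archive"}]

    for info in archive.infolist():
        if info.is_dir():
            continue
        path = _prefix + info.filename
        suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
        ext = suffixes[-1] if suffixes else ""

        # Bit 0 of the general-purpose flags marks an encrypted member. Its content
        # cannot be inspected, which is exactly why password-protected archives are
        # used to get payloads past content scanners, so report it.
        if info.flag_bits & 0x1:
            findings.append({"path": path, "reason": "encrypted member, content not inspectable"})
            continue

        if ext in RISKY_EXTENSIONS:
            reason = f"risky file type {ext}"
            if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
                reason += f" disguised as {suffixes[-2]}"
            findings.append({"path": path, "reason": reason})
        elif ext == ".zip":
            # Nested archives are a common evasion; descend a bounded number of levels.
            if _depth >= max_depth:
                findings.append({"path": path, "reason": "archive nested too deeply"})
            else:
                findings.extend(inspect_archive(archive.read(info), max_depth, _depth + 1, path + "/"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test input: an outer zip holding a CHM, a benign document and a
    nested zip that carries a shortcut disguised as a PDF. Member bodies are dummy
    bytes, not real file formats."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2023.pdf.lnk", b"placeholder")
        z.writestr("notes/readme.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.chm", b"placeholder")
        z.writestr("docs.zip", inner.getvalue())
        z.writestr("summary.docx", b"placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_attachment()):
        print(f"{finding['path']}: {finding['reason']}")
```

The check deliberately keys on the last suffix while still reporting the decoy one, so `Invoice_2023.pdf.lnk` is reported as a shortcut posing as a PDF rather than as a document; the depth bound stops a deliberately deep nest from consuming the scanner.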

Lazarus
The Lazarus cybercrime group (APT38) is believed to be run by the North Korean government. They have targeted a wide variety of victims; some breaches led to data theft, while others caused disruptions. This year, during one of their campaigns, they leveraged a trojanized VoIP (Voice over IP) application developed by 3CX to deploy other malware (TAXHAUL, CODLCAT). In another campaign, called Operation DreamJob, they used social engineering to spread malware through LinkedIn job offers. Once a victim downloaded an archive containing a job description, they were infected with a loader written in Go and a C++ Linux backdoor called SimplexTea.

Scattered Spider
Scattered Spider, also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, is a highly active hacking group that has updated its tactics to incorporate BlackCat ransomware. This year the group, known for its attacks on MGM Resorts and Caesars Entertainment, employed social engineering for data theft and used ransomware to encrypt VMware ESXi (Elastic Sky X integrated) servers. After encrypting the servers, they communicated with victims through TOR, Tox, email, or encrypted messaging applications. The group used phishing emails, push bombing, and SIM swapping to obtain credentials, install remote access tools, and bypass MFA (multi-factor authentication). They also used tunneling tools such as Fleetdeck[.]io, ngrok, and Pulseway for access and employed living-off-the-land techniques to avoid detection.
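Push bombing, one of the MFA-bypass methods attributed to Scattered Spider above, leaves a recognizable pattern in authentication logs: a burst of push prompts for one account, mostly denied or timed out, sometimes ending in an approval. The following detection is an added example, not from the post or from any identity provider's tooling; the log lines are constructed, their `user=... event=... result=...` format is an assumption, and the threshold and window are starting points to tune against your own prompt volumes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed key=value format, not a real vendor's).
SAMPLE_LOG = """
2023-09-11T02:00:05Z user=alice event=mfa_push result=denied
2023-09-11T02:00:40Z user=alice event=mfa_push result=denied
2023-09-11T02:01:30Z user=alice event=mfa_push result=timeout
2023-09-11T02:03:10Z user=alice event=mfa_push result=denied
2023-09-11T02:05:00Z user=alice event=mfa_push result=denied
2023-09-11T02:07:45Z user=alice event=mfa_push result=approved
2023-09-11T02:08:00Z user=alice event=login result=success
2023-09-11T08:15:00Z user=bob event=mfa_push result=approved
2023-09-11T17:40:12Z user=bob event=mfa_push result=approved
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"event=mfa_push result=(?P<result>approved|denied|timeout)$"
)


def parse_push_events(lines):
    """Extract (timestamp, user, result) for MFA push events; other events are ignored."""
    events = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match:
            ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, match["user"], match["result"]))
    events.sort()
    return events


def detect_push_bombing(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a user receives `threshold` or more push prompts inside `window`.

    Severity starts at 'medium' when the burst is detected and is raised to 'high'
    if an approval follows within the same burst, the signature of MFA fatigue
    succeeding. One alert is produced per user per burst.
    """
    per_user = defaultdict(list)
    for ts, user, result in parse_push_events(lines):
        per_user[user].append((ts, result))

    alerts = []
    for user, events in per_user.items():
        recent = deque()
        alert = None
        for ts, result in events:
            recent.append((ts, result))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if alert is None and len(recent) >= threshold:
                alert = {
                    "user": user,
                    "first_prompt": recent[0][0].isoformat(),
                    "prompts": len(recent),
                    "severity": "medium",
                }
                alerts.append(alert)
            elif alert is not None and result == "approved":
                alert["severity"] = "high"
                alert["approved_at"] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

Denied and timed-out prompts count the same here because the attacker controls how often prompts are sent, not how the user reacts; the approval is what turns a nuisance into an incident worth paging on.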

Start using Threat Simulator today, and stay ahead of the latest attacks

At Keysight, enhancing the security posture of our customers is our utmost priority. Threat Simulator proactively replicates cyber threats, enabling you to swiftly discover, address, and validate security vulnerabilities before they escalate into serious issues.

Leveraging over two decades of expertise in network and security, our global Application and Threat Intelligence (ATI) Research Center stays updated with the newest threats. This allows us to develop simulations of these threats within hours of their detection.

Our Threat Campaigns are carefully crafted to replicate real-world scenarios, allowing you to test your controls manually or automatically. By doing so, you can ensure that your security posture is armed with identifiable Indicators of Compromise (IOC). Our Threat Campaigns are now enriched with behavioral audits, based on the analysis of the malicious files associated with a specific threat.

Stay ahead of the curve in the ever-changing world of cybersecurity with Keysight.

Visit our website for more information.


