Verizon’s 2020 Cyber Espionage Report, the result of a total of 14 years of research into global data breaches and threat actor activity, has come up with some illuminating observations about long-term patterns of cyber spying. Among the major highlights are that criminal organizations and disgruntled former employees play a trivial role in overall attempts, that the public sector is the preferred target of attackers and that desktops and laptops are far more likely to be breached than phones.
Cyber espionage report provides some surprising answers
This is the first report of this nature from Verizon, and it draws on some of the telecom giant’s other annual reports: seven years of the Verizon Data Breach Investigations Report (DBIR), and fourteen years of research conducted by the Verizon Threat Research Advisory Center (VTRAC).
As the report points out, cyber espionage is a particularly pernicious attack category as threat actors focus on surreptitious access and staying embedded in the network for an extended period of time (sometimes years). It is also overwhelmingly the game of state-backed actors. Though there is some market for corporate secrets in the criminal underworld, the research shows that these figures make up a small amount of overall cyber espionage incidents: about 4% are from organized crime, and about 2% are from former employees. An overwhelming 85% come from state-affiliated groups, with an additional 8% from nation-states. Verizon draws the “state-affiliated” distinction here as hacking groups that are strongly suspected to be backed by national intelligence services but maintain some level of plausible deniability, versus attacks that can be directly traced to the government of a particular country.
From 2014 to 2020, cyber espionage was ranked as the sixth most frequent type of data breach. However, it is in a tight cluster with the #2 through #5 entries; only the leading cause (web applications) really stands out from the pack.
The choice of targets is not surprising: 31% are in the public sector (government agencies), 22% are in manufacturing and 11% are in the professional classes. Also unsurprising is that phishing and malware backdoors are overwhelmingly the most common point of entry. Only about 30% of all cyber espionage hacking attempts use stolen credentials as an initial point of entry, and only about 12% enter via brute force attacks. Bribery is a negligible threat at only 1%.
Cyber espionage attacks have also trended sharply upward in terms of time to discovery. It now most frequently takes years for this type of attack to be discovered – 39% of the time it takes years, 30% of the time it takes months, and 14% of the time it takes weeks. This is a particular problem with this attack category given that the time of compromise is measured in seconds to days, and the time of first exfiltration of data is in minutes to weeks.
And for all the worries about phone security lagging behind computers on secure company networks, cyber espionage overwhelmingly takes place on the world’s desktops and laptops (88%). Only 14% of the incidents involved a mobile phone, and 10% involved a web application.
The research shows that once threat actors have gained access to the network, the primary interest is in finding credentials to grant even more access to sensitive information. Naturally attackers are also heavily targeting company secrets once in the door, but not to quite as great of a degree. “Low and slow” seems to be the theme of most cyber espionage attacks, with the groups looking to slowly settle in and maintain broad access to the organization’s network for years at a time. The researchers characterized these types of attacks as presenting relatively little risk and costing little to maintain, but offering massive rewards over time.
Difficulty in detecting patterns of cyber espionage
The researchers concluded with a note that, in spite of over a decade of data, the numbers in the report might actually be an underrepresentation due to the particular difficulty in detecting patterns of cyber espionage. Much of the research relies on mandatory reporting triggered by data breach incidents, but some information rated as “secret” or “classified” may be exempt from these reporting requirements under a number of different laws.
Though espionage is still a major threat to the industries and sectors that are heavily targeted by it, 2019 was the first year in some time in which financial crimes topped spying as the leading reason for data breaches. The trend toward financial motives is widely expected to continue and accelerate given the coronavirus pandemic, which has created many new targets of opportunity for enterprising cyber criminals. However, phishing of employee accounts remains the most common point of entry for nearly every major type of cyber attack.