Singapore, 25/11/2020 — Group-IB, a global threat hunting and intelligence company, has presented its annual Hi-Tech Crime Trends 2020/2021 report. In the report, the company examines key shifts in the cybercrime world internationally between H2 2019 and H1 2020 and gives forecast for the coming year. The most severe financial damage has occurred as a result of ransomware activity. The past year — a harrowing period for the world economy — culminated in the spike of cybercrime. It was also marked by the rise of the underground market for selling access to corporate networks and an over two-fold growth of the carding market. The stand-off between various pro-government hacker groups saw new players come onto the scene, while some previously known groups resumed their operations.
Group-IB’s report Hi-Tech Crime Trends 2020/2021 examines various aspects of cybercrime industry operations and predicts changes to the threat landscape for various sectors, namely the financial industry, telecommunications, retail, manufacturing, and the energy sector. The authors also analyze campaigns targeting critical infrastructure facilities, which are an increasingly frequent target of intelligence services worldwide.
Hi-Tech Crime Trends 2020/2021 is intended for risk management and strategic planning specialists in the cybersecurity field as well as members of boards of directors in charge of digital transformation and investing in cybersecurity systems. For IT directors, heads of cybersecurity teams, SOC analysts, and incident response specialists, the report is a practical guide for strategic and tactical planning and offers analytical instruments that help adjust and fine-tune corporate security systems.
Forecasts and recommendations set out in Hi-Tech Crime Trends 2020-2021 seek to prevent financial damage and manufacturing downtimes. Its purpose is also to help companies adopt preventive measures for counteracting targeted attacks, cyber espionage, and cyberterrorist operations.
Group-IB: Asia-Pacific is a primary target of APT groups
Military operations conducted by various intelligence services are becoming increasingly common. Group-IB have identified a continuing trend where physical destruction of infrastructure is replacing espionage. Attacker toolkits are being updated with instruments intended for attacks on air-gapped networks. The nuclear industry is turning into the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.
According to data analyzed by Group-IB, Asia-Pacific became the most actively attacked region by state-sponsored threat actors. A total of 34 campaigns were carried out in this region, and APT groups from China, North Korea, Iran, and Pakistan were the most active.
Most state-sponsored threat actors originate from China (23), followed by Iran (8 APT groups), North Korea and Russia (4 APT groups each), India (3), and Pakistan and Gaza (2 each). South Korea, Turkey, and Vietnam are reported to have only one APT group each.
Cybersecurity researchers have also detected seven previously unknown APT groups, namely Tortoiseshell (Iran), Poison Carp (China), Higaisa (South Korea), AVIVORE (China), Nuo Chong Lions (Saudi Arabia), as well as Chimera and WildPressure, whose geographical affiliation remains unknown. At least three of the groups – Poison Carp, Higaisa, and Chimera – operate in the Asia-Pacific. In addition, six known groups that remained unnoticed in recent years resumed their operations.
State-sponsored APT groups are not losing interest in the telecommunications sector. Over the review period, it was targeted by at least 11 groups affiliated with intelligence services. Threat actors’ main goals remain spying on telecommunications operators or attempts to disable infrastructure. Threat actors have also set a new record in DDoS attack power: 2.3 Tb per second and 809 million packets per second. BGP hijacking and route leaks remain a serious problem as well. Over the past year, nine significant cases have been made public.
Group-IB: The ransomware plague cost the world over $1 billion
Late 2019 and all of 2020 were marked by an unprecedented surge in ransomware attacks. Neither private sector companies nor government agencies turned out to be immune to the ransomware plague. Over the reporting period, more than 500 successful ransomware attacks in more than 45 countries were reported. Since attackers are motivated by financial gain alone, any company regardless of size and industry could fall victim to ransomware attacks. Meanwhile, if the necessary technical toolsets and data restoring capabilities are not in place, ransomware attacks could not only cause downtime in manufacturing but also bring operations to a standstill. Asia accounted for about 7 percent of the total number of reported ransomware incidents, with the most frequently attacked countries in the region being India and China.
According to Group-IB’s conservative estimates, the total financial damage from ransomware operations amounted to over $1 billion ($1,005,186,000), but the actual damage is likely to be much higher. Victims often remain silent about incidents and pay ransoms quietly, while attackers do not always publish data from compromised networks. The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).
Maze and REvil are considered to have the largest appetite: the operators of these two strains are believed to be behind more than half of all successful attacks. Ryuk, NetWalker, and DoppelPaymer come second.
The ransomware pandemic was triggered by an active development of private and public affiliate programs that bring together ransomware operators and cybercriminals involved in compromising corporate networks. Ransomware operators buy access and then encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners under the affiliate program. The main ways to gain access to corporate networks include brute-force attacks on remote access interfaces (RDP, SSH, VPN), malware (e.g., downloaders), and new types of botnets (brute-force botnets). The latter are used for distributed brute-force attacks from a large number of infected devices, including servers.
In late 2019, ransomware operators adopted a new technique. They began downloading all the information from victim organizations and then blackmailed them to increase the chances of the ransom being paid. Maze (who allegedly called it quits not long ago) pioneered the tactic of publishing sensitive data as leverage to extort money. If a victim refuses to pay the ransom, they risk not only losing all their data but also having it leaked. In June 2020, REvil started auctioning stolen data.
The report contains recommendations for countering ransomware attacks both in terms of technological measures for corporate cybersecurity teams and boosting the expertise of cybersecurity teams.
Group-IB: sales of access to compromised corporate networks grow 4-fold
Sales of access to compromised corporate networks have been increasing from year to year and peaked in 2020. It is difficult to assess the size of the market for selling access, however, as offers published on underground forums often do not include the price, while some deals are cut in private. Nevertheless, Group-IB’s technologies for monitoring underground forums (which make it possible to see deleted and hidden posts) helped the company’s experts assess the total market size for access sold in the review period (H2 2019 to H1 2020): $6.2 million. This is a four-fold increase compared to the previous review period (H2 2018 to H1 2019), when it totaled $1.6 million.
In H1 2020 alone, 277 offers of access to corporate networks were put up for sale on underground forums. The number of sellers has also grown. During that period, 63 sellers were active, and 52 of them began selling access in 2020. For comparison, during all of 2018, only 37 access sellers were active, while in 2019 there were 50 sellers who offered access to 130 corporate networks. In total, the sales of corporate network access grew by 162% compared to the previous period (138 offers against 362). After analyzing offers of access to corporate networks, Group-IB experts found correlations with ransomware attacks: most threat actors offered access to US companies (27%), while manufacturing was the most frequently attacked industry in 2019 (10.5%). In 2020, access to state agency networks (10.5%), educational institutions (10.5%), and IT companies (9%) was high in demand. It should be noted that sellers of access to corporate networks increasingly rarely mention company names, their geographical location and industry, which makes it almost impossible to identify the victim without contacting the attackers.
As per Group-IB data, in 2020, in Asia-Pacific, the majority of companies the access to corporate networks of which was put up for sale on underground forums were from China (2.2 percent), Australia (1.9 percent), and India (1.1 percent). In 2019, top 3 was represented by the same countries, though, with different shares: Australia (4.6 percent), India (3.8 percent), and China (1.5 percent).
Selling access to a company’s network is usually only one stage of the attack: the privileges gained might be used for both launching ransomware and stealing data, with the aim of later selling it on underground forums or spying.
Group-IB: Market of stolen credit card data reached almost $2 billion
Over the review period, the carding market grew by 116%, from $880 million to $1.9 billion. The quick growth applies to both textual data (bank card numbers, expiration dates, holder names, addresses, CVVs) and dumps (magnetic stripe data). The amount of textual data offered for sale increased by 133%, from 12.5 to 28.3 million cards, while dumps surged by 55%, from 41 to 63.7 million. The maximum price for card textual data is $150 and $500 for a dump.
Dumps are mainly obtained by infecting computers with connected POS terminals with special Trojans and thereby collecting data from random-access memory. Over the review period, 14 Trojans used for collecting dumps were found to be active. Cybercriminals seek to obtain data relating to credit and debit cards issued by US banks: these account for over 92% of all compromised bank cards. Bank card data of bank customers in India and South Korea are the second and third most desirable targets for cybercriminals. Over the review period, the total price of all the bank card dumps offered for sale amounted to $1.5 billion, while textual data – to $361.7 million.
Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JS sniffers. The latter were one of the main instruments for stealing large amounts of payment data over the past year. JS sniffers also became more popular in light of the trend of reselling access to various websites and organizations on underground forums
Group-IB is currently monitoring the activities of 96 JS sniffer families. This is a 2.5-fold increase compared to the previous reporting period, during which there were 38 families on the company’s radar. According to Group-IB’s findings, over the past year nearly 460,000 bank cards were compromised using JS sniffers.
The threat of bank card data leaks is most acute for retail companies that have online sales channels, e-commerce companies that offer goods and services online, and banks that unwittingly become involved in incidents. The main scenarios for illegally harvesting bank card data and most frequently attacked countries (the United States, India, South Korea) will remain the same. Latin America might become an increasingly attractive target for carders since it already has mature hacker community experienced in using Trojans for this purpose.
About the Hi-Tech Crime Trends report
Group-IB’s Hi-Tech Crime Trends report was presented at the international conference CyberCrimeCon’2020. Group-IB has been publishing an annual report for the past seven years, combining data gathered as a result of the company’s own investigations with incident response findings worldwide.
The report serves as a practical guide for a wide range of experts — in risk management, digital business transformation, strategic planning in the cybersecurity field and investing in information system protection — and provides annual forecasts that have always proved to be accurate. For technical specialists (including СISOs, SOC and DFIR teams, researchers and malware analysts, and Threat Hunting experts), Group-IB’s report offers the opportunity to analyze how relevant their cybersecurity policies are, adjust security settings for their systems, and strengthen their expertise in countering cyberthreats relevant to their industry.
Thanks to the use of unique tools for tracking cybercriminal infrastructure and a thorough examination of investigations carried out by various cybersecurity teams worldwide, Group-IB experts annually identify and confirm common patterns that form a full picture of how cyberthreats develop around the world. This forms the basis of future forecasts set out in the report that help companies around the world build effective cybersecurity strategies based on relevant threats.
Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC, while its Threat Hunting Framework has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG.
Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for the company’s Fraud Hunting Platform. In addition, Group-IB was recognized as a Representative Vendor in Gartner’s Market Guide for Digital Forensics and Incident Response Services.
Group-IB’s technological leadership is built on the company’s 17 years of hands-on experience in cybercrime investigations around the world and 65 000 hours of cyber security incident response accumulated in one of the biggest forensic laboratories and a round-the-clock center providing a rapid response to cyber incidents—CERT-GIB.
Group-IB is a partner of INTERPOL and Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.
Our mission is to protect clients in cyberspace using innovative products and services.