CrowdStrike Holdings, Inc., a leading provider of cloud-delivered protection for endpoints, workloads, identities and data, announces the publication of the CrowdStrike Global Threat Report 2022. Among other things, the report reveals an 82 percent increase in ransomware-related data leaks and introduces WOLF (Turkey) and OCELOT (Colombia), two entirely new categories of nation-state adversaries. In addition, CrowdStrike's experts add 21 new adversaries from around the world to the list of groups the company tracks. The 8th annual Global Threat Report also describes new operations and techniques of the Big Four: Iran, China, Russia and North Korea. Finally, the new report analyzes the consequences of the Log4Shell attacks and shows that attackers are relying less and less on malware: 62 percent of recent detections were malware-free.
The report shows that attackers are using "lock-and-leak" operations and that cloud service providers are increasingly being targeted by Russia-nexus cyber actors.
The CrowdStrike Intelligence report documents both the continuous development of nation-state and criminal adversaries and the increasing sophistication, speed and impact of targeted ransomware attacks, disruptive operations and cloud-related attacks in 2021.
The key findings from this year’s report give companies the insights they need to improve their security strategies and protect themselves against numerous cyber threats.
Nation-state and criminal groups continue to expand
The threat landscape in 2021 has become ever more extensive with the emergence of new adversaries. Today, CrowdStrike tracks a total of more than 170 such groups. Notable developments include:
- Financially motivated eCrime activities continue to dominate the interactive intrusion attempts captured by CrowdStrike OverWatch. Attacks that can be attributed to eCrime accounted for almost half (49%) of all observed activities.
- Iran-based attackers use ransomware as well as disruptive "lock-and-leak" information operations: they use ransomware to encrypt target networks and then leak information about the victims through channels they control.
- In 2021, China-nexus actors led the field in exploiting vulnerabilities and increasingly shifted their tactics toward Internet-facing devices and services such as Microsoft Exchange. CrowdStrike confirmed the exploitation of twelve vulnerabilities published in 2021 by China-nexus actors.
- The Russia-nexus adversary COZY BEAR expanded its targeting of IT to cloud service providers in order to exploit trusted relationships and gain access to further targets through lateral movement. In addition, FANCY BEAR increasingly used credential-harvesting tactics, including large-scale scanning techniques and phishing websites tailored to the victim.
- The Democratic People’s Republic of Korea (DPRK) targeted companies dealing with cryptocurrencies in order to generate illegal income during the economic interruptions caused by the COVID-19 pandemic.
- eCrime actors – including the partners of DOPPEL SPIDER and WIZARD SPIDER – used Log4Shell as an access vector for ransomware operations. Nation-state-related actors, including NEMESIS KITTEN (Iran) and AQUATIC PANDA (China), have also been linked to a likely Log4Shell exploitation before the end of 2021.
The methods of attackers are becoming more and more sophisticated
The new GTR report highlights that the immense growth and impact of targeted ransomware attacks, disruptive operations and an increase in cloud-related attacks in 2021 have been felt in almost every industry and country.
- CrowdStrike observed an 82 percent increase in ransomware-related data leaks in 2021, spread across 2,686 attacks as of December 31, 2021, compared to 1,474 attacks in 2020.
- The CrowdStrike eCrime Index (ECX) shows that ransomware attacks remained highly lucrative throughout 2021. The ECX measures the strength, volume and sophistication of the cybercriminal market and is updated weekly based on 20 unique indicators of criminal activity, tracking things like big game hunting victims, data leaks and ransom demands. During 2021, the CrowdStrike ECX recorded the following:
  - CrowdStrike observed 2,721 cases of big game hunting last year.
  - CrowdStrike observed an average of over 50 targeted ransomware events per week.
  - The observed ransom demands averaged $6.1 million per ransom, an increase of 36 percent compared to 2020.
- Attackers are increasingly using stolen credentials and identities to bypass existing security solutions: of all the detections indexed in the fourth quarter of 2021, 62 percent were malware-free.
“As cybercriminals and nation-states around the world continue to adapt to the changing, connected landscape, it is critical that companies evolve to defend themselves against these threats by integrating new technologies, solutions and strategies,” said Adam Meyers, Senior Vice President of Intelligence at CrowdStrike. “The CrowdStrike Falcon platform, built on the world-class insights underlying this annual report, provides a complete set of tools needed to provide the high-precision detection, automated protection, and remediation needed to stop threats in their tracks. The picture drawn by the annual Global Threat Report shows that the risks for companies are concentrated in three critical areas: endpoints, cloud workloads, and identity and data. This makes it a valuable resource for companies that want to strengthen their security strategy.”