Although 2015 will undoubtedly hold many surprises on the cybersecurity front, researchers at security intelligence firm CrowdStrike expect to see an uptick in nation-state cyberattacks in the coming year.
“Western businesses and enterprises need to know that there are serious bad guys in North Korea, China, Iran, Russia and other countries working tirelessly on ways to get around our defenses to steal intellectual property, disrupt business and even destroy,” said Adam Meyers, vice president of intelligence at CrowdStrike, in a blog post.
In its annual Global Intel Report, CrowdStrike said that in 2014 physical-world conflicts often spurred related cyber operations, a trend that will likely continue in the upcoming year. The attack on Sony Pictures by North Korea at the end of the year, for example, served as an important wake-up call for organizations unaware of the damaging effects of a targeted attack by a nation-state.
The North Korea attack showed that nation-state actors are targeting not only governments, but any organization with valuable information. In the year ahead, awareness of this reality will be critical for organizations looking to develop the tools and procedures necessary to protect their enterprises.
“Throughout 2014, the activity monitored by CrowdStrike in the cyber domain was reflective of the events unfolding in the real world,” the report said. “This was punctuated in late 2014 with the now-infamous attack attributed to North Korean actors who levied destructive malware in a flagrant assault against a private entity.”
North Korea was not the only nation using high-profile international events to conduct cyber attacks. Other nation-backed attacks took advantage of the conflict in Ukraine, the Malaysia Airlines incidents, and the Umbrella Revolution in Hong Kong.
“The conflict in Ukraine resulted in targeted intrusion and other activity from both Russia-based and China-based adversaries,” the report said. “Adversaries with a nexus to Iran were also very active in 2014 targeting western government entities as well as private organizations, particularly in the defense sector. Elections were also heavily targeted in 2014 both in Ukraine and in Hong Kong, where the Umbrella Revolution garnered a great deal of attention from Chinese actors.”
Nation-state adversaries will maintain their persistent nature in 2015. According to CrowdStrike researchers, targeted intrusions will continue to proliferate, and nation-states will use espionage to collect information from any organization with valuable data that serves the country’s national interests.
“Incidents of targeted intrusion activity related to nation-state interests have been on the increase for the past several years,” said the report.
2015 will be no different.
China-based adversaries continue to be the most prolific in the targeted intrusion space. Since February 2014, CrowdStrike has observed HURRICANE PANDA—an advanced Chinese adversary actively targeting Internet services, engineering, and aerospace companies—leveraging two zero-day exploits, which indicates that the adversary has above-average capabilities.
Most of the targeting from this campaign has been directed towards the French aerospace sector. The researchers said, “HURRICANE PANDA is among the more capable China-based adversaries, and run-ins with this actor should be treated with the utmost concern.”
A number of Chinese adversaries have used high-profile events to launch related cyber operations. For instance, the conflict in Ukraine has been the motivation for a significant amount of targeted intrusion operations and other malicious cyber activity.
The Chinese actors primarily targeted Russia in cyber operations surrounding the conflict in Ukraine. CrowdStrike believes the uptick in interaction between the two countries made Russia a target for Chinese targeted intrusion operations.
“One of the primary reasons for this increase in Russian targeting by China-based adversaries is likely that ties between China and Russia have recently been growing stronger,” the report said. “In May 2014, the two countries agreed on a $400 billion deal for Russia to supply natural gas to China. Additionally, they reached agreements over the construction of a bridge between the countries and the use of a port in eastern Russia; they also revealed a plan to set up GPS ground stations in each other’s country.”
In addition, Southeast Asia continues to be a target of Chinese cyber operations. As China works to retain its strategic dominance in the region, especially amid disputes over territorial rights in the South China Sea, there has been an uptick in targeted cyber intrusions in the region.
During these operations, China employed a number of adversaries, including GOBLIN PANDA, VIXEN PANDA, LOTUS PANDA, PREDATOR PANDA and PIRATE PANDA.
CrowdStrike noted that, “The Southeast Asia activity declined dramatically at the end of August, which coincided with the time that China removed HD-981 from Vietnamese waters.”
During the World Cup in summer 2014, CrowdStrike researchers also observed some limited targeted intrusion activity from LOTUS PANDA and VIXEN PANDA, but the level of activity from such actors was not as high as anticipated.
FLYING KITTEN, an adversary believed to be operating out of the Islamic Republic of Iran, was first observed by CrowdStrike in 2013 and remained active throughout 2014. In January 2014, CrowdStrike became aware of an ongoing operation by this actor targeting a company in the defense industrial base in the United States.
One of FLYING KITTEN’s most used tactics is setting up spoofed login web pages on domains that closely resemble the legitimate pages used by the targets. The fake web page gives the adversary access to the users’ credentials and downloads a remote access tool that can exfiltrate data to an attacker-controlled server.
Another Iran-based adversary, CHARMING KITTEN, leverages fake personas on social networking sites in order to conduct social engineering and ultimately targeted attacks against desired targets.
CHARMING KITTEN has been known to CrowdStrike intelligence since January 2014, when it was observed targeting individuals in the US government and defense sectors.
The group has been linked to Iran based on three factors: the “Parastoo” password used by the malware is an Iranian word used to refer to small birds; the adversary used Iran-based web hosting providers and infrastructure to host malicious domains; and one of the droppers related to one of the identified Parastoo variants dropped a Persian-language decoy document purporting to be from Iran’s Ministry of Interior.
First observed by CrowdStrike in late 2014, FANCY BEAR is a Russian actor targeting government and military institutions in a number of countries. FANCY BEAR exhibits a high degree of technical sophistication, utilizing a main implant called X-Agent, which allows the adversary to combine the necessary implant functionality on a per-target basis, spanning multiple operating systems and mobile platforms.
FANCY BEAR has been involved in a number of high-profile events. Malaysia Airlines suffered two catastrophic incidents in 2014 with one of its flights (MH370) from Kuala Lumpur to Beijing mysteriously disappearing less than an hour after takeoff and another, MH17, shot down while flying over a conflict zone in Ukraine.
FANCY BEAR piggybacked on the MH17 disaster by targeting victims with the Sofacy malware dropped alongside a document concerning the cessation of hostilities around the crash site. China-backed adversaries, as well as a group believed to have a nexus to Pakistan, also used the Malaysia Airlines tragedies in their cyber operations.
As real-world physical conflicts continue to carry associated cyber components with them, CrowdStrike researchers believe these conflicts will increasingly result in “cyber spillover.”
In the year ahead, there may be an increase in cyber operations associated with the Islamic State (ISIS). In 2013, during the Syrian civil war, a number of cyber operations were conducted against western targets. Many of these were attributed to the Syrian Electronic Army’s DEADEYE JACKAL, which targets online articles and websites critical of Syria.
Most recently, on December 18, 2014, the group hacked the website of the International Business Times to remove an article discussing depleting the military resources of Syria’s President Assad.
In addition, just weeks ago the pro-ISIS hacker group called CyberCaliphate hacked the Twitter and YouTube accounts of the US Central Command (CENTCOM), and used the accounts to disseminate their propaganda and leak information on CENTCOM personnel and other documents.
As Homeland Security Today reported, although the CyberCaliphate only recently began operating, it has already claimed responsibility for multiple cyberattacks on US targets, including a December 2014 attack on the Albuquerque Journal and unnamed ‘official network communications.’
The group also claimed to have hacked the FBI’s New Mexico office on January 7, 2015.
“It is likely that this and other related groups supporting the Islamist cause will engage in operations that support ISIS objectives,” states the report. “Most of this activity is likely to be a nuisance, such as defacements and low-level DDOS attacks, but it is possible that more advanced actors could carry out targeted or even destructive attacks.”
Last year, CrowdStrike had great success in estimating cybersecurity trends for the year ahead, correctly predicting the rise of North Korean cyber activity, the use of exploits to target end-of-life Windows XP machines, third-party targeting against DNS and hosting providers, sandbox-aware malware, and the increase of cyber attacks related to physical-world conflicts in the South China Sea, Ukraine, and the Middle East.
Based on trends in 2014, CrowdStrike made a number of additional threat intelligence estimates for 2015:
Let’s Encrypt, the first free certificate authority with a pre-installed root certificate in major browsers, will launch in 2015. The service will offer very simple command-line provisioning of certificates for use in HTTPS, which will likely result in an increasing amount of Internet traffic being encrypted. As unencrypted HTTP traffic becomes less common, it is more likely to draw close inspection, making it easier for adversaries to use SSL certificates for command and control.
Sandboxes using Hypervisor Introspection: A number of sandboxes using hypervisor introspection—which helps the sandbox avoid detection—will become available, both commercially and in open source, in 2015. Despite the difficulty of detecting them, advanced adversaries may explore techniques to identify or evade introspection-based systems. Less advanced adversaries will continue to target traditional sandboxes.
Embedded Devices: With the increasing pace of vulnerability disclosures in the embedded space and in the underlying software, embedded devices, regardless of whether they are home routers or industrial control systems, will be increasingly targeted in 2015.
Internet of Things (IoT): IoT is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. Since IoT devices are still in their infancy, CrowdStrike does not expect targeted attacks against IoT devices in the year ahead. However, the researchers do believe IoT devices will be abused for amplified Distributed Denial of Service (DDoS) attacks.
“At CrowdStrike, we believe the first and most important step is understanding your adversary, as well as the tools, tactics and procedures they are using against your enterprise,” said CrowdStrike CEO and co-founder George Kurtz.