A Gartner analyst recently asked me what HYAS thought was the number of organized cybercriminal gangs operating around the world. I didn’t have a quick answer at the time, but posed the question to the HYAS Intelligence Services team. In getting the answer, I learned a bit about the enterprise threat landscape that you might find to be interesting.
Nation-state Threat Actors: An Unlimited Budget for Malfeasance
Nation-state threat actors have made news headlines of late. The Solarwinds compromise affecting up to 250 agencies and businesses (and could have impacted 18,000 organizations using Solarwinds Orion) appears to have originated with Russian intelligence services. The Microsoft Exchange vulnerabilities appears to have originated in China and was exploited in at least 30,000 enterprises with on-premises Exchange servers, and the number could be as high as 250,000 victims worldwide. These two episodes are earthshaking in their magnitude and consequence, leaving IT teams scrambling to validate whether or not they are affected and focus on cleaning up if they are impacted.
Nation-state actors are unique among threat actors in having a virtually unlimited budget to fund their activities. In the case of the Solarwinds compromise, Microsoft’s President commented on the resources required to execute the attacks by saying, “When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.”
Nation-state threats are the exception rather than the norm for most enterprises. Nation-states have a variety of motivations, from espionage to sowing dissent through disinformation to stealing trade secrets. Nation-states typically target enterprises in a focused way to extract sensitive information to further their national goals rather than causing indiscriminate damage.
There is a gray area between criminal threat actors and nation-state threat actors. Some criminal gangs are nominally independent, but they operate with their national government turning a blind eye to criminal activities. The nation-state ignores what the cybercriminals are up to as long as the victims are outside of the country. National governments can lean on local threat actors or pose as a criminal operation to help cause mischief that furthers nation-state goals (hello Russia!).
Criminal Gangs: Making An Illicit Profit
Criminal gangs are out to compromise enterprises with the goal of making an illicit profit, and ransomware and phishing attacks are this year’s preferred profit generators. But what of the gangs behind the attacks? It is difficult to estimate the number of groups, but one starting point is counting the number of named “problem sets” that many security vendors use to collect activity attributable to a criminal enterprise or agents of espionage. The number of named groups might be significantly higher than the actual number of distinct organizations. Many espionage groups could be described as different squads in the same platoon. They’re all marching toward the same objective, but do so in measurably different ways, so analysts and researchers label them differently. We also know that researchers and analysts make a lot of assumptions about the analysis of other members of the research community. Without the benefit of full access to analytical research, it is difficult to say that one vendor’s “Frisky Kitten” is the same as or different than another vendor’s “APT83”.
When I asked different researchers in the HYAS Intelligence Services team about how many criminal gangs were active worldwide, the answers ranged widely. The various gangs typically collaborate, and there are probably 250 to 400 organized criminal threat actor groups (there is no precision here, the threat actors want to remain hidden). These groups each have some degree of specialization, ranging from REvil ransomware-as-a-service operation to the Lazarus Group out of the DPRK. While I mention a number range, I’d avoid fixating on the total number of groups as that misses the complexity of the criminal ecosystem where a few big threat actor groups cause much of the damage (we’ll save that topic for another blog post).
Cybercrime costs the world more than $1 trillion in 2019, representing a 50% increase from 2018, according to a McAfee analysis. Accenture’s annual cost of cybercrime study estimated that the average cost of malware attack was $2.4M. It is big money, and big risk. The latest example is a U.S. healthcare provider that announced in February that an apparent ransomware attack in 2020 caused $67 million in pre-tax losses.
Script Kiddies & Access Brokers: Spray & Pray, and Sell The Results
My initial impression was that the multitude of novice or less sophisticated threat actors (aka script kiddies) were an annoyance, using widely available tools to launch unsophisticated attacks. Basic cyber defenses should keep less sophisticated actors at bay. However, they occasionally get lucky and compromise a machine. This often involves systems with compromised RDP and shell accounts. The less sophisticated actors then sell access to the compromised machines to an access broker who caters to criminal gangs. There is an ecosystem of threat actors, and the script kiddies are the bottom rung providing compromised endpoints for exploitation to more sophisticated and organized threat actors up the ladder.
Lessons Learned: Prioritize and Manage Risk … and Know Your Enemies
So what is a cybersecurity leader to do? Enterprise security teams prioritize risk. Understanding your assets to protect and the adversaries trying to compromise those assets helps your team to prioritize, detect and respond to threats more quickly. The largest ongoing threat that has not been grabbing as many headlines lately remains cybercriminal gangs. Understanding who in that underworld is trying to go after you, and the infrastructure they are using to attack you, enables you to track and preempt those attackers. We understand this terrain - multiple Fortune 100 companies use HYAS Insight to track and counter adversary infrastructure, while HYAS Protect can intercept attacks at the network (DNS) layer.
How HYAS can help
To learn more about HYAS Insight, HYAS Protect, and how we can help you understand adversary infrastructure to speed investigations and intercept attacks before damage can occur, please request a demo (we LOVE giving demos!).