Group IB -HI TECH CRIMES TRENDS 2020/2021

→ New Botnets → Affiliate Programs → Network Compromise

NOVEMBER 2020 2020 / 2021 disclaimer

HI-TECH CRIME TRENDS 2020/2021 → disclaimer

1. The report was written by Group-IB experts without any third-party funding. 2. The report provides information on the tactics, tools, and infrastructure of the various groups. The report’s goal is to minimize the risk of the groups committing further illegal acts, suppress any such activity in a timely manner, and raise awareness among readers. The report also contains recommendations on how to protect against future attacks. The details about threats are provided solely for information security specialists so that they can familiarize themselves with them, prevent similar incidents from occurring in the future, and minimize potential damage. Any information outlined in the report is not intended to advocate fraud or other illegal activities in the field of high technologies or any other fields. 3. The report is for information purposes only and is limited in distribution. Readers are not authorized to use it for commercial purposes and any other purposes not related to education or personal non-commercial use. Group-IB grants readers the right to use the report worldwide by downloading, reviewing, and quoting it to the extent justified by legitimate citation, provided that the report itself (including a link to the copyright holder’s website on which it is published) is given as the source of the quote. 4. The entire report is subject to copyright and protected by applicable intellectual property law. It is prohibited to copy, distribute (including by placing on websites), or use the information or other content without the right owner’s prior written consent. 5. If Group-IB’s copyright is violated, Group-IB will have the right to approach a court or other state institution to protect its rights and interests and seek punishment for the perpetrator as provided by law, including recovery of damages.

group-ib.com page 2 of 78 HI-TECH CRIME TRENDS 2020/2021 → TABLE OF CONTENTS TABLE OF CONTENTS

INTRODUCTION �� 6

KEY FINDINGS AND FORECASTS �� 7 Ransomware attacks �� 8 Military operations �� 9 Threats to the telecommunications sector �� 10 Threats to the energy sector �� 11 Threats to the banking sector �� 12 Threats to retail �� 13 Banking Trojans �� 14 Web phishing and social engineering �� 15

KEY TRENDS �� 16 Gaining access to corporate networks for ransomware purposes �� 17

.The emergence of ransomware affiliate programs �� 17 .Initial compromise vectors �� 18 .Post-compromise �� 19 .Stealing and publishing data �� 19 .Attack statistics �� 19 .Estimated damage �� 23

Increasingly larger market for selling access to corporate networks �� 24 Nation-state actors sell access to networks and use ransomware �� 29 Large companies under increasing threat from massive hacks �� 30 Growing activity of post-exploitation frameworks �� 31

MILITARY OPERATIONS �� 32 A changing threat landscape �� 33 New APT groups �� 34 Well-known groups remaining undetected for a long time �� 35 Significant operations �� 36

.Attacks on nuclear facilities �� 36 .Attacks on Israel's water supply facilities �� 37 .Attacks on Iran’s critical facilities �� 37

group-ib.com page 3 of 78 Swift .Card processing .ATM Switch ATM

HI-TECH CRIME TRENDS 2020/2021 → TABLE OF CONTENTS

THREATS TO THE TELECOMMUNICATIONS SECTOR �� 39 Nation-state actors attacking the telecom sector �� 40 Attacks on mobile operators �� 41 BGP Hijacking �� 42 Growing power of DDoS attacks �� 43

THREATS TO THE ENERGY SECTOR �� 45 Nation-state actors attacking the energy sector �� 46 Attackers most often use the following methods to bypass air gaps �� 48 Organized crime targeting the energy sector �� 49 sale of access �� 49 Ransomware attacks on energy companies �� 50

THREATS TO THE BANKING SECTOR �� 51 Recent thefts �� 52

.SWIFT �� 52 .Card processing �� 52 .ATM Switch �� 53 .ATM �� 53

shift in priorities �� 54

THREATS TO THE RETAIL SECTOR �� 55 General carding trends �� 56 JS sniffers �� 57 Attacks on POS terminals �� 58 Credential stuffing �� 60

.Types of monetization �� 60 .Attack techniques �� 61

BANKING TROJANS �� 62 Trojans for PC �� 63 Trojans for Android �� 63

WEB PHISHING AND SOCIAL ENGINEERING �� 65

group-ib.com page 4 of 78 HI-TECH CRIME TRENDS 2020/2021 → TABLE OF CONTENTS

RECOMMENDATIONS FOR TOP MANAGEMENT �� 68 Three pillars of Information security �� 69 General recommendations �� 69 Recommendations for how to set up your technical infrastructure and train your information security team �� 70

incident Response team capabilities �� 70

TECHNICAL RECOMMENDATIONS FOR COUNTERACTING CYBERATTACKS �� 71 Banking botnets, Trojans (TrickBot, Qbot, Silent Night and others) �� 72 Primitive errors: vulnerable software versions in publicly accessible services or weak passwords; vulnerabilities with public exploits �� 72 distributed brute-force attacks on remote access interfaces (RDP, SSH, VPN) and other services (using new botnets) �� 72 Ransomware �� 72 Post-exploitation frameworks: a free tool called Metasploit and a cracked version of Cobalt Strike. Less often, the frameworks PoshC2 and Koadic. �� 73 supply-chain attacks �� 73 Privilege escalation using various software (e.g., Mimikatz, LaZagne) or brute-force attacks �� 73 Tools for attacks on physically isolated networks that use USB devices for jumping the air gap �� 73 New records in DDoS attack power: 2.3 Tb per second and 809 million packets per second �� 73 BGP hijacking and route leaks �� 74 Attacks on card processing and interbank transfer systems �� 74 JS-sniffers �� 74 Attacks on POS terminals �� 74 Credential stuffing �� 74 Web phishing and social engineering �� 75 Growing demand for Linux malware designed to achieve persistence in the network and escalate privileges �� 75 ioT botnet owners may start selling access to devices installed on corporate networks �� 75 Gaining access to SCADA systems at industrial enterprises to manipulate production processes �� 76 Mobile RATs �� 76 initial compromise through VPN servers �� 76

ABOUT GROUP-IB �� 77

group-ib.com page 5 of 78 HI-TECH CRIME TRENDS 2020/2021 INTRODUCTION

As the world continues to be rocked The paralysis of entire economic The market for Cybercrime-as-a-Service by an unpredictable pandemic, with bor- sectors, mass transition to remote is actively developing. The phenome- ders still closed, businesses struggling work, and widespread layoffs have led non directly correlates with the renting to stay afloat, and political confronta- to a surge in cybercriminal activity. out of computer networks that are tions becoming increasingly hostile, Threat actors have taken advantage infected with malware (botnets) and one thing has remained constant: The of the unique global situation and used for organizing DDoS attacks, steady growth of cybercrime. become more creative, develop- sending phishing emails, and providing For 17 years, Group-IB has dedicated ing increasingly elaborate schemes proxy servers. There have emerged new its efforts to investigating cybercrime, to achieve their illicit goals. In the spring sellers of network access who form monitoring the evolution of attackers’ of 2020, Group-IB experts predicted partnerships with ransomware opera- tactics and instruments, and developing that there would be a growth in the tors and APT groups that have shifted innovative technologies to hunt for and number of financial crimes, and cyber- their focus from bank theft to working eliminate cyber threats. The company attacks on the computers, computer with private affiliate programs. State- actively shares its insights and investi- equipment (routers, web cameras), and sponsored threat actors have likewise gations with the expert community and unprotected networks of at-home work- jumped on bandwagon, opening the general public, and this expertise cul- ers. Those employees working in finan- doors of corporate infrastructure to ran- minates in the annual Group-IB Hi-Tech cial institutions, telecom operators, somware. This threat has become larger Crime Trends report. and IT companies would be the primary than life and can no longer be ignored targets. Unfortunately, the predictions by any company, no matter its industry In their new report, Hi-Tech Crime were right. or geographic location. Trends 2020-2021, Group-IB experts name the key changes that have During the pandemic, Group-IB analysts We are confident that with the con- occurred in the field of high-tech crime, noticed a spike in the number of cyber- stant exchange of information, joint revealing the inner workings of the attacks originating from state-spon- efforts to maintain stability in the cybercrime underground, communica- sored threat actors and criminals using global cyberspace, and the creation and tion between different threat groups, spyware, ransomware, and backdoors development of partnerships between and affiliate programs that sell mal- to exploit people’s fears and anxiety private companies and international law ware and other malicious services. over the coronavirus. The analysts also enforcement agencies, we can effec- Traditionally, Group-IB investigates not noted that attackers actively looked tively combat cybercrime. By raising only attacks on the commercial sector for ways get into enterprise networks, the global community’s awareness but also those on critical infrastructure. a goal they achieved by infecting the of cybercrime, we can help preserve The latter are typically the result of cov- computers of remote workers with and protect the opportunities cyber- ert activities conducted by the special malware. space give us. services of various countries around the While the overall number of success- world. ful targeted attacks on banks went Hi-Tech Crime Trends gives you access down, Group-IB analysts discovered to the most complete trove of strategic a shocking increase in the use of social data and detailed information on active engineering to commit fraud. The main cyber threats. By reading the report, attack vectors are vishing and phishing, you will get the answer to these burning whose victims are mainly bank custom- questions: ers. The fraudsters’ main goal is still to steal money and information that can — Who are your enemies be sold, but they go about it in a new in cyberspace? way. — How do they operate today? The past year saw the majority of cyber- — How will their toolkits adapt for criminal groups switch to working with future attacks? ransomware. With ransomware in their — How can you protect yourself arsenal, attackers are able to earn against them? no less than they would in a successful Armed with this knowledge, companies bank attack and with a much easier worldwide, regardless of industry, will technical execution. Big Game Hunting, be able to build more effective cyberse- or attacking large companies with the curity strategies. aim of collecting the largest possible ransom, is gaining momentum. New groups are joining the game and creat- ing dangerous affiliations and partnerships in the cybercrime underworld. group-ib.com HI-TECH CRIME TRENDS 2020/2021 KEY FINDINGS AND FORECASTS

group-ib.com HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Ransomware attacks

Current threats

— Primitive errors (such as vulnerable — Cybercriminals have mainly used The main goal: software versions in public services two post-exploitation frameworks create access to corporate networks or weak passwords) pose one of the to move laterally and gain control for ransomware purposes most serious risks to companies. over targeted corporate networks: If a vulnerable system is compro- a free tool called Metasploit and mised, adversaries will usually a cracked version of Cobalt Strike. Ransomware affiliate attempt to inflict as much damage Less often, adversaries used the programs shape the market of corporate to the business as possible, followed frameworks PoshC2 and Koadic. network access for sale by extortion. During the reporting period, — Ten ransomware affiliate programs Group-IB experts identified more involve brute-force attacks on serv- than 10,000 hosts with these frame- — Over the past year, seven new ers accessible externally through works installed. Between H2 2018 ransomware affiliate programs have Remote Desktop Services. Three pro- and H1 2019, Group-IB researchers emerged (bringing the total to 15), grams exploit vulnerabilities in VPN identified around 6,000 such hosts. which has shaped the market of cor- services. — The countries attacked the most porate network access for sale. — New botnets that perform distrib- often were the USA, the UK, Canada, — Between H2 2019 and H1 2020, the uted brute-force attacks on remote France, and Germany. They suffered number of access for sale offers has access interfaces (RDP, SSH, VPN) 381 attacks out of 505, i.e. 75%. increased 2.6-fold (from 138 to 362) and other services have been — The most attacked sector was manu- compared to the previous period. identified. facturing. Half of all attacks targeted — There are more and more users who — One of the most common ways entities in the manufacturing, trade, actively sell access to corporate net- that victims are tricked into paying government, healthcare, construc- works. In 2019, there were 50 active ransoms is stealing data from the tion, and academic sectors. sellers; in the first half of 2020, network and threatening to leak the — Group-IB identified cases of threat Group-IB identified 63. information online. actors using new ransomware — Owners of the banking botnets — In an effort to increase their prof- designed to disrupt processes TrickBot, Qbot, Silent Night, and RTM its, some groups have conducted associated with industrial net- have started using their botnets auctions to sell stolen data instead work applications. Such tools help to deploy ransomware. of publishing it online. cybercriminals encrypt valuable — The cybercriminal groups Cobalt — Ransomware proved so popular that data at manufacturing plants more and Silence, which had previ- criminals began to publish ready- effectively. ously focused on targeted attacks made ransomware-as-a-service on banks, have presumably joined (RaaS) projects for Linux, MacOS, and ransomware affiliate programs. Windows (e.g., the RAASNet project) on websites such as GitHub. Forecasts

— Group-IB expects that specialized — The number of ransomware affiliate on SCADA systems at industrial trading platforms will emerge for programs will grow for a brief time enterprises in order to manipulate exhibiting lots with access to cor- only. Group-IB expects that the production processes may emerge. porate networks, which may lead market will stabilize and that num- — Intelligence services may be inter- to even more related incidents. bers will stop increasing by the end ested in owners of affiliate programs — We expect that there will be more of 2020. and use them to access networks demand for Linux malware designed — There may be cases of ransomware of interest. to achieve persistence in the network attacks targeting company mail sys- — To inflict maximum damage on enti- and escalate privileges. tems. Hackers are likely to steal data ties and divert attention away from — IoT botnet owners may start selling from local mail servers and disable their attacks, special services may access to devices installed on corpo- the mail system — bearing in mind start mimicking criminals by spread- rate networks. that stable email communications ing documents that undermine the — New botnets and related criminal are critical to businesses. This may attacked organization’s business services for distributed brute-force lead to cloud mail services becoming operations or by selling access to the attacks on remote control interfaces more popular and the on-prem mail affected corporate networks. will emerge. storage model being abandoned. — Groups that focus on attacks

group-ib.com page 8 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Military operations

Current threats

— Intelligence agencies are attacking During the incident, threat actors More and more often more aggressively. Their goal is now attempted to poison water by alter- espionage is replaced not only to spy on targets covertly ing water chlorine levels. Had it been by active attempts but also destroy critical infrastruc- successful, the civilian population ture facilities. in the country would have been seri- to destroy infrastructure facilities — During the reporting period, seven ously affected. new APT groups were identified. — Some country leaders began openly High-profile attack Group-IB also identified six known announcing successful attacks targets include threat groups that had remained on other countries. unnoticed for many years. — Hacker arsenals were actively nuclear facilities in Iran and India and Israel's water supply system — As part of an APT operation, adver- replenished with tools designed for saries shut down power units attacks on air-gapped networks. Over at nuclear power plants and phys- the past year, four tools using USB ically destroyed the surrounding for bridging the air gap have been infrastructure. identified. — A major cyberattack on a water management facility was thwarted. Forecasts

— Against the backdrop of rising those related to nuclear energy. — New achievements made by Elon tension in the Middle East, attacks — Security vendors have begun devel- Musk's companies in the space on the control systems of transport oping features for detecting back- industry may attract the attention ships in the Persian Gulf may be car- doors at the UEFI level more actively. of special services, both for espio- ried out. Such tools will help detect new UEFI nage purposes and in order to gain — Group-IB expects more sabotage malware leveraged during military control over the control systems operations against Iran's critical operations. of his satellite internet constellation. infrastructure facilities, especially

group-ib.com page 9 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Threats to the telecommunications sector

Current threats

— During the reporting period, six — 5G networks have not been widely State-sponsored groups groups linked to special services deployed yet, which explains why the actively attacked the telecommuni- predictions relating to associated show an interest in the telecom sector and conduct sophisticated attacks against it cations sector. threats that we made in our previous — China is expanding its capacities report have not come true. They are in spying on mobile operators. To this relevant for the next period, however. 2.3 Tb per second end, it has developed a special Trojan — BGP hijacking and route leaks remain and 809 million packets for Linux servers that intercepts SMS a serious problem. Over the past per second messages based on specific criteria. year, nine significant cases have — Threat actors have set new records been publicized. new records in DDoS attack power in DDoS attack power: 2.3 Tb per second and 809 million packets per second.

Forecasts

— As interstate conflicts continue — The COVID-19 pandemic has forced and storage systems will con- to escalate, it is expected that threat a significant number of people tinue to increase given that they actors will attack telecom operators to work from home, and many help advanced crime groups and for the first time in order to cause of them will become permanent state-sponsored actors access logical network congestion, which work-from-home employees after corporate data without infiltrating would lead to a cascading effect and the pandemic ends. As such, the an organization's perimeter. affect multiple industries. number of attacks on home routers

group-ib.com page 10 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Threats to the energy sector

Current threats

year. In the reporting period, how- — During the reported period, nine Both state-sponsored groups ever, Iran's nuclear energy facilities groups linked to intelligence services and organized crime actors were sabotaged, while facilities attacked the energy sector. Seven disrupt facilities and encrypt data in India were subject to espionage hackers reportedly sold access in order to demand ransoms attacks. Threat actors are particularly to energy networks. In addition, interested in India because the coun- eleven successful attacks involving try is developing nuclear technology ransomware were conducted on the Air gap bypassed: and thorium-based reactors. sector in question. new tools for attacks on isolated — No new frameworks able to influence — Many types of ransomware have networks discovered technological processes were iden- been equipped with new capabilities tified in the reporting period, which to detect processes associated with suggests that threat actors have industrial control systems, which has — Adversary arsenals were actively become more careful about conceal- led to substantial losses of critical replenished with tools designed for ing their use of such tools. data and increased ransom amounts attacks on air-gapped networks. — Organized crime groups have begun for recovering access to such data. Over the past year, four tools using showing an active interest in energy This is especially true for data stored USB flash drives to bridge the air gap companies. Targeted attacks are car- on Historian servers. have been identified. ried out to seize control over entire — Nuclear power has become an obvi- networks and infect infrastructure ous target for attackers. No such with ransomware. attacks were reported in the past

Forecasts

— Espionage will remain the primary last-mile energy distributors and — Cybercriminals (mainly sophisticated goal of state-sponsored threat small suppliers that offer additional hackers) will use the vector of initial actors. services to energy corporations. infection through vulnerable network — Sabotage attacks on the energy sec- — 5G networks will connect a large equipment more often. Less skilled tor will be carried out in the Middle number of devices to global net- criminals will use common phishing East or in countries with emerging works, including those belonging techniques. military conflicts. to energy and industrial enterprises. — To conduct attacks more effectively, As a result, the attack surface will threat actors will target not only increase dramatically. large energy companies but also

group-ib.com page 11 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Threats to the banking sector

Current threats

hackers used a banking botnet called 2020. The threat actors gained Targeted thefts are Trickbot controlled by Russian- access to the card processing sys- becoming rare cases speaking cybercriminals. Moreover, tem and changed withdrawal limits. relevant only for poorly protected banks Group-IB researchers detected They also gained access to InstaPay, activity by another threat group an interbank transfer system. that used publicly available Trojans, As a result, they siphoned 167 million Hackers gaining access keyloggers, and unmodified exploits. pesos (USD 3.44 million) from the and encrypting data Such toolsets are effective only bank. to obtain hefty ransoms against banks with a minimum level — Tools used for attacks on ATMs have of security. Alternatively, during inci- evolved slightly. During the reporting is a trend in the banking sector dent response, security teams may period, the following utilities were have made mistakes that prevented identified: ATMDtrack developed them from identifying more sophisti- by Lazarus and a new version of the — In 2020, there have so far been cated tools. ATM Trojan developed by Silence. no public reports on thefts through — In the second half of 2019, only the It has not been confirmed whether SWIFT, ATM Switch, payment group Silence carried out successful either utility has been successfully gateways or ATMs when they were thefts without using SWIFT. They used in thefts. accessed through a bank’s network. stopped attacking the financial sec- — Cobalt and Silence have presumably — Nevertheless, the hacker group tor in 2020, however. joined ransomware affiliate pro- Lazarus reportedly continued — The Philippine government-con- grams, but they have shifted their to carry out theft attempts through trolled United Coconut Planters Bank focus from banks. SWIFT. To gain initial access, the (UCPB) was robbed in September

Forecasts

— Next year, there will probably — However, stealing information about financial files belonging to Mossack be no traditional attacks on banks for financial transactions of VIP clients Fonseca, a Panamanian law firm), theft purposes. There may be rare and publishing it online may become in which some intelligence agencies incidents, but this type of activity a more serious threat than data are likely to be interested. will no longer be as widespread encryption. Such attacks may cause — Another trend may be threat actors as it used to be. significant financial damage and threatening to send (fake) alerts — As with other sectors, ransomware make banks pay ransoms to threat to financial regulators notifying operators will pose the biggest actors more readily. that a bank has security issues. threat to the financial vertical. This — Disclosing financial transaction data Threatening to send such notifi- hypothesis is confirmed by the could launch a series of investi- cations may act as an incentive increasing number of offers sell- gative journalism cases similar for banks to pay higher amounts ing access to corporate networks to the Panama Papers case in 2015 to extortionists. belonging to financial institutions. (a massive exposure of confidential

group-ib.com page 12 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Threats to retail

Current threats

JS sniffers. The threat actor uses — During the reporting period, 19 com- 96 JS sniffer families a JS sniffer variant that automat- promised retailer networks were are currently being tracked ically steals funds from Bitcoin identified, compared to 17 in the by Group-IB experts wallets. previous year. — Techniques that prevent JS sniff- — Scammers primarily targeted bank ers from being detected on web cards issued in the United States, 156% more bank card dumps resources have improved greatly. which accounts for more than 92% stolen using POS Trojans were offered — The carding market has doubled of all card dumps, followed by India for sale compared to the previous period from $880 million to $1.9 billion com- and South Korea. pared to the previous year. — Although many vendors offer solu- — During the reporting period, 14 POS tions for protecting against bots and — It is possible to single out four main Trojans were found to be active. They attacks such as credential stuffing, threats targeting retailers that may were used to compromise and sell threat actors continue to actively damage businesses: JS sniffers, 63.7 million bank card dumps, which use bots without browsers, which attacks on POS terminals, credential is 156% more than in the previous offers opportunities to create stuffing, and ransomware. year. more advanced tools for bypassing — The number of known JS sniffer fam- — The amount of bank card textual defenses as well as possibilities ilies has grown from 38 to 96 com- details offered for sale has increased to develop the cybercrime market pared to the previous year. from 12.5 million to 28.3 million. The in this direction. — The state-sponsored threat largest bank card data leaks are due group Lazarus has started using to US retailers being compromised.

Forecasts

— Many online resources are hacked — Attacks on computers with con- — The carding market keeps growing. every day. Currently, the main mon- nected POS terminals aimed at col- However, arrests of main players etization methods used by hackers lecting bank card dumps will remain may stop this growth and redis- are selling databases and hosting a major threat in the United States. tribute carding activity between phishing pages. However, damage — Scammers often use a fraudu- criminals. to businesses may increase dras- lent scheme as part of which they — The main schemes for obtaining tically, and along with it the profits perform financial transactions bank cards and the list of popu- made by cybercriminals if the latter in a given location, then use access lar target countries are unlikely begin actively cooperating with ran- to POS terminals to cancel the to change. somware developers. operations in other countries. The — Carders may become more active — Hacker groups using JS sniffers will actions restore the card balance, in Latin America, where there pose a major threat to online retail- and the cybercriminals can con- is a large community of hackers with ers, especially in the US. At the same tinue to perform fraudulent financial experience in using financial Trojans. time, the main business risks will transactions. We may see similar be associated with fines for security new schemes involving access violations rather than with compen- to online resources that accept card sation for damage to customers payments. or reputational losses.

group-ib.com page 13 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Banking Trojans

Current threats

— Latin America, particularly Brazil, — A total of 19 PC banking Trojans were 19 PC Trojans and has become the main source of new active this year, 12 of which were 10 Android Trojans banking Trojans. written by Russian-speaking devel- have been active this year — Russian-speaking owners of the opers. Six Trojans were developed largest banking botnets (Trickbot, by Latin American authors. One tool Dridex, Qbot, and Silent Night) have could not be attributed. Owners of banking botnets been following the main trend and — In total, 10 Android banking Trojans switching to ransomware. were active this year. Five of them are switching to ransomware are brand new.

Forecasts

— Russian-speaking owners of banking owners are likely to be arrested, nonexistent in three to five years. botnets for both PCs and Android which will also reduce this threat A similar situation may occur with devices will reduce their activity even significantly. the market for Android Trojans, which further. Eventually, such botnets will — Every year, three to five banking are becoming less and less effective cease to exist. botnets for PCs disappear from the year after year. — As banking Trojans become more market. At this rate, the market for active in Latin America, some of their PC banking Trojans may become

group-ib.com page 14 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key findings and Forecasts

Web phishing and social engineering

Current threats

to become involved in phishing — So far, the main trend in 2020 is the A 118% growth attacks, which is one of the key rea- use of one-time unique links that in phishing compared to the previous year sons for the above-mentioned rise. become inactive after the user — Phishing attacks targeting bookmak- opens them. This approach helps ers increased in Q2 2020, amounting cybercriminals keep web phishing New trend: to 6% versus 2% in the previous resources from being detected. using one-time links quarter. — In Russia, the main reason for to phishing websites — Another attack type that increased the significantly higher numbers by 9% was phishing used to collect of phishing attacks is the emer- accounts for various online services gence of various affiliate programs — Over the period investigated, 118% such as Microsoft, Netflix, Amazon, for hackers wanting to make money more phishing resources were eBay, and Valve Steam. off phishing related to fake bank identified and taken down compared — Phishing resources targeting crypto- rewards programs, lottery draws, to the previous reporting period. currency projects have disappeared paid surveys, etc. — The COVID-19 pandemic has almost completely. — Phishing-as-a-Service projects have encouraged more cybercriminals become widespread in Russia.

Forecasts

— Phishing affiliate programs that have — Phishing attacks have become — One of the greatest challenges become more popular in Russia automated and longer-lasting thanks for the cybersecurity industry will will be more actively used in other to the emergence of scams prop- be hackers using one-time web regions. agated through the Phishing-as-a- phishing links. Service model. We expect that such projects will be actively developed and distributed.

group-ib.com page 15 of 78 HI-TECH CRIME TRENDS 2020/2021 KEY TRENDS

group-ib.com HI-TECH CRIME TRENDS 2020/2021 → Key trends

Gaining access to corporate networks for ransomware purposes

The emergence of ransomware affiliate programs

Going into 2019, many ransomware in penetrating corporate networks forums. Private affiliate programs, operators shifted their focus from ordi- monetize their actions by distributing on the other hand, are not advertised nary users to companies, government ransomware. After the victim pays the and are intended to bring together agencies, and other victims that would ransom, the ransomware authors send other types of threat actors (e.g. APT help them pocket more money. Yet a cut to their affiliates. groups) and trusted users. ransomware developers often lacked There are two types of affiliate pro- The table below contains information the tools and capabilities to infiltrate grams: public and private. Public pro- on affiliate programs related to the corporate networks. As a way to get grams first emerged in mid-2019. Their most popular ransomware. around this problem, they began setting distinctive feature is that the develop- up affiliate programs. The scheme works ers look for affiliates on underground as follows: threat actors who specialize

* Private affiliate program

page 17 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Many affiliates prefer to keep their incident response procedures has made forums were involved in either selling activities under the radar. However, ana- it possible to identify some of them. access or working with various malware lyzing their activity in the hacker com- Some users who showed an interest (including stealers). Examples of access munity and information obtained during in affiliate programs on underground are presented below.

Figure 1-2. Access for sale offers on underground forums

Lannister 8 domain RDP accesses Megabyte Posted March 14 I'm selling 8 RDP accesses to various domain networks in cias9204 Access to a local network of an Indian financial institution

France. All have user access. I haven't scanned them for byte Posted October 21, 2019 Scammer hosts. I just know that they are domain networks and have I'm selling access to the local network of an Indian financial user rights. Deactivated 73 posts institution. This is a mutual investment fund that belongs to I want to sell them all together for just $800 a large group of companies. I will sell this access to a single Joined 20 posts Reason for ban: [link] customer and agree to work through an escrow service. I will 11/13/19 Joined Respectfully, provide all the proof required. All details will be provided in 07/14/19 jabber (+OTP). Please share your contact details via PM. Exploit.In administration Activity Other Please ban my account as I want to leave the forum.

Initial compromise vectors + Most often, the initial intrusion vec- In addition, other methods of distribut- The table below contains information tor was a malicious email campaign, ing ransomware included exploit kits, about ransomware affiliate programs a brute-force attack against Remote VPNs, botnets, and other malware (e.g., and the initial compromise methods Desktop Protocol (RDP), or the exploita- downloaders). Supply-chain attacks used by their operators. tion of public-facing applications are extremely rare (the case of REvil). (including VPN-related). In general, the above delivery methods are also relevant for ransomware dis- + tributed without affiliate programs.

Exploit Public-Facing External Remote Supply Chain Ransomware Phishing Application Service Compromise

REvil

MegaCortex

Maze

Dharma

JSWORM → Nemty

Buran → Zeppelin

NetWalker

Ako

Lockbit

Avaddon

Thanos

group-ib.com page 18 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Post-compromise

Once inside, many ransomware opera- Threat actors then perform network more. The table below shows what tors first attempt to escalate privileges reconnaissance using legitimate frameworks were used by ransomware by using exploits or post-exploitation network scanners or frameworks such operators. frameworks. They then gain access as Cobalt Strike and Metasploit. They to other accounts using various soft- collect information about the system, ware (e.g., Mimikatz, LaZagne) or brute- groups, network resources, password force attacks. policy, domain trust relationships, and

PowerShell Ransomware Cobalt Strike Metasploit CrackMapExec PoshC2 Koadic Empire

Ryuk

REvil

MegaCortex

Maze

DoppelPaymer

Clop

Lockbit

Stealing and publishing data

In the early days, cybercriminals only use the HTTP, HTTPS, and FTPprotocols being stolen, the ransomware operators encrypted data and demanded ransoms and legitimate cloud storage services. will publish them online. To do so they from victims. Since the end of 2019, On rare occasions, they use email and create special websites, usually in the however, many have started using a new instant messengers. Tor network. An example of such a web- technique: before encrypting all the In such cases, if the victim fails to pay site is shown below. information, they copy it to their servers the ransom, then in addition to the data for further blackmailing. They usually

Figure 3. Stolen data goes online Figure 4. REvil auction

Attack statistics

Ransomware victims include both of successful attacks is much higher, The most popular targets (about 60%) small local companies and interna- but either the companies affected were US companies. European coun- tional giants. Over the last year, there decided not to publicize the incident tries accounted for only about 20% have been reports of more than 500 and pay the ransomware or the attack of all attacks. About 10% were countries successful attacks using well-known did not involve publishing data stolen in North and South America (excluding ransomware on companies in more from the victim's network. the USA) and Asia (7%). than 45 countries. The total number

group-ib.com page 19 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

NORTH AND EUROPE MIDDLE EAST SOUTHEAST ASIA SOUTH AMERICA AND AFRICA AND AUSTRALIA

Statistics by country India 6 Argentina 2 Cayman Islands 1

Country Number of victims South Africa 5 Oman 2 Sri Lanka 1

USA 313 Mexico 4 Kosovo 1 New Zealand 1

UK 25 China 4 Singapore 1 Cyprus 1

Canada 24 Colombia 4 Qatar 1 Algeria 1

France 20 Belgium 3 Philippines 1 Nigeria 1

Germany 17 Saudi Arabia 3 Portugal 1 Puerto Rico 1

Australia 13 Costa Rica 3 Chile 1 Luxembourg 1

Spain 11 Thailand 2 Dominican Republic 1 Macedonia 1

Brazil 9 Austria 2 Jamaica 1 Croatia 1

Italy 9 Hong Kong 2 Unknown 1 Netherlands 1

Switzerland 7 South Korea 2 Sweden 1 Vietnam 1

UAE 6 Japan 2 Slovenia 1 Total 523

Statistics by sector Telecommunications 12 Mining, Quarrying, and Oil and Gas 6 Broadcasting 2 Extraction Sector Number of victims Accounting 11 Gambling 2 Other 6 Manufacturing 94 Conglomerate 3 Aviation 2 Agriculture, Forestry, Fishing and Hunting 5 Trade 51 Consulting 9 Auction 1 Energy 5 Government 39 Engineering 9 Automobile 1 Bank 4 Health Care 38 Data Processing, Hosting, and Related 9 Food 1 Services Marketing 4 Construction 30 Management of Companies and 1 Design 8 Non-Profit 4 Enterprises Educational Services 29 Real Estate and Rental and Leasing 8 Newspaper publisher 3 Transport 1 IT 28 R&D 7 Travel Agency 3 Professional Organization 1 Legal Services 20 Insurance 7 ? Unknown 3 Transportation and Warehousing 18 Investments 6 Hospitality 3 Administrative and Support and Waste 14 Management and Remediation Services Lending 6 Arts, Entertainment, and Recreation 2

group-ib.com page 20 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

155 TARGETED ATTACKS were conducted by Maze ransomware operators

page 21 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Maze and REvil have been the Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims most active ransomware since late 2019, accounting for over Maze 155 REvil 103 Ryuk 62 NetWalker 49 Pysa 25 50% of successful attacks. Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Ryuk, NetWalker, DoppelPaymer 93 63 53 28 5 are in the second tier. USA USA USA USA USA Canada 8 UK 7 Spain 5 France 6 UK 3 The most often attacked 6 5 1 4 2 sector was manufacturing. France Australia Australia Canada Canada Half of all attacks targeted Italy 6 Switzerland 4 UK 1 UK 2 France 2 entities in the manufacturing, UK 6 Canada 3 Germany 1 Austria 1 Mexico 2 trade, government, healthcare, construction, and academic Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors sectors. Although they currently Manufacturing 30 Manufacturing 20 Government 16 Manufacturing 14 Health Care 5 focus on the above industries, Trade 19 Trade 17 Educational Services 14 Health Care 6 Government 3 affiliates usually seek easier targets, which explains the wide Construction 15 IT 10 Health Care 14 Educational Services 5 Manufacturing 3 distribution of attacks across Administrative and 8 Legal Services 6 Newspaper publisher 3 Trade 4 Construction 2 different verticals. Support and Waste Government 4 IT 3 Transportation 3 Educational Services 2 Management and Warehousing and Remediation Services Health Care 7

Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims DoppelPaymer 53 Nefilim 13 Ragnar 10 Clop 15 Ako 9 Avaddon 1 Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries USA 35 Brazil 3 USA 7 Germany 7 USA 6 USA 1 France 5 India 3 Portugal 1 USA 2 UK 2 — — Canada 3 Germany 1 Germany 1 Spain 1 Canada 1 — — Saudi Arabia 1 France 1 Singapore 1 Austria 1 — — — — Qatar 1 Switzerland 1 — — UK 1 — — — —

Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Trade 8 Manufacturing 4 Marketing 2 Manufacturing 6 Construction 2 Construction 1 Government 7 Construction 2 Legal Services 2 IT 2 Legal Services 1 — — Manufacturing 6 Mining, Quarrying, and 2 IT 1 Transportation 2 Design 1 — — Oil and Gas Extraction and Warehousing Transportation 4 Manufacturing 1 Engineering 1 — — and Warehousing Transportation 1 Gambling 1 Construction 1 Manufacturing 1 — — Construction 3 and Warehousing Government 1 Administrative and Support 1 and Waste Management and Remediation Services

Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims Ransomware Victims Sekhmet 6 Snake 3 MegaCortex 1 Conti 16 SunCrypt 2 WastedLocker 1 Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries Top 5 attacked countries USA 3 Germany 1 USA 1 USA 13 USA 1 USA 1 Brazil 1 Argentina 1 — — Canada 2 Canada 1 — — UK 1 Japan 1 — — Spain 1 — — — — Spain 1 — — — — — — — — — — — — — — — — — — — — — —

Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Top 5 attacked sectors Manufacturing 2 Health Care 1 Data Processing, Hosting, 1 Manufacturing 3 Manufacturing 1 Manufacturing 1 Legal Services 1 Energy 1 and Related Services Hospitality 2 Design 1 — — — IT 1 Conglomerate 1 — IT 1 — — — — — Insurance 1 — — — Insurance 1 — — — — — Transportation 1 — — — Health Care 1 — — — — and Warehousing — —

group-ib.com page 22 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Estimated damage

Unfortunately, it is difficult to establish What’s more, the amount often varies — A group called Maze usually the exact damage caused by ran- from company to company: demands extremely high ransoms, somware groups. This is because the — For example, the ransoms demanded i.e. beyond one million dollars. The amount should include the ransoms by the group REvil depend on the average ransom is $2,420,000. paid by victims, losses caused by sys- size of the company and the number — Some groups such as WastedLocker tem downtime, and expenses of recov- of infected hosts. If only one com- carried out very few attacks, but ering internal systems. In addition, puter on the network is infected, the the ransom amount exceeded it is difficult to obtain information about ransom amount is about $48,000; $10 million. all attacks because many companies but if several machines within the — The same applies to MegaCortex pay ransoms without making this fact company's network are infected, ransomware. The exact number public. then the average ransom amount of attacks it has been involved is $470,000. There were several in is unknown, but the ransoms cases when the amount exceeded reportedly vary from 20,000 $1,000,000. The average ransom to $5,800,000. The table below details past ransom amounts amounts to $260,000.

Group Average ransom ($) Number of victims Potential damage ($)

Ako 300,000 9 1,800,000 Avaddon 7,500 1 7,500 Clop 400,000 15 6,000,000 Conti 200,000 16 3,200,000 DoppelPaymer 1,143,500 53 60,605,500 Maze 2,420,000 155 375,100,000 Nefilim 100,000 13 1,300,000 NetWalker 720,000 49 35,280,000 Pysa None 25 None Ragnar 7,750,000 10 77,500,000 REvil 300,000 103 30,900,000 Ryuk 1,451,500 62 89,993,000 Snake None 3 None SunCrypt 400,000 2 800,000

This means that if combined publicly According to Group-IB's statistics, how- As regards Dharma ransomware, its known attacks and experts estimations ever, the owners of the Trickbot botnet source code was put up for sale last of possible ransomware incidents, the have successfully encrypted more than year and could have been used by many total potential damage could exceed 2,500 different networks over the past groups. Given the circumstances, one billion dollars ($1,005,186,000). year using ransomware such as Ryuk it is difficult to establish the damage The data above only covers known inci- (later Conti), Kraken, and Thanos. This caused. dents and shows the lower end of the means that the 62 known incidents rep- damage. It is just the tip of the iceberg. resent only 2.5 percent of all incidents. For example, only 62 incidents involv- The actual damage is likely to be much ing Ryuk and spread using the banking greater. Trojan Trickbot have been reported. $1 BLN estimated total potential damage

group-ib.com page 23 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Increasingly larger market for selling access to corporate networks

Sales of credentials are widespread could belong to large companies and of new ransomware affiliate programs. on underground forums and have taken that access to them could be capital- Between H2 2019 and H1 2020, the num- place since the early days of such com- ized on. ber of access for sale offers increased munities. For a long time, cybercriminals Sales of corporate network access are 2.6-fold (from 138 to 362) compared did not perform additional reconnais- increasing from year to year. The peak to the previous period. sance after finding servers and gaining of sales occurred in 2020, which is asso- access to them, nor did they under- ciated with an increase in the number stand that the compromised servers

2018 2019 2020

Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4

37 11 68 25 25 20 33 52 104 173 — —

H1 H2 H1 H2 H1 H2

48 93 45 85 277 —

TOTAL TOTAL TOTAL

141 130 277

200

173

150

104 100

52 50 37 33 25 25 20 11

Q1 (2018) Q2 (2018) Q3 (2018) Q4 (2018) Q1 (2019) Q2 (2019) Q3 (2019) Q4 (2019) Q1 (2020) Q2 (2020)

group-ib.com page 24 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

The table below shows active sellers of access to corporate networks on underground forums in 2018-2020 (only those who posted several offers).

group-ib.com page 25 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Number of access sellers 37 in 2018 50 in 2019 63 in 2020

In 2018, only 37 access sellers were active. 63 sellers were active, and 52 of them In 2019, Group-IB researchers identified began selling access in 2020. For com- 50 active access sellers, who offered access parison, during all of 2018, only 37 access to 130 companies. Moreover, 44 of them sellers were active. were newcomers. The market remains as fragmented as it was In H1 2020, 277 offers of access to corpo- in 2019, and new sellers are replacing rate networks were put up for sale on under- well-known ones. The diagrams to the left ground forums. The number of sellers illustrate this trend. has also grown. During the above period, group-ib.com page 26 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

main victims of attacks — 2019 production main victims of attacks — 2020 state-owned companies

In 2019, cybercriminals stopped mentioning organizations (usually hospitals and clinics) full company names when selling access, were also targeted. revealing only the country or industry. The In 2020, the list of attacked industries full company name was indicated in only changed drastically. Various state-owned 27% of ads. companies and educational institutions As regards the targeted sectors, in 2019 came to the fore. Manufacturing companies production companies remained the accounted for only 7.2%. main victims. However, many healthcare group-ib.com page 27 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

the most USA attacked region

It is difficult to assess the size of the market for selling access, however, as offers published on underground forums often do not include the price. $1,609,930 the total market size for access sold from H2 2018 to H1 2019 (the sum of the prices of all access information published on the forums) $6,189,388 the market size in the current period, H2 2019 to H1 2020 (it has almost quadrupled)

The United States remains the most often attacked region. It is worth highlighting, however, that it has become increasingly difficult to establish the name and location of the companies to which access is being sold without communicating with the cybercriminals involved. group-ib.com page 28 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Nation-state actors sell access to networks and use ransomware

In an effort to increase their profits, A perfect example is an ad published Boeing, etc.), IT giants, and media com- some state-sponsored groups began by a user with the nickname nanash panies. The figure below contains the selling access to corporate networks in June 2020. The seller offered access full text of the ad. or even using ransomware like regular to many networks, including some cybercriminals. belonging to US government depart- Figure 5. A user nicknamed nanash offering access ments, defense contractors (Airbus, to various companies

Although the message looks suspi- — Taiwanese authorities suspect — The hacker group Lazarus has cious, further investigation revealed that Chinese hackers from APT41 resumed developing ransomware. that its author had access to at least were behind a ransomware attack The fact was brought to light during two companies from the list above. on Taiwan's energy and technology attacks on European companies Group-IB experts obtained screenshots companies in May 2020. The notice involving ransomware called VHD and a video demonstration of LDAP included CPC Corp., a Taiwanese Ransomware. The hackers gained access as evidence. company that delivers petroleum access through a vulnerable VPN In the ad, the seller specifies that products throughout the island, gateway, obtained administrator the price of access to each company among the victims. While the attack privileges, and installed the Dacls is 11 BTC (USD 125,000). Access is sold did not affect CPC's manufacturing backdoor. They moved across the directly with partial prepayment: after processes, it prevented customers victim's network and encrypted the customer has transferred 5 BTC, the from using CPC Corp.'s payment files with a combination of AES-256 seller provides additional evidence and cards to buy gas. During the wave in ECB mode and RSA-2048. the second transaction occurs. of attacks on Taiwanese targets, — Another group of Chinese hackers, threat actors used a new ransom- IronTiger, was behind the attack In the message, the author did not ware called ColdLock. Malware involving HybirdRansom ransomware mention all the companies they have analysis revealed similarities against companies in the Asia- access to, but the cost of accesses between the program and two known Pacific region in the fall of 2019 and to companies listed explicitly is close ransomware families: Freezing and the spring of 2020. The ransomware to $5 million. EDA2, an open-source ransomware has three components that conse- Another way for state-sponsored originally created for educational quently launch each other to lock groups to make money is to use purposes. the machine and encrypt file: Locker, ransomware: Loader, and Cryptor.

group-ib.com page 29 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Compromised hosts by time (2019-2020)

Large companies under increasing threat from massive hacks

In the past, massive attacks did not vulnerabilities in VPN services. from GoDaddy and 247.ai also used cause serious damage to large com- APT groups performed similar actions. CVE‑2019-10149 (Exim) to install an SSH panies. This was because brute-force For example, APT29 (aka Cozy Bear) backdoor. For several months of activity, attacks or exploiting vulnerabilities actively exploited the following vulnera- the group infected 80,000 servers. in widespread software led to their bilities with public exploits: As mentioned above, one of the main infrastructure being used to distribute — CVE-2019-19781 (Citrix) ways to gain access to corporate net- or manage malicious code, mine cryp- works is to conduct brute-force attacks — CVE-2019-11510 (Pulse Secure) tocurrencies, conduct DDoS attacks, on remote access interfaces (RDP, SSH, — CVE-2018-13379 (FortiGate) or proxy traffic. VPN). How effective such an attack However, the market for the sale — CVE-2019-9670 (Zimbra) is will determine how many companies of access to corporate networks, the The APT group BlackEnergy (aka will be compromised as a result and how number of ransomware attacks, and APT Sandworm) exploited CVE-2019-10149 much money the fraudsters will make. group activity have all increased, so the (a vulnerability in the Exim mail server) Another key change is the emergence cost of an error on a company’s external to install an SSH backdoor. of new types of botnets. Their main perimeter has surged as well. purpose is to help perform distributed Ordinary criminal groups carried brute-force attacks from a large number Ten out of 15 ransomware affiliate out similar actions. For example, the of infected devices, including servers. programs focus on brute-force attacks group Clownz responsible for leaks on RDP. Three programs actively exploit

Figure 6. Example of the sale of a service based on a bruteforcer, a distributed scanner for establishing passwords

Ivanushk23 Brute-force botnet kilobyte After 1+ year of work, I want to announce a new distributed bruteforce/scanner. Paid registration 37 posts Hey friends, Joined After one year of work, I'm happy to present a distributed 10/17/18 brute-force scanner. The distributed scanner/ bruteforcer is a software that distributes tasks to several computers to scan/brute-force simultaneously. This speeds up the process significantly.

Can the solutions be used on computers found? Yes, when using a module rootkit.

group-ib.com page 30 of 78 HI-TECH CRIME TRENDS 2020/2021 → Key trends

Growing activity of post-exploitation frameworks

Conducting a successful attack by ransomware affiliates and oper- more than 10,000 hosts used by such on a corporate network requires tools ators, organized crime groups, and frameworks were discovered. In con- for lateral movement and privilege state-sponsored actors. trast, 6,000 such hosts were discovered escalation. The growth of the access Group-IB regularly detects new infra- in the same period last year. sales market has led to post-exploita- structure for various post-exploitation tion frameworks being used more frameworks. From H2 2019 to H1 2020, often. Such frameworks are used

Threat actor Cobalt Strike Metasploit Covenant CrackMapExec PoshC2 Koadic

Ryuk

REvil

MegaCortex

Maze

DoppelPaymer Ransomware

Clop

Lockbit

Cobalt

Silence

Fxmsp Cybercrime FIN6

Lazarus

OilRig

APT41

APT32

Gamaredon

APT Chimera

Mustang Panda

Chafer

APT10

APT33 10,000 HOSTS used by post-explotation frameworks

group-ib.com page 31 of 78 HI-TECH CRIME TRENDS 2020/2021 MILITARY OPERATIONS

Seven new APT groups were discovered during the reporting period Six known groups that remained unnoticed in recent years resumed their attacks

New tools and destructive consequences Power units shut down, infrastructure destroyed, and air-gapped networks attacked

Asia-Pacific countries are becoming one of the key "arenas" and are attracting the attention of cybercriminals from China, North Korea, Iran, and Pakistan

group-ib.com HI-TECH CRIME TRENDS 2020/2021 → Military operations

A changing threat landscape

Multiple attacks were carried out in the During the reporting period, seven remained unnoticed for the past few Asia-Pacific, a region in which the main new APT groups were discovered. years. active groups from China, North Korea, Group-IB researchers also unveiled Iran and Pakistan showed interest. the activity of six known groups that

APAC America

APT10 China Gorgon Group Pakistan DarkHotel North Korea Kimsuky North Korea OceanLotus Vietnam IronTiger China TA428 China APT41 China Kimsuky North Korea APT35 Iran APT37 North Korea Oilrig Iran FruityArmor UAE APT33 Iran BITTER India APT20 China Patchwork India APT37 North Korea Emissary Panda China Gaza Cybergang Gaza Poison Carp China TA410 China Rancor China APT5 China Lazarus North Korea Tortoiseshell Iran IronTiger China Orangeworm Unknown APT41 China Transparent Tribe Pakistan Mustang Panda China Higaisa South Korea EUROPE APT33 Iran APT 10 China Platinum China APT15 China APT-C-35 Unknown Gorgon Group Pakistan APT20 China Kimsuky North Korea BlackTech China FruityArmor UAE Tick China Lazarus North Korea SideWinder India APT41 China APT40 China Mustang Panda China Transparent Tribe Pakistan APT29 Russia Cycldek China Turla Russia Tonto Team China Oilrig Iran TwoSail Junk China Avivore China Naikon China APT-C-35 Unknown Tropic Trooper China APT20 China Chimera Unknown APT35 Iran APT30 China Gaza Cybergang Gaza Orangeworm Unknown Gamaredon Group Russia APT33 Iran MIDDLE EAST & AFRICA InvisiMole Unknown APT10 China APT5 China Oilrig Iran Orangeworm Unknown MuddyWater Iran Transparent Tribe Pakistan Gorgon Group Pakistan FruityArmor UAE POST-SOVIET COUNTRIES Tortoiseshell Iran APT28 Russia APT41 China MuddyWater Iran Mustang Panda China Gamaredon Group Russia APT33 Iran IronTiger China APT-C-37 Unknown Turla Russia Domestic Kitten Iran Golden Falcon Kazakhstan APT35 Iran APT37 North Korea APT-C-23 Gaza Kimsuky North Korea Gaza Cybergang Gaza Tonto Team China Chafer Iran StrongPity Turkey WildPressure Unknown Orangeworm Unknown

page 33 of 78 HI-TECH CRIME TRENDS 2020/2021 → Military operations

New APT groups

Tortoiseshell