According to SecurityWeek, Russian attackers targeted the energy sector and a Chinese-nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in the firm's first-ever Global Threat Report.
CrowdStrike's Intelligence Team tracked more than 50 different threat actor groups believed to be behind the majority of sophisticated threats against enterprises in 2013.
These groups operated out of China, Iran, India, North Korea, and Russia. In its Global Threat Report, CrowdStrike identified many of the tactics, techniques, and procedures used by these groups to craft and launch sophisticated attacks against major targets around the world.
CrowdStrike outlined details of how these groups carried out their attacks and what tools were used in the report, released Wednesday.
Attackers are human, which means “they make mistakes, and they have habits,” said Adam Meyers, vice-president of Intelligence at CrowdStrike, a firm focused on detection and mitigation of targeted attacks.
Attack tools, no matter how sophisticated, have specific “marks” that can be used to track back to the humans who created them, he said.
The marks can be something like password reuse, a certain string that appears frequently in code, or even the name of the registrar hosting the domain name.
These marks cannot be obfuscated and CrowdStrike researchers rely on these clues to connect different attacks and campaigns to each other.
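The linking described above, as an added illustration that is not CrowdStrike's code: constructed sample records carry the kinds of marks the report names (a reused C2 password, a recurring string in the binary, the registrar of the C2 domain), and union-find joins any two samples that share a mark, so separate campaigns that reuse one mark collapse into one adversary cluster. All field names and values are invented placeholders.

```python
"""Cluster constructed malware-sample records by shared human 'toolmarks'."""
from collections import defaultdict

# Constructed sample data; every value is an invented placeholder, not a real IoC.
SAMPLES = [
    {"id": "s1", "c2_password": "p@ss-A", "pdb_string": "D:\\proj\\rat1", "registrar": "reg-x"},
    {"id": "s2", "c2_password": "p@ss-A", "pdb_string": "D:\\proj\\rat2", "registrar": "reg-y"},
    {"id": "s3", "c2_password": "p@ss-B", "pdb_string": "D:\\proj\\rat2", "registrar": "reg-z"},
    {"id": "s4", "c2_password": "p@ss-C", "pdb_string": "C:\\other\\tool", "registrar": "reg-z"},
    {"id": "s5", "c2_password": "p@ss-D", "pdb_string": "C:\\x\\y", "registrar": "reg-q"},
]

# The fields treated as toolmarks (hypothetical schema).
MARK_FIELDS = ("c2_password", "pdb_string", "registrar")


def cluster_by_toolmarks(samples, fields=MARK_FIELDS):
    """Return sorted lists of sample ids, one list per connected cluster."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Index each (field, value) mark to the samples that carry it.
    owners = defaultdict(list)
    for s in samples:
        for f in fields:
            owners[(f, s[f])].append(s["id"])
    # Any mark carried by two or more samples links them into one cluster.
    for ids in owners.values():
        for other in ids[1:]:
            union(ids[0], other)

    clusters = defaultdict(list)
    for s in samples:
        clusters[find(s["id"])].append(s["id"])
    return sorted(sorted(c) for c in clusters.values())


def shared_marks(samples, a, b, fields=MARK_FIELDS):
    """List the marks two samples have in common: the evidence behind a link."""
    sa = next(s for s in samples if s["id"] == a)
    sb = next(s for s in samples if s["id"] == b)
    return [(f, sa[f]) for f in fields if sa[f] == sb[f]]
```

In practice an analyst weights marks by how rare they are: a shared registrar alone is weak evidence, a shared C2 password is strong, so review `shared_marks` for each link before treating a cluster as one adversary.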
The report found that Strategic Web Compromises (SWC), where attackers infect strategic Websites as part of a watering hole attack to target a specific group of users, were a favorite attack method for groups operating out of Russia and China.
The attack against the Council of Foreign Relations website in early 2013, which also compromised Capstone Turbine and Napteh Engineering & Development Co., involved three different adversaries using multiple types of malware, the report found.
The group hosted a booby-trapped Microsoft Word document on the website of a Spain-based defense manufacturer. Another watering hole attack affected the website of the Russian Federation's embassy in the United States.
An adversary group out of the Russian Federation has conducted intelligence collection operations against the energy sector since at least August 2012, the report said.
There were hints that watering hole attacks were this group's “preferred delivery vector,” although there were also attacks based on booby-trapped PDF files targeting Adobe Reader.
This group used two primary remote access tools, HavexRAT and SysMain RAT, which share code and have several techniques in common, CrowdStrike said.
“Observed indicators obtained from monitoring this adversary’s activity suggest that ENERGETIC BEAR is operating out of Russia, or at least on behalf of Russia-based interests, and it is possible that their operations are carried out with the sponsorship or knowledge of the Russian state,” CrowdStrike said in its report.
CrowdStrike also included details about the various operations conducted by Deadeye Jackal, also known as the Syrian Electronic Army, including the attacks against Twitter accounts for multiple media outlets, the theft of TrueCaller.com's database and others, and compromising DNS records for various websites including The New York Times and The Washington Post.
CrowdStrike believes organizations have an “adversary problem, not a malware problem,” Meyers said. The best way to understand the types of threats the organization is facing is to focus on the tactics and tools used by the adversaries instead of getting bogged down trying to detect and identify every type of malware the group may use.
Criminal groups are “diverse and difficult to track, but they, too, leave human toolmarks in the binaries and tools they leverage to steal information and criminalize the Internet,” the report said.