A year in cybersecurity is often marked by how disruptive the activity observed was — not just from a destructive standpoint, but also from the perspective of whether day-to-day life was affected. By any such measure, 2019 was an active year. From U.S. school districts to asset management firms, from manufacturing to media, ransomware attacks affected multitudes of people. Disruption in 2019 was not punctuated by a single destructive wiper; rather, the year was plagued by sustained operations targeting the underpinnings of our society. The particularly disruptive impact that ransomware had across all sectors is addressed at the beginning of this report, followed by an assessment of additional eCrime threats.
Going into 2019, CrowdStrike Intelligence anticipated that big game hunting (BGH) — targeted, criminally motivated, enterprise-wide ransomware attacks — would continue at least at the 2018 pace. However, what was observed was not just a continuation but an escalation. Ransom demands grew larger. Tactics became more cutthroat. Established criminal organizations like WIZARD SPIDER expanded operations, and affiliates of the ransomware-as-a-service (RaaS) malware developers adopted BGH attacks. In short, the greedy got greedier and the rich got richer.
Other criminal actors took note. Numerous adversaries specializing in the delivery or development of malware benefited from supporting customers or partners conducting BGH operations. Malware-as-a-service (MaaS) developers like VENOM SPIDER introduced ransomware modules. Banking trojans continued to be repurposed for download-as-a-service (DaaS) operations — a trend started by MUMMY SPIDER — used to distribute malware families associated with BGH. Even targeted eCrime appears to be in a state of change, as is apparent from the recent activity attributed to GRACEFUL SPIDER, an adversary notable for its high-volume spam campaigns and limited use of ransomware.
As in years past, the majority of state-sponsored targeted intrusions appeared to be motivated by traditional intelligence collection needs. Analysis in 2019 revealed a focus by Chinese adversaries on the telecommunications sector, which could support both signals intelligence and further upstream targeting. Content related to defense, military and government organizations remains a popular lure for targeted intrusion campaigns. Examples of such incidents were seen in the activity of Russian adversaries targeting Ukraine, and the use of defense-themed job and recruitment content by Iran-based IMPERIAL KITTEN and REFINED KITTEN.
While traditional espionage is the primary objective of many state-sponsored actors, adversaries associated with the Democratic People’s Republic of Korea (DPRK, aka North Korea) sustained their interest in cryptocurrencies and the targeting of financial services, with identified incidents linked to all five named DPRK-associated adversaries tracked by CrowdStrike. Exact motives remain unconfirmed, but it is possible this interest in financial sector organizations represents additional currency generation operations and/or industrial espionage. Industrial espionage is also a suspected motive for Vietnam’s targeting of the automotive sector and China’s targeting of healthcare and other sectors, bringing the threat of intellectual property theft back into the spotlight.
In the following sections, the CrowdStrike Intelligence team, the Falcon OverWatch™ managed threat hunting team and the CrowdStrike Services team present selected analysis that highlights the most significant events and trends in the past year of cyber threat activity. This analysis demonstrates how threat intelligence and proactive hunting can provide a deeper understanding of the motives, objectives and activities of these actors — information that can empower swift proactive countermeasures to better defend your valuable data now and in the future.