As 2021 began, the world faced the possibility that it had not entirely put the unprecedented challenges of 2020 behind it. Healthcare sector entities continue to fight the COVID-19 pandemic that, beyond the tragic human toll of the disease, fueled numerous incidents of malicious cyber activity. The ransomware adversaries that proliferated in 2020 are as motivated as ever, evidenced by the introduction of increasingly damaging tactics, techniques and procedures (TTPs). Finally, as 2020 came to a close, a major software supply chain attack rocked the U.S. public sector and adjacent industries.
TWISTED SPIDER’s adoption of data extortion tactics was singled out in early 2020 as a direction other eCrime actors might pursue to capitalize on ransomware infections — a preview of what would become, without exaggeration, an explosion of similar activity throughout the year. The allure of big game hunting (BGH) — ransomware campaigns aimed at high-value targets — dominated the ecosystem of eCrime enablers in 2020, spurring the market for network access brokers. BGH trends also disrupted traditional targeted eCrime behavior — as seen in threat actor CARBON SPIDER’s shift away from targeting point-of-sale (POS) systems to join the BGH ranks. WIZARD SPIDER — a BGH actor and established eCrime “megacorp” — sustained its high-tempo operations to become the most reported eCrime adversary for the second year in a row.
Not even the global pandemic could slow the pace of targeted intrusions in 2020, nor could the large number of public disclosures regarding adversary activity in both 2019 and 2020. In continuation of a trend highlighted in 2019, Chinese adversaries targeted telecommunications, with WICKED PANDA having another prolific year, despite indictments against individuals associated with their operations. As expected, Democratic People’s Republic of Korea (DPRK) adversaries sustained their currency-generation efforts. Interestingly, the blending of eCrime and targeted intrusion tactics previously associated with these North Korean actors and some Russian adversaries was also observed from Iran-nexus PIONEER KITTEN.
To tackle these threats, CrowdStrike Intelligence has offered an unparalleled level of coverage, adding 19 named adversaries to bring the total of tracked actors across the globe to 149. In instances where CrowdStrike Intelligence lacks sufficient information or evidence to assign an adversary name, targeted intrusion activity is tracked as a “cluster.” In 2020, the number of tracked activity clusters under continued monitoring rose to 24.