2013 Year in Review: Actors, Attacks, and Trends
As 2012 was winding down, the CrowdStrike Intelligence team was in hot pursuit of an adversary who was leveraging a Strategic Web Compromise (SWC) attack using an exploit for an at-the-time unpatched vulnerability (CVE-2012-4792). This attack was a harbinger of what was to follow throughout 2013. These attacks, commonly called “watering holes”, do not rely on social engineering and weaponized documents to victimize their prey. Instead, sites known to be of interest to the victim are seeded with exploits leading to droppers intended to implant the system of the unsuspecting visitor. In Q1 2013, the CrowdStrike Intelligence team warned our threat intelligence customers of the impending shift in targeting to this attack scenario. This estimative analysis factored in many pieces of intelligence that were collected and analyzed by the team and used to develop indications and warnings.
Today, CrowdStrike is publicly releasing the first annual “Global Threat Report: Year in Review”. The 2013 Global Threat Report is meant to provide readers with an overview of some of the key areas that the CrowdStrike Intelligence team feels defined the year in cyber adversaries. As with everything we do, this report is adversary focused, looking first at a technique that adversaries across the globe leveraged to conduct attacks. The report then looks at notable activity from a variety of actors, not just in the nation-state-sponsored category but also in the hacktivist/nationalist category that we crypt using “JACKAL”. During 2013, we monitored more than 50 different cyber attackers with varying motivations and capabilities; in the third section of this report, we discuss two that we thought would be of interest. ENERGETIC BEAR, an adversary with a nexus to the Russian Federation, targeted a variety of government and research targets, as well as a large number of energy sector targets. This actor used an advanced implant with several unique characteristics; additionally, they leveraged several unique toolsets and secondary implants to pursue R&D and strategically valuable information. EMISSARY PANDA, a People’s Republic of China-based adversary, conducted a series of SWC attacks against, among other things, foreign embassies located in the United States. This adversary collected sensitive intelligence from the defense industrial base, aerospace, telecom, and shipping sectors.
The final section of the report is meant to provide indications and warnings for the current year. Much time was spent on this section with the intention of providing the security community and enterprise defenders with actionable intelligence for the coming year. Among the many predictions are the discussion of cyber spillover from regional conflicts, the likelihood of Democratic People’s Republic of Korea (DPRK) cyber aggression during the winter training cycle, and the increasing belligerence of Middle Eastern cyber actors leveraging customized toolsets. One prediction, which is a topic of general interest today, is the evolution of cyber criminal groups who, as recently evidenced in the well-known retail breaches, took a page from the targeted attacker playbook and moved laterally to deploy customized malware on specifically targeted systems.
CrowdStrike believes that to combat cyber attackers, you must understand their motivations, capabilities, and intentions. Through intelligence-driven security, our dedicated intelligence analysts, incident responders, and next-generation endpoint technology identify these adversaries and track their activities.