Annual threat report from Symantec reveals alarming increase in targeted attacks aimed at politically motivated sabotage and subversion.
Hackers, unfortunately, had a great year in 2016, launching hugely ambitious attacks which included multi-million dollar virtual bank heists and attempts to disrupt the US elections. The latter reveals a worrying new trend: hackers are turning political in their attempts to disrupt and destabilise organisations and countries.
According to Symantec’s Internet Security Threat Report, subversion and sabotage attacks are emerging at the forefront of the threat landscape, with cyber criminals executing politically devastating attacks in a move to undermine a new class of targets. One only need look at the attack on the US Democratic Party to see a concerning trend toward criminals employing highly-publicised, overt campaigns designed to create waves in nation states.
“New sophistication and innovation are the nature of the threat landscape, but this year Symantec has identified seismic shifts in motivation and focus,” said Kevin Haley, director, Symantec Security Response.
“The world has seen specific nation states doubling down on political manipulation and straight sabotage. Meanwhile, cyber criminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools and cloud services.”
Although attacks geared towards sabotage have been rare, the perceived success of several attacks like that on the US Democratic Party will only serve to encourage other criminals to attempt the same, with hackers gearing up to influence politics and sow discord in other countries.
However, while the cyber saboteurs emerged at the forefront of the cyber landscape, a large proportion of the cyber underworld were doing what they do best – making money. The report revealed that a new breed of attackers were driven by major financial ambitions – which may be a means to an end for the attackers looking to fund covert and subversive activities.
Today, the largest heists are not done at gunpoint, but via a computer, with billions of dollars stolen virtually. An interesting finding was that while some of these attacks were the work of organised criminal gangs, for the first time nation states appear to be involved as well.
Symantec uncovered evidence linking North Korea to attacks on banks, with $81 million stolen from Bangladesh, $12 million from Ecuador and $1 million from Vietnam for a total of $94 million. The US government blamed the Sony attacks on North Korea, and we know the same attackers are behind these thefts based on the tools and techniques they used.
“This was an incredibly audacious hack as well as the first time we observed strong indications of nation state involvement in financial cyber crime,” said Symantec’s Haley.
“While their sights were set even higher, the attackers stole at least US$94 million.”
Moving from the motivations of the attackers to the weapons they arm themselves with, the report found hackers using PowerShell, a common scripting language installed on PCs, and Microsoft Office files. Criminals were found to use the scripting language as it offers the ability to hide in plain sight and leaves a lighter footprint. A staggering 95% of PowerShell files seen by Symantec in the wild were malicious. This shows a trend of attackers “living off the land”, using the same tools already installed on your system against you.
Email, however, was found to be the weapon of choice for 2016. It was the favoured infection point for hackers: Symantec found one in 98 emails contained a malicious link or attachment – the highest rate in five years. Hackers also found a honey trap in the form of Business Email Compromise (BEC) scams, which rely on little more than carefully composed spear-phishing emails. This form of attack scammed more than three billion dollars from businesses over the last three years, targeting over 400 businesses every day.
Ransomware – the headline grabber which has been seized upon by the press recently – has continued to be a favourite form of malware for hackers. Symantec identified over 100 new malware families released into the wild, more than triple the number seen previously, and a 36 percent increase in ransomware attacks worldwide. When looking at the report, it is clear why ransomware remains a favourite for cyber criminals – especially in the UK. 41% of UK ransomware victims are willing to pay a ransom, compared to 34% globally. Unfortunately, this has consequences. In 2016, the average ransom spiked 266%, with criminals demanding an average of £840 per victim, up from £229 as reported for the previous year.
The report from Symantec also looked forward, to the next frontier of cyber crime, with cloud firmly in the hackers’ cross-hairs. As more and more companies increase their reliance on cloud, the risk and threat of attack only increases. Tens of thousands of cloud databases from a single provider were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on.
Cloud security continues to keep CIOs up at night, with data from Symantec revealing that CIOs have lost track of how many cloud apps are used inside their organisations. When asked, most assume their organisations use up to 40 cloud apps when in reality the number nears 1,000. This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier. These cracks found in the cloud are taking shape. Indeed, Symantec warns that if CIOs fail to get a grasp on cloud security, then they will see a shift in how threats enter their business.