Cybersecurity is a concern for any business operating in the digital age, but companies with strong intellectual property divisions have some very specific security issues to handle. A recent conference on the subject of Chinese theft of American IP featured comments from Federal Bureau of Investigation (FBI) Director Christopher Wray, who remarked that the FBI has been investigating about 1,000 alleged cases of IP theft by Chinese actors since the China Initiative was launched by the U.S. Department of Justice (DoJ) in late 2018. Statistics the FBI presented at that conference showed that technology theft cases involving China grew rapidly between 2008 and 2012, after which a steady rise has continued through 2020.
Malware in general is often considered the major cybersecurity concern for businesses and consumers alike, but one form of malware-based attack that has been particularly damaging to IP-owning businesses is ransomware. These attacks involve malicious software programs that, once downloaded into a company’s computer networks, block access to data or threaten to publish it. In late February, the announcement of a ransomware attack on a U.S. precision parts manufacturer created concerns that sensitive data could be leaked from that manufacturer’s customers, which include SpaceX, Tesla and Lockheed Martin. This January, President Donald Trump signed the National Counterintelligence Strategy, which set forth key areas of focus for federal cybersecurity operations, including the protection of American intellectual property from malevolent foreign actors.
A Shift Toward Malware-Free Attacks
The cybersecurity firm CrowdStrike recently released its 2020 Global Threat Report, which includes a list of findings on cybercrime activities. The report focuses on the types of malicious software programs being employed for such attacks, nations around the globe which are the greatest sources of cybercrime activities, as well as the industry sectors which are among the top targets of those perpetrating cyber-attacks.
One notable finding from the CrowdStrike report that IP companies may find useful is a trend towards malware-free cyber-attacks. Whereas malware attacks write malicious code to a system’s hard disk, malware-free attacks rely on code that executes only in memory or on stolen login credentials to gain access to sensitive information. In 2018, 60% of attacks detected by CrowdStrike involved malware, while 40% of detected attacks were malware-free. In 2019, malware-free attacks made up 51% of detected attacks. Whereas file-based malware attacks are not difficult to intercept, malware-free attacks require more sophisticated behavioral analysis, since there is no malicious file on disk to scan.
For North American companies in particular, malware-free attacks are becoming more of a concern. While each region of the globe experienced malware-free attacks in 2018 at rates ranging from 25% to 45% of total cyber-attacks, nearly 75% of all cyber-attacks targeting North American entities during 2019 were malware-free. By contrast, malware-free attacks in Latin America dropped to less than 10% of all cyber-attacks targeting that region during 2019. The CrowdStrike report also identifies particular techniques in cyber-attacks, noting a rise in masquerading techniques involving the manipulation of names or folder locations of executable files in order to escape detection.
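As an added illustration of the behavioral analysis the report calls for, the following Python checks process-creation events for the masquerading pattern just described: a well-known executable name launched from a folder where it never legitimately lives, or an executable whose on-disk name differs from the original filename embedded in its version resource. This is example code written for this summary, not CrowdStrike’s tooling; the expected-folder table and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed allow-list of where these well-known binaries legitimately live.
# A real deployment would derive this from a golden image, not a hand-written table.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

@dataclass
class ProcessEvent:
    image_path: str          # full path of the executable that was started
    original_filename: str   # name embedded in the PE version resource

def _split(path):
    """Normalise a Windows path and split it into (directory, file name)."""
    norm = path.lower().replace("/", "\\")
    directory, _, name = norm.rpartition("\\")
    return directory, name

def masquerade_findings(ev):
    """Return the reasons an event looks like masquerading (empty list if none)."""
    directory, name = _split(ev.image_path)
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        reasons.append(f"{name} launched from unexpected folder {directory}")
    orig = ev.original_filename.lower()
    if orig and orig != name:
        reasons.append(f"on-disk name {name} differs from original filename {orig}")
        if orig in EXPECTED_DIRS:  # a renamed system binary is the classic case
            reasons.append(f"binary is really {orig} running under a different name")
    return reasons

def scan(events):
    """Map each suspicious image path to its findings; clean events are omitted."""
    return {ev.image_path: r for ev in events if (r := masquerade_findings(ev))}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", "svchost.exe"),
    ProcessEvent(r"C:\ProgramData\updater.exe", "lsass.exe"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Only the first sample event is clean; the second is a system binary name running from a user-writable folder and the third is a renamed system binary, which is why both checks are needed.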
A specific area of concern in the malware space is the increasing use of ransomware, which can hold companies and government agencies hostage by disrupting the operation of critical systems. The ransomware industry has grown more sophisticated as major ransomware developers have built affiliate programs, operated ransomware-as-a-service (RaaS) platforms and taken a portion of the proceeds earned by attackers. Ryuk, a ransomware family specifically designed to target enterprise-level networks, was the source of the highest ransom demands during 2019, holding companies hostage for $12.5 million as well as 1,600 bitcoin. Ryuk is operated by the Russia-based threat group WIZARD SPIDER, a criminal collective which has developed many forms of malware and was CrowdStrike’s most reported adversary during 2019.
Ransomware accounts for about 26% of all electronic crime (eCrime) activities, increasing to about 37% when including attacks involving both ransomware and banking trojan malware. Banking trojans like TrickBot or BokBot themselves make up a large percentage of eCrime activity detected during 2019, as do malware downloaders such as Emotet or Smoke Bot. Ransomware, banking trojans and malware downloaders together constituted about three-quarters of all eCrime activity detected by CrowdStrike during 2019.
Chinese and Russian Cyber-Crime
The CrowdStrike report also includes regional profiles of nations that are home to large groups of cyber attackers. This list includes a collection of usual suspects including Russia, China, Iran and North Korea. Evidence of Chinese cyber-crime points to repeated intrusions into companies in both the telecommunications and the healthcare sectors, both of which are key domestic industries for China. Aside from corporate espionage, Chinese cyber-crime activity includes attacks against minority populations like Tibetans and Uighurs, especially at times when those populations have been involved in government protests. CrowdStrike also reports that a majority of the cyber adversaries stationed in China seemed to be working in concert with the Ministry of State Security, lending weight to the idea that Chinese state interests are involved with cyber-crime activity in that nation.
Politically related motivations are also evident in Russian cyber-crime, most of which targeted Ukrainian entities. CrowdStrike believes that these operations are conducted mainly to inform either Russian political leaders ahead of diplomatic negotiations or Russian military leaders developing battlefield tactics. The report also forecasts potential Russian cyber-crime activity related to the World Anti-Doping Agency’s decision last December to ban Russia from international athletic competitions for four years. Such attacks would likely target companies that have a nexus with major competitions like the 2020 Tokyo Olympic Games.
The “1-10-60 Rule”
The CrowdStrike Global Threat Report concludes with a series of recommended actions that companies can take to ward off various threats. In many cases, ransomware and other attacks could have been prevented if companies had fully deployed their security controls across the entire enterprise network rather than only part of it. CrowdStrike also recommends that companies adopt cybersecurity practices that can meet what it calls the “1-10-60 rule”: detecting an intrusion within one minute; understanding how the intrusion is operating within 10 minutes; and removing the adversary from the network within 60 minutes.