Cyber criminal collaboration intensifies

The level of cooperation between high-profile cyber threat groups has shifted up a gear, enabling a higher level of automation and making attribution more difficult, research shows

A new operating model among top cyber crime groups has emerged in the past year, boosting the efficiency of attack campaigns, a report warns.

Closer relationships between these groups have resulted in a greater degree of tool sharing, which in turn is making it more difficult to identify which group is behind any particular cyber attack, according to the latest Cyber threatscape report from professional services firm Accenture.

The report, based on Accenture threat intelligence and research from open source materials, notes a significant increase in threat actors and groups conducting targeted intrusions for financial gain, commonly known as “big game hunting”.

Despite the arrests of individuals associated with online underground marketplaces, activity among threat actor groups such as Cobalt, FIN7/Carbanak and Contract Crew has continued, the report reveals.

Accenture researchers have also observed the shared use of tools that automate the process of mass-producing malicious documents to spread malware that is used in both conventional crimeware campaigns and targeted attacks.

This new level of collaboration between groups suggests a major change in how threat actors work together in the underground economy, the report said.

Researchers also report a shift in the way Cobalt Group targets victims to gain access to supply chain networks. While malware has typically been sent to internet users via phishing emails, the report said researchers have observed an emergence of malware executed through web browsers focused on targeting online merchants and retailers specifically.

“Over the past year, cyber criminals have continued to test the resilience of organisations by layering attacks, updating techniques and establishing new, intricate relationships to better disguise their identities, making attribution more difficult to pursue,” said Josh Ray, a managing director at Accenture Security.

“Organisations should understand the tangible elements, or the bread crumb trail left behind, which can help reveal the motivations, operational procedures and tool use, to create a profile of the adversary. This process is critical for organisations to understand so they can proactively be involved in properly allocating resources and improving their security posture to avoid becoming cyber crime’s next victim.”

In addition to a change in operating model, the report highlights a continued “global disinformation” battlefield influencing social media users and cautions that threat actors are becoming more skilled at exploiting legitimate tools. 

While disinformation campaigns to influence domestic or foreign political sentiment and sway national elections are likely to continue, the report said the wider potential impact of disinformation on global financial markets is even more concerning.

“The financial services industry – and, more specifically, high-frequency trading algorithms, which rely on fast, text-driven sources of information – are likely to be targeted by large-scale disinformation efforts in the future,” the report said.

A well-orchestrated disinformation campaign may have serious consequences on brand reputation, specific markets, and even market stability, the report warns, adding that the tools required to implement a successful campaign are well within the capability of ideologically, financially, and politically motivated threat adversaries already targeting the financial sector.

Like other recent cyber threat reports, Accenture confirms that ransomware is increasingly plaguing businesses and government infrastructures, with the number of ransomware attacks more than tripling in the past two years.

“Ransomware attacks have risen as one of the key destructive tools used for financial gain, with attackers seeking extortion alongside sabotage and destruction,” the report said.

Aside from delivery via spam campaigns, researchers reported threat groups Nikolay and GandCrab are planting ransomware directly on networks through network access intrusions.

Actors are offering to sell remote desktop protocol (RDP) access to corporate networks, which they are likely to have gained through compromised servers and RDP brute forcing, the report said.

Ransomware attacks can significantly affect organisations financially, both by disrupting business operations and because the cost to repair or restore systems can be high, the report said, noting that some threat actors use ransomware for destructive purposes, in addition to or instead of financial ones.

“Regardless of motive, the ransomware threat will remain for the foreseeable future; businesses should try to ensure they have taken the adequate measures to prepare, prevent, detect, respond and contain any corporation-wide ransomware attack,” the report concludes.
