Nation-state hackers from China, Russia and elsewhere spent last year updating their tradecraft and tightening their focus on espionage targets, according to a new CrowdStrike report examining the evolution of cyber-espionage in 2018.
The year didn’t see a suspected state-sponsored cyberattack on the scale of 2017’s NotPetya or WannaCry ransomware campaigns, which researchers have suggested were the work of Russian and North Korean hackers, respectively. But in the absence of another headline-grabbing crime spree, international hackers sought to advance their boss’ interests in more subtle ways: by more carefully determining who to hack and moving more quickly once inside, CrowdStrike said.
Chinese actors re-ignited their attacks against American targets amid a trade war with the U.S. Russia continued their reconnaissance efforts, while North Korea used digital techniques to generate cryptocurrency that would help Pyongyang avoid sanctions. Meanwhile, in Iran, state-sponsored hackers focused on domestic targets and rivals in the Middle East, the report found.
“We saw a lot of adversaries focusing on their tools and tradecraft as much as possible,” said Adam Meyers, vice president of intelligence at CrowdStrike, which is based in Silicon Valley.
Russian hacking groups — including Fancy Bear or APT28, which CrowdStrike said was the most active Kremlin-associated unit — moved the fastest.
Favorite targets included Ukrainian military and government organizations, NATO-affiliated targets, technology companies supporting Western military agencies and entities involved in investigating the poisoning of Sergei Skripal, a former double agent who gathered intelligence about Russia.
Once inside, it took Russian hackers an average of 18 minutes and 49 seconds to move from their initial entry point to another area of the hacked ecosystem. North Koreans took an average of two hours and 20 minutes while Chinese agents took four hours. The mean-time for Iranian actors was 5 hours and nine minutes, and cybercriminal gangs took nearly ten hours.
“Breakout time is important because it represents the time limit for defenders to respond to and contain or remediate an intrusion before it spreads widely in their environment and leads to a major breach,” the report stated. “While certainly not the only metric to judge sophistication by, this ranking is an interesting way to evaluate the operational capabilities of major threat actors.”
The average breakout time CrowdStrike observed last year across all breaches and hacking groups was 4 hours and 37 minutes. That’s way up from the one hour and 58 minutes from 2017, an increase CrowdStrike attributed in part to the rise in hacks from less skilled attackers. The company tracked 240 billion events per day in 2018, compared to 90.1 billion the year before.
CrowdStrike did not examine possible nation-state attacks in U.S. election infrastructure in this report. In testimony to Congress last week, U.S. National Security Agency Director Paul Nakasone told lawmakers China and Russia pose growing threats to U.S. cybersecurity, a danger that he said includes potential election interference.
Researchers also detailed “several targeted intrusion campaigns” focused on infiltrating telecommunications providers. Nation-states are directly targeting telecoms, compromising vulnerable equipment, and referencing telecom services in other attacks.
“The access gained by compromising entities in the telecom sector supports the subsequent targeting of their customers, which include government entities,” the CrowdStrike report states.
China, Russia and Iran each have prioritized infiltrating telecom supply chains for intelligence-gathering purposes. A successful attack could support the bulk collection of personally identifiable information, SMS text messages, call logs and geolocation data. And by breaching a trusted telecom or technology provider, then leveraging that company’s market reach, nation-states can the exploit a target’s reputation for its own purpose, Meyers said.
“You don’t want to build the whole technology, and build the whole wheel, when you can steal the wheel and build your own spikes and enhancements on it,” he said.