Flashpoint’s mid-year Business Risk Intelligence Report analyzes data from geopolitics and the deep and dark web to show how threat actors and their motivations have evolved over the first six months of 2017, and to provide insight into what new threats might appear in the coming months. It comprises sections covering both the primary nation-states and the main threat sub-sections.
The report notes the continuing Russian effort to interfere with western elections; especially during the approach to the German national elections in September 2017.
The Shadow Brokers (TSB) have re-emerged from dormancy, and are generally considered to be tied to the Russian state. Internally, Russia is tightening control over dissidents and internet usage. Ruslan Stoyanov was arrested on unspecified charges relating to ‘treason’. From prison, he warned the regime against “the consequences of partnering with domestic ‘patriot-thieves’ (cybercriminals).”
“Moscow is moving quickly towards establishing an unprecedented level of information control within the country’s borders” warns Flashpoint, “…cementing the state’s authority over online activities.”
Chinese state-sponsored activity has remained low following the Xi-Obama agreement made in September 2015. Nevertheless, there has been some activity. In early March, a DHS report described activity under the ‘Pleasantly Surprised’ campaign spear-phishing commercial entities in the financial, retail and technology sectors. APT10 was also linked to a campaign targeting the National Foreign Trade Council around the time of the US/China summit in early April. Other probable Chinese activities included attacks against MSSPs and attempts to compromise South Korea’s Terminal High Altitude Area Defense (THAAD) anti-ballistic missile system.
Flashpoint notes that China remains a potent cyber force, but seems to have turned the focus of its attention to Asian and geographically nearby targets. Internally it continues to increase control over cyber activities with new regulations on data flows and VPNs.
The Five Eyes group of nations is described as the “pinnacle of cyber capabilities of all actors in cyberspace” — but one that is not considered a ‘threat actor’ to other western nations. However, the NSA continues to be embarrassed by the TSB leaks, while the CIA has been embarrassed by WikiLeaks’ Vault7 leaks. However, “Despite the synchronicity between the ShadowBrokers releases and the Wikileaks dump, there is no known connection between the two,” says Flashpoint.
Iran is described as a ‘moderately-capable threat actor in cyberspace’, and one that has concentrated on exploiting vulnerabilities in critical infrastructure systems. While it has been relatively quiet in recent months, Flashpoint warns that any attempt by the US Administration to dismantle the Iranian nuclear accord is likely “to be accompanied by renewed Iranian efforts in the cyber domain.” However, for the moment, it believes that the “re-election of Iranian President Hassan Rouhani is likely to have a stabilizing effect on Iranian cyber activities.”
North Korea is considered to be a potent threat, but one that has been relatively quiet this year following China’s apparent withdrawal of political support. Nevertheless, there have been at least two spear-phishing campaigns: one against South Korean research organizations, and the other against North Korean defectors.
The report notes the suggested links of the WannaCry ransomware to the North Korean Lazarus Group. Its own findings suggest a Chinese-speaking author, but it adds that these two findings are not mutually exclusive.
Geopolitically, the Trump administration has said, the “era of strategic patience is over.” Flashpoint concludes, “The North’s current apparent quiescence in cyberspace may come to a swift end in the event that the United States reacts strongly to the country’s sixth nuclear test, for which many analysts believe that Pyongyang is preparing.”
Just this week, US-CERT released a technical alert on behalf of the DHS and the FBI to warn organizations of North Korea’s “Hidden Cobra” activities, particularly distributed denial-of-service (DDoS) attacks.
Disruptive and Attention-Seeking Actors
Such actors have been quieter than usual during the first half of 2017. Flashpoint believes it may be because they are starved of publicity due to the media’s current focus on the new administration and the FBI/Russia probe. Other reasons may be industry’s improving security stance and, for example, the increased awareness among police departments of SWATTING techniques.
Cybercriminals are continuing to innovate and evolve. The switch from targeting individuals to targeting organizations continues, and the focus on targeting healthcare remains. “Flashpoint has observed a variety of actors such as ‘svako,’ ‘hackworld,’ ‘covrig3500,’ and more targeting healthcare clinics across the United States in efforts to monetize the stolen data.”
Business Email Compromise (BEC) is growing. In April, Google and Facebook became victims in a scam that netted $100 million for the scammers.
Flashpoint notes a decline in western hacktivism. “Thus far in 2017,” it says, “the hacktivist landscape has been dominated by a small subset of largely-ineffectual hacktivist operations linked to the Anonymous collective, as well as activity emanating out of Turkey and China in particular.”
Jihadi actors have shown little growth in technical skill over the first half of 2017. “Due to the lack of technical acumen within most jihadi hacker groups, their victims tend to be poorly-defended or smaller, low-hanging-fruit websites.” The most active hacker group is the United Cyber Caliphate (UCC) which has called for all pro-ISIS hackers to unite under one banner, including the newly-created “Caliphate Cyber Terrorism Army (CCTA).” There is, however, no evidence that the group is directed or supported by ISIS itself. It has also suffered from the loss of at least three of its leaders to US airstrikes — the most recent being Osed Agha in March 2017, and the most notable being Junaid Hussain, or “TriCk” of TeaMp0isoN.
The physical threat to western nations has, however, increased. As the strength of the ISIS Caliphate has dwindled, it has turned to recruiting and encouraging the “lone mujahid in the West.” Although not mentioned by Flashpoint as part of this report, this has led to increasing demands from western governments to curb end-to-end encryption, and for the social media giants to co-operate more closely with government.
Flashpoint believes that a deeper understanding of geopolitics and its interaction with cyber threats can help businesses better prepare for both current and future threats.