In recent years, the most advanced hacking groups have been becoming bolder when conducting cyber attack campaigns, with the number of organizations targeted by the biggest campaigns rising by almost a third.
A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organizations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.
The figures detailed in Symantec’s annual Internet Security Threat Report suggest that the top 20 most prolific hacking groups are targeting more organizations as the attackers gain more confidence in their activities.
Once attackers might have needed the latest zero-days to gain access to corporate networks, but now it’s spear-phishing emails laced with malicious content that are most likely to provide attackers with the initial entry they need.
And because these espionage groups are so proficient at what they do, they have well tried-and-tested means of conducting activity once they’re inside a network.
“It’s like they have steps which they go through, which they know are effective to get into networks, then for lateral movement across networks to get what they want,” Orla Cox, director of Symentec’s security response unit told ZDNet. “It makes them more efficient and, for organizations, it makes them harder to spot because a lot of the activity looks like traditional enterprise activity.”
In many of the cases detailed in the report, attackers are deploying what Symantec refers to as ‘living-off-the-land’ tactics: the attackers use everyday enterprise tools to help them travel across corporate networks and steal data, making the campaigns more difficult to discover.
Not only is the number of targeted campaigns on the rise, but there’s a larger variety in the organizations being targeted. Organizations in sectors like utilities, government and financial services have regularly found themselves targets of organized cyber-criminal gangs, but increasingly, these groups are expanding their attacks to new targets.
“Often in the past, they’d have a clear focus on one sector, but now we see these campaigns can focus on a wide variety of targets, ranging from telecoms companies, hotels, universities. It’s harder to pinpoint exactly what their end goal is,” said Cox.
While intelligence gathering remains the key goal of many of these campaigns, some are beginning to expand by also displaying an interest in compromising systems.
This is a particularly worrying trend, because while stealing data in itself is bad enough, attackers with the ability to operate cyber-physical systems could be much worse.
One group Symantec has observed conducting this activity is a hacking operation dubbed Thrip, which expressed particular interest in gaining control of satellite operations – something that could potentially cause major disruption.
In the face of a rise in targeted attacks, governments are increasingly pointing the finger not just at nations but individuals believed to be involved in cyber espionage. For example, the United States named individuals it claims are responsible for conducting cyber attacks: they include citizens of Russia, North Korea, Iran and China. Symantec’s report suggests the indictment might disrupt some targeted operations, but it’s unlikely that cyber espionage campaigns will be disappearing anytime soon.