Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



08:30 AM
Larry Loeb
Larry Loeb
Larry Loeb

Russia – Fastest State Threat in the World

Russian threat actors were the most prolific last years – and were eight times faster at 'breaking out' than their nearest rival.

CrowdStrike, the US security firm, has this week issued the "2019 CrowdStrike Global Threat Report."

In the report, CrowdStrike ranked threat groups (both governmental and private) based on their "breakout time." They define this term as "the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network."

The dataset used for producing the breakout time analysis was based on intrusions that occurred during 2018 among the organizations CrowdStrike works with. Although large and representing every major industry across 176 countries, this large dataset is not universal. CrowdStrike admits "it is possible that researchers looking at other datasets may arrive at different measurements for breakout time."

The report compares the found breakout speeds of Russia, China, North Korea, Iran and the combined category of global eCrime actors.

Russian threat actors were found to be the most prolific last year, and had an average breakout time of 18 minutes and 49 seconds. This was eight times as fast as their speediest competitor -- North Korea-based adversaries. The North Koreans are almost twice as fast as intrusion groups thought to be from China.

The report notes that while Chinese-affiliated groups had an average breakout time of four hours, there were groups within China that were considerably faster. The average breakout metric may not account for some faster acting individuals.

The overall average breakout time that CrowdStrike observed in 2018 across all intrusions and threat actors was 4 hours 37 mins, which is a substantial increase from 1 hour and 58 minutes that was tracked in 2017.

The report says that the increase was due to, "a variety of factors may have contributed to this increase, including a rise in intrusions from slower-moving adversaries, as well as more organizations deploying next-generation endpoint security technologies that are more effective at detecting and stopping intrusions than legacy antivirus."

Additionally, the report found malware was a dominant method used by various types of attackers for initial infiltration. The media, technology and academic sectors were more heavily targeted by malware-free ("fileless" or memory resident) threats.

The report came to other conclusions including:

  • Nation-state adversaries were continuously active throughout 2018. Their activities were primarily aimed at targeting dissidents, regional adversaries, and foreign powers to collect intelligence for decision-makers.
  • Many countries used public channels to pay lip-service that they were curbing cyber-activities, but behind the scenes, they seemed to double down on their cyber espionage operations. The actors would combine their efforts with further forays into destructive attacks and financially motivated fraud.
  • Sixty percent of all cyber attacks involved a form of file-based malware, as opposed to "fileless" techniques.
  • China and North Korea were found to originate almost half of all the nation-state attacks in 2018.
  • Hacking supply chain companies instead of attacking targets directly has become a trend in wide use.
  • Cybercrime groups are now increasingly renting the services or tools provided by other groups, instead of creating their own. Criminal gangs adopted the tactic of "big game hunting" in ransomware attacks. This is when eCrime actors combine targeted enterprise intrusions with ransomware to extract large payoffs from organizations.
  • CrowdStrike also observed increased collaborations between "highly sophisticated" criminal actors.

The report has many details about all these topics, and is too broad to fully summarize here. But the overall sweep of the details in it can only give rise to concerns about the extent and depth of how threat actors function.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.