There’s a bit of an everything-old-is-new-again feel to at least one of the major trends for 2015 in security firm Mandiant Consulting’s recent annual threat report.
As with previous reports, FireEye/Mandiant’s analysis is based on a review of its customer engagements in the past year. The most interesting new trend it discovered over the period was an increase in the number of business disruption attacks its clients suffered. Examples of such attacks included those where corporate data was held for ransom or where the organization itself was held to ransom by attackers threatening to delete data, release it publicly, modify it, or add malware to the data.
In a shift away from the low and slow attacks of recent years, many of the incidents that Mandiant was called in to remediate in 2015 harkened back to older attacks in that they were very public, leaked data, and taunted victims.
Instead of the usual focus on stealth and maintaining access for as long as possible, the attacks that Mandiant investigated in 2015 were deliberately designed to draw public attention to the malicious activity or to data that was compromised. “Some attackers were motivated by money, some claimed to be retaliating for political purposes, and others simply wanted to cause embarrassment,” Mandiant said in its report.
Publicity-seeking attacks were common a few years ago but have become far less frequent recently. Security researchers have noted how in recent years threat actors have chosen to focus on monetizing their criminal skills and on stealing data rather than displaying their hacking prowess to make a political or social point or to impress peers.
Charles Carmakal, vice president of Mandiant, says that the threat actors responsible for the disruptive attacks typically had very different motivations from those looking to steal data over the long term.
“Disruptive threat actors are motivated by money and fame,” he says. “State-sponsored threat actors tend to steal information that provides economic, military, or political advantage to their countries.”
State-sponsored actors have usually been careful to avoid disrupting businesses because they want to keep stealing data from their victims, he says.
Digital blackmail schemes were a common occurrence in 2015 among Mandiant’s clients. Such campaigns typically involved situations where an attacker tried to extort money from an organization by threatening to publicly release sensitive data that had been previously stolen from it.
“We’ve observed attackers stealing materially sensitive data, then threatening to release the information publicly, encrypting victims’ data, and conducting denial of service attacks until ransoms were paid,” Carmakal says. In most cases, the ransoms demanded tended to be commensurate with the value of the stolen data, suggesting that attackers had a finely honed sense of the inherent value of the information.
Mandiant also investigated multiple attacks where the adversaries wiped data from critical business systems, and often from the system backup infrastructure as well, to keep victims offline, sometimes for weeks. While threat actors have had the ability to take such actions for years, most have refrained from doing so because their focus has been on the theft of IP and other data.
“Many of the disruptive attacks that we observed in 2015 appeared to be opportunistic in nature,” Carmakal says. “However, we’ve observed attacks that were clearly targeted and deliberate.”
Somewhat ironically, the disruptive nature of many of the attacks in 2015 may have actually made them easier to spot.
According to Mandiant, last year it took about 146 days on average for organizations to discover a breach on their own or to be notified of one by an outside party. While that is still a long time, it is better than the 205 days on average it took in 2014, and the astonishing 416 days in 2012.
The quicker detection times may be due to a few reasons, including the fact that threat actors are becoming more disruptive, so their malicious actions are more visible and therefore detected more quickly, Carmakal says.