
19 Minutes to Escalation: Russian Hackers Move the Fastest

New data from CrowdStrike's incident investigations in 2018 uncover just how quickly nation-state hackers from Russia, North Korea, China, and Iran pivot from patient zero in a target organization.

It takes Russian nation-state hackers just shy of 19 minutes to spread beyond their initial victims in an organization's network - yet another sign of how brazen Russia's nation-state hacking machine has become.

CrowdStrike gleaned this attack-escalation rate from the 30,000-plus cyberattack incidents it investigated in 2018. North Korea was a distant second, taking around two hours and 20 minutes to move laterally, followed by China at around four hours and Iran at around five hours and nine minutes.

"This validated what we've seen and believed - that the Russians were better [at lateral movement]," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We really weren't sure how much better," and their rapid escalation rate came as a bit of a surprise, he says.

Cybercriminals overall are slowest at lateral movement, with an average of nine hours and 42 minutes to move from patient zero to another part of the victim organization. The overall average time for all attackers was more than four-and-a-half hours, CrowdStrike found.

Russia's speedy infiltration of organizations versus other nation-states like China - which overall was the most active of all nation-states in hacking in 2018 - reflects how dramatically Russia's cyber operations have evolved over the past few years. Russia wasn't always so brazen: the shift became painfully obvious during the 2016 US presidential election, with its aggressive doxing, hacking, and other malicious online activity.

"One of the definitive characteristics of Russia is that it's willing to go fast and break things" without caring about getting identified or outed, notes John Bambenek, director of cybersecurity research at ThreatStop. "They behave in atypical ways for an intel agency [in cases]. They get a beachhead and keep moving."

It's often easier to attribute attacks to Russian hacking teams because they move so quickly and are more likely to make mistakes that expose them or catch them in their tracks, he says. "Their mindset is to go fast and break things ... and they are still getting results," Bambenek says.

Even if they are outed, they rarely face consequences given the lack of an extradition agreement between the US and Russia.

Russia shifted from cagey to brazen around the fall of 2014, according to Kevin Mandia, CEO of FireEye, who explained the transformation in an interview with Dark Reading after the 2016 election. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, Russian attackers would disappear as soon as they were rooted out by investigators: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."

Those days are long gone, experts say.

Jennifer Ayers, vice president of OverWatch and Security Response at CrowdStrike, says attackers overall are getting faster at infiltrating and invading their targets' networks. Russia's relative speediness, in part, has to do with its abuse of Web servers that, for example, haven't been hardened, she says.

"In many cases, they are using common malware and techniques like phishing email campaigns and BEC [business email compromise]. They are using Web servers on the Net that have not been hardened, so it lets them move laterally in a faster time from entry point to the next level," Ayers explains. Organizations, in turn, must lock down those weakest links and speed up their response rates, according to Ayers.

In contrast, China operates more slowly and deliberately, underscored by the more than four hours it takes to get beyond its initial victim in a targeted organization. "They do [the initial attack], step back, get more data, and plan their next steps," taking time, for example, to create kernel modules for specific machines, ThreatStop's Bambenek says. "That takes time."

China last year began re-upping its hacking for economic and competitive gain after a temporary reprieve following the 2015 pact between President Obama and Chinese President Xi Jinping not to conduct cyber spying attacks for economic gain. "China is back in economic espionage [attacks] - all of this is taking place across diverse industries," Alperovitch says.

China was technically the "biggest story of 2018," he says.

So far in 2019, China continues to be the most active nation-state in cyberattacks, notes Benjamin Read, senior manager for cyber espionage analysis at FireEye. While FireEye hasn't measured the lateral movement speeds of various nation-states in its investigations, he says, it's logical that Russia would be the most efficient at escalation.

"It makes sense with their being the most technical of adversaries," Read says. For now, Russian activity mainly is focused on European targets, he notes.

Russia, not surprisingly, is expected to ratchet up its targeting of the US in the run-up to the 2020 US presidential election.

Now What?
With the average dwell time of an attacker at six months, according to Verizon's Data Breach Investigations Report (DBIR), just how can defenders apply this so-called "breakout time" of various nation-state actors?

CrowdStrike recommends that defenders use those breakout times as benchmarks for how long it takes them to detect, investigate, and fix or remediate systems after an attack.

Defenders also can tune their security tools and processes, Ayers notes, setting rules that account for those tight time frames. The tools can be set to decide in a matter of minutes whether to take action on a specific threat - blocking a hash if it's a piece of malware, for example. They also can determine whether a threat should be escalated to the incident response team for a deeper investigation, or whether passwords should be reset, she notes.
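As an added illustration of that benchmarking advice (example code, not from the article, CrowdStrike, or any of the experts quoted), the following Python scores a constructed incident timeline against the breakout times reported above; the phase names, the "timestamp phase" log format, and the sample timeline are assumptions.

```python
from datetime import datetime, timedelta

# Breakout times (initial foothold to lateral movement) reported by
# CrowdStrike for the 2018 incidents it investigated, as given in the article.
BREAKOUT_TIMES = {
    "Russia": timedelta(minutes=19),
    "North Korea": timedelta(hours=2, minutes=20),
    "China": timedelta(hours=4),
    "Iran": timedelta(hours=5, minutes=9),
    "Cybercriminals": timedelta(hours=9, minutes=42),
}

# Assumed response phases, in the order they must occur.
PHASES = ("compromise", "detect", "investigate", "remediate")


def parse_timeline(lines):
    """Parse assumed 'ISO-timestamp phase' lines into a dict of datetimes.

    Rejects unknown phase names and timelines with a phase missing, so an
    incomplete record cannot be scored as a fast response by accident.
    """
    events = {}
    for line in lines:
        stamp, phase = line.split()
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        events[phase] = datetime.fromisoformat(stamp)
    missing = [p for p in PHASES if p not in events]
    if missing:
        raise ValueError(f"timeline missing phases: {missing}")
    return events


def benchmark(events):
    """Return (per-phase durations, total response time, adversaries beaten).

    An adversary is 'beaten' when the whole detect-investigate-remediate cycle
    finished before that adversary's reported breakout time elapsed.
    """
    durations = {}
    prev = events["compromise"]
    for phase in PHASES[1:]:
        if events[phase] < prev:
            raise ValueError(f"{phase} is recorded before the preceding phase")
        durations[phase] = events[phase] - prev
        prev = events[phase]
    total = events["remediate"] - events["compromise"]
    beaten = [name for name, t in BREAKOUT_TIMES.items() if total < t]
    return durations, total, beaten


# Constructed sample timeline: 8 min to detect, 57 min to investigate,
# 1 h 45 min to remediate, for a total of 2 h 50 min.
SAMPLE_TIMELINE = [
    "2019-02-19T09:00:00 compromise",
    "2019-02-19T09:08:00 detect",
    "2019-02-19T10:05:00 investigate",
    "2019-02-19T11:50:00 remediate",
]
```

Run on the sample, the response beats China, Iran, and the cybercriminal average but not Russia or North Korea, which is exactly the gap the article says defenders should measure.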

Speeding up response is key, Bambenek notes. "I care if they are marching through my infrastructure, but once they start stealing data, then I have a real problem," he says.

Meanwhile, CrowdStrike last year also spotted China, Iran, and Russia upping their targeting of telecommunications providers. Alperovitch says it's all about control of the Internet: "Just as previous wars fought over telegraph lines and radar and radio waves, this is the new battlefield - every nation wants to get an advantage," he says. "Telecommunications targets hold so much valuable information."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
