
Threat Intelligence

2/19/2019
02:55 PM

19 Minutes to Escalation: Russian Hackers Move the Fastest

New data from CrowdStrike's incident investigations in 2018 uncover just how quickly nation-state hackers from Russia, North Korea, China, and Iran pivot from patient zero in a target organization.

It takes Russian nation-state hackers just shy of 19 minutes to spread beyond their initial victims in an organization's network - yet another sign of how brazen Russia's nation-state hacking machine has become.

CrowdStrike gleaned this attack-escalation rate from the 30,000-plus cyberattack incidents it investigated in 2018. North Korea followed Russia at a distant second, at around two hours and 20 minutes to move laterally; then China, at around four hours; and Iran, at around five hours and nine minutes.

"This validated what we've seen and believed - that the Russians were better [at lateral movement]," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We really weren't sure how much better," and their rapid escalation rate came as a bit of a surprise, he says.

Cybercriminals overall are slowest at lateral movement, with an average of nine hours and 42 minutes to move from patient zero to another part of the victim organization. The overall average time for all attackers was more than four-and-a-half hours, CrowdStrike found.

Russia's speedy infiltration of organizations versus other nation-states like China - which overall was the most active of all nation states in hacking in 2018 - reflects how Russia's cyber operations have evolved dramatically over the past few years. Russia wasn't always so brazen: The shift became painfully obvious during the 2016 US presidential election with its aggressive doxing and hacking and other malicious online activity.

"One of the definitive characteristics of Russia is that it's willing to go fast and break things" without caring about getting identified or outed, notes John Bambenek, director of cybersecurity research at ThreatStop. "They behave in atypical ways for an intel agency [in cases]. They get a beachhead and keep moving."

It's often easier to attribute attacks to Russian hacking teams because they move so quickly and are more likely to make mistakes that out or catch them in their tracks, he says. "Their mindset is to go fast and break things ... and they are still getting results," Bambenek says.

Even if they are outed, they rarely face consequences given the lack of an extradition agreement between the US and Russia.

Russia shifted from cagey to brazen around the fall of 2014, according to Kevin Mandia, CEO of FireEye, who explained the transformation in an interview with Dark Reading after the 2016 election. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, Russian attackers would disappear as soon as they were rooted out by investigators: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."

Those days are long gone, experts say.

Jennifer Ayers, vice president of OverWatch and Security Response at CrowdStrike, says attackers overall are getting faster at infiltrating and invading their targets' networks. Russia's relative speediness, in part, has to do with its abuse of Web servers that, for example, haven't been hardened, she says.

"In many cases, they are using common malware and techniques like phishing email campaigns and BEC [business email compromise]. They are using Web servers on the Net that have not been hardened, so it lets them in a faster time move laterally from entry point to the next level," Ayers explains. Organizations, in turn, must lock down those weakest links and speed up their response rates, according to Ayers.

China
In contrast, China operates more slowly and deliberately, underscored by its more than four hours to get beyond its initial victim in a targeted organization. "They do [the initial attack], step back, get more data, and plan their next steps," taking time, for example, to create kernel modules for specific machines, ThreatStop's Bambenek says. "That takes time."

China last year began reupping its hacking for economic and competitive gain after a temporary reprieve following the 2015 pact between President Obama and China President Xi Jinping not to conduct cyber spying attacks for economic gain. "China is back in economic espionage [attacks] - all of this is taking place across diverse industries," Alperovitch says. 

China was technically the "biggest story of 2018," he says.

So far in 2019, China continues to be the most active nation-state in cyberattacks, notes Benjamin Read, senior manager for cyber espionage analysis at FireEye. While FireEye hasn't measured the lateral movement speeds of various nation-states in its investigations, he says, it's logical that Russia would be the most efficient at escalation.

"It makes sense with their being the most technical of adversaries," Read says. For now, Russian activity mainly is focused on European targets, he notes.

Russia, not surprisingly, is expected to ratchet up its targeting of the US in the run-up to the 2020 US presidential election.

Now What?
With the average dwell time of an attacker at six months, according to Verizon's Data Breach Investigations Report (DBIR), just how can defenders apply this so-called "breakout time" of various nation-state actors?

CrowdStrike recommends applying those breakout times to benchmark the time it takes them to detect, investigate, and fix or remediate systems after an attack.

Defenders also can tune their security tools and processes, notes Ayers, setting rules that take these tight time frames into account. The tools can be set to determine in a matter of minutes whether to take action on a specific threat - blocking a hash if it's a piece of malware, for example. They also can determine whether a threat should be escalated to the incident response team for a deeper investigation, or whether passwords should be reset, she notes.
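As an added illustration of the benchmarking idea above (this is not code from the article or from CrowdStrike), the Python script below computes an observed breakout time from a constructed alert log and checks a detect/investigate/remediate cycle against the breakout times quoted in the article. The log format, host names, and the rounding of "just shy of 19 minutes" to 19 minutes are assumptions.

```python
from datetime import datetime, timedelta

# Breakout times quoted in the article (CrowdStrike's 2018 incident data).
# Russia's "just shy of 19 minutes" is rounded to 19 minutes here (assumption).
BREAKOUT_TIMES = {
    "Russia": timedelta(minutes=19),
    "North Korea": timedelta(hours=2, minutes=20),
    "China": timedelta(hours=4),
    "Iran": timedelta(hours=5, minutes=9),
    "eCrime": timedelta(hours=9, minutes=42),
}

# Constructed sample alert log, one "<ISO time> <host> <event> <detail>" per
# line. Hosts and events are made up for the example, not real telemetry.
SAMPLE_LOG = """\
2019-02-01T09:00:00 ws-017 malware_detected phish_dropper.exe
2019-02-01T09:12:00 ws-017 suspicious_powershell encoded_cmd
2019-02-01T09:41:00 fs-002 remote_service_created psexesvc
2019-02-01T09:55:00 dc-001 credential_dump lsass_access
"""

def parse_log(text):
    """Return a list of (timestamp, host, event) tuples from the alert log."""
    events = []
    for line in text.splitlines():
        ts, host, event, _detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, event))
    return events

def observed_breakout(events):
    """Breakout time: first alert to the first alert on a different host.
    Returns None if the intrusion never left the initial host."""
    events = sorted(events)
    t0, patient_zero, _ = events[0]
    for ts, host, _ in events[1:]:
        if host != patient_zero:
            return ts - t0
    return None

def response_cycle(start, detected, triaged, remediated):
    """Durations of the detect / investigate / remediate phases (ISO timestamps)
    and whether the whole cycle finished inside each adversary's breakout time."""
    s, d, t, r = (datetime.fromisoformat(x) for x in (start, detected, triaged, remediated))
    phases = {"detect": d - s, "investigate": t - d, "remediate": r - t}
    total = sum(phases.values(), timedelta())
    return phases, {name: total <= bt for name, bt in BREAKOUT_TIMES.items()}
```

With the sample log the intrusion reaches a second host after 41 minutes, so a three-hour response cycle beats the China, Iran, and eCrime benchmarks but not the Russian or North Korean ones.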

Speeding up response is key, Bambenek notes. "I care if they are marching through my infrastructure, but once they start stealing data, then I have a real problem," he says.

Meanwhile, CrowdStrike last year also spotted China, Iran, and Russia upping their targeting of telecommunications providers. Alperovitch says it's all about control of the Internet: "Just as previous wars fought over telegraph lines and radar and radio waves, this is the new battlefield - every nation wants to get an advantage," he says. "Telecommunications targets hold so much valuable information."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
