Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/31/2018
04:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Lazarus Group, Fancy Bear Most Active Threat Groups in 2017

Lazarus, believed to operate out of North Korea, and Fancy Bear, believed to operate out of Russia, were most referenced threat actor groups in last year's cyberattacks.

The busiest threat actor groups of 2017 were Sofacy (otherwise known as Fancy Bear or APT28) and the Lazarus Group, security experts report. As these groups ramped up activity, threat actors operating out of China became quiet.

Analysts at AlienVault leveraged data from its Open Threat Exchange (OTX) threat intelligence sharing platform to take a broad look at threat patterns from last year. They found the most frequently referenced threat group in 2017 was Sofacy.

Ten years ago, Sofacy primarily targeted NATO and defense ministries. Over the past three years its operations have expanded to target businesses, individuals, and elections in the United States and France. Leaked information from the US government, and an official report from the German government, indicate the threat group is associated with Russian military intelligence.

The second most active group was Lazarus, which is believed to operate out of North Korea (or Democratic People's Republic of Korea, DPRK).

"In the past, security researchers thought DPRK cyber adversaries were unsophisticated compared to more traditional nation-state adversary groups, like China or Russia," says Dmitri Alperovitch, cofounder and CTO at CrowdStrike.

"However, the North Korea regime has invested significant resources in training and development in recent years and their cyber capabilities have matured significantly as a result." Alperovitch points out that in 2017, cyber operations were linked to DPRK almost monthly. Lazarus was linked to WannaCry and has hacked into banks and cryptocurrency exchanges.

Crowdstrike found Lazarus is comprised of four groups: Silent Chollima, Stardust Chollima, Labyrinth Chollima, and Ricochet Chollima. Most adversaries focus on targeted attacks or cyberespionage; DPRK threat actors aren't as particular. While they primarily focused on South Korean targets in 2017, they have been known to hit organizations in other regions.

What usually motivates these groups? John Bambenek, manager of threat systems at Fidelis Cybersecurity, says financial gain is often a driver. "You're dealing with organized crime, in essence," he explains. "There's a payday at the end of it."

Attackers, specifically those in North Korea, have begun turning to cryptocurrency. More are targeting consumer devices and leveraging their computing power to mine crypto. "For a nation that is highly sanctioned with currency requirements, Bitcoin and its related cousins provided great means to capitalize," Bambenek points out.

The goals of nation-state threat actors will vary from group to group. Those looking for money could target cryptocurrency exchanges while those seeking to disrupt election cycles could target social media to spread disinformation. "It depends on the geopolitical circumstances," he says.

Why Chinese threat groups fell silent

AlienVault's data shows Stone Panda, also known as APT10 or CloudHopper, fell in tenth place for 2017 activity. This is the highest-ranked group operating out of China, and AlienVault threat engineer Chris Doman notes its ranking "would have been very different three years ago."

The last year saw a significant decrease in the number of targeted attacks from China-based threat groups against Western businesses. While this followed political pressure and agreements to stop activity, it's also possible their attacks have become tougher to detect. CloudHopper is known to hit targets by compromising major IT service providers, a method that's difficult to detect for vendors and government agencies.

"We may continue to see reported activity from groups in China drop further," Doman writes, adding that UPS (also known as Boyusec or APT3) switched from Western to domestic targets.

What should you worry about?

Alperovitch warns businesses to worry about the danger North Korean threat groups pose to their brands and networks. "These adversaries have demonstrated a degree of unpredictability about what they may try to do next," he says. "It is important for organizations to continually hunt their systems for potential intrusions and swiftly remediate before any damage is done."

Bambenek acknowledges the potential for ICS-based attacks, which he says will be a growing area of focus for threat groups. "Someone will take a utility hostage for ransom," he says. "With Triton getting published to GitHub, we've drastically lowered the bar for ICS attacks."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3896
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-3954
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
CVE-2019-10085
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-11038
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
CVE-2019-11039
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.