Russian threat actors were the most prolific last year – and were eight times faster at 'breaking out' than their nearest rival.

Larry Loeb

February 20, 2019

CrowdStrike, the US security firm, has this week issued the "2019 CrowdStrike Global Threat Report."

In the report, CrowdStrike ranked threat groups (both governmental and private) based on their "breakout time." They define this term as "the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network."

The dataset used for the breakout time analysis was based on intrusions that occurred during 2018 among the organizations CrowdStrike works with. Although it is large and represents every major industry across 176 countries, the dataset is not universal. CrowdStrike admits "it is possible that researchers looking at other datasets may arrive at different measurements for breakout time."

The report compares the breakout speeds measured for Russia, China, North Korea, Iran and the combined category of global eCrime actors.

Russian threat actors were found to be the most prolific last year, and had an average breakout time of 18 minutes and 49 seconds. This was eight times as fast as their speediest competitor -- North Korea-based adversaries. The North Koreans are almost twice as fast as intrusion groups thought to be from China.

The report notes that while Chinese-affiliated groups had an average breakout time of four hours, there were groups within China that were considerably faster. The average breakout metric may not account for some faster-acting individuals.

The overall average breakout time that CrowdStrike observed in 2018 across all intrusions and threat actors was 4 hours 37 minutes, which is a substantial increase from the 1 hour and 58 minutes tracked in 2017.

The report says that "a variety of factors may have contributed to this increase, including a rise in intrusions from slower-moving adversaries, as well as more organizations deploying next-generation endpoint security technologies that are more effective at detecting and stopping intrusions than legacy antivirus."

Additionally, the report found malware was a dominant method used by various types of attackers for initial infiltration. The media, technology and academic sectors were more heavily targeted by malware-free ("fileless" or memory resident) threats.

The report came to other conclusions including:

  • Nation-state adversaries were continuously active throughout 2018. Their activities were primarily aimed at targeting dissidents, regional adversaries, and foreign powers to collect intelligence for decision-makers.

  • Many countries used public channels to pay lip service to curbing their cyber-activities, but behind the scenes, they seemed to double down on their cyber espionage operations. The actors would combine their efforts with further forays into destructive attacks and financially motivated fraud.

  • Sixty percent of all cyber attacks involved a form of file-based malware, as opposed to "fileless" techniques.

  • China and North Korea were found to originate almost half of all the nation-state attacks in 2018.

  • Hacking supply chain companies instead of attacking targets directly has become a widely used tactic.

  • Cybercrime groups are now increasingly renting the services or tools provided by other groups, instead of creating their own. Criminal gangs adopted the tactic of "big game hunting" in ransomware attacks. This is when eCrime actors combine targeted enterprise intrusions with ransomware to extract large payoffs from organizations.

  • CrowdStrike also observed increased collaborations between "highly sophisticated" criminal actors.

The report has many details about all these topics, and is too broad to fully summarize here. But the overall sweep of the details in it can only give rise to concerns about the extent and depth of how threat actors function.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401.
