
Cybersecurity Threat Analysis

Every quarter, this section of the Observatory details and analyses emerging threats for a non-technical audience, structured using the NC3 threat conceptual model.
General Overview for the period
Get a rapid overview of the main cyber security incidents identified and attributed this quarter, along with a trend comparison to the previous quarter.
Q1 2024
Threat Landscape
Main Threat Actor: Kimsuky, 15 attributed events (change from previous quarter: +1)
Main External Pathway: Phishing, 2204 attributed events (change from previous quarter: -5998)
Main Infrastructure: IoT, 346 attributed events (change from previous quarter: +62)
Main Tool: Remcos, 83 attributed events (change from previous quarter: +78)
Main Access Points & Prevention
Main Access Point: CVE, 342 attributed events (change from previous quarter: +321)
Main Target & Impact
Main Target: Defense, 16 attributed events (change from previous quarter: +11)
Main Impact: Ransom, 37 attributed events (change from previous quarter: +16)
Detailed View & Analysis
Dive deeper with a comprehensive breakdown of each cyber incident identified this quarter, including analyses, attribution evidence, and comparative metrics.
Q1 2024
Threat Agent Activities
Who were the main threat actors acting during the period?
Our analysis
Cyber-attacks often come from actors with specific intents, yet attribution remains challenging: for many attacks the identity and motivation of the perpetrator are unknown. The changes reported here are calculated as differences from the previous quarter, Q4 2023. Some well-known groups, including Kimsuky and the Lazarus Group, maintained their presence, with Kimsuky showing a slight increase to 15 attacks, representing 34.88% of incidents, and Lazarus holding steady at 14 attacks, or 32.56%. APT28 emerged anew with 4 recorded attacks, accounting for 9.30%, while other new entrants such as Silent Librarian, Turla, APT37, and menuPass contributed fewer attacks. Some groups, including APT-C-36, APT38, Andariel, Molerats, MuddyWater, and the Sandworm Team, had no reported activities, reflecting the dynamic nature of cyber threats and the difficulty in pinpointing responsible actors.
Threat Actors Name
Attributed Events
Trend
Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
Lazarus Group is a North Korean state-sponsored cyber threat group; it uses a wide range of methods depending on the characteristics of the campaigns carried out and the objectives pursued. It mainly aims at manipulating employees of strategically important companies, such as those involved in the military or aerospace industry.
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.
APT29 is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. It primarily targets Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors.
No Description
Turla is a Russian-based threat group that, since 2004, has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names, BlackTech's campaigns are likely designed to steal their targets' technology.
Tortoiseshell has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.
External Transfer Pathways
Ways harmful files or content are sent from external sources.
Our analysis
Cyber-attacks utilize a variety of technical procedures and infrastructures, with the most common strategies being scams delivered through email or similar channels to reach potential victims. Phishing is the predominant strategy, though other scam strategies are recorded. Changes from Q4 2023 highlight a notable decrease in phishing incidents from 8202 to 2204 (-73.13%), while smishing also decreased from 109 to 57 (-47.71%). However, collection increased from 13 to 21 (+61.54%), and malspam increased from 11 to 12 (+9.09%). Other techniques, such as execution, DDoS, espionage, and DNS hijacking, saw varying levels of activity.
Pathway
Attributed Events
Trend
Focus on Phishing
With the support of SpamBee we collected the main keywords and email addresses associated with phishing attacks.
Keywords & Email Addresses Identified:
Infrastructures
Infrastructures represent the systems used to help carry out attacks.
Our analysis
Infrastructures represent the types of systems used to support attacks, encompassing those meant to compromise targeted systems or maintain a foothold within them. Once access to a system or device has been gained, a communication channel is maintained through command and control (C2) infrastructures and the use of IoT devices. These infrastructures enable cyber actors to issue instructions to compromised devices, download additional malicious payloads, and exfiltrate stolen data. The report indicates shifts from Q4 2023, notably an increase in IoT usage from 284 to 346 (+21.83%). Additionally, DNS and botnet infrastructures saw increases, with DNS rising from 2 to 5 and botnet from 1 to 3. Conversely, C2 and malicious network infrastructures did not report any activity in Q1 2024, reflecting the dynamic nature of cyber threats and the adaptability required for effective defense strategies.
Infrastructure
Attributed Events
Trend
Tools
Types of viruses used to exploit or damage digital systems.
Our analysis
The monitoring system revealed a significant prevalence of malware usage, particularly associated with IoT systems. During this quarter, there was an increase in events involving ransomware and trojans. Malware incidents decreased from 739 to 611 (-17.32%), whereas ransomware incidents increased from 20 to 36 (+80.00%). Additionally, loaders surged from 3 to 32 (+966.67%), and incidents involving stealers rose from 23 to 27 (+17.39%). Moreover, RAT incidents increased from 8 to 20 (+150.00%), and downloaders increased from 7 to 20 (+185.71%). Backdoor incidents also rose notably from 3 to 14 (+366.67%). However, incidents involving droppers, banking malware, bots, trojans, and wipers remained static or reported no activity in Q1 2024.
Tool
Attributed Events
Trend
Point of Access
Review the identified gateways that have been used as entry points in previous cyber incidents.
Our analysis
The most commonly reported access point is email, which isn't too surprising given its effectiveness as an ingress vector for several types of attacks. It often exploits users' weaknesses, whether voluntary (negligence) or involuntary (lack of knowledge about specific threats). The monitoring system collected a significant amount of information about Common Vulnerabilities and Exposures (CVE). During this period, the attribution rate increased significantly, primarily due to the high number of CVE records. Specifically, CVE incidents surged from 21 to 342 (+1528.57%). Vulnerability incidents increased slightly from 17 to 20 (+17.65%), while zero-day incidents rose from 1 to 9 (+800.00%). Other access points, such as web browsers, Dropbox, Facebook, servers, Windows, and Citrix, either remained static or reported no activity in Q1 2024.
Point of Access
Attributed Events
Trend
Component and System Vulnerabilities
Inspect known weak spots within software and hardware, complemented by details on available protective patches.
Component
Vulnerability
CVE Identifier
Protective Patch
Type of Impact
Various outcomes of cyber threats identified.
Our analysis
The information detected by the monitoring system regarding the type of consequences for the victim is mainly related to scams and ransom demands. Notably, the share of ransom demands increased from 50% to 56.06%, with incidents rising from 21 to 37. The high number of scams is primarily due to the classification of phishing records as scam events, resulting in a rather low attribution rate for this class. Scam incidents rose slightly in count from 21 to 24, although their share fell from 50% to 36.36%. Additionally, incidents related to espionage increased from 0% to 7.58%, with 5 recorded incidents in Q1.
Type of Impact
Attributed Events
Trend
IT Target
Highlighting specific IT objectives that cyber attackers aimed for.
Our analysis
Information on the attacked IT target is not sufficiently described by the analyzed events. However, it should be noted that there is still some residual evidence of the attack campaign related to the exploitation of a number of vulnerabilities in Microsoft Exchange Server. In Q1, there was an increase in incidents targeting Exchange and Office 365 (O365), each accounting for 1 recorded incident, representing 25% of the total each. Meanwhile, incidents targeting Windows decreased from 2 to 1, accounting for 25% of the total, marking a 50% decrease.
Type of Impact
Attributed Events
Trend
Type of Victim
Diverse sectors targeted by cyber threats during the period.
Our analysis
Incidents affecting defense organizations increased significantly from 29.41% to 76.19%, indicating a notable shift in targeting. Conversely, incidents affecting government facilities decreased from 35.29% to 9.52%. There was also a slight increase in incidents affecting the energy sector from 0% to 4.76%. However, incidents affecting financial services decreased from 23.53% to 4.76%, and incidents affecting water and wastewater systems decreased from 11.76% to 4.76%.
Infrastructure
Attributed Events
Trend