Year of the Dragon – Summary report of cyber events for 2018

We are happy to present our yearly summary report of cyber events for 2018. This report is
a combined effort of our intelligence research, threat-hunting and analyst teams. One of the
biggest challenges in cyber space is the overwhelming, and at times contradictory, amount of
data we are confronted with on a daily basis.

As a result, companies and organizations may lose sight of the broader picture. While it is
often useful to understand the micro-level elements of a cyber incident, it is also imperative
to have a clear, over-arching understanding of the events that unfolded before and after it.
Accordingly, our report provides a comprehensive overview and analysis of the most
significant events that took place this past year.

Read the full report: Summary report of cyber events for 2018


Abstract

Hundreds of Companies and Organizations Globally Targeted by Chinese APTs

2018 is the third consecutive year in which nation-state attackers were the most significant
cyber actors. However, unlike 2017, when we assessed Russian APTs as the most influential
cyber threat due to their prolific activity, in 2018 China became the most significant
nation-state attacker.

The campaigns revealed this year indicate a substantial effort by China to obtain, by any
means necessary, bleeding-edge proprietary technology and research, as well as political and
military intelligence. It appears that China expanded its cyber operations in order to promote
and secure its national interests, with little regard for international, economic or regulatory
agreements. Notably, in December the US exposed a large-scale and aggressive attack
campaign targeting numerous companies and organizations around the world.

In our assessment, over the last few years China has systematically amassed a massive and
unprecedented wealth of knowledge, unlawfully obtained from thousands of companies,
organizations, academic institutions, governments and military bodies around the world.
China's end goal with these operations is to surpass the US economically and technologically
and to position itself as the leading superpower.

It should be noted that this method of operation is not new. Many of the attacks that were
exposed this year had operated undetected over long periods of time. With that in mind, over
the last year in particular we have seen bold attacks and campaigns. It appears that Chinese
cyber actors are returning to their modus operandi of 2016, characterized by aggressive
attack vectors with less emphasis on remaining covert. This, in conjunction with the growing
efforts of various countries around the world to combat cyber threats, is among the reasons
that multiple large-scale Chinese cyber operations were revealed throughout 2018.

Russian Attacks

In 2018, just as in 2017, Russia continued to be a significant nation-state actor and a habitat
for cybercrime groups, the latter stealing billions of dollars over the past year via
ransomware and targeted spear-phishing attacks. As in recent years, the sectors most
targeted by Russian actors in 2018 were government, healthcare and finance. However, unlike
in previous years, many Russian attacks were thwarted by US intelligence, defense and law
enforcement bodies.

Most significant cyber attack types in 2018

  • Spear and scatter-shot cyber extortion – millions of SMEs (Small to Medium
    Enterprises; aka SMBs – Small to Medium Businesses), including their clients and
    customers, were affected this year by cyber extortion executed both by
    cybercriminal organizations and by lone hackers operating independently.
  • BEC (Business Email Compromise) – these scams (aka “Man-in-the-Email” and CEO
    scams) are phishing attacks (often spear-phishing) that impersonate key
    individuals such as the CEO or CFO, representatives of third-party service providers,
    family members or friends, with the purpose of stealing money. According to recent
    estimates, over $12.5 billion was stolen via this vector in the last five years.
  • Theft of financial records and data – as governments and the financial sector
    continually push to digitize financial services and their use, malicious actors are
    finding more and more vectors to steal and exploit financial records and details. For
    example, in the US we have seen an alarming trend in recent years of malicious
    actors stealing W-2 tax forms and leveraging them for monetary gain.
  • Attacks on banks’ core systems and crypto-markets – the magnitude of direct
    financial loss in 2018 is, in our assessment, around $1.5 billion.
  • Multi-dimensional cyber attacks – sophisticated attacks that concurrently target
    multiple systems of an organization. Some of the most notable victims of these attacks
    in 2018 were banks in India, Pakistan, Mexico and Chile. In such attacks the attackers
    may target the ATM system, the credit and debit card payment system and the SWIFT
    system, as well as various IT systems, taking control of them and/or corrupting them
    in order to disrupt operations and hamper the subsequent investigation.
  • Espionage attacks – theft of sensitive data and technology. This is conducted for a
    wide range of reasons, from criminal activity for financial gain to nation-state
    operations in the national interest.
  • Destructive attacks – aka wiper attacks, these are spear or scatter-shot attacks, often
    executed by APT (Advanced Persistent Threat) groups. One of the most significant
    actors executing such attacks in 2018 was Iran, whose APTs targeted Gulf countries;
    this activity escalated following the enactment of financial sanctions on Iran. For
    example, following the sanctions the Iranian government redeployed the destructive
    malware Shamoon against multiple energy providers and governmental
    organizations in the Gulf region.
  • Exploitation of the supply chain to execute cyber attacks – one of the most notable
    attack vectors in 2018 has been targeting third-party IT service and product
    providers in order to breach highly secure companies and organizations; for
    example, the Chinese attack on HP and IBM.

Notable Events and Trends in 2018

  • 2018 was a pivotal year for cyber regulation – throughout 2018, several high-profile
    cyber regulations and initiatives were approved or implemented in numerous
    countries around the world. Many of these also included new measures and
    guidelines that governments and private organizations must follow in order to
    better protect information. Perhaps the most notable of these was the European
    Union’s GDPR (General Data Protection Regulation), which came into force on
    25 May.
  • Attacks on prominent sectors and industries – in 2018 the most targeted industries
    included the public sector (e.g. local and national governments), defense and military,
    healthcare, IT, aviation and finance. Regarding the latter, this past year we witnessed
    dozens of attacks on banks’ core systems as well as crypto-markets, culminating in
    direct financial losses of about $1.5 billion, in our assessment.
  • Rapid exploitation of 1-day vulnerabilities, in conjunction with growing
    proliferation of attack tools – 1-day (or n-day) vulnerabilities are publicly disclosed
    vulnerabilities that have not yet been patched on target systems, either because no
    official fix has been released or because the fix has not yet been deployed. Attackers
    monitor disclosure reports and exploit the window of time between the public
    reveal of a vulnerability and the moment its fix is issued and applied. One of the
    most interesting incidents this year was the 1-day-based malware that the Iranians
    propagated against Gulf states within hours of the vulnerability’s disclosure.

What Didn’t Happen in the cyber arena in 2018

  • Infection event affecting hundreds of companies – in the past year no destructive
    attack with the potential to affect hundreds of companies around the world was
    executed or mitigated. This is in stark contrast to 2017, during which we witnessed
    several such events, with NotPetya being the most destructive, hitting hundreds of
    companies within hours and causing billions of dollars’ worth of damage.
  • Critical national cyber event – in the past year no cyber attack that can be
    classified as “Category 1 – National cyber emergency” was executed (or at least
    exposed). The UK NCSC (National Cyber Security Centre) defines this category as a
    “cyber attack which causes sustained disruption of UK essential services or affects
    UK national security, leading to severe economic or social consequences or to loss of
    life”. In comparison, the 2017 WannaCry event was classified as Category 2.
    In our assessment, the reason no Category 1 event took place this year was the
    significant improvement and strengthening of the global cyber community’s ability to
    detect, alert on and mitigate cyber threats. In our assessment, the US government and
    cyber community uncovered and prevented several Russian and North Korean attacks
    this year that had the potential to cause considerable damage to hundreds or perhaps
    even thousands of companies.
  • Significant shutdown of industrial complexes – in 2018, no significant attack on ICSs
    (industrial control systems) using dedicated ICS malware (such as Triton or
    CrashOverride, aka Industroyer) that resulted in disruption of operations for over a
    week was executed or exposed.