2017 in cyber perspective: The rise of Iranian threat actors, repeat attacks and other trends

In 2017, cyber security threats, breaches and attacks came in rapid fire as threat actors developed new and more sophisticated ways to exploit vulnerabilities, steal information, disrupt operations and make money in the process. Undiscriminating in their attacks, the year saw the truth about Equifax and Uber emerge, WikiLeaks’ steady leak of US intelligence documents and hacking tools, devastating strains of ransomware like WannaCry and NotPetya, healthcare hacks, cyber espionage campaigns and breaches spreading like wildfire.

Security firm FireEye’s Mandiant has released its annual M-Trends 2018 report this week detailing some of the newer and longer-term trends identified across the cyber landscape and new advanced persistent threat groups that have stepped up their covert attacks, tactics and techniques over the past year.

Global exposure and mitigation

Researchers observed that the global median dwell time for attackers in 2017 slightly increased from the year before - 101 days up from 99 days in 2016. Regionally, the median dwell time for the Asia-Pacific (APAC) reason rose significantly from 172 days in 2016 to 498 days in 2017 highlighting that attackers were able to maintain access to compromised systems far longer than expected.

Meanwhile, the median dwell time for EMEA was 175 days, up from 106 days in 2016. On the other hand, the Americas’ median dwell time slightly decreased from 99 days in 2016 to 75.5 days in 2017.

Notably, the global median time for internal detection has dropped by over three weeks - from 80 days in 2016 to 57.5 days in 2017, signalling that organizations’ in-house detection systems and teams are getting better at detecting malicious threats and actors.

Emergence of new APT groups

As cyber espionage campaigns, TTPs and attack motivations grew more sophisticated over the past year, FireEye named four new APT groups that were promoted from previously tracked TEMP groups.

One sophisticated group that has been tracked since at least 2014 was APT32, also known as the OceanLotus Group, that targets foreign corporations with vested interests in Vietnam, foreign governments, Vietnamese dissidents and journalists. In a recent campaign, the group launched social engineering emails with Microsoft ActiveMime file attachments to deploy malicious macros and download additional dubious payloads from a remote server onto the targeted system.

“We believe recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business or preparing to invest in the country,” researchers noted in the report. “While the specific motivation for this activity remains opaque, it could ultimately erode targeted organizations’ competitive advantage.”

Uptick in attacks by Iran-sponsored actors

FireEye’s Mandiant observed a notable rise in cyberattacks by Iran-sponsored threat actors in 2017. These incidents have grown in severity from web defacements by a “loose collective of patriotic hackers” and DDoS campaigns to an operational pace and scale at par with other nation-state sponsored threat groups in the post-Stuxnet era.

“Today they leverage strategic web compromises (SWC) to ensnare more victims, and to concurrently maintain persistence across multiple organizations for months and sometimes years,” researchers said. “When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals.”

Two Iran-linked threat groups that have emerged in 2017 are APT33, APT34 and APT35 - all of which focused on targets in the Middle East.

APT33’s cyberespionage operations target defense, aerospace and petrochemical organizations to harvest information. Mandiant said evidence suggests the group has been targeting Western and Saudi Arabian agencies that provide maintenance, training and support for Saudi Arabia’s military and commercial fleets as well.

Utilizing a mix of public and non-public tools, APT33 leveraged a range of tools and techniques in launching spear-phishing operations such as multiple non-public backdoors, built-in phishing module from “ALFA TEaM Shell” and DROPSHOT malware to deploy variants of the TURNEDUP backdoor.

APT34 conducted reconnaissance that seemed to align with strategic Iranian interests. Honing in on the Middle East, the group primarily focused on financial, energy and government organizations among others. Similar to APT33, this group used both public and non-public tools in their spear-phishing campaigns.

In July 2017, APT34 targeted an unnamed Middle Eastern organization by delivering the POWRUNER PowerShell-based backdoor using a malicious RTF file that exploited CVE-2017-0199. In November, it exploited the Microsoft Office vulnerability CVE-2017-11882 to deliver POWRUNER and the downloader BONDUPDATER shortly after Microsoft issued a patch for the flaw.

APT35, also known as the Newscaster Team, targeted US and Middle Eastern government, military and diplomatic personnel, energy and defense industrial base, media organizations as well as engineering, telecommunications and business service sectors. Its name stems from its social engineering campaigns that involve using fake but detailed social media personalities, many of which claim to be from news organizations.

According to Mandiant, few threat actors have been as successful as APT35 with regards to stealing email.

APT35’s “methodology for accessing and stealing email from a victim organization adapted to accommodate cloud migration trends as companies moved to off premises email solutions such as Office 365”, researchers said. “Ultimately, APT35 had used access to hundreds of mailboxes to read email communications and steal data related to Middle East organizations, which later became victims of destructive attacks.”

Chinese cyber espionage in 2018?

Researchers said China has mostly complied with the landmark “Obama-Xi Agreement” in September 2015 under which the Chinese government agreed not to use state-sponsored hackers to steal information and intellectual property from US companies. Although there has been a notable drop in Chinese government-controlled cyber campaigns and operations, researchers have observed an increase in cyber espionage campaigns targeting cloud service providers, telecommunications and law firms.

“We further assess China may be willing to violate the “Obama-Xi Agreement” on strategic imperatives when diplomatic consequences can be minimized,” researchers noted. “China may be willing to risk upsetting the status quo to obtain the economic and military advances these technologies could provide.”

Fool me once, fool me twice

Users and organizations that fall victim to hackers are more likely to fall for another similar cyberattack or data breach just months following the initial intrusion, researchers found.

According to FireEye, 56% of organizations targeted by a significant attack in 2017 were targeted a second time within months. Nearly half of those who fell victim to the first attack were successfully attacked again within 12 months of the first incident. A whopping 86% of organizations who experienced more than one significant attack also had more than one unique attacker in their environment.

This trend of repeat attacks was particularly severe in the APAC region where customers are twice as likely to have experienced multiple cyberattacks, as compared to those in the Americas or EMEA region.

The top three industries targeted by multiple attackers included high-tech, telecommunications and education. Meanwhile, the top industries with the most significant attacks were financial, high-tech and healthcare.

Prevalent weaknesses in detection and prevention controls

Although organizations have been shoring up efforts to bolster their cyber defenses, detection and prevention controls, researchers said there are still significant weakness in their implementation that are easily exploited by hackers. These include lack of mature threat, vulnerability and patch management functions, weakness in authentication and authorization controls, lack of well-defined data classification policies and protection requirements for sensitive data, issues with consolidated visibility across all environments and weaknesses in network segmentation and cloud services configuration.

Many organizations still rely on legacy signature-based endpoint protections as opposed to hardened detection and prevention controls such as advanced malware protections, investigation capabilities and application whitelisting.

“Defenders have to get it right every single time, while threat actors only need to get it right once,” researchers noted.