At a glance.
- Russia responsible for more than half of state-sponsored cyberattacks.
- Chinese influence operation attempts to stir up protests in the US.
- SnapMC launches data theft extortion attacks.
Russia responsible for more than half of state-sponsored cyberattacks.
Microsoft says that Russia has been responsible for 58% of the state-sponsored cyberattacks the company has observed over the past year. These attacks have also been more successful this year, and have increasingly focused on government agencies:
"[A]ttacks from Russian nation-state actors are increasingly effective, jumping from a 21% successful compromise rate last year to a 32% rate this year. Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security or defense. The top three countries targeted by Russian nation-state actors were the United States, Ukraine and the UK."
Following Russia, the largest number of attacks came from North Korea, Iran, and China. Most of these attacks were focused on espionage, although Iran also launched destructive cyberattacks against Israel and North Korea conducted financially motivated operations against cryptocurrency companies.
Chinese influence operation attempts to stir up protests in the US.
Mandiant Threat Intelligence has observed a Chinese influence campaign that attempted to foment physical protests in the US over claims by Chinese dissident Guo Wengui, former White House Chief Strategist Steve Bannon, and Chinese virologist Dr. Li-Meng Yan that COVID-19 originated in a Chinese lab. In some instances, the posts shared the apparent home address of Guo Wengui:
"Accounts in the network have actively sought to physically mobilize protesters in the U.S. in response to the COVID-19 pandemic, though we have seen no indication that these attempts motivated any real-world activity. While previous public reporting has highlighted limited instances of organic engagement with the network on Twitter and we have continued to track similar instances of organic engagement on both social media and niche online forums, this direct call for physical mobilization is a significant development compared to prior activity, potentially indicative of an emerging intent to motivate real-world activity outside of China’s territories. While this attempt did not appear to achieve any success, we believe it is critical that observers continue to monitor for such attempts in case greater degrees of organic engagement are later realized by the network."
The campaign had previously been spotted by other observers on Facebook, Twitter, and Instagram, but Mandiant's researchers "have now observed this pro-PRC activity taking place on 30 social media platforms and over 40 additional websites and niche forums, and in additional languages including Russian, German, Spanish, Korean, and Japanese."
SnapMC launches data theft extortion attacks.
NCC Group is tracking a threat actor dubbed "SnapMC" that has opted to forgo ransomware and simply conduct data theft extortion attacks. The threat actor gains access via SQL injection or by exploiting a patched remote code execution vulnerability in Telerik UI for ASP.NET. After exfiltrating the information, the attackers send the victim an email listing the stolen data and demand payment within three days.
While many ransomware operators have adopted a dual-extortion approach by stealing data before deploying ransomware, NCC Group believes pure data theft extortion attacks will become more popular:
"NCC Group’s Threat Intelligence team predicts that data breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack. In a ransomware attack, the adversary needs to achieve persistence and become domain administrator before stealing data and deploying ransomware. While in the data breach extortion attacks, most of the activity could even be automated and takes less time while still having a significant impact."