Nation-States, Ransomware Attacks, and Dark Web Activity: Our Top 5 Research Pieces From 2019

January 2, 2020 • The Recorded Future Team

When you’re paying close attention to your own threat landscape — the specific threats faced by your organization — it’s easy to miss the bigger picture.

What are the big nation-state players up to? Which APT groups might start targeting your industry? What attack vectors are becoming more or less popular?

These are the types of questions many organizations simply don’t have the time or capacity to answer. That’s why our in-house research team, Insikt Group, devotes their time to investigating pressing issues in the cyber landscape.

With 2019 officially at a close, we’d like to take a moment to remember some of the most important research projects conducted by Insikt Group in the past year, and give you a quick overview of their findings.

1. Who’s Afraid of the Dark? Hype Versus Reality on the Dark Web

The dark web is often portrayed as vast and mysterious — many times larger than the surface web, and home to a highly organized clique of shadowy criminals. The reality is quite different.

The dark web is a fraction of the size of the surface web. After a thorough crawling exercise, we found just 55,000 dark web (“onion”) domains, of which only 8,400 had live sites. That makes the dark web approximately 0.005% the size of the surface web. It’s populated mainly by disorganized and unreliable sites. Even popular dark web sites fall well short of the 99.999% uptime that has become the norm for legitimate websites on the open web, and alarmingly, onion sites routinely go down for days or weeks at a time.

There is one widely held perception about the dark web that is accurate, however: it’s dangerous. Scams like typosquatting are extremely common, with one scammer claiming to have earned more than 200 BTC (over $1 million at the current exchange rate) from more than 800 typosquatted domains.

So where does the dark web’s mysterious reputation come from? Most likely, it’s derived from a tiny subset of the dark web — a handful of invitation-only, unpublicized communities that few people know about, much less have access to. These onion sites are inhabited by the highest tier of threat groups and criminal organizations. It is this tiny slice of the dark web that is truly dark.

2. Beyond Hybrid War: How China Exploits Social Media to Sway American Opinion

There has been a huge amount of speculation about Russia’s alleged attempts to influence the outcome of the 2016 U.S. presidential election.

In January 2017, the U.S. Intelligence Community published its assessment: That Russian President Vladimir Putin had ordered an influence campaign in 2016 which used disinformation to interfere with the U.S. presidential election. Ever since, there has been an assumption that other state-run influence campaigns would be similar in scope and tactics to the Russian model.

But that’s not what our research determined. Recorded Future analysts studied Chinese state-run social media influence campaigns and came to the conclusion that the techniques used were very different from those employed by Russia. Why? Because China and Russia do not share the same strategic goals and foreign policy. Russia’s objective is to disrupt Western power structures and international relations, while China’s is to increase its influence over the current international system

Our research determined that the Chinese government has made extensive use of state-run media to influence U.S. perceptions of China and the Chinese Communist Party. Instead of interfering with U.S. elections, China has engaged in widespread social media and paid advertising campaigns to present a positive, benign, and cooperative image of China.

3. Early Findings: Review of State and Local Government Ransomware Attacks

State and local governments have always been common targets for ransomware. Cybercriminals often consider them an easy mark — they typically can’t afford to maintain state-of-the-art security programs, and they have statutory obligations to fulfill, making it difficult for them to stomach any disruption.

In recent years, the number of ransomware attacks against state and local governments has appeared to have risen. To find out if this was really the case, Recorded Future’s Allan Liska conducted an analysis of 169 ransomware incidents affecting state and local governments since 2013. His analysis produced three important findings:

  • The number of ransomware attacks against state and local governments does appear to have risen in recent years.
  • These attacks are less targeted than you might think — most are more opportunistic.
  • State and local governments are less likely to pay a ransom than organizations in most other industries — just 17.1% paid up, compared to an average of 45% across all industries.

As of 2019, ransomware attacks against state and local governments are a growing problem, causing tremendous disruption and expense even when ransom demands are not paid.

4. APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign

Between November 2017 and September 2018, Recorded Future’s Insikt Group and Rapid7 uncovered a sustained cyberespionage campaign targeting at least three companies in the U.S. and Europe. Based on the technical data uncovered, the pairing stated with high confidence that the attacks were conducted by APT10.

APT10 is one of China’s most active state-sponsored hacking groups. Recorded Future considers the group to be the most significant Chinese state-sponsored cyber threat to global corporations. The group carried out sustained attacks against at least three targets — in all three cases, the attackers entered the target network via remote access software using stolen user credentials. Once inside, they used privilege escalation techniques and highly sophisticated malware to achieve their objectives.

Notably, one of the techniques used has been linked to APT10 in the past, and has not been observed in use by any other group. This campaign further supports assertions made by the Five Eyes nations that the Chinese Ministry of State Security is conducting international cyberespionage on an unprecedented scale. While the Chinese government denies these allegations, evidence suggests that Chinese state-sponsored cyber activity is aimed at influencing international trade and eroding the advantage of Western organizations.

5. Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations

Tensions between the U.S. and Iran have been high for a long time. In recent years, they have boiled over into the cyber domain.

Between April and June 2019, Recorded Future’s Insikt Group observed a spike in infrastructure building and targeting activity from Iran’s APT33, also known as Elfin. On June 21, it was reported that U.S. Cyber Command had launched a retaliatory cyberattack campaign against an “Iranian spy group.”

APT33 primarily targets nations in the Middle East, but has also been known to target organizations in the U.S., South Korea, and Europe. To gain a better understanding of the group’s tactics, techniques, and procedures (TTPs), Insikt Group researchers conducted a thorough analysis of their domain and hosting infrastructure.

The researchers concluded that APT33 (or an allied threat group) places a strong emphasis on the use of commodity malware — an attractive option for state-sponsored threat groups because it enables them to operate at scale while “hiding” among the noise of other threat actor activities.

By contrast, if these groups use more specialized attack tools, it becomes easier for security researchers to attribute and monitor their activities. In this case, APT33 was observed targeting mainly Saudi Arabian organizations across a range of industries. This is in line with their historical focus and shows that they are undeterred by previous research reports and media attention highlighting their activity.

Never Miss the Latest Research

All of our biggest stories and research reports are shared right here on our blog — and that’s not all we have to offer.

Sign up for our free Cyber Daily newsletter, and you’ll receive the top cybersecurity intelligence direct to your inbox each morning, including:

  • Top targeted industries
  • Most active threat actors
  • Most exploited vulnerabilities
  • Trending malware
  • The latest suspicious IPs
  • And much more

Subscribe today and use this intelligence to keep your organization safe from cyber threats.

New call-to-action

Related Posts

Checkers and Brute Forcers Highlight Dangers of Poor Password Management

Checkers and Brute Forcers Highlight Dangers of Poor Password Management

June 16, 2020 • Insikt Group®

Click here to download the complete analysis as a PDF Recorded Future analyzed current data...

New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’

New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’

June 10, 2020 • Insikt Group®

Editor's Note: The following post is an excerpt of a full report To read the entire analysis,...

Behind the Scenes of the Adversary Exploit Process

Behind the Scenes of the Adversary Exploit Process

June 3, 2020 • The Recorded Future Team

Vulnerability and patch management teams are continuously faced with the challenge of keeping up...