Among the key events that defined the threat landscape of 2014, targeted attacks and malicious campaigns stand out, particularly in terms of their scale and impact on businesses, governments, public and private institutions. Over the last 12 months, our Global Research and Analysis Team (GReAT) reported seven advanced persistent cyber-attack campaigns (APTs). Between them, these accounted for more than 4,400 corporate sector targets in at least 55 countries worldwide. This year also saw a number of fraud campaigns that resulted in losses totaling millions of dollars. The number of victims affected by targeted attacks in 2014 is 2.4 times that of 2013. A thought-provoking figure, is it not?
Attacks towering: the number of corporate targets increased 2x in 2014Tweet
Cyberespionage APT campaigns, as well as fraud operations, were of special note this year, with a growing number of large-scale APT campaigns discovered.
Kaspersky Lab has recently launched a new interactive “Logbook” of APT campaigns featuring ongoing campaigns and those that cease to exist.
There are 13 active APT campaigns, 3 more ceased activities earlier this year, and 8 had been publicized in 2014:
- Energetic Bear/Crouching Yeti
- Epic Turla (with late additions)
- El Machete
- Cloud Atlas
Some of these are reincarnations of older threats. Regin and Darkhotel have been active since the first half of the 2000s, which makes them the oldest known APTs – even older than Stuxnet. Although its authors had largely been considered the openers of a Pandora’s box full of cyber-weaponry, the box had been opened before.
Overall, in 2014, organizations in at least 20 sectors were hit by advanced threat actors. The sectors include the public sector (government and diplomatic offices), energy, research, industrial, manufacturing, health, construction, telecoms, IT, private sector, military, airspace, finance and media, among others. This is the face of cyber-espionage today, and it’s not hard to imagine how much sensitive data is leaking due to APT groups’ activities.
Speaking of leaks, the overall damage caused by the huge hack of Sony Pictures is not yet known, but it’s already clear it will be drastic. It was a narrowly targeted attack, probably with some grudges as the criminals’ primary motive, but that has yet to be established or disproved. For now, what is known is that more than 11 TB of data were leaked, including movie scripts, executives’ and producers’ emails, a lot of dirty laundry for tabloids to gnaw upon and – what is especially troubling – troves of personally identifiable data of more than 6,000 Sony Pictures Entertainment employees.
Sony Pictures #hack looms menacingly over 2014. Hopefully, it’ll be a wake-up call #enterprisesecTweet
Also, this year was marked with a few cases of large-scale fraud resulting in the theft of millions of dollars and euros. These attacks were not just against banks, but ATMs as well. Next year, Kaspersky Lab’s experts expect to see further evolution of these ATM attacks, where APT techniques are used to gain access to the “brains” of cash machines. The next stage will see attackers compromising the networks of banks and using that level of access to manipulate ATM machines in real-time.
A detailed overview of 2014 in security, as well as predictions by Kaspersky Lab’s experts is available here.
We highly recommend you watch this fancy video below.
So, criminals are increasingly targeting corporate entities – 2.4 times growth this year, compared to 2013. What does it mean?
First of all, criminals are looking for more direct access to money, which is a much-discussed trend. Not only money, though: Targeted APT attacks are launched in order to extract sensitive and valuable information from businesses in all industries imaginable. The situation will only become more and more tense, since it is very likely that “common” cybercriminals will increasingly adopt APT tactics. So we’ll definitely hear more about APTs next year.
Finally, the criminals’ successes are the victims’ security shortcomings. Sony Pictures’ hack is especially indicative of this: super-secret passwords in a super-secretive folder “/Passwords”. But it’s wishful thinking to assume Sony Pictures is the only entity whose IT staff made mistakes that big, no matter the industry. Hopefully this serves as a wake-up call for the people responsible for IT security in their companies and organizations.
For a more detailed overview of 2014 please refer to Securelist.