Nation State Attackers Shift to Credential Theft

A greater focus is being placed on credential theft by nation state actors rather than stealing money.

Speaking on a virtual briefing, Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, focused on attacks from Russia, Iran and China and their various activities. Monrad said attacks are easily done because of the user’s common digital footprint, which can allow an attacker to pick up on items about the victim and use them in a social engineering scenario.

He explained that the biggest detection of malware seen by FireEye customers is focusing on stealing credentials and stealing information “and that makes sense as regardless of your motivation, if you can steal or buy stolen credentials. you will make less noise in your operation.”

Furthermore, if an attacker wanted to do a high stake “heist,” or if you wanted to rob a house, if you could purchase the access code to the alarm system or purchase the keys, you make less noise than if you break in and make more noise. 

“Credentials can vary from anything that requires a username and password to databases or access to cloud environments,” he said. “This is just part of the ecosystem we currently see, and [cyber-criminals] advertise databases and tools and services on the underground forums.”

Monrad added, from a cyber-criminal perspective or even as part of nation state campaign, buying those credentials may give you more of a silent entry into a system. “If you’re a cyber-criminal deploying ransomware post-compromise, this will make you more successful in your intrusions.” 

He said this is why Mandiant is focused on credential theft as a sole operation, as it sees this as a challenge for organizations to control their credentials, to monitor for stolen credentials and to make sure that they use the best guidance on passwords and enforcing MFA.

Asked by Infosecurity if the company's research had not considered nations which were seeking financial gain from attacks, such as North Korea, Monrad said the intention had been to focus on diplomatic attacks by Russia, “dual use” by China and “where anything is a threat” by Iran, but he admitted that where North Korea is involved, they do still see “those big money heists.”

He said that financial attacks are still happening, and there are more standard cyber-attacks taking place where the attacker tries “to gain large financial sums in one cyber-attack,” but the “longer game” with credential theft is now common, and from a cyber-criminal perspective, the value in purely financial attacks is diminishing, with more money made from “selling access to desktop machines.

“With the exception of North Korea we do see that change,” he concluded, noting there is more interest in interacting with the banking transfer systems and mechanisms, and specifically with the SWIFT banking transfer system.

What’s Hot on Infosecurity Magazine?