Russian State Hackers Take Minutes to Move Laterally

There was a major rise in Chinese state-sponsored cyber-activity in 2018 while Russian actors were by far the most operationally effective, according to the latest report from CrowdStrike.

The security vendor’s 2019 Global Threat Report tracks the relatively new metric of “breakout time”, which measures how quickly an intruder moves laterally from the initially compromised host to other systems on the network after the initial incursion. CrowdStrike argues that the figure gives IT teams a concrete benchmark for how quickly they need to detect, respond to and contain a threat before it spreads.

The vendor noted an average breakout time across all intrusions and threat actors of 4 hours 37 minutes. This varied considerably by actor, however: cyber-criminals averaged 9 hours 42 minutes at one end of the scale, while Russian state hackers managed the same job in just 18 minutes.

Next fastest were North Korean actors with an average breakout time of 2 hours 20 minutes.
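To make the metric concrete, here is an added worked example (not CrowdStrike’s code, data or methodology) that computes breakout time over a few constructed intrusion timelines: the first observed attacker event on a second host, measured from the first observed event on the foothold host. Hostnames, event categories and timestamps are invented for illustration.

```python
"""Breakout-time calculation over constructed intrusion timelines.

Added example, not CrowdStrike's code or telemetry.  'Breakout time' here is
the interval between an intruder's first observed activity on the initial
foothold host and the first observed activity on any other host.  All events
below are constructed sample data shaped like endpoint telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime   # when the endpoint sensor recorded the event
    host: str      # hostname the event occurred on
    kind: str      # process / logon / network (assumed event categories)
    detail: str    # free-text description


def breakout_time(events: List[Event]) -> Optional[timedelta]:
    """First attacker event on a *different* host minus the earliest event.

    Assumes `events` has already been clustered to one intrusion by the
    analyst.  Returns None when no lateral movement was observed.
    """
    if not events:
        return None
    ordered = sorted(events, key=lambda e: e.ts)   # telemetry may arrive out of order
    foothold = ordered[0]
    for e in ordered[1:]:
        if e.host != foothold.host:
            return e.ts - foothold.ts
    return None


def breakout_minutes(events: List[Event]) -> Optional[float]:
    """breakout_time() expressed in minutes for easy comparison with benchmarks."""
    td = breakout_time(events)
    return None if td is None else td.total_seconds() / 60


def summarise(intrusions: Dict[str, List[Event]]) -> Dict[str, Optional[float]]:
    """Breakout minutes per intrusion id (None = no lateral movement seen)."""
    return {name: breakout_minutes(evs) for name, evs in intrusions.items()}


def _t(hhmm: str) -> datetime:
    # Helper: all constructed events fall on one fictional day.
    return datetime(2018, 11, 5, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample intrusions (not real incident data).
SAMPLE: Dict[str, List[Event]] = {
    # Fast actor: foothold on WS-01, first touch on DC-01 eighteen minutes later.
    "fast": [
        Event(_t("09:00"), "WS-01", "process", "encoded powershell spawned by winword.exe"),
        Event(_t("09:05"), "WS-01", "network", "outbound 443 to C2"),
        Event(_t("09:18"), "DC-01", "logon", "type 3 logon from WS-01"),
        Event(_t("09:25"), "DC-01", "process", "ntdsutil.exe"),
    ],
    # Slow actor: 9 h 42 min from foothold to a file server.
    "slow": [
        Event(_t("10:00"), "WS-07", "process", "dropper executed from Downloads"),
        Event(_t("19:42"), "FS-02", "logon", "SMB session from WS-07"),
    ],
    # Contained before breakout: only the initial host ever shows activity.
    "contained": [
        Event(_t("13:10"), "WS-12", "process", "macro-launched cmd.exe"),
        Event(_t("13:12"), "WS-12", "network", "beacon to C2"),
    ],
}

SUMMARY = summarise(SAMPLE)

if __name__ == "__main__":
    for name, minutes in SUMMARY.items():
        label = "none observed" if minutes is None else f"{minutes:.0f} min"
        print(f"{name:10s} breakout: {label}")
```

The number is only as trustworthy as the timeline behind it: if the sensor missed the true first foothold event, the computed breakout time is too short, and if two separate intrusions are mistakenly clustered together it can be wildly wrong in either direction. Treat a measured value as a lower bound on how fast the adversary could have moved, not as a ceiling.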

Chinese actors accounted for the largest number of targeted intrusions, with a particular focus in 2018 on upstream telecoms companies as a route to compromising government targets in Asia.

“This report’s findings on adversary tradecraft and speed reflect what many defenders already know: We are in a veritable ‘arms race’ for cyber superiority. However, there are some important differences between an arms race in the cyber sphere versus the physical world: in cyberspace, any player can potentially become a superpower,” explained CrowdStrike CEO, George Kurtz, in a blog post.

“The capital costs are alarmingly low, compared to funding a physical war machine. Even some of the world’s most impoverished regions proved their ability to make a global impact through cyber campaigns in 2018 — and this is one genie that is not going back in the bottle.”

Another major trend highlighted in the report is the use of targeted techniques by financially motivated cyber-criminals to spread ransomware.

These so-called “big game hunting” tactics are primarily aimed at large enterprises and are used to spread families such as SamSam and Ryuk.

Cybercrime group Boss Spider, which CrowdStrike has pegged for SamSam raids, has accrued $6.7m to date as a result of these targeted tactics, which can include “well-tested reconnaissance, delivery and lateral movement TTPs.”

The intelligence is further confirmation that ransomware remains a major threat to organizations. Back in September 2018, Europol warned that it was the biggest malware threat to businesses worldwide and would remain a major risk for many years.
