It’s no secret that cybersecurity threats are rising for organizations of all sizes and industries.  U.S. cybersecurity authorities like the CISA, NSA, and the FBI are aware of recent reports of increased malicious cyber activity and expect this trend to continue. Organizations face security gaps and weaknesses from a patchwork of IT products and tools with little visibility and a false sense of security. In addition to IT staff shortages, expanding attack surfaces like cloud computing and work-from-anywhere enable threat actors to expand their reach and damage. Cyber attackers have noticed these challenges and are vigilant to exploit them. A deeper understanding of attackers can help better detect and respond to these persistent threats.

What are Cyber Threat Groups

Cyber threat groups are attackers who operate in a coordinated and synchronized manner. These adversary groups continue to morph their behavior and Tactics, Techniques, and Procedures (TTPs) to evade detection. Threat group characteristics include organization, synchronization, well-trained and well-funded, patience to achieve their nefarious goals, and being part of a criminal ecosystem. As threat groups seemingly disappear or are taken down by global law enforcement, new groups with similar TTPs and ransomware tools reappear quickly.  

Types of Threat Groups  

Cyber crime groups behave like legitimate businesses with training, incentives, promotions, and customer support. Many threat groups have existed for years, honing their exploitation skills over time. There are three primary types of threat groups:

1. Financially motivated attackers (FINs): These groups use threat vectors like phishing emails, ransomware, and click fraud to monetize their work. Cyber crime is extremely lucrative and relatively low risk. These financial attackers are patient, use “low and slow” techniques, and prey on human nature and social engineering to exploit victims. EXAMPLE: theft on the SWIFT financial network and Bank of Bangladesh has been attributed to REvil, also known as Sodinokibi and GandCrab.
2. Nation-state adversaries (APTs): These well-funded attackers use espionage and cyber theft to exfiltrate sensitive information like intellectual property to advance the country’s goals and political agenda. If not actually a part of the government, they may garner complicit support in a permissive environment. Nation-state adversaries use Advanced Persistent Threats (APTs) for their nefarious activities, and they are known to lurk for many months to achieve their objectives. EXAMPLE: the Nobelium gang known as APT 29 is believed responsible for the SolarWinds attack aimed at disrupting thousands of unsuspecting victims.
3. Hacktivists: While less frequent than financially motivated actors and nation-state adversaries, they nonetheless wreak havoc on businesses and governments. Hacktivists are motivated by political and social ideology and to promote unrest or public change. EXAMPLE: the attack on Sony Pictures as retribution to stop the release of a film unflattering to North Korea.

Tradecraft and motivations across financially minded adversaries and nation-state criminals are blurring. State governments use e-crime to fund government operations and bypass economic sanctions.

Threat Group Identification

It is challenging to identify an entity, organization, or country responsible for a specific adversary attack. Awareness and insight into threat group TTPs is helpful in better defending your infrastructure. Threat groups are often called by differing names across vendors, industry, and law enforcement, making it even more complicated to understand their motivations and tactics. APT 41, with its alleged ties to the Chinese Ministry of State (MSS), is also known as BARIUM and Wicked Spider. MITRE ATT&CK® is a knowledge base of adversary tactics based on real-world observations. The database also outlines threat groups and criminal gangs for practical security analysis and insight.

Dissect adversary behavior to strengthen defenses.

The MITRE Corporation

SMBs are Attractive Targets

Small-and-Medium-Sized Businesses (SMBs) may think they are too small to be targeted by attackers, but that is far from the truth. Cyber criminals target many businesses and SMBs may be targeted for their intellectual property, supply chain contacts, or perceived security weaknesses. Adversaries often use legitimate tools and services that evade detection, as our Security Operations Center uncovered. Attackers know that organizations large and small are focused on protecting their brand reputation and are likely to pay a cyber ransom. Stealthy and sophisticated attacks against service providers enable criminals to scale and achieve a larger ROI for their effort. So how can businesses understand well-funded threat groups and effectively protect themselves?

How You can Defend Against Adversaries and Stealthy Attacks

Here are some mitigation steps recommended by CISA to prevent, detect, and respond to suspicious security activity or possible incidents:

• Prevent what you can by implementing a social engineering awareness program within your organization
• Use different passwords for business and personal accounts
• Segregate internal networks
• Apply the principle of least privilege
• Disable or block unnecessary remote services and applications
• Secure and monitor the use of Remote Desktop Protocol (RDP)
• Promptly applying software patches and updates to prevent exploitation
• Enable or improve monitoring and logging processes
• Deploy robust cybersecurity solutions to reduce your attack surface

Threat Intelligence Reduces Your Attack Surface and Risk

Cyber criminals have a broad range of motives and methods, and their risks cannot be ignored.  Knowledge of these threat groups and their tradecraft reduces your likelihood of becoming a victim of a costly security incident. With cyber resiliency, businesses can better predict, prevent, detect, and respond to dynamic threats. Netsurion helps you predict, prevent, detect, and respond to adversary attacks with a managed open XDR solution. Comprehensive visibility and proactive threat hunting help shield you against stealthy threat actors.