
Attacks/Breaches

3/30/2016 07:00 PM

Business Disruption A Big Focus In 2015 Cyberattacks

In a shift from the low and slow attacks of recent years, many incidents last year were attention seeking and were motivated not just by money, according to Mandiant's annual report.

There’s a bit of an everything-old-is-new-again feel to at least one of the major trends for 2015 in security firm Mandiant Consulting’s recent annual threat report.

As with previous reports, FireEye/Mandiant’s analysis is based on a review of its customer engagements in the past year. The most interesting new trend it discovered over the period was an increase in the number of business disruption attacks its clients suffered. Examples of such attacks included those where corporate data was held for ransom or where the organization itself was held to ransom by attackers threatening to delete data, release it publicly, modify it, or add malware to the data.

In a shift away from the low and slow attacks of recent years, many of the incidents that Mandiant was called in to remediate in 2015 harkened back to older attacks in that they were very public, leaked data, and taunted victims.

Instead of the usual focus on stealth and maintaining access for as long as possible, the attacks that Mandiant investigated in 2015 were deliberately designed to draw public attention to the malicious activity or to data that was compromised. “Some attackers were motivated by money, some claimed to be retaliating for political purposes, and others simply wanted to cause embarrassment,” Mandiant said in its report. 

Publicity-seeking attacks were common a few years ago but have become far less frequent recently. Security researchers have noted how in recent years threat actors have chosen to focus on monetizing their criminal skills and in stealing data rather than displaying their hacking prowess to make a political or social point or to impress peers.

Charles Carmakal, vice president of Mandiant, says that the threat actors responsible for the disruptive attacks typically had very different motivations from those looking to steal data over the long-term.

“Disruptive threat actors are motivated by money and fame,” he says. “State-sponsored threat actors tend to steal information that provides economic, military, or political advantage to their countries.”

Usually, such hackers have been careful to avoid disrupting businesses because they want to continue to steal data from their victims, he says.

Digital blackmail schemes were a common occurrence in 2015 among Mandiant’s clients. Such campaigns typically involved situations where an attacker tried to extort money from an organization by threatening to publicly release sensitive data that had been previously stolen from it.

“We’ve observed attackers stealing materially sensitive data, then threatening to release the information publicly, encrypting victim’s data, and conducting denial of service attacks until ransoms were paid,” Carmakal says. In most cases, the ransoms demanded were commensurate with the value of the stolen data, suggesting that attackers had a finely honed sense of the inherent value of the information.

Mandiant also investigated multiple attacks where the adversaries wiped data from critical business systems, and often from the backup infrastructure as well, to keep victims offline, sometimes for weeks. While threat actors have had the ability to take such actions for years, most have refrained from doing so because their focus has been on theft of IP and other data.

“Many of the disruptive attacks that we observed in 2015 appeared to be opportunistic in nature,” Carmakal says. “However, we’ve observed attacks that were clearly targeted and deliberate.”

Somewhat ironically, the disruptive nature of many of the attacks in 2015 may have actually made them easier to spot.

According to Mandiant, last year it took about 146 days on average for organizations to learn they had been breached, or to be notified of one. While that is still a long time, it is better than the 205 days on average it used to take in 2014, and the astonishing 416 days in 2012.

The quicker detection times may be due to a few reasons, including the fact that threat actors are becoming more disruptive, so their malicious actions are more visible and therefore detected sooner, Carmakal says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
