Telecoms, defense contractors favorite targets for foreign hackers

NOTE: This article first appeared on FCW.com.

Intelligence gathering and espionage remained the primary motivation for state-sponsored cyber intrusions in 2019, according to a new report.

In the latest version of its annual global threat report, cybersecurity threat intelligence firm CrowdStrike found that Advanced Persistent Threat groups heavily targeting governments, military sectors as well as their defense industrial base of contractors, while criminal groups are increasingly leveraging ransomware as a primary attack vector against the private sector and local governments.

Chinese-aligned groups focused on the telecommunications sector in particular, which CrowdStrike said it believes could support both signals intelligence and upstream surveillance activities. The emphasis came during the same year the U.S. government made a major push to discourage allies from using equipment from Chinese companies like Huawei while building out their 5G networks, warning them that doing so could make it easier for Beijing to spy on their communications. Hacking groups tied to China tended to use open source tools and tactics in an effort to mask and cover their tracks.

Hacking groups with ties to Iran spent much of their time targeting the defense and government sectors in the U.S. and elsewhere, and the firm said it tracked a noticeable shift in emphasis to the United States in the latter half of 2019. This targeting of U.S. entities began picking up around the same time as the 2019 Gulf of Oman incident, when three oil tankers and a bunkering ship were damaged with explosives, with U.S. officials blaming Iran.

Groups tied to Tehran created spoofed job postings for U.S. defense contracting work, which the firm said it believes was meant to catch individuals who might hold sensitive military secrets while their defenses are down.

"What we've observed is them actively targeting defense industrial base, members of the military who are moving into civilian jobs, and using that transitional point to target individuals, get access to individuals and pivot into their networks," said Adam Meyers, vice president of threat intelligence at CrowdStrike.

While Iranian hackers have leveraged destructive wiper malware attacks against U.S. entities in the past, those activities were mostly confined to countries in the Middle East in 2019. However, following the airstrike of Iranian Quds Force General Qassem Soleimani by U.S. in January, many threat intelligence firms and federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) have warned that Iranian groups could use them against U.S. targets in retaliation.

Like other organizations, CrowdStrike found that ransomware attacks are rising, though the victims are mostly confined to the private sector and local governments. Whereas hacking groups would previously tack on a ransomware component to other attacks in the hopes of squeezing out a few hundred dollars in profit, they have increasingly viewed it as a main attack vector to steal data, make big money and take advantage of "the operational necessity to be up and running," Meyers said.

"If you look at the history of how ransomware evolved, a few years ago it was a side hustle," he said. "What it shows is that threat actors realize they were squandering opportunities with one-off attacks, now they've figured out how to make the most of these activities."

Agencies like CISA have expressed concern about the potential for ransomware attacks to target voter registration systems or jam up the IT systems of local governments ahead of Election Day. However, Meyers said his firm has yet NOto observe activity or evidence to indicate these concerns are anything more than hypothetical at this point. Instead, he said he believes the easiest way to undermine a U.S. election is through disinformation.

"I've been saying since 2016 is that the most effective way to attack an election is to make people question the results," Meyers said. "We're seeing a lot more tension there, and a threat actor can effectively leverage that … with an influence operation to cause them to question the process. That's the most concerning thing for me."