Understanding how the cyber threat landscape changed in April
As we warned last week, the attacks on healthcare institutions and research labs continued in the week ending April 25th. The Trump administration in the US admitted that healthcare service providers, medical institutions, and the Department of Health and Human Services, which oversees the Centers for Disease Control and Prevention, have been hit in a wave of coordinated attacks. The Department of Justice has expressed concern over attempts by a nation state to gain information on Coronavirus research through these attacks.
Are these simply unconnected attacks? Or is there a larger game plan that some hackers are working to?
If we observe the attacks that have happened over the last two months, a clear pattern begins to emerge. Hackers initially targeted enterprises, healthcare providers and manufacturers. The motive in these cases was clearly to steal IP and obtain a ransom. In the weeks that followed, not-for-profit agencies that were receiving donations for relief work were targeted. Now we are seeing labs researching the virus being targeted.
The hackers are working with four objectives in mind:
- Monetary gains
- Stealing IP
- Stealing diplomatic communication
- Stealing research connected to the virus
State-backed APT groups are behind the third and fourth objectives, while the first two are driven by cybercriminals. Objective 4 will continue to push APT groups to attack high-end labs, while the attacks connected with objectives 1 and 2 will rise as new groups join in.
Hackers are also carrying out diversionary attacks on airports and other infrastructure to keep cyber-defense agencies busy and off their trail. By stretching the agencies involved in cyber-defense, the hackers are trying to pull attention and resources away from the targets of real interest so that they can attack high-value targets at will. APT groups are allowing, or even hiring, freelance hackers to carry out attacks on the less valuable targets.
Cyberattacks linked to geopolitical events are also on the rise. This week also saw attacks on Poland and even China, and both had geopolitical motivations.
Attacks on financial institutions
Hackers from North Korea are mounting attacks on financial institutions around the world. These attacks have plateaued but remain a source of concern. Internet use in North Korea has increased significantly as the country has obtained another internet access route from Russia in addition to the existing one from China.
Hackers from North Korea are simply looking to fill the state coffers with the foreign exchange that the state desperately needs.
We are issuing an advisory for the following sectors this week:
- Financial services
- Healthcare research labs
- Oil and gas