
CYFIRMA Industry Report : INFORMATION TECHNOLOGY

Published On : 2023-12-18

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the information technology industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the information technology industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the information technology industry.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
 
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.

Each attack campaign may target multiple organizations across various countries.

Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.

Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.

Our primary focus is on detecting which brand is being impersonated rather than who the intended targets are. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.

RANSOMWARE

Our victim data in this report is collected directly from the respective ransomware groups' leak sites (blogs). Some of these sites publish little beyond a victim's name or domain, which limits victimology accuracy during bulk data processing.

In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations, where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.

During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.

Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.

Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

PAST 90 DAYS IN NUMBERS

Advanced Persistent Threat Attack Campaigns
Information Technology organizations featured in 4 out of the 9 observed campaigns, which is a presence in 44% of campaigns.

Observed Campaigns per Month

The monthly chart shows a spike in November after a period of generally low campaign detections in September and October.

Suspected Threat Actors

Suspected threat actors are a mix of nation-state and financially motivated groups.

GEOGRAPHICAL DISTRIBUTION

Victims of the observed attack campaigns were recorded in 19 different countries, with many Asian victims in particular.

TOP ATTACKED TECHNOLOGY

Attack campaigns focused on attacking web applications, operating systems, infrastructure and application security software.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Medium

After a period of low detections during the summer months, we have witnessed a surge in new detections in November and early December. Specifically, within the IT industry, four out of the nine observed campaigns have recorded victims. This denotes a moderate level of interest from sophisticated threat actors, compared to other industries.

Concerning suspected threat actors targeting the IT industry, nation-state APTs significantly outnumber financially motivated threat actors. Chinese APTs, in particular, exhibit high activity, aligning with their known interest in the digital supply chain and compromising targets through third-party vendors.

Geographically, there is a notable presence of Asian countries that hold interest for Chinese APTs. These include regional rivals such as India, Japan, the Philippines, Australia, Vietnam, and, notably, Taiwan, alongside Singapore, Brunei, Malaysia, and Thailand. On the other hand, Russian threat actors maintain focus on European countries, likely in connection with the ongoing UA-RU conflict.

The technologies targeted within the IT industry victims encompassed web applications, operating systems, and infrastructure. Notably, in December, Mustang Panda's campaign spread via infected USB drives and abused legitimate software in the process.

PHISHING ATTACKS IN THE IT INDUSTRY

Over the past 3 months, CYFIRMA's telemetry recorded 263,495 phishing campaigns, of which 107,869 impersonated IT industry brands, including IT and email services and social networks.

As per the pie chart, Online/Cloud Services account for 21.71%, Social Networking adds another 15.90% and Email Providers a further 3.33%, totalling 40.94% of all observed phishing campaigns.

Global Distribution of Phishing Themes per Sector

Top 25 Impersonated Brands

In the IT industry, the most impersonated brands are the ones most people know from their own spam folders. Office 365 and Facebook dwarf the rest, as they are the most widely used and recognised brands around the world.

Top 20 Countries of Origin

The ASN-based origin of these phishing campaigns shows a clear dominance of the USA. Notably, however, Southeast Asian countries continue to emerge as growing hubs for lower-tier cybercrime.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The Information Technology industry, specifically Online/Cloud Services and Social Networking, stands as the prime target for phishing lures in today’s landscape. Microsoft Office, Outlook, Apple products, and major social networks like Meta and Telegram boast billions of global users, making them the ideal choices for expansive phishing campaigns. This approach ensures cybercriminals a significant return, due to the sheer volume of potential targets.

Examining the data based on ASN (Autonomous System Number) origins reveals an intriguing contrast between the regions targeted (based on impersonated brands) and the countries of origin. The United States stands out as the most frequent country of origin by a substantial margin, followed by the Netherlands and Vietnam. This trend strongly correlates with the favorable digital infrastructure in the US, coupled with the availability of compromised systems utilized in botnets and as proxies.

Concurrently, Vietnam, along with Indonesia, is emerging as a hub for cybercrime in Southeast Asia, often leveraging the favorable digital infrastructure in Singapore.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 137 verified ransomware victims within the IT industry sectors. This accounts for roughly 9.6% (137 of 1,433) of all ransomware incidents recorded during the same period.

The Monthly Activity Chart

Monthly trends show consistently high numbers without a clear direction once partial months are accounted for.

Breakdown of Monthly Activity by Gangs

A breakdown of the monthly activity provides insights into each group's activity. For example, LockBit3 has been consistently active, whereas LostTrust recorded victims only in September.

Ransomware Victims in Information Technology per Group

In total, 32 out of 49 groups recorded IT industry victims in the past 90 days. The top four are responsible for half of them.

Comparison to All Ransomware Victims by Group (Top 20)

Compared to all recorded victims in the same period, the Akira gang appears to be more focused on this industry, whereas NoEscape has comparatively fewer IT victims relative to its overall count.
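The "more focused" judgement above is a comparison of each group's share of IT victims against the industry's share of all victims. The following script is an added example (not CYFIRMA's code or platform logic) that computes that ratio, a lift over the baseline, from leak-site postings. It also de-duplicates re-listings of the same victim by the same group, since leak sites often post a victim more than once, and lets you exclude groups with too few victims for the ratio to mean anything. All victim records, group names and industries in SAMPLE are constructed placeholders, not real postings.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Posting:
    """One leak-site entry, reduced to the fields the report works with."""
    group: str
    victim: str
    country: str
    industry: str


IT = "Information Technology"

# Constructed sample postings (assumption: not real victims or real counts).
# "Acme Corp" is listed twice by LockBit3 to exercise de-duplication.
SAMPLE = [
    Posting("LockBit3", "Acme Corp", "US", IT),
    Posting("LockBit3", "ACME CORP.", "US", IT),
    Posting("LockBit3", "Northwind Logistics", "CA", "Transportation"),
    Posting("LockBit3", "Globex Software", "GB", IT),
    Posting("LockBit3", "Initech Hospital", "US", "Healthcare"),
    Posting("Akira", "Contoso MSP", "US", IT),
    Posting("Akira", "Fabrikam Devs", "AU", IT),
    Posting("Akira", "Tailspin IT Services", "CA", IT),
    Posting("NoEscape", "Woodgrove Bank", "US", "Finance"),
    Posting("NoEscape", "Adventure Works", "DE", "Manufacturing"),
    Posting("NoEscape", "Wingtip Data Center", "NL", IT),
    Posting("NoEscape", "Litware Retail", "FR", "Retail"),
    Posting("8Base", "Lucerne Publishing", "CH", "Media"),
    Posting("8Base", "Humongous Insurance", "US", "Insurance"),
]


def normalise_victim(name: str) -> str:
    """Collapse case, whitespace and trailing punctuation so a re-listing of
    the same victim (e.g. after a payment deadline passes) counts once."""
    name = re.sub(r"\s+", " ", name.strip().lower())
    return name.rstrip(".,;")


def dedupe(postings):
    """Keep the first posting per (group, normalised victim name)."""
    seen = set()
    unique = []
    for p in postings:
        key = (p.group, normalise_victim(p.victim))
        if key in seen:
            continue
        seen.add(key)
        unique.append(p)
    return unique


def industry_share(postings, industry):
    """Return (industry victims, all victims, share) over unique postings."""
    unique = dedupe(postings)
    hits = sum(1 for p in unique if p.industry == industry)
    share = hits / len(unique) if unique else 0.0
    return hits, len(unique), share


def group_focus(postings, industry, min_victims=1):
    """Per group: (industry victims, all victims, lift).

    lift = the group's share of victims in `industry` divided by the
    industry's share of all victims. lift > 1 means the group over-indexes
    on that industry; groups with fewer than min_victims are dropped because
    a ratio over one or two victims is noise, not focus."""
    unique = dedupe(postings)
    _, _, baseline = industry_share(unique, industry)
    counts = defaultdict(lambda: [0, 0])  # group -> [industry hits, total]
    for p in unique:
        counts[p.group][1] += 1
        if p.industry == industry:
            counts[p.group][0] += 1
    result = {}
    for group, (hits, total) in counts.items():
        if total < min_victims:
            continue
        share = hits / total
        lift = share / baseline if baseline else 0.0
        result[group] = (hits, total, round(lift, 2))
    return result


def rank_by_lift(postings, industry, min_victims=1):
    """Groups sorted from most to least focused on `industry`."""
    focus = group_focus(postings, industry, min_victims)
    return sorted(focus.items(), key=lambda kv: kv[1][2], reverse=True)


if __name__ == "__main__":
    hits, total, share = industry_share(SAMPLE, IT)
    print(f"{IT}: {hits}/{total} unique victims ({share:.1%})")
    for group, (h, t, lift) in rank_by_lift(SAMPLE, IT, min_victims=2):
        print(f"{group:10s} {h}/{t} IT victims, lift {lift}")
```

On the constructed sample the baseline IT share is 6 of 13 unique victims; Akira (3 of 3) shows a lift above 2, LockBit3 sits near 1, and NoEscape and 8Base fall below 1. Raising min_victims is the caveat from the methodology section in code form: a small or rebranded gang with a handful of postings can show a large lift that says nothing about its targeting.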

Geographic Distribution of Victims

The heatmap of geographic distribution illustrates the global reach of ransomware across continents.

Total Victims per Country

In total, 28 countries recorded IT industry ransomware victims, with the US alone accounting for ~42% of them.

Sectors Distribution

Listing the consolidated sectors grouped under the IT industry umbrella shows victims across all of them, including many niche sectors.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

IT industry organizations remain a popular target for ransomware attacks, with approximately one in every ten victims falling within this sector over the last 90 days. Monthly activity shows a gradual increase, with a notable peak observed in November so far.

Analysis of the responsible groups highlights LockBit3 as the gang consistently recording the highest number of victims across months. In November, there was a surge in victims attributed to 8Base, Black Basta, and several mid-sized and smaller gangs.

Data on the total number of victims per group indicates that predominantly larger gangs are targeting the IT industry, with the top five accounting for half of all victims. However, since September, there has been a noticeable increase in the share of victims linked to newer or rebranded mid-sized groups, potentially signalling an evolving threat landscape.

Among the 49 gangs active in the past 90 days, 32 have reported victims in the IT industry. Notably, Akira has exhibited a higher interest in this sector relative to its overall number of victims.

Geographically, victims are spread across 28 different countries, with the United States experiencing the highest impact, followed by Canada, the UK, and Australia. While western countries dominate the IT industry’s victim count, occurrences have been recorded on all continents, underlining the global nature of these attacks.

For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly "Tracking Ransomware" series.

CONCLUSION

Ransomware remains an acute threat within the cybersecurity landscape of the IT industry, with one in every ten victims being an IT organization. Among these, Managed IT Services providers and Software Developers emerge as the most frequently hit sectors. LockBit3 consistently reports the highest number of victims, while Akira's increasing interest in this industry stands out relative to its overall victim count.

Sophisticated threat actors show moderate interest, with Chinese nation-state APTs responsible for the majority of the observed campaigns. This aligns with their known focus on exploiting digital supply chains and utilizing compromised third-party vendors to target their primary objectives.

Notably, IT industry services and social networks are among the most prevalent phishing lures globally, accounting for 41% of all observed phishing themes. This prevalence is due to their widespread usage, with billions of users worldwide. Popular services and brands such as Office 365, Apple, Facebook, and various webmail providers are frequently impersonated in these phishing attempts.