
CYFIRMA INDUSTRY REPORT : INFORMATION TECHNOLOGY

Published On : 2024-04-09

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the information technology industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the Information Technology industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the information technology industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.

Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. Campaigns are sorted by the “last seen” date of activity so that the most relevant ones are included. Note that this may cause long-running campaigns to stack up on later dates, which affects time-based trends.
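The “stacking” effect described above is easy to see with a small worked example. The following Python is an added illustration, not CYFIRMA code, and the campaign records in it are constructed sample data rather than anything from the report. It bins the same set of campaigns two ways: once by “last seen” month (the report's method) and once by every month in which the campaign was active, so the reader can see how the choice of binning changes the apparent monthly trend.

```python
from collections import Counter
from datetime import date

# Constructed sample campaigns (not real CYFIRMA telemetry). Each has a
# first-seen and last-seen date; several span multiple months.
CAMPAIGNS = [
    {"id": "C1", "first_seen": date(2023, 11, 5), "last_seen": date(2024, 2, 20)},
    {"id": "C2", "first_seen": date(2024, 1, 10), "last_seen": date(2024, 1, 25)},
    {"id": "C3", "first_seen": date(2023, 12, 1), "last_seen": date(2024, 3, 15)},
    {"id": "C4", "first_seen": date(2024, 2, 3), "last_seen": date(2024, 3, 28)},
    # Ended before the reporting window; must be excluded by both methods.
    {"id": "C5", "first_seen": date(2023, 9, 1), "last_seen": date(2023, 12, 20)},
]

# A 90-day style reporting window (assumed values for the example).
WINDOW_START = date(2024, 1, 1)
WINDOW_END = date(2024, 3, 31)


def month_key(d):
    """Return a (year, month) tuple used as the histogram bucket."""
    return (d.year, d.month)


def months_between(start, end):
    """List every (year, month) bucket from start's month to end's month inclusive."""
    year, month = start.year, start.month
    buckets = []
    while (year, month) <= (end.year, end.month):
        buckets.append((year, month))
        month += 1
        if month == 13:
            year, month = year + 1, 1
    return buckets


def in_window(campaign):
    """A campaign is relevant if any part of its activity overlaps the window."""
    return campaign["last_seen"] >= WINDOW_START and campaign["first_seen"] <= WINDOW_END


def count_by_last_seen(campaigns):
    """Report-style binning: each campaign counted once, in its last-seen month."""
    counts = Counter()
    for c in campaigns:
        if in_window(c):
            counts[month_key(c["last_seen"])] += 1
    return dict(counts)


def count_by_active_month(campaigns):
    """Alternative binning: a campaign is counted in every month it was active
    inside the window, so long-running campaigns are not pushed to their end date."""
    counts = Counter()
    for c in campaigns:
        if not in_window(c):
            continue
        start = max(c["first_seen"], WINDOW_START)
        end = min(c["last_seen"], WINDOW_END)
        for bucket in months_between(start, end):
            counts[bucket] += 1
    return dict(counts)


if __name__ == "__main__":
    # Same campaigns, two different monthly pictures.
    print("by last seen :", count_by_last_seen(CAMPAIGNS))
    print("by active mon:", count_by_active_month(CAMPAIGNS))
```

With these constructed records, last-seen binning shows a rising count towards March (the three multi-month campaigns end there or in February), while active-month binning shows a flat or falling count over the same window. When reading the monthly charts later in this report, keep in mind that they use the first method.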

Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonations over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.

In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.

During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.

Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.

Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Information technology organizations featured in 4 out of the 10 observed campaigns, which is a presence in 40% of campaigns.

Observed Campaigns per Month

This 90-day snapshot includes only the first 3 days of April. Focusing on the previous 3 months, we can see a downturn from 2 detections each in January and February to no relevant campaigns observed in March.

Suspected Threat Actors

Suspected threat actors’ attribution is almost entirely to Chinese nation-state-linked groups. Along with them, we have observed Iranian APT US17IRGCorp (APT34).

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 24 different countries, with Japan, India and the US having the highest number of victims. Notable are Middle Eastern countries as growing targets, alongside a persistent presence in South and Southeast Asia.

TOP ATTACKED TECHNOLOGY

Attack campaigns focused primarily on web applications, cloud services and operating systems.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Medium

In the past 90 days, the information technology industry has experienced fluctuating levels of risk, alternating between periods of steady medium volumes of detections and a whole month with no detections. Primary threat actors in this sector are the Chinese groups Mustang Panda, APT41-nexus (tracked as Mission2025), Stone Panda and HAFNIUM. We have also observed the Iranian APT US17IRGCorp (APT34).

Geographically, the most targeted regions were Japan, the US, and India. APAC and Southeast Asia specifically continue to be of high interest to Chinese APT groups and this is reflected in victimology. Furthermore, the Middle East is heating up as we keep observing APT campaigns in the region.

Web applications remain the most frequently targeted technology across various industries, followed by Cloud services, operating systems and IaaS solutions.

PHISHING ATTACKS IN THE INFORMATION TECHNOLOGY INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry recorded 85,851 phishing campaigns impersonating information technology organizations, out of a total of 342,599 phishing campaigns observed.

Combined categories of Online/Cloud Services and Email Providers amount to 25.05% of all observed phishing campaigns.

Global Distribution of Phishing Themes per Sector

Top Impersonated Brands

In total, we have observed 52 impersonated brands. The most impersonated brand by a large margin is Office365, mostly due to being used as a vessel for various other types of phishing campaigns.

Top Countries of Origin based on ASN

The absolute majority of the campaigns originated from the US, followed by Germany and Hong Kong. The 52 countries beyond the Top 25 listed, taken together, would only reach 6th place, just after Singapore, underlining the dominance of the USA and a handful of other countries as sources of phishing.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The information technology industry, specifically the various services it provides to end-users, is among the most frequent phishing themes. This is amplified by two factors: first, account takeover is frequently the objective of the phishing itself, and second, services like Office365 are used to carry out a plethora of phishing and spear-phishing schemes and themes. Office365 alone represents 59.6% of observed phishing in this industry and 14.9% of all observed phishing.

Compared to the previous 90-day period, online/cloud services phishing themes’ share grew from 21.7% to 22.8%, while email providers decreased from 3.3% to 2.25%.

The US is by far the largest country of origin for information technology-themed phishing, followed by Germany.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 93 verified ransomware victims within the information technology industry sectors. This accounts for 5.9% of the overall total of 1,128 ransomware incidents during the same period.

The Monthly Activity Chart

April only includes the first 3 days. Focusing on the previous 3 months, we can observe a steady and slightly growing trend. However, compared to the previous 90-day period, January was a dip from the high 30s recorded in the preceding months.

Breakdown of Monthly Activity by Gangs

A breakdown of the monthly activity provides insights into individual gangs’ activity. For example, the gangs Play, BlackBasta, Ransomhub and Red Ransomware recorded the most victims in March, whereas LockBit3 and ALPHV were behind most of January’s victims.

Ransomware Industry Victims per Group

In total, 23 out of 51 active groups recorded information technology organization victims in the past 90 days. The top 5 are responsible for half of them.

Comparison to All Ransomware Victims by Group

Comparing the industry victims to the total numbers recorded, we can see that the Akira gang has 13 out of 59 (22%) of its victims in the information technology industry, implying a focus on this industry.

Geographic Distribution Of Victims

The heatmap of geographic distribution shows a truly global reach of ransomware.

Total Victims per Country

In total, 25 countries recorded ransomware victims, with the US alone accounting for ~40% of all victims with identified geography.

Sectors Distribution

Listing consolidated sectors falling under the information technology industry umbrella shows a wide variety of sectors. Most affected are networking and IT solutions providers.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Medium

The monthly activity data over the past 90 days reveals steady and continuous ransomware activity, resulting in a medium risk level. Victims in the information technology industry accounted for 5.9% of all recorded victims, a significant decrease from 9.5% in the previous period. We attribute this decrease partially to changes in our data processing aimed at improving the precision of industry categorization. Furthermore, the overall number of victims fell from 1,433 to 1,128 between the two 90-day periods.

Among the 23 out of 51 groups recording victims in the IT industry, LockBit3 and Akira recorded the highest numbers. The Akira gang recorded 13 out of 59 (22%) victims in this industry, suggesting their continued high interest in IT organizations. Interestingly, victims in the IT industry are more evenly distributed among ransomware groups than in most industries.

Ransomware incidents targeting the IT industry were recorded in 25 different countries, with the USA accounting for 40% of all cases, followed by Canada and Italy. A noteworthy continuing trend is the spillover into regions beyond the traditionally targeted Western countries, including the Middle East and Latin America.

Lastly, some of the sectors with the most victims were networking and IT solutions, together with managed IT services.

For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the external threat landscape of the Information Technology industry, we observe a medium to high risk across monitored categories.
Observed Advanced Persistent Threat (APT) campaigns have retained a medium risk factor, as IT organizations were present in 40% of campaigns. Three out of four campaigns were by Chinese APT groups, with the remaining campaign attributed to an Iranian group.

Phishing remains a high risk, as various services provided by IT vendors are continuously exploited to carry out a wide range of phishing schemes. Furthermore, the takeover of user accounts on these services is often the primary objective.

Ransomware remains a significant concern, with IT organizations comprising 5.9% of all victims in the last 90 days. Akira, with 13 victims, exhibits a notable focus on this industry, while LockBit3, with 16 victims, poses a high risk due to its overall volume of ransomware attacks. However, nine other gangs recorded between 4 and 6 victims each, showing that mid-sized gangs collectively present the highest threat.