CYFIRMA INDUSTRY REPORT : INFORMATION TECHNOLOGY

Published On : 2024-08-07

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the information technology industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the information technology industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the Information Technology industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For these reports we draw on the following data sets from our platform. They are produced by AI and ML automation working on both analyst research input and automated ingestion.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
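The "last seen" caveat above is easy to underestimate, so here is an added illustration (constructed data, not CYFIRMA telemetry or code) of how bucketing campaigns by their last-seen date differs from counting a campaign in every month it was active. The five campaign records, the three-month window and the function names are all assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample campaigns (not CYFIRMA data). Several run for months and
# happen to end in July, which is exactly the case in which last-seen bucketing
# piles activity onto the final month of the window.
CAMPAIGNS = [
    {"id": "C1", "first_seen": date(2024, 2, 10), "last_seen": date(2024, 7, 3)},
    {"id": "C2", "first_seen": date(2024, 5, 2), "last_seen": date(2024, 5, 20)},
    {"id": "C3", "first_seen": date(2024, 5, 15), "last_seen": date(2024, 7, 22)},
    {"id": "C4", "first_seen": date(2024, 6, 1), "last_seen": date(2024, 7, 30)},
    {"id": "C5", "first_seen": date(2024, 6, 11), "last_seen": date(2024, 6, 28)},
]

# The three months making up the roughly 90-day reporting window (assumed).
WINDOW = ("2024-05", "2024-06", "2024-07")


def month_key(d):
    """YYYY-MM string; zero-padded so string comparison orders months correctly."""
    return f"{d.year:04d}-{d.month:02d}"


def count_by_last_seen(campaigns, window=WINDOW):
    """Bucket each campaign exactly once, in the month of its last-seen date.

    This is the 'sorted by last seen' method: a campaign that ran for five
    months contributes nothing to the earlier months and one unit to its
    final month, so long-running campaigns stack up on the latest dates.
    """
    counts = Counter(month_key(c["last_seen"]) for c in campaigns)
    return {m: counts.get(m, 0) for m in window}


def count_active(campaigns, window=WINDOW):
    """Count a campaign in every month of the window in which it was active.

    Because month keys are zero-padded YYYY-MM strings, 'lo <= m <= hi' is a
    correct comparison of months.
    """
    counts = Counter()
    for c in campaigns:
        lo, hi = month_key(c["first_seen"]), month_key(c["last_seen"])
        for m in window:
            if lo <= m <= hi:
                counts[m] += 1
    return {m: counts.get(m, 0) for m in window}


if __name__ == "__main__":
    print("by last-seen date:", count_by_last_seen(CAMPAIGNS))
    print("active per month: ", count_active(CAMPAIGNS))
```

With this data the last-seen view shows a July "spike" (1, 1, 3) while the active view is nearly flat (3, 4, 3); the spike is an artefact of three long-running campaigns ending in the same month, which is the distortion the methodology note warns about.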

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation rather than identifying the intended targets. Because of our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Information technology organizations featured in 8 of the 17 observed campaigns, a presence in 47% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

In the last 90 days, we observed a significant spike in activity targeting the information technology sector in July.

SUSPECTED THREAT ACTORS

The 8 observed campaigns were carried out by a wide variety of threat actors, ranging from Ulture in the Philippines to US17IRGCorp in Iran.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of the observed attack campaigns span 23 different countries. There does not appear to be a clear geographic pattern. Taken together with the suspected threat actors, this suggests opportunistic targeting and, in most cases, financial rather than geopolitical motivation.

TOP ATTACKED TECHNOLOGY

Web applications continue to be the most targeted technology across industries, followed by Operating System and Cloud technologies.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

In the past 90 days, the information technology industry has been significantly impacted by advanced persistent threat (APT) campaigns: 47% (8 out of 17) of observed APT campaigns recorded victims in this industry.

Monthly Trends
After a period of relative calm, we observed a surge in July.

Key Threat Actors
No single threat actor has stood out in the past 90 days. Nearly all observed campaigns were evenly distributed, with one threat actor per campaign. The one exception is Ulture, a threat actor from the Philippines, with 2 campaigns. The actors also come from different countries: CoralRaider from Vietnam, FIN11 from Russia, US17IRGCorp from Iran and an unknown Thai-speaking group, among others.

Geographical Impact
Observed geographies align with the interests of the threat actors: nation-state groups target rival countries, while regional cybercrime looks for victims at home and in its own region.

Targeted Technologies
Web applications, operating systems and cloud services are the top attacked technologies.

PHISHING ATTACKS IN THE IT INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 42,338 phishing campaigns themed around information technology brands out of a total of 251,575.
 
The chart below illustrates the global distribution of observed themes. Combined, Online/Cloud Services and Email Providers account for 16.82% of all captured phishing.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

Office 365 is the most commonly impersonated brand, mainly because it serves as a vessel for other phishing themes and techniques. It is followed by Netflix, Telegram and Outlook. In total, 53 brands were impersonated.

TOP COUNTRIES OF ORIGIN (ASN)

The geographical sources of observed phishing campaigns show that most of them originate from the US.

PHISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The information technology sector remains a popular phishing theme, since various IT services are used to facilitate many other phishing themes and also allow direct monetization.

Office 365 stands out as the most frequently exploited service for phishing. Netflix, Telegram, Outlook and various webmail providers are also heavily impersonated.

Overall, the list includes 53 organizations from 73 countries. Many international and regional platforms are being impersonated.

ASN-origin data reveals that the United States is the leading source of phishing emails impersonating information technology organizations, reflecting the sheer size of the market in the U.S. and the vast number of compromised devices used in botnets to send phishing emails. Significant activity is also observed in the Netherlands, Germany, Hong Kong and India.

Southeast Asia, Latin America and even Africa are steadily growing as sources and targets of phishing.

The presence in both developed and developing nations highlights that phishing campaigns are opportunistic and globally pervasive. Regional variations suggest more sophisticated attacks in high-count countries, while lesser-known regions like Malawi or Turkmenistan show expanding attacker reach.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 115 verified ransomware victims in the information technology industry. This accounts for 8.8% of the overall total of 1,306 ransomware victims during the same period.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

IT services, consulting and software development firms are the most frequent ransomware victims within the IT industry.

INDUSTRY MONTHLY ACTIVITY CHART

The monthly activity chart shows sustained interest by threat actors, with a mild spike in June.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity shows which gangs were active each month. For example, RansomHub became very active during June, driving the observed spike, while LockBit3 returned after its law enforcement disruption and contributed to May's numbers.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total, 34 out of 59 active groups recorded victims among IT organizations in the past 90 days. Notably, victims in this industry are spread across a large number of groups.

ALL RANSOMWARE VICTIMS PER GANG

Comparing the IT industry with all recorded victims, RansomHub stands out as a group with high interest in this industry, with 31 of its 61 victims (50.8%) coming from IT. Next is Cactus, with 7 of its 48 victims (14.5%).
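The "X out of Y" figures above and the monthly per-gang breakdown come from bulk processing of leak-site posts, with the limitations listed under RANSOMWARE in the methodology (duplicate name/domain entries, obfuscated victims, HQ-country attribution). As an added illustration, not CYFIRMA's pipeline or code, the script below runs that processing over a handful of constructed posts: it normalises victim strings so a company name and its domain collapse to one record, keeps obfuscated posts in the per-gang count (which the methodology states is exact) while leaving them unenriched, and then computes each gang's share of IT victims, the month-by-gang breakdown and the country split among victims with known geography. Gang names, victims, dates and the enrichment table are all invented for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed leak-site posts (invented victims and gang names, not real data).
# Note the duplicate Acme entry (name form and domain form) and the obfuscated one.
POSTS = [
    {"gang": "GangA", "victim": "Acme Software Ltd", "date": "2024-06-03"},
    {"gang": "GangA", "victim": "acme-software.example", "date": "2024-06-03"},
    {"gang": "GangA", "victim": "Northwind Consulting", "date": "2024-06-11"},
    {"gang": "GangA", "victim": "Contoso Hospital", "date": "2024-06-20"},
    {"gang": "GangB", "victim": "Globex Cloud Services", "date": "2024-05-14"},
    {"gang": "GangB", "victim": "Initech Manufacturing", "date": "2024-05-30"},
    {"gang": "GangB", "victim": "Umbrella Logistics", "date": "2024-07-02"},
    {"gang": "GangB", "victim": "***redacted***", "date": "2024-07-09"},
]

# Constructed enrichment table standing in for analyst-verified industry and
# HQ-country assignments (keyed by the normalised victim name).
ENRICH = {
    "acme software": ("Information Technology", "US"),
    "northwind consulting": ("Information Technology", "US"),
    "contoso hospital": ("Healthcare", "IT"),
    "globex cloud services": ("Information Technology", "DE"),
    "initech manufacturing": ("Manufacturing", "US"),
    "umbrella logistics": ("Transportation", "BR"),
}

LEGAL_SUFFIX = re.compile(r"\b(ltd|inc|llc|gmbh|corp|plc)\b\.?")


def normalize_victim(raw):
    """Reduce a published victim string to a comparable key; None if unusable."""
    s = raw.strip().lower()
    if not s or "redacted" in s or not re.search(r"[a-z0-9]", s):
        return None
    if "." in s and " " not in s:  # domain form: drop the TLD, split on separators
        s = s.rsplit(".", 1)[0].replace("-", " ").replace("_", " ")
    s = LEGAL_SUFFIX.sub("", s)
    s = re.sub(r"[^a-z0-9 ]", " ", s)
    return " ".join(s.split())


def dedupe(posts):
    """One record per (gang, victim). Obfuscated posts still count as victims
    but carry no identity that could be enriched."""
    records = {}
    for p in posts:
        key = normalize_victim(p["victim"])
        ident = (p["gang"], key or ("unidentified", p["victim"], p["date"]))
        records.setdefault(ident, {"gang": p["gang"], "key": key, "date": p["date"]})
    return list(records.values())


def enrich(records, table=ENRICH):
    """Attach industry and HQ country; anything not in the table stays Unknown."""
    for r in records:
        r["industry"], r["country"] = table.get(r["key"], ("Unknown", "Unknown"))
    return records


def industry_share_per_gang(records, industry="Information Technology"):
    """Per gang: (victims in industry, all victims, share %) - the 'X out of Y' figures."""
    total, hit = Counter(), Counter()
    for r in records:
        total[r["gang"]] += 1
        hit[r["gang"]] += r["industry"] == industry
    return {g: (hit[g], total[g], round(100 * hit[g] / total[g], 1)) for g in total}


def monthly_by_gang(records, industry="Information Technology"):
    """Month -> {gang: industry victims}: the 'breakdown of activity per gang'."""
    out = defaultdict(Counter)
    for r in records:
        if r["industry"] == industry:
            out[r["date"][:7]][r["gang"]] += 1
    return {m: dict(c) for m, c in sorted(out.items())}


def country_share(records, industry="Information Technology"):
    """Share of industry victims per HQ country, among those with known geography."""
    known = Counter(r["country"] for r in records
                    if r["industry"] == industry and r["country"] != "Unknown")
    n = sum(known.values())
    return {c: round(100 * k / n, 1) for c, k in known.items()} if n else {}


if __name__ == "__main__":
    recs = enrich(dedupe(POSTS))
    print(industry_share_per_gang(recs))
    print(monthly_by_gang(recs))
    print(country_share(recs))
```

Two choices mirror the methodology notes: the obfuscated post is kept in GangB's total (4 victims) even though it cannot be placed in an industry, so the per-gang count stays exact while the industry share is computed only over what could be classified; and the country split excludes victims with unknown geography, which is why the report phrases its US figure as a share "of all victims with identified geography".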

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total 27 countries recorded ransomware victims with the US alone accounting for 50% of all victims with identified geography.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The information technology industry ranked 4th out of 14 industry categories. With a share of 8.8% of all ransomware victims, it faces a significant ransomware risk.

Organizations from IT services, IT consulting and software development sectors were the most frequent victims.

Monthly Activity Trends
Ransomware activity in this industry has shown sustained numbers of victims each month, with a spike in June.

The June spike was driven by RansomHub's heightened activity and its focus on IT organizations.

Ransomware Gangs
A total of 34 out of 59 active ransomware groups targeted the Information Technology industry in the past 90 days:

RansomHub: This growing affiliate-based RaaS recorded the most victims in this industry (31 out of a total of 115 victims). It also showed a strong focus on this industry, with 50.8% of all its victims (31 out of 61) coming from IT sectors.

LockBit3: Due to its large affiliate base and sheer volume, it presents a high risk (15 of its 209 victims were IT organizations).

Cactus: It has the next highest share of victims in this industry: 14.5% (7 out of 48) of all its victims were IT organizations.

Geographic Distribution
50% of all victims are located in the US, underscoring US dominance in the information technology industry. Next is Israel, currently facing frequent attacks by the Handala group. Italy, Brazil and Spain also recorded higher numbers of victims.

In total, 27 countries recorded ransomware victims in this industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series.

CONCLUSION

In the past 90 days, Information Technology organizations have faced medium to high risks across monitored categories.

APT campaigns: The risk is moderate to high, with 47% of observed APT campaigns targeting the IT sector. Key actors included Ulture (Philippines), CoralRaider (Vietnam), FIN11 (Russia), US17IRGCorp (Iran), and an unknown Thai-speaking group. These campaigns mainly exploited web applications, operating systems, and cloud services. Activity surged in July after a period of calm, impacting geographies aligned with the interests of these threat actors.

Phishing: The risk remains moderate, with IT services being a popular vessel for other phishing themes. Office 365 was the most frequently exploited service, followed by Netflix, Telegram, Outlook, and various webmail providers. Phishing campaigns targeted 53 organizations across 73 countries, with the US being the leading source. Significant activity was also noted in the Netherlands, Germany, Hong Kong, and India, with growing sources and targets in Southeast Asia, Latin America, and Africa.

Ransomware: The IT industry faces a high ransomware risk, ranking 4th out of 14 industry categories and accounting for 8.8% of all ransomware victims. IT services, IT consulting, and software development sectors were the most frequent targets. Monthly activity remained steady, with a spike in June driven by RansomHub. In the past 90 days, 34 ransomware groups targeted the industry, with RansomHub, LockBit3, and Cactus posing significant risks. Victims were widespread, with 50% in the US and significant activity in Israel, Italy, Brazil, and Spain, affecting 27 countries overall.