Self Assessment

CYFIRMA INDUSTRY REPORT : TELECOMMUNICATION AND MEDIA

Published On : 2024-07-29
Share :
CYFIRMA INDUSTRY REPORT : TELECOMMUNICATION AND MEDIA

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the telecommunications & media industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the telecommunications & media industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the telecommunications & media industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.

    In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.

    During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.

    Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.

    Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Telecommunications & Media industry organizations featured in 7 out of the 14 observed campaigns, which is a presence in 50% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

After a period of relative calm, we have observed a resurgence of observed campaigns during June, resulting in a spike of 5 campaigns with victims in Telecommunications & Media industry.

SUSPECTED THREAT ACTORS

The seven observed campaigns are from a variety of threat actors from different countries. Including Unknown Thai speaking Cybercriminals.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 21 different countries.

TOP ATTACKED TECHNOLOGY

Web applications continue to be the most targeted technology across industries, followed by Cloud technologies and Operating systems.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low – *Moderate

In the past 90 days, the telecommunication & media industry has been significantly impacted by advanced persistent threat (APT) campaigns. 50% (7 out of 14) of observed APT campaigns recorded victims affecting this industry.

Monthly Trends
After a period of relative calm, we observed a surge in June during the last 90 days.

Key Threat Actors
No single threat actor has stood out in the past 90 days. Observed campaigns were evenly distributed with one threat actor per campaign. They also come from different countries, Volt Typhoon and Stone Panda from China, CoralRaider from Vietnam, FIN11 from Russia, US17IRGCorp from Iran and an unknown Thai-speaking group.

Geographical Impact
Observed geographies align with the interests of the threat actors. Nation-state groups have an interest in rival countries and regional cybercrime is looking for victims at home and region.

Targeted Technologies
Web applications, operating systems and cloud services are top – attacked technologies.

PHISHING ATTACKS IN THE TELECOMMUNICATIONS & MEDIA INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 15,794 phishing campaigns themed around telecommunication & media industry out of a total of 252,771.
The combined Telecommunications and Gaming themes comprise 6.25% of all observed phishing.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

AT&T and Chinese Central television are top two most impersonated brands. From gaming, platforms Steam and Garena are also among the most impersonated. In total 66 brands were impersonated.

TOP COUNTRIES OF ORIGIN (ASN)

The geographical sources of observed phishing campaigns show that most of them come from the US. Nearly all observed Chinese origin phishing is related to CCTV theme.

PISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The telecommunications & media sectors remain popular phishing themes due to the direct monetization avenue for threat actors and valuable account takeovers, such as gaming platforms.
AT&S stands out as the most impersonated brand, indicating a large U.S. phishing campaign in the last 90 days. Following this, China Central TV (China), British Telecom (UK), and Steam (US/Global) are also significantly targeted.

Overall, the list includes 66 organizations from 44 countries. Many national and regional telcos present underscore the worldwide nature of these threats.

ASN-origin data reveals that the United States is the leading source of phishing emails impersonating telecommunications organizations, reflecting the sheer size of the market in the U.S. and the vast number of compromised devices used in botnets to send phishing emails. Significant activity is also observed in the Netherlands, Canada, and Germany for similar reasons.

Southeast Asia and Latin America are steadily growing as sources and targets of global finance-themed phishing.

The presence in both developed and developing nations highlights that phishing campaigns are opportunistic and globally pervasive. Regional variations suggest more sophisticated attacks in high-count countries, while lesser-known regions like Kazakhstan show expanding attacker reach.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 43 verified ransomware victims in the telecommunications & media industry. This accounts for 3.6% of the overall total of 1,212 ransomware victims during the same period.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

Combined Telecommunications and Broadcasting are the most frequent victims of ransomware in the telecommunications & media industry.

INDUSTRY MONTHLY ACTIVITY CHART

Considering just a few days of April, we can see a sustained interest with a remarkably consistent number of victims each month.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity provides insights into which gangs were active each month. LockBit3 came back in May, RansomHub was active in June and Hunters recorded many victims in July.

INDUSTRY RANSOMWARE VICTIMS PER GANG

ALL RANSOMWARE VICTIMS PER GANG

Comparing the telecommunications & media industry to all recorded victims, none of the gangs particularly stand out with a high percentage of victims in this industry. The highest is Handala with 4 out of 36 (11.1%).

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total 23 countries recorded ransomware victims with the US alone accounting for ~30% of all victims.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The telecommunications & media industry ranked 12th out of 14 industry categories. Encompassing 3.6% of all ransomware victims, it faces a significant ransomware risk.
Combined telecommunications broadcasting sectors were the most frequent victims.

Monthly Activity Trends

Ransomware activity in this industry has shown sustained numbers of victims each month.
LockBit3 returned in May, RansomHub was active during June, and Hunters in July.

Ransomware Gangs
A total of 23 out of 57 active ransomware groups targeted the telecommunications & media industry in the past 90 days:

Handala: 11.1% of their victims were from this industry (4 out of 36 victims). They are specifically targeting Israeli organizations in relation to ongoing conflict and telecommunications are among primary targets.

Ransomhub: Growing affiliate-based RaaS recorded the most victims in this industry (7 out of 148 victims).

Lockbit3: Due to its large affiliate base and sheer volume, it presents high risk (6 out of 189 victims).

Geographic Distribution
30% of all victims are located in the US. Followed by Israel (4 victims) which is being targeted by a dedicated group in retaliation for the ongoing conflict

In total, 23 countries reported ransomware victims in this industry

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the past 90 days, telecommunications & media organizations have faced moderate risk across monitored categories.

APT Campaigns: The industry has been significantly impacted, with 50% of observed APT campaigns targeting it. Key actors included Volt Typhoon and Stone Panda (China), CoralRaider (Vietnam), FIN11 (Russia), US17IRGCorp (Iran), and an unknown Thai-speaking group, reflecting a diverse array of threats from various nation-state and regional cybercriminal groups. These campaigns mainly exploited web applications, operating systems, and cloud services. Activity surged in June after a period of calm, impacting geographies aligned with the interests of these threat actors.

Phishing: The risk remains moderate due to the direct monetization potential and valuable account takeovers, such as gaming platforms. AT&S was the most impersonated brand, followed by China Central TV, British Telecom, and Steam. Phishing campaigns impersonated 66 organizations across 44 countries, with the US being the leading source. Significant activity was also noted in the Netherlands, Canada, and Germany. Southeast Asia and Latin America are growing sources and targets.

Ransomware: The industry faces a moderate ransomware risk, ranking 12th out of 14 industry categories and encompassing 3.6% of all ransomware victims. The telecommunications and broadcasting sectors were frequently targeted. Monthly activity remained steady, with notable involvement from LockBit3, RansomHub, and Hunters. In the past 90 days, 23 ransomware groups targeted the industry, with Handala group specifically focusing on Israeli organizations. The geographic distribution of victims was widespread, with 30% in the US and significant activity in Israel. Overall, 23 countries reported ransomware victims in this sector.