The new Accenture report has several key findings, such as an alteration with cybercrime operating models, in terms of threat groups operating in “secure syndicates. These are groups which closely collaborate and adopt similar tools in order to automate the cyber-attack process, by mass-producing malicious documents as so to spread malware. The report also discusses the topic of an emerging global disinformation battlefield. With this there is a wider potential impact of disinformation upon global financial markets.
To learn more about the findings, Digital Journal caught up with Howard Marshall, Director of Cyber Threat Intelligence at Accenture Security.
Digital Journal: What are the main cyber threats to businesses?
Howard Marshall: Cyber threats to businesses can come in many forms, and while conventional cybercrime is still prevalent, cybercriminals are exploring new ways to attack companies. Above all, many hackers are still relying on human error as the best way to breach networks.
In our research, we’ve witnessed disinformation campaigns continuing to influence domestic and foreign political sentiment across the globe. This has the potential to directly affect the financial services industry. While malware has typically been sent to internet users via phishing emails, analysts now see an emergence of malware executed through web browsers focused on targeting online merchants and retailers specifically.
Additionally, ransomware attacks have more than tripled in the past two years and we’re seeing an uptick in cases where ransomware is planted directly on networks through network access intrusions. On a global scale, threat actors are paying even closer attention to important global events and are using them as distractions or lures to breach target networks.
DJ: Where are these threats coming from?
Marshall: Cyberthreats are everywhere and as technology advances, so do techniques, tactics and the focus of cybercriminals. When one door shuts, another one can be opened. Cybercriminals are pushing to think outside of the box to find new vulnerable avenues to exploit, for example, targeting companies via their business partners and through the supply chain, to get to the bigger prize instead of directly targeting them.
Threats are now expanding more to state-sponsored activities such as global events or conferences. Nation states are using cybercriminals as a tool to monitor their citizens through manipulation of information on social networks and spyware campaigns.
DJ: How have cybercrime operating models changed in the past year?
Marshall:Cybercriminals are constantly testing the resilience of organizations and updating their techniques. Through our research ,we are seeing cybercriminals establishing new, intricate relationships and use the same tools to better disguise their identities. As businesses invest more in cybersecurity, threat actors are seeking new avenues to compromise organizations, such as targeting their supply chains—including those for software, hardware and the cloud.
We’ve observed several significant changes in cybercrime operations that our analysts have broken down into four distinct sections:
Conventional cybercrime operations: Although conventional cybercrime operations are still prevalent, the report observes crimeware groups have shifted their operating model from one of open partnerships on underground forums to one of close-knit syndicates due to high-profile law enforcement actions.
Localized cybercrime: Localized underground economies continue to emerge in non-English-speaking countries such as China and Brazil, which tend to target their domestic populations due to familiarity with their own societies, cultures and environments.
Targeted attacks: There is an increase in an attack trend known as “big game hunting” where threat actors and groups conduct targeted intrusions for financial gain.
Network access for sale: Network access can be used to carry out a range of malicious activities, and there has been a marked increase in the sale of remote access to compromised networks on underground forums and marketplaces.
DJ: What is the disinformation threat?
Marshall:Disinformation is communication designed to influence perceptions. Tactics can range from outright falsification to the selection and distortion of facts to tell a misleading story.
Those who carry out disinformation seek to target various audiences including depending on whether a state or non-state actor is doing the targeting. Disinformation and other information operations (IO) pursue to “dismiss an opponent’s claims or allegations, distort events to serve political purposes, distract from one’s own activities, and dismay those who might otherwise oppose one’s goals.” Tactics used in IO can include false news, disinformation, or what social media platforms refer to as “false amplifiers”—networks of fake accounts aimed at manipulating public opinion.
DJ: How have ransomware attacks changed? Are these increasing?
Marshall:According to our research, in the last two years, ransomware attacks have more than tripled. Accenture iDefense assesses that ransomware attacks may continue to make substantial amounts of money for threat actors. In addition to financial motives, ransomware attacks often serve ideological and political motives. In addition to delivery via spam campaigns, analysts have witnessed threat groups Nikolay and GandCrab planting ransomware directly on networks through network access intrusions. Actors are offering to sell remote desktop protocol (RDP) access to corporate networks, which they’ve likely gained through compromised servers and RDP brute forcing, to those in underground communities.
DJ: Which business sectors are most at risk from these types of attacks?
Marshall:No industry is an exception to the risk of a cyberattack, although different industries are more prone to certain types of cyberattacks. Our iDefense team has observed that the financial services industry is likely to be targeted in the future by large-scale disinformation efforts due to the high-frequency trading algorithms, which rely on text-driven sources of information.
Globally, threat actors have been homing in on global events and using them to breach networks. State sponsored hacktivism is on the rise and nation states are increasingly outsourcing cyberoperations to cybercriminals.
DJ: What measures should business put in place to lower their risks from attack?
Marshall:As cybercriminals continue to come up with new ways to break through the exterior of a company, pressure is being put on companies to increase their investment in cybersecurity. The more organizations invest in securing their networks and training their staff on how to safely navigate the digital workplace, the harder and more expensive it becomes for threat actors to disrupt or breach networks. Although this won’t stop cyber actors from making attempts to breach networks, these actions can help harden security defenses and decrease the adversary success rate. Companies need to monitor everything from their internal operations, to their supply chain business partner network.
DJ: Do these measures extend to changes to business culture?
Marshall:In this day and age, the measures to lower risk of cyberattacks are imperative and are in place to preserve the integrity, brand, trust and culture within a company. The consequences of many of these attacks are becoming more destructive and irreversible, not to mention the cost to reverse the damage continues to rise. Because of this broaching the subject is only becoming more and more common in the board room – slowly leading to change across entire organizations, internally and externally.
