Understanding how cybercriminals operate is crucial in order to properly protect ourselves from a possible cyberattack. If we know what tactics, techniques and procedures they use – and monitor how these evolve over time – there is a better chance of staying one step ahead and successfully preventing attacks before they cause the intended damage.
In recent years we have seen considerable changes in the way cyber gangs operate and who they target. Their tactics will continue to evolve, which is why we have a dedicated investigation team who specialise in scrutinising major cyber incidents so we can learn, adapt, and better prevent and mitigate the threats facing those we protect.
Kaspersky’s Computer Incident Investigations Department focuses on Russian-speaking cybercriminals, as most of the recent major cyber incidents have been attributed to Russian-speaking groups.
That’s the benefit of our Russian roots – we can dig into cybercriminal activity from within the Eastern front and provide this intelligence to our customers all over the world. We investigate, detect and neutralise threats regardless of their origin or purpose.
Since the start of 2020, our team has looked into over 500 cyber incidents involving Russian-speaking criminals and noted several changes in the way they work. Here are five notable shifts its investigations have identified:
- Russian cyber gangs as we knew them are gone. Cybercriminals are less and less tied to each other; the stable groups no longer exist. They have become very effective at outsourcing and purchasing access to hacked organisations and the tools they need to exploit that access.
- Cybercriminals rarely develop their own malware any more. Malicious tools are now far more accessible online, from leaked or deliberately released source code to commercial remote access software and publicly available penetration testing tools. This saves criminals a great deal of money, as they no longer need to invest time and resources in writing malware from scratch.
- Client-side attacks are on the decline. Just five years ago, simply visiting a news website could be enough to infect your computer: malware was delivered through security holes in popular browsers and their plugins, with widely visited sites such as news platforms used to reach victims. Thanks to improvements in browser security and automatic updates, it is now much harder and more expensive for criminals to attack this way. Instead they send spear-phishing emails, luring people into opening malicious attachments that then exploit a vulnerability in the application that opens them, one the criminals hope has not yet been patched.
- The vulnerabilities market got a remake. Client-side infections used to rely heavily on vulnerabilities: entire teams would search for them and write exploits for particular weaknesses, adapted for different operating systems. Such exploits still exist, but they now target document formats (such as PDF or Word) rather than browsers, which makes the infection process more difficult and expensive. This is partly because the applications have become more complex and gained better security mechanisms. It is also because a browser exploit kit can profile the victim’s browser, plugins and versions before choosing an exploit, whereas a malicious file hidden in a document is fire-and-forget: the attacker gets no such feedback from the victim’s device and must commit to an exploit in advance.
- Cybercriminals are on a digital transformation journey. Previously, cybercriminals would rent servers, or they tried to throw investigators off the scent by operating from compromised servers belonging to legitimate organisations, making the activity hard to trace back to them. Managing this infrastructure became harder and less profitable over time, so, like the rest of us, cybercriminals have since transitioned to the cloud.
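The shift described above, from browser drive-bys to booby-trapped documents sent by spear-phishing, is the one a mail gateway or analyst most often has to triage. The following is an added example, not code from the original post or from Kaspersky’s own tooling: a small static triage script that flags the document features criminals rely on for that delivery path (VBA macro streams, embedded OLE objects and remote-template relationships in Office Open XML files, and JavaScript, auto-run and launch actions in PDFs). The indicator names, the minimal sample files and the verdict wording are this example’s own constructions; the samples are built inline so the script runs offline.

```python
"""Static triage of e-mail attachments for document-borne delivery.

Looks for the features attackers use in macro/exploit documents:
- OOXML (docx/xlsx/pptx): vbaProject.bin, embedded OLE objects,
  relationships with TargetMode="External" (remote template injection)
- PDF: /JavaScript, /OpenAction, /Launch, /EmbeddedFile
Indicator names and sample files are constructed for this example.
"""
import io
import re
import zipfile

OOXML_MAGIC = b"PK\x03\x04"                              # OOXML files are ZIP archives
LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # binary .doc/.xls compound files
PDF_MAGIC = b"%PDF"

VBA_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
OLE_OBJECT_RE = re.compile(r"/embeddings/oleObject\d*\.bin$", re.IGNORECASE)
EXTERNAL_REL_RE = re.compile(rb'TargetMode="External"', re.IGNORECASE)

# PDF features that give an attacker code execution or an auto-fire trigger
PDF_INDICATORS = {
    "pdf_javascript": re.compile(rb"/(JavaScript|JS)\b"),
    "pdf_open_action": re.compile(rb"/OpenAction\b"),
    "pdf_launch": re.compile(rb"/Launch\b"),
    "pdf_embedded_file": re.compile(rb"/EmbeddedFile\b"),
}


def scan_ooxml(data):
    """Walk the ZIP entries of an Office Open XML file and collect indicators."""
    flags = set()
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"corrupt_container"}
    with archive:
        for name in archive.namelist():
            if VBA_RE.search(name):
                flags.add("vba_macro")
            if OLE_OBJECT_RE.search(name):
                flags.add("ole_object")
            # A .rels entry with TargetMode="External" can pull a remote template
            if name.endswith(".rels") and EXTERNAL_REL_RE.search(archive.read(name)):
                flags.add("external_relationship")
    return flags


def scan_pdf(data):
    """Regex the raw PDF bytes; adequate for unobfuscated object dictionaries."""
    return {flag for flag, rx in PDF_INDICATORS.items() if rx.search(data)}


def triage(filename, data):
    """Return the detected container type, sorted flags and a verdict."""
    if data.startswith(OOXML_MAGIC):
        kind, flags = "ooxml", scan_ooxml(data)
    elif data.startswith(PDF_MAGIC):
        kind, flags = "pdf", scan_pdf(data)
    elif data.startswith(LEGACY_OLE_MAGIC):
        # Legacy binary Office formats need an OLE parser to locate macro streams
        kind, flags = "legacy_ole", {"legacy_ole_needs_parser"}
    else:
        kind, flags = "unknown", set()
    verdict = "suspicious" if flags else "no static indicators"
    return {"file": filename, "type": kind, "flags": sorted(flags), "verdict": verdict}


def build_sample_docx(macro=False, remote_template=False):
    """Constructed minimal .docx-like archive for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-vba")
        if remote_template:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationship Id="rId1" Target="http://template.example/x.dotm" '
                'TargetMode="External"/>',
            )
    return buf.getvalue()


# Constructed PDFs: one with an auto-run JavaScript action, one plain
SAMPLE_PDF_JS = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
SAMPLE_PDF_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_docx(macro=True)),
        ("quote.docx", build_sample_docx(remote_template=True)),
        ("memo.docx", build_sample_docx()),
        ("statement.pdf", SAMPLE_PDF_JS),
        ("brochure.pdf", SAMPLE_PDF_PLAIN),
    ]
    for name, blob in samples:
        print(triage(name, blob))
```

This is deliberately static and fire-and-forget in the same sense the post describes: it makes no attempt to execute or render the document, so it catches the common macro and remote-template tricks but not exploits hidden inside compressed or encrypted streams, which need a dedicated parser or sandbox detonation.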
Russian-speaking criminals are becoming increasingly smart, sophisticated and spread out. They now target nations, organisations and individuals outside their home country, meaning the pool of potential victims has grown immensely.
Everyone is a target now. That is why it is so important to understand how cybercriminals work.
Let’s all protect ourselves to bring on a safer tomorrow. We all can – and should – stay abreast of cyber developments by using public forums like local CERTs and sites such as Securelist.
At Kaspersky, we will continue monitoring the evolution of cybercrime, sharing what we find and adapting and enhancing our defence mechanisms accordingly so we can best protect the 400 million people worldwide that use our technologies. Ultimately, this will build a more secure world for everyone.