Financial motivation drives hackers: BI.ZONE study records 76% of attacks as money-motivated

Agent Tesla spyware ranked first among cyber threats in Russia in 2023.

BI.ZONE published an annual study of cyber threats and hacker groups operating in Russia. The Threat Zone 2024 report is based on an analysis of data collected by experts from incident response, monitoring, and cyber intelligence units.

According to Teymur Kheirkhabarov, Director of the Department of Cyber Threat Monitoring, Response and Research at BI.ZONE, in 2023 BI.ZONE tracked 50 groups that attacked Russian companies. The company's specialists processed 580,000 suspected incidents and responded to 2,000 cyber incidents. Of these 2,000 incidents, 100 were highly critical. Based on these data, information security experts drew conclusions about the key trends that determined changes in the Russian cyber landscape.

By industry, 15% of all attacks occurred in retail, 12% each in industry, energy, and finance and insurance, and 10% in the transport sector. 9% of incidents affected the public sector and 8% IT companies. Shares of other industries: engineering 5%, communications 5%, education and science 5%, construction 4%.

According to the study, financial gain remains the main motive for attackers, accounting for 76% of all attacks. The attackers distributed ransomware, extorted ransom, and gained direct access to the victims' financial assets.

In 2023, cybercriminals began to actively use specially created resources to publish data about their victims if the victims refused to pay a ransom. In addition, financially motivated attackers differ in their level of training: among them are experienced hackers with deep technical knowledge and cybercriminals with a low level of training, who rely mainly on simple commercial malware.

Commercial malware, or cracked versions of it, is the most popular. Attackers disguise malware as legitimate documents using a double extension (for example, .pdf.exe) and distribute such programs through phishing mailings, malvertising (malicious advertising), and search-result poisoning.
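The double-extension disguise mentioned above is easy to catch at a mail gateway or file-upload boundary, because the real (last) extension is executable while an earlier extension imitates a document. The following is an added example, not code from BI.ZONE or from the report: it flags such attachment names in a few constructed mail-gateway log lines. The log format, field names and sample addresses are assumptions made for the example.

```python
import re

# Extensions that attackers use as the "decoy" part of the name (look like documents/images).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt", "rtf"}

# Extensions that Windows will actually execute or script-run when the file is opened.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "ps1", "lnk"}


def is_double_extension(filename: str) -> bool:
    """True if the file's real extension is executable and an earlier extension imitates a document.

    'Invoice.pdf.exe' -> True, 'report.final.exe' -> False, 'archive.tar.gz' -> False.
    """
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    parts = [p.strip() for p in base.split(".")]                    # tolerate stray whitespace
    if len(parts) < 3:
        return False  # need at least name + decoy extension + real extension
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return False
    # any extension between the file name and the real extension that looks like a document is the decoy
    return any(p in DECOY_EXTENSIONS for p in parts[1:-1])


# Constructed sample log lines in an assumed mail-gateway format (not real traffic).
SAMPLE_LOG = """\
2023-06-14T09:12:31Z mailgw from=vendor@example.com to=accounting@corp.example attachment="Invoice_2023-06.pdf.exe" size=412672
2023-06-14T09:15:02Z mailgw from=hr@corp.example to=all@corp.example attachment="Policy_update.pdf" size=98231
2023-06-14T09:20:45Z mailgw from=partner@example.org to=sales@corp.example attachment="Contract_scan.jpg.scr" size=301056
2023-06-14T09:22:10Z mailgw from=it@corp.example to=ops@corp.example attachment="backup.tar.gz" size=5021000
"""

_LINE_RE = re.compile(r'from=(?P<sender>\S+)\s+to=\S+\s+attachment="(?P<name>[^"]+)"')


def flag_attachments(log_text: str) -> list[tuple[str, str]]:
    """Return (sender, attachment name) for every log line whose attachment uses a double extension."""
    flagged = []
    for line in log_text.splitlines():
        m = _LINE_RE.search(line)
        if m and is_double_extension(m.group("name")):
            flagged.append((m.group("sender"), m.group("name")))
    return flagged


if __name__ == "__main__":
    for sender, name in flag_attachments(SAMPLE_LOG):
        print(f"ALERT double extension: {name!r} from {sender}")
```

The check deliberately keys on the last extension only: a name like `archive.tar.gz` or `report.final.exe` is left alone, so the rule produces alerts only for the document-lookalike pattern the report describes rather than for every multi-dot file name.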

The most popular malware among cybercriminals in 2023 was Agent Tesla, which was used in 22% of attacks. In one incident with its use, 400 Russian companies were compromised in a single day.

In 2023, 15% of attacks were related to espionage, and 5 new hacker groups were discovered. In addition, in 2023 several clusters of groups that previously had a financial motivation switched to espionage, and clusters that attack using more primitive methods and commercial malware appeared.

According to the study, hacktivism accounted for only 9% of attacks. Hacktivists began to move from mass attacks to more targeted ones aimed at organizations that cause a public outcry. Criminals actively published messages about attacks in their Telegram channels and posted the received confidential data.

Attacks through IT contractors using legitimate credentials have become a new trend. Previously, hackers simply extorted money from hacked suppliers, but in 2023 they began to develop attacks on contractor customers more often. In addition to attacks through contractors, attackers most often penetrated the IT infrastructure through phishing, exploiting vulnerabilities in publicly available applications, or using remote access services for employees available from the Internet.

In the attacks, the attackers widely used common pentesting tools and built-in OS utilities. Among them, the popularity of Adminer and Gsocket for remote access and data theft has grown.

After successful penetration, cybercriminals spent an average of 25 days in the compromised infrastructure before detection. For ransomware, this period was reduced to 5 days; in the case of espionage, hackers could remain undetected for months or years.