# Main incidents in the EU and worldwide

From January 2019 to April 2020

## Overview

The sophistication of threat capabilities increased in 2019, with many adversaries using exploits, credential stealing and multi-stage attacks. The number of data breach incidents is still very high, and the amount of stolen financial information and user credentials is growing. In some cases, the failure to patch, within a reasonable timeframe, a known vulnerability that has the potential to affect software or libraries in use may have serious repercussions.

During the past decade, malware has made ENISA’s list of top 15 threats, yet many security systems are still not able to detect this threat. For many years, malware was spread mainly through malicious e-mail spam and, more recently, through finely crafted phishing messages. Technology companies and e-mail providers alike invested in spam filters, improving the detection of malicious attachments. However, adversaries are now innovating to increase their chances of reaching potential victims, and many of these innovations have paid off for malicious actors during this period.

The COVID-19 pandemic has put healthcare organisations and professionals worldwide under pressure, and health has become one of the most critical sectors to protect against cyberattacks. The number of incidents involving ransomware targeting the healthcare sector was already high but increased during the pandemic.

### Top data breach incidents

Figure: bar chart of the largest data breach incidents of the period. The values shown are 8, 39, 202, 275, 620, 770 and 808 (presumably millions of records, matching the 620, 770 and ca. 800 million figures cited in the text).

## Timeline

### 2019

- **January**: MEGA cloud (NZ) suffered a data breach exposing 770 million e-mails and 21 million passwords.[1]
- **February**: Verification.io (US) exposed ca. 800 million records.[2]
- **March**: Norsk Hydro (NO) victim of a ransomware attack.[3]
- **June**: Five hospitals in Romania (RO) hit by Bad Rabbit ransomware.[6]
- **July**: City Power (ZA) victim of a ransomware attack disrupting the energy supply in Johannesburg.[7]
- **August**: Bulgarian (BG) Personal Tax Revenue office suffered a data breach exposing PII from all adult citizens.[8]
- **September**: Mastercard (BE) suffered a data breach affecting ca. 90K customers in Europe.[9]
- **October**: UniCredit (IT) victim of a data breach leaking 3M records.[10] Websites and the national TV broadcaster in Georgia (GE) suffered a coordinated cyberattack.[30]
- **November**: Prosegur (SP) suffered a ransomware attack disrupting its operations.[11]

### 2020

- **January**: Austria’s Foreign Ministry (AT) targeted by a cyberattack.[12]
- **February**: INA Group (HR) victim of a ransomware attack.[13]
- **March**: ENTSO-E (BE) network compromised, victim of an intrusion.[14]
- **April**: Over 500K Zoom (US) accounts found for sale on the dark web.[31]

## Most targeted sectors

### In the line of fire

The sectors most targeted during this period were digital services, government administration and the technology industry. Attacks on digital service providers often serve as proxies to reach other, more attractive targets. In contrast, attacks on the technology industry allowed malicious actors to compromise the supply chain or look for vulnerabilities to exploit.

The e-mail platform verifications.io[18] suffered a major data breach due to an unprotected MongoDB database. Data from over 800 million e-mails were exposed, containing sensitive information that included personally identifiable information (PII).

Over 770 million e-mail addresses and 21 million unique passwords were exposed on a popular hacking forum, hosted on the cloud service MEGA.[1] It became the most significant collection of breached personal credentials in history, named ‘Collection #1’.

The cloud and virtualisation provider Citrix was a victim of a targeted cyberattack.
To gain access to Citrix’s systems, the attackers exploited several critical software vulnerabilities, such as CVE-2019-19781, and employed a technique called password spraying. The cloud hosting provider iNSYNQ[19] experienced a ransomware attack that left customers unable to access their data for more than a week, forcing them to rely on local backups.

### Most targeted sectors

- **Digital services**: Services such as e-mail, social and collaborative platforms and cloud providers were under attack during 2019. These were also used as proxies for further attacks.
- **Government administration**: The financial returns from ransoms paid make the public sector one of the most attractive targets for ransomware attacks.
- **Technology industry**: The technology industry was under attack in 2019 mainly through supply chain attacks trying to compromise the development of software through zero-day exploits and backdoors.
- **Financial**: The number of incidents involving financial organisations, and not necessarily banks, increased substantially during the reporting period.
- **Healthcare**: The number of attacks against the healthcare sector continues to grow.

## Trends

### Across the board

- In 2019, intense trojan activity was observed across the globe. Emotet and Agent Tesla were the most frequent and dangerous [malware](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-malware).
- **[Phishing](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl2020-phishing)** remained one of the most successful techniques for delivering malicious tools. Powerful phishing lures include phone scams, fake invoices, payments, quotations and purchase and sales orders.
- **[Ransomware](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-ransomware)** continues to generate substantial financial rewards for malicious actors. A recent study identified human-operated ransomware campaigns,[17] in which adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks such as those from nation-state actors.
- **Card-skimming schemes** have become a significant threat during 2019 and 2020 due to the increasing number of online shoppers.
- **Business e-mail compromise (BEC)** is a growing threat as a result of the vast amount of credentials and personal information stolen during the last decade.
- Companies experience an average of 12 credential-stuffing attacks each month, wherein the attacker is able to identify valid credentials.

### Findings

- **84%** of cyberattacks rely on social engineering.
- **67%** of malware was delivered via encrypted HTTPS connections.[34]
- **230,000** new strains of malware every day.
- **6 months** on average is what it takes to detect a data breach.
- **71%** of organisations experienced malware activity that spread from one employee to another.[35]

## Actors

### Who

Knowing who is responsible for a cybersecurity incident, or attributing it to a person or a group, is still a very daunting task and often a worthless exercise. Yet, from a threat intelligence perspective, it is essential to classify behaviours and understand the dynamics and modus operandi used by certain adversaries. This analysis often helps defenders look for specific tracks and try to anticipate the next adversarial action.

The Lazarus Group, for example, an allegedly state-sponsored advanced persistent threat (APT) group, was reportedly more active during the reporting period in both financially and espionage-motivated attacks.
The group has been associated with several incidents, including the AppleJeus campaign targeting cryptocurrency trading platform users and their systems.[22] Major incidents attributed to this group include:

- hacking an Indian nuclear power plant and space research organisation in November 2019;
- compromising a cryptocurrency trading app targeting exchange administrators in October 2019;
- attacking automated teller machines (ATMs) and banks in India, identified in September 2019;
- targeting Android users in South Korea through trojanised apps in the Google Play Store, identified in August 2019.

## Motivations

### Why

While it is challenging to determine the primary motivation behind a cyberattack, we can still categorise attacks based on the outcome of the incident.

**Financial:** The number of incidents resulting in the theft of information, data and user credentials is the highest observed during the reporting period. In most cases, the intention is to steal data or information and sell it on the dark web. Other uses of this data, enabling attacks with a completely different outcome such as espionage or financial fraud, can also be identified. More than 620 million account details were stolen from 16 hacked websites and offered for sale on the popular dark-web marketplace Dream Market.

**Espionage:** This is a motive behind an increasing number of reported attacks, mainly due to ongoing geopolitical and commercial tensions. The number of incidents is not substantial, but their size and magnitude put espionage second in ENISA’s list of top 5 motivations. Some noteworthy incidents include one reported in April 2019, in which a General Electric employee and a Chinese businessperson were charged by the United States Department of Justice with economic espionage and theft of General Electric’s trade secrets.[20] Agence France-Presse (AFP) reported that Airbus had fallen victim to a sophisticated cyber-espionage campaign. Attackers reportedly breached the IT systems of several of Airbus’s suppliers and, from there, penetrated the company’s IT systems.[21]

Top five motivations: financial, espionage, disruption, political and retaliation.

### Top motivations

Figure: the motivations depicted are financial, espionage, disruption, retaliation and political. The figure shows that financial gain is still the primary motive for the majority of cyberattacks. In some cases, multiple motivations can be identified within a single attack. For example, espionage, political, financial and disruption are often combined motives. Many incidents originate from automated systems and are delivered ‘as-a-service’, paid for in cryptocurrency. These services include distribution of ransomware, command and control (C2), distributed denial of service (DDoS), spam and other illicit activities.

## Attack vectors

### How

Cyberattacks take on average three steps to reach a victim’s valuable assets. When reviewing the most frequently used attack vectors, we must prioritise the entry point, the course of action and the action on assets. These are the most critical stages and each should be addressed by a distinct approach in a defence strategy.

**Entry point:** During 2019, the techniques used most frequently to start a cyberattack included brute force with stolen credentials, social engineering, configuration errors and exploitation of web applications. The exploitation of web applications, for example, was often used as an entry point because of the growing uptake of this type of application to transfer data to the cloud. Errors in cloud configuration and misuse of systems were essential entry points in a large number of incidents. The use of social engineering to plan an attack leverages tools such as phishing and business e-mail compromise (BEC).[16]
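Of the entry-point techniques listed above, brute force with stolen credentials (and the password spraying seen in the Citrix case) is one of the few that leaves a clear trace in ordinary authentication logs. The following is an added example, not code from the ENISA report, of the log triage a defender can run over authentication events: it flags sources whose failures fan out across many accounts with few attempts each (spraying) as opposed to many attempts against a single account (brute force), and lists any successful logins from a flagged source so those accounts can be reset. The log format, thresholds, IP addresses and account names are all constructed for the example.

```python
"""Triage of authentication logs for spraying and brute-force entry points.

Added example; the log format below is hypothetical:
    <ISO-8601 UTC timestamp> src=<ip> user=<account> result=OK|FAIL
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def _line(ts, src, user, result):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} user={user} result={result}"


def build_sample_log():
    """Constructed sample: one spraying source, one brute-force source, one benign user."""
    t0 = datetime(2019, 3, 4, 10, 0, 0)
    lines = []
    # 203.0.113.7: a single failed guess against each of 12 accounts, then a success on 'helpdesk'
    for i in range(12):
        lines.append(_line(t0 + timedelta(seconds=15 * i), "203.0.113.7", f"user{i:02d}", "FAIL"))
    lines.append(_line(t0 + timedelta(minutes=4), "203.0.113.7", "helpdesk", "OK"))
    # 198.51.100.9: nine failures against one account (classic brute force), no success
    for i in range(9):
        lines.append(_line(t0 + timedelta(seconds=10 * i), "198.51.100.9", "carol", "FAIL"))
    # 192.0.2.5: a legitimate user who mistypes once and then logs in
    lines.append(_line(t0 + timedelta(minutes=1), "192.0.2.5", "alice", "FAIL"))
    lines.append(_line(t0 + timedelta(minutes=1, seconds=20), "192.0.2.5", "alice", "OK"))
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"], "user": m["user"], "result": m["result"],
    }


def analyse_auth_log(lines, window=timedelta(minutes=30),
                     spray_min_accounts=10, spray_max_per_account=3,
                     brute_min_failures=5):
    """Return {src: finding} for sources whose failures inside a sliding `window`
    look like password spraying (many accounts, few tries each) or brute force
    (one account, many tries). Successful logins from a flagged source after its
    first failure are listed so the affected accounts can be reset."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window` of time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            kind = None
            if len(per_user) >= spray_min_accounts and max(per_user.values()) <= spray_max_per_account:
                kind = "password_spray"
            elif len(per_user) == 1 and max(per_user.values()) >= brute_min_failures:
                kind = "brute_force"
            if kind:
                first_fail = fails[start]["ts"]
                successes = sorted({e["user"] for e in events
                                    if e["result"] == "OK" and e["ts"] >= first_fail})
                # Later qualifying windows overwrite earlier ones, so the finding
                # reflects the widest view of the activity from this source.
                findings[src] = {"kind": kind, "accounts": len(per_user),
                                 "failures": sum(per_user.values()),
                                 "successes_after_failures": successes}
    return findings


if __name__ == "__main__":
    for src, finding in analyse_auth_log(build_sample_log()).items():
        print(src, finding)
```

The thresholds are deliberately conservative defaults: spraying is recognised only when at least ten distinct accounts fail from one source with no more than three attempts each, which keeps a single user who forgets a password out of the alert set. In production the same logic would run over a SIEM export rather than the constructed sample, and the `successes_after_failures` list is the part worth acting on, since those accounts are the ones whose credentials the source appears to have guessed or reused.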
Other techniques, used less frequently but equally important, are the exploitation of vulnerabilities (in unpatched systems and zero-days) and software backdoors, often used in more complex and sophisticated attacks.

**Course of action:** Installing malware is the technique most widely used during the ‘course of action’ stage. Once installed, it helps the adversary to do reconnaissance, move around the victim’s systems and networks, install additional tools such as ransomware, steal data and communicate with a C2 server.

### Five most desired assets by cybercriminals

1. **Industrial property and trade secrets**: Industrial property and trade secrets are the most desirable assets because of their high value to their owners, the market and, in some cases, the criminal world.
2. **State/military classified information**: This asset includes any information that a state deems sensitive. In 2019, the trade and diplomatic tensions between countries made this type of information even more attractive.
3. **Server infrastructure**: Server infrastructure is the first sensitive asset on this list that is not data. In many attacks, taking over the victim’s server infrastructure is the primary objective.
4. **Authentication data**: Authentication data is a valuable asset for generating profits but also as an objective to support an attack.
5. **Financial data**: Financial data such as credit card, banking and payment information is always of value to cybercriminals.

## Strategic intelligence

### What changed in the landscape with the COVID-19 pandemic?

In 2019, ENISA continued mapping the threat landscape, helping decision-makers and policymakers define strategies to defend citizens, organisations and cyberspace. This work is part of ENISA’s strategy to provide strategic intelligence to its stakeholders. The central theme in 2019 was the next generation of mobile telecommunications, or 5G, following a request from the European Commission and Member States.
The agency will continue to produce these thematic threat landscapes and in 2020 the focus is on artificial intelligence.

The COVID-19 pandemic has been a prolific period for malicious actors conducting attacks targeting sensitive areas such as healthcare service providers and people working from home. ENISA is mapping the threat landscape experienced during the pandemic and advising on mitigation measures that attempt to reduce exposure to threats. ENISA shares its cybersecurity recommendations on the COVID-19 pandemic on a variety of topics, including working remotely, online shopping and e-health, and it provides valuable, up-to-date security advice to the sectors affected.[32]

The Brno University Hospital in the Czech Republic suffered a cyberattack[33] in the midst of the COVID-19 pandemic, which forced it to reroute patients and postpone surgery. The incident is considered critical since this hospital is one of the Czech Republic's biggest COVID-19 testing laboratories.

### COVID-19 threat landscape

ENISA prepared many resources for an awareness-raising campaign and shared other internal and external resources dedicated to cybersecurity experts, covering security issues associated with the challenges faced during the COVID-19 pandemic. One of these resources was an analysis of the most critical threats during this period.

## Related

### ENISA Threat Landscape Report

- **The year in review**: A summary of the cybersecurity trends for the period between January 2019 and April 2020. [READ THE REPORT](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-the-year-in-review)
- **List of top 15 threats**: ENISA’s list of the top 15 threats of the period between January 2019 and April 2020. [READ THE REPORT](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-enisas-list-of-top-15-threats)
- **Research topics**: Recommendations on research topics from various quadrants in cybersecurity and cyberthreat intelligence. [READ THE REPORT](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-cybersecurity-research)
- **Sectoral and thematic threat analysis**: Contextualised threat analysis between January 2019 and April 2020. [READ THE REPORT](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-sectoral-thematic-analysis-of-threats)
- **Emerging trends**: Main trends in cybersecurity observed between January 2019 and April 2020. [READ THE REPORT](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-emerging-trends)
- **Cyber threat intelligence overview**: The current state of play of cyberthreat intelligence in the EU. [READ THE REPORT](https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl2020-cti-overview)

### Other publications

- **Roadmap on the cooperation between CSIRTs and LE**: A roadmap on the cooperation between CSIRTs, in particular national and governmental ones, and law enforcement (LE) and the judiciary. [READ THE REPORT](https://www.enisa.europa.eu/publications/support-the-fight-against-cybercrime-roadmap-on-csirt-le-cooperation)
- **EU MS Incident Response Development Status Report**: A study analysing the current operational incident response set-up within NISD sectors and identifying the recent changes. [READ THE REPORT](https://www.enisa.europa.eu/publications/eu-ms-incident-response-development-status-report)
- **ENISA CSIRT maturity assessment model**: An updated version of the "Challenges for National CSIRTs in Europe in 2016: Study on CSIRT Maturity" published by ENISA in 2017. [READ THE REPORT](https://www.enisa.europa.eu/publications/study-on-csirt-maturity)

> “The sophistication of threat capabilities increased in 2019, with many adversaries using exploits, credential stealing, and multi-stage attacks.” (in ETL 2020)

## About

### The agency

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. More information about ENISA and its work can be found at [www.enisa.europa.eu](http://www.enisa.europa.eu/).

**Contributors:** Christos Douligeris, Omid Raghimi, Marco Barros Lourenço (ENISA), Louis Marinos (ENISA) and all members of the ENISA CTI Stakeholders Group: Andreas Sfakianakis, Christian Doerr, Jart Armin, Marco Riccardi, Mees Wim, Neil Thaker, Pasquale Stirparo, Paul Samwel, Pierluigi Paganini, Shin Adachi, Stavros Lingris (CERT EU) and Thomas Hemker.

**Editors:** Marco Barros Lourenço (ENISA) and Louis Marinos (ENISA).

**Contact:** For queries on this paper, please use [enisa.threat.information@enisa.europa.eu](mailto:enisa.threat.information@enisa.europa.eu). For media enquiries about this paper, please use [press@enisa.europa.eu](mailto:press@enisa.europa.eu).