Cyber Threats 2020: A Year in Retrospect Cyber Threats 2020: A Year in Retrospect Contents Introduction 1 A cyber pandemic 2 Intelligence gathering* 6 Asia Pacific 7 Europe 14 Middle East 17 Information operations 20 Blurring the lines 22 Cyber crime 26 Rise of the defenders 40 Tools, Tactics and Procedures 44 MITRE ATT&CK techniques 51 Sectors 56 Conclusion 62 PwC Cyber Security 63 * This section looks at intelligence gathering and collection activity conducted by threat actors based in different geographic regions. Introduction 2020 saw a distinct shift in the cyber threat landscape, with ransomware becoming the most significant cyber security threat faced by organisations, irrespective of industry sector or location. The COVID-19 pandemic also permeated through the cyber world as threat actors exploited the resulting fear and uncertainty. A greater reliance on remote working brought in to focus the new and existing threats to related technologies and infrastructure. Major shifts in the tactics used by the threat actors behind multiple ransomware families saw mass data exfiltration performed prior to encrypting a victim’s systems. As a result, leak sites came into prominence, bringing the compromise directly into the public domain and increasing pressure on victims to meet ransom demands. The success of such operations brought new players to the market and even attracted established cyber criminal groups to add ransomware to their portfolios. As the demand for ransomware services grew, affiliate programmes and Ransomware-as-a-Service (RaaS) schemes lowered the barrier to entry for inexperienced threat actors. Like the rest of the world, threat actors adapted to the changes brought about by the global pandemic. Both cyber criminals and advanced persistent threat actors (APTs) were quick to incorporate the theme in their phishing emails and document lures. The pandemic theme evolved over time to reflect shifting concerns from the availability of masks, to financial aid schemes, and news about vaccines, showing that most threat actors are willing to exploit any circumstance to make their operations more successful. For the most part, threat actors used these themes to carry out their normal activity, however, response efforts have also been a focal point with vaccine-related research highly sought after by several threat actors. Several themes observed in 2019 continued to play their part in the threat landscape throughout 2020: intelligence gathering activity has continued to align to the geopolitical landscape, mirroring real-world events and the strategic aims of nation states; there has also been a growing trend of threat actors historically aligned to espionage activity being linked to financially motivated activity, in operations likely motivated by personal gain; and the supply chain remained a key target with threat actors looking to exploit privileged access and trusted relationships. In 2020, both the public and private sectors continued to be brazen in attributing cyber attacks and making greater use of legal action to disrupt malicious activity. This report analyses the overarching and thematic trends from 2020, including mapping tools, techniques, and procedures to the cyber threat landscape. Our analysis is based on our in-house intelligence datasets on cyber attacks and targeting from a variety of threat actors, intelligence gleaned from our incident response engagements around the world, and our Managed Cyber Defence service, as well as publicly available information from the cyber security community. This report intends to highlight the most prolific cyber trends PwC observed throughout 2020 and explore their wider impact. A greater reliance on remote working brought in to focus the new and existing threats to related technologies and infrastructure. Cyber Threats 2020: A Year in Retrospect | 1 Cyber Threats 2020: A Year in Retrospect | 2 A cyber pandemic The COVID-19 pandemic has had an unprecedented global impact, with organisations across all sectors having to adapt and find new ways of working. The shift to remote working brought immediate risks and altered the threat landscape for many organisations. Changes to standard work practices and an increased level of messaging has put employees at a greater risk of exploitation through social engineering. At the technical level, the rapid deployment of new VPN endpoints and introduction of online collaboration tools, has not only served to facilitate remote working, but also increased the potential attack surface. PwC has seen both cyber criminals and espionage threat actors taking advantage of this massive shift, with widespread targeting of all sectors and regions. Cyber Threats 2020: A Year in Retrospect | 3 Figure 2 – UK news themed lure content Coronavirus lockdown: What can and can’t you do under new UK laws? Not all parts of government guidance can be enforced by police under the new laws Lizzie Dearden Home Affairs Correspondent @lizziedearden The government has imposed unprecedented restrictions on the British public in an attempt to slow the spread if coronavirus. Boris Johnson initially called for people to voluntarily use social distancing measures, before announcing a lockdown on 23 March. But there are significant differences between the government’s guidance, and the laws that can be enforced by the police with fines and criminal proceedings. There are also differences between the legal restrictions in force in England Wales, Scotland and Northern Ireland. Business as usual As the impact of the virus spread across the globe, threat actors were quick to capitalise on the atmosphere of fear and uncertainty, enticing individuals to open phishing lures or browse to a malicious website. Whilst the use of timely lures mirroring real world events is a common tactic, as a theme, COVID-19 has been abused by both cyber criminals and espionage threat actors on a wide scale. From our observations, the majority of threat actors started using the pandemic as a persistent lure theme by late February 2020, and volumes of COVID-19 themed lures peaked in March, with a significant decrease in the second half of the year. For the most part, the predominant objective has been to continue normal operations, with threat actors making minor updates to their phishing and lure material to incorporate pandemic- related themes. We observed these phishing themes evolve over time to align with shifting priorities.1 At the start of the pandemic, common themes included notifications and advice from healthcare organisations and businesses, the availability of products such as face masks and testing kits, news of vaccines, and remote working. These were in addition to more traditional lures, such as delivery notifications and invoices, which were adapted to include advice or a sense of urgency due to the pandemic. As financial aid schemes were rolled out, we observed spoofed websites designed to harvest credentials or personal information. Figure 1 – Website spoofing Canada’s COVID-19 Emergency Response Benefit (leopardfitness[.]com) 1 ‘Cyber pandemic – two months on’, PwC Threat Intelligence, CTO-TIB-20200603-02A Cyber Threats 2020: A Year in Retrospect | 4 Cyber criminal threat actors were quick on the uptake – in January 2020, an Emotet campaign targeting Japan referenced reports of COVID-19 infections within phishing emails.2 PwC analysed TrickBot spam campaigns which used a range of different social engineering themes, including Personal Protective Equipment (PPE), COVID-19 testing kits and UK government financial compensation packages for furloughed workers.3 These were crafted to induce victims into enabling content on malicious attachments designed to download the malware. We also observed White Austaras (a.k.a. TA505) using a COVID-19 themed phishing email to target users across North America.4 This included targets in the healthcare, manufacturing and pharmaceutical industries in the US;5 this reflected a wider trend by threat actors to exploit the pandemic as a means to distribute both mass and targeted spam campaigns, while public susceptibility to social engineering was likely to be at its highest. Espionage threat actors also made use of COVID-19 themed lures in conducting their campaigns.6 For example, the Vietnam-based threat actor, Scarlet Ioke (a.k.a. OceanLotus, APT32) was observed using a COVID-19 themed lure to target Mandarin speaking victims.7 Decoy documents with content taken from the New York Times and the Chinese Ministry of Agriculture were displayed to the user upon execution, whilst the malicious process ran in the background. This was observed to drop a remote access trojan (RAT) known as DenesRAT as the final payload. Targeted response As the pandemic took hold, the search for a vaccine became a global priority, with breakthroughs in this area seen as a necessary step in getting back to normality. We saw several advanced persistent threat actors (APTs) performing intelligence gathering and collection activities on organisations involved in the research and rollout of vaccine targeting. There are several factors which make this data valuable. On a country level, the ability to produce vaccines and associated treatments domestically would create a level of supply resilience and minimise the costs associated with purchasing from third parties. There may also be a political advantage to be gained from the successful rollout of vaccination schemes. WellMess In July 2020, the UK’s National Cyber Security Centre (NCSC) reported that malware known as WellMess was used to perform intelligence gathering from several organisations involved with COVID-19 vaccine development.8 The activity was attributed to the Russia-based threat actor, Blue Kitsune (a.k.a. APT29). WellMess is a highly versatile backdoor; we have analysed samples written in both. NET and Go, with the latter seen in 32-bit and 64-bit variants as both ELF and PE files, allowing for deployment to different architectures.9 It has several robust network communication methods and a wide range of functionality including the ability to run PowerShell scripts post-infection. Through our analysis, we observed strings used as file paths which likely indicate the exploitation of COVID-19 research facilities by the threat actor. These correspond to a Canadian vaccine research company and the University that stood up the Research Headquarters for Epidemic Prevention and Control with the Chinese Academy of Science.10 2 ‘Coronavirus Goes Cyber With Emotet’, IBM, https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b 3 ‘Cyber pandemic – two months on’, PwC Threat Intelligence, CTO-TIB-20200603-02A 4 ‘TA505 exploiting COVID-19’, PwC Threat Intelligence, CTO-TIB-20200420-01A 5 �‘TA505 and Others Launch New Coronavirus Campaigns; Now the Largest Collection of Attack Types in Years’, Proofpoint, https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack 6 ‘APT using COVID content for targeted attacks| CREST Webinar’, YouTube, https://www.youtube.com/watch?v=nYC0AWQ3tXo (24th November 2020) 7 ‘New name, same me – Scarlet Ioke targets China’, PwC Threat Intelligence, CTO-TIB-20200505-01A 8 ‘Advisory: APT29 targets COVID-19 vaccine development’, NCSC, https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development (16th July 2020) 9 �‘How WellMess malware has been used to target COVID-19 vaccines, PwC, https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html (16th July 2020) 10 �‘Analysis of WellMail malware’s Command and Control (C2) server’, PwC, https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html (17th September 2020) https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns- https://www.youtube.com/watch?v=nYC0AWQ3tXo https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html Cyber Threats 2020: A Year in Retrospect | 5 An AppleSeed a day Between late August and November 2020, we observed North Korea-based threat actor Black Banshee (a.k.a. Kimsuky) registering domains impersonating a number of entities in the healthcare and pharmaceutical sectors and involved in COVID-19 vaccine and treatment research in Europe and South Korea, as well as the World Health Organisation (WHO).11 Further domains impersonating other entities in the biopharmaceutical space had infrastructure overlaps with command and control (C2) servers for AppleSeed and FlowerPower, two malware families we attribute uniquely to Black Banshee.12 Although the WHO has confirmed that North Korea would be among the low-income countries to be supported in the COVAX Advance Market Commitment agreement to allow access to COVID-19 treatment drugs and vaccination, and despite North Korean government officials denying that there have been any COVID-19 cases in the country, North Korea continues to be under international sanctions and cut off from the international research community. It is likely that Black Banshee’s uptick in COVID-19 related activity was motivated by intelligence gathering, as vaccine and treatment trials were underway. A Charming phish Iran-based threat actor Yellow Garuda (a.k.a. Charming Kitten) was observed by PwC using a fake Yahoo login page that almost certainly looked to be targeting the email account of an executive within a major pharmaceutical company working on the COVID-19 vaccine.13 This activity was in alignment to open source reports that the same pharmaceutical company was being targeted by the threat actor.14 The campaign involved the use of a domain attempting to obtain a two-factor authentication (2FA) code for this email account, which the threat actor could subsequently use to bypass the email’s security check. Given the profile of the victim and our understanding of how Yellow Garuda conducts its campaigns, it is likely that the individual was targeted as a means to gaining access to corporate information. 11 �‘Black Banshee targets COVID-19 research’, PwC Threat Intelligence, CTO-TIB-20201007-01A 12 ‘One AppleSeed a day keeps COVID-19 away’, PwC Threat Intelligence, CTO-QRT-20201113-02A 13 �‘Yellow Garuda and COVID-19’, PwC Threat Intelligence, CTO-QRT-20200511-01A 14 �‘Exclusive: Iran-linked hackers recently targeted coronavirus drugmaker Gilad –sources’, Reuters, https://www.reuters.com/article/us-healthcare-coronavi- rus-gilead-iran-ex/exclusive-iran-linked-hackers-recently-targeted-coronavirus-drugmaker-gilead-sources-idUSKBN22K2EV (8th March 2020) 15 �‘People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations’, CISA, https://www.cisa.gov/sites/default/files/publications/Joint_FBI-CI- SA_PSA_PRC_Targeting_of_COVID-19_Research_Organizations_S508C.pdf.pdf (13th May 2020) 16 �‘Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Con- fidential Business Information, Including COVID-19 Research’, US Department of Justice, https://www.justice.gov/opa/pr/two-chinese-hackers-working-minis- try-state-security-charged-global-computer-intrusion (21st July 2020) 17 ‘You fool, ufo0lxy’, PwC Threat Intelligence, CTO-SIB-20200811-01A Probing for vulnerabilities In May 2020, the US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint announcement concerning the targeting of COVID-19 research organisations by China-based threat actors. It was reported that threat actors had attempted to obtain data concerning vaccines, treatments and testing from ‘networks and personnel affiliated with COVID-19-related research’.15 This announcement aligns with accusations made in an indictment against two Chinese nationals, unsealed by the US Department of Justice (DOJ) in July 2020.16 The indictment accused the individuals of conducting intelligence gathering cyber attacks in alignment to state interests, as well as financially motivated attacks for personal gain. Whilst the list of alleged attacks went back to 2009, the individuals were also accused of probing for vulnerabilities in organisations involved in the development of COVID-19 vaccines, testing technology, and treatments. However, it is noted that their focus on healthcare preceded the COVID-19 pandemic.17 https://www.reuters.com/article/us-healthcare-coronavirus-gilead-iran-ex/exclusive-iran-linked-hackers-recently-targeted-coronavirus-drugmaker-gilead-sources-idUSKBN22K2EV https://www.reuters.com/article/us-healthcare-coronavirus-gilead-iran-ex/exclusive-iran-linked-hackers-recently-targeted-coronavirus-drugmaker-gilead-sources-idUSKBN22K2EV https://www.cisa.gov/sites/default/files/publications/Joint_FBI-CISA_PSA_PRC_Targeting_of_COVID-19_Research_Organizations_S508C.pdf.pdf https://www.cisa.gov/sites/default/files/publications/Joint_FBI-CISA_PSA_PRC_Targeting_of_COVID-19_Research_Organizations_S508C.pdf.pdf https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion Cyber Threats 2020: A Year in Retrospect | 6 Intelligence gathering Throughout 2020, there was continued alignment between the cyber threat landscape and geopolitical events, with cyber activity seemingly conducted in support of nation state strategy. In this section, we look at intelligence gathering and collection activity conducted by threat actors based in different geographic regions. Cyber Threats 2020: A Year in Retrospect | 7 The view from Pyongyang Late 2019 saw the collapse of bilateral talks between the US and North Korea, which had aimed to defuse military tension and nuclear proliferation, with the potential for North Korea to obtain some reprieve from international sanctions. Under these conditions, Kim Jong Un’s New Year Address to the Workers’ Party of Korea set out to reorientate strategic priorities. In particular, the intention not to act in order to alleviate international sanctions, but to achieve national strategic objectives in spite of them. This includes the continued development of a nuclear force and a rearrangement of the country’s current economic disposition. Throughout 2020, North Korea-based threat actors maintained a very high operational tempo. PwC observed these threat actors conducting multiple campaigns on a global scale, in pursuit of complementary and at times overlapping targets, in overall alignment with the national interests of North Korea. Black Artemis Show, don’t tell: the ShowState campaign Throughout 2020, we observed Black Artemis (a.k.a. HIDDEN COBRA, Lazarus Group) aggressively pursuing companies and individuals in the aerospace and defence industry, as well as organisations and individuals dealing in cryptocurrency, as part of a persistent, coordinated campaign we call ShowState.18 The campaign featured significant social engineering efforts. Individual victims at targeted organisations were lured into opening malicious attachments, which mainly contained job descriptions for roles at prominent aerospace and defence companies in the UK, the US, as well as India, among other countries. Public threat intelligence reporting that aligns with the ShowState campaign, also suggested that threat actors created ad-hoc LinkedIn profiles to reach out to individual victims, establish a rapport, and deceive them into opening the job specification files.19,20,21 Recruitment-themed social engineering of victims at targeted organisations is a tactic that Black Artemis has used on several occasions in the past, as we noted in our ‘Cyber Threats 2019: Year in Retrospect’ report.22 In the ShowState campaign, the job specification lures were weaponised with malicious macros that would drop and execute a next-stage DLL, along with the appropriate arguments to run the backdoor we call ShowState. We have identified variants, including a 2020 Mach-O variant, of the same backdoor, which is also known as BLINDINGCAN and was the subject of a US-CERT Malware Analysis Report in August 2020,23 going as far back as 2017. Asia Pacific 18 ‘Artemis Banshee and Shoggoth walk into a bar’, PwC Threat Intelligence, CTO-TIB-20200630-02A 19 �‘Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies’, ESET, https://www.welivesecurity.com/2020/06/17/operation-inter- ception-aerospace-military-companies-cyberspies/ (17th June 2020) 20 �‘Operation North Star A Job Offer That’s Too Good to be True?’, McAfee Labs, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation- north-star-a-job-offer-thats-too-good-to-be-true/ (29th July 2020) 21 ����‘Operation ‘Dream Job’ Widespread North Korean Espionage Campaign’, ClearSky Security, https://www.clearskysec.com/wpcontent/uploads/2020/08/Dream- Job-Campaign.pdf (13th August 2020) 22 �‘Cyber Threats 2019: A Year in Retrospect’, PwC Threat Intelligence, https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retro- spect.html 23 ��‘Malware Analysis Report (AR20-232A) – MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN’, US Cybersecurity & Infrastructure Security Agency (CISA), https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a (19th August 2020) Throughout 2020, North Korea- based threat actors maintained a very high operational tempo. https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/ https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/ https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retrospect.html https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retrospect.html https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a Cyber Threats 2020: A Year in Retrospect | 8 From Black Artemis to Mac Artemis In May 2020, US-CERT released an advisory on a malware family known as COPPERHEDGE, that PwC has tracked for several years as Manuscrypt. In 2020, Black Artemis developed several new variants of Manuscrypt across multiple platforms, including PowerShell, ELF, and Mach-O samples in addition to the known x86 and x64 Portable Executable variants.24 Its efforts to develop or update its custom tools in order to target MacOS have been ongoing since at least 2018, as evidenced by public reports, 25 and have included a multi-platform plugin-based malware framework known as MATA26 or Dacls RAT.27 Its efforts in this area likely reflect a need to widen its targeting capabilities, particularly in relation to cryptocurrency exchanges and platforms – its early macOS campaigns specifically trojanised trading applications.28 Black Banshee Black Banshee (a.k.a. Kimsuky, THALLIUM) also ramped up its operational tempo from 2019, both in terms of the number of attacks and its victims. In 2020, we observed Black Banshee continue campaigns using known malware like BabyShark and GoldDragon, as well as introducing new malware families such as AppleSeed (a.k.a. AutoUpdate) and FlowerPower. Infrastructure for deception Similar to Black Artemis, we also observed Black Banshee make renewed efforts to socially engineer victims through multiple means. The threat actor continued to use suitably timely lure documents with themes that would be relevant to targets. For example, we tracked Black Banshee’s use of lures themed around the US presidential election in early November 2020, and about post-election predictions on US foreign policy thereafter.29 Additionally, Black Banshee continued to build and operate a large network of internet infrastructure.30 The threat actor is known to register domains highly likely intended to impersonate specific target organisations. Some of these were then used to launch email phishing campaigns, some to host fake login portals for credential phishing, and some for malware command and control.31 Persistent and sweeping Overall, Black Banshee actively pursued victims on an international scale: from long-standing target countries like South Korea, to recent areas of intense focus like Japan. We observed Black Banshee target entities across multiple sectors, including: • Government entities in South Korea and supranational bodies, including the United Nations and the Office of the High Commissioner for Human Rights at the UN; • Defence companies internationally, including in South Korea and Eastern Europe; • Higher education institutions across South Korea, Japan, and the United States; • Journalists and news organisations in South Korea and the United States; and, • Cryptocurrency systems and entities involved with blockchain products and research. Overall, the activity that we assess to have been conducted by Black Artemis and Black Banshee in 2020 is a testament to the double nature of the threat actors’ strategic objectives and requirements: • Espionage motivated intelligence gathering, likely for military, defence or economic purposes; and, • Financially motivated activity, that an August 2019 United Nations Security Council (UNSC) report described as ‘a source of funds for a professional branch of the military’.32 This type of activity is a way to guarantee the North Korean regime the ability to operate in spite of international economic sanctions, rather than having to act in order to alleviate them. 24 �‘Artemis Banshee and Shoggoth walk into a bar’, PwC Threat Intelligence, CTO-TIB-20200630-02A 25 �‘Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware’, Kaspersky, https://securelist.com/operation-apple- jeus/87553/ (23rd August 2018) 26 ��‘Lazarus’ MacOS Dacls RAT Shows Multi-Platform Ability’, TrendMicro, https://www.trendmicro.com/en_us/research/20/e/new-macos-dacls-rat-back- door-show-lazarus-multi-platform-attack-capability.html (11th May 2020) 27 �‘MATA: Multi-platform targeted malware framework’, Kaspersky, https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ (22nd July 2020) 28 �‘Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware’, Kaspersky, Operation AppleJeus: Lazarus hits cryptocur- rency exchange with fake installer and macOS malware (23rd August 2018) 29 �‘Interpreting Black Banshees alluring lures’, PwC Threat Intelligence, CTO-TIB-20210115-01A 30 �‘Twelve months of Black Banshee’, PwC Threat Intelligence, CTO-TIB-20200124-01A 31 �‘To catch a Banshee’, PwC Threat Intelligence, CTO-TIB-20200622-01A 32 ���‘Report of the Panel of Experts established pursuant to resolution 1874 (2009)’, United Nations Security Council, https://www.securitycouncilreport.org/atf/ cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf (30th August 2019) https://securelist.com/operation-applejeus/87553/ https://securelist.com/operation-applejeus/87553/ https://www.trendmicro.com/en_us/research/20/e/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability.html https://www.trendmicro.com/en_us/research/20/e/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability.html https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ https://www.securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf https://www.securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf Cyber Threats 2020: A Year in Retrospect | 9 Sharing is compromising: China-based threat actors and the digital quartermaster In 2020, PwC observed China-based threat actors executing campaigns that continue to closely align with China’s strategic objectives. Key areas of focus were countries connected to the contentious South China Sea dispute, countries involved with the international Belt and Road initiative, as well as near neighbouring countries, especially ones with whom China has had territorial or administrative disputes. The primary targets included, first and foremost, governments and public entities on an international scale, and telecommunications providers; sectors that correspond to strategic priorities outlined in the current Five Year Plan and likely to be part of the next;33 and religious communities. The sharing of custom tooling among China-based threat actors continues to create a springboard for intrusions, while posing a further challenge to attribution of malicious activity. Exploited to an 8.t One immediate example of tool sharing is the continued use 34,35 of the 8.t document weaponisation framework, also known as RoyalRoad. The framework, which has evolved over the span of two years to exploit different vulnerabilities in Microsoft’s Equation Editor,36 has been used by multiple China-based threat actors. Each time, the weaponised documents have been deployed with unique characteristics, infrastructure, capability and victimology overlaps which has enabled attribution of the sets of activity to a specific threat actor. Some of the main users of the 8.t framework in 2020 are detailed below: • Red Hariasa (a.k.a. Chinoxy) , the threat actor that PwC assesses is the only one to use both the Chinoxy and FunnyDream backdoors, has been one of the primary users of the 8.t framework in 2020. PwC has observed activity using the Chinoxy backdoor targeting countries in Central and South East Asia, including Kyrgyzstan,37 Malaysia,38 and Vietnam.39 • Red Orthrus (a.k.a. KeyBoy, APT23) also used the 8.t framework as part of its continuous targeting of the Mongolian government and Mongolian public sector entities, to then deploy PoisonIvy payloads40 or the backdoor known as KeyBoy CotX RAT. • An espionage motivated threat actor that PwC tracks as Red Nue (a.k.a. SpyDealer) used the 8.t framework in July 2020 to create a Russian- language lure document dropping the LootRat backdoor.41 LootRat has been in use since at least 2017,42 and has Android and MacOS variants known as SpyDealer and Demsty respectively.43 It is worth noting that PwC has observed a marked drop in usage of 8.t after the first quarter of 2020, which could possibly be due to the framework having been featured in public reporting on multiple occasions covering several of its versions.44,45 33 �‘Predicting public policies’, PwC Threat Intelligence, CTO-SIB-20200618-01A 34 ‘Chinese Equations’, PwC Threat Intelligence, CTO-TIB-20181019-01A 35 ‘wll wll wll look what we have here’, PwC Threat Intelligence, CTO-TIB-20200529-01A 36 ‘A Quartermaster for Compromise’, PwC Threat Intelligence, CTO-TIB-20190923-01A 37 ‘COVID-19 lure targeting Kyrgyzstan’, PwC Threat Intelligence, CTO-TIB-20200326-01A 38 ‘8.t Builder seen in Malaysia’, PwC Threat Intelligence, CTO-QRT-20200402-01A 39 ‘Vietnam next in line for Chinoxy’, PwC Threat Intelligence, CTO-QRT-20200529-01A 40 ‘Keyboy taking a trip to Mongolia’, PwC Threat Intelligence, CTO-TIB-20200415-01A 41 ‘Red Dev 7 gets a Nue name’, PwC Threat Intelligence, CTO-TIB-20201016-01A 42 �‘SpyDealer: Android Trojan Spying on More Than 40 Apps’, PaloAlto, https://unit42.paloaltonetworks.com/unit42-spydealer-android-trojan-spying-40-apps/ (6th July 2017) 43 ‘LootRAT deals four of a kind’, PwC Threat Intelligence, CTO-TIB-20200130-02A 44 ‘An Overhead View of the Royal Road’, Nao-Sec, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html (29th January 2020) 45 �‘Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018’, Anomali, https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018 (3rd July 2019) The sharing of custom tooling among China-based threat actors continues to create a springboard for intrusions. https://unit42.paloaltonetworks.com/unit42-spydealer-android-trojan-spying-40-apps/ https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018 Cyber Threats 2020: A Year in Retrospect | 10 From Winnti to ShadowPad, the new PlugX Beyond the 8.t framework, China-based threat actors have also been sharing sophisticated tools, which are deployed in targeted intrusions against high-value targets. For example, in ‘Cyber Threats 2019: A Year in Retrospect’ report, PwC assessed that multiple China-based threat actors were using variants of the Winnti backdoor, occasionally also sharing infrastructure, techniques, and implants but operating independently with different objectives.46 We continued to observe Winnti activity in 2020, with the US Department of Justice (DoJ) also filing an indictment in September against two individuals associated with Red Kelpie (a.k.a. APT41, BARIUM), one of the primary Winnti users.47 PwC has also tracked the ShadowPad backdoor being used by at least five threat actors with different victimology and areas of focus between 2019 and 2020. While we assess that the recently indicted Red Kelpie was likely a primary developer and user of the tool,48 we also identified ShadowPad activity that we attribute to other China-based threat actors. This included a campaign where we observed overlaps between the usage of ShadowPad and a Bisonal variant we call Biscoff,49 which has also been referred to in open source as xDll.50 We assess that the campaign, which mainly targeted Russia and South Korea, was highly likely conducted by Red Beifang (a.k.a. Tonto Team, Karma Panda), which we have observed being the second primary user of ShadowPad after Red Kelpie. Plugging into espionage: Red Lich’s PlugX campaigns PlugX is another malware family that has been shared across multiple China-based threat actors, and has persisted over the last decade. Throughout 2020, we observed consistent use of PlugX that we attribute to espionage motivated China-based threat actor Red Lich (a.k.a. Mustang Panda, Red Delta). Red Lich has been known to use PlugX payloads since at least November 2018,51 along with CobaltStrike, and to have a focus on the Asia Pacific region. In 2020, we noted particular interest by the threat actor in technology and telecommunications storage in Asia Pacific, as well as in religious communities. We identified Red Lich victims in Myanmar, Singapore, India, and Hong Kong,52 along with further targeting and potential compromise of organisations based in Vietnam53 and the Vatican.54 It is worth noting Red Lich’s targeting of the Christian community,55,56 specifically in Hong Kong, and of a Vatican-based NGO, between May and July 2020, is in line with Red Lich’s previous victimology – including religious communities and minorities, both Catholic organisations57 and Tibetan.58 However, the uptick in observed activity for this specific Red Lich campaign between May and July 2020 coincided with a period of tense relationships between the Vatican and Chinese authorities, over a provisional agreement on the appointment of Catholic Bishops in China. 46 ‘Cyber Threats 2019: A Year in Retrospect’, PwC Threat Intelligence, https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retrospect.html 47 ‘A counterstrike on the money’, PwC Threat Intelligence, CTO-SIB-20200930-01A 48 ‘Shining a light on ShadowPad’s usage throughout 2019’, PwC Threat Intelligence, CTO-TIB-20200213-01A 49 ‘Red Beifang’s Biscoff trail’, PwC Threat Intelligence, CTO-TIB-20200810-01A 50 �‘ShadowPad: New activity from the Winnti Group’, Positive Technologies, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadow- pad-new-activity-from-the-winnti-group/ (29th September 2020) 51 �China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations’, Anomali, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations (7th October 2019) 52 ‘Storing PlugX’, PwC Threat Intelligence, CTO-TIB-20200630-01A 53 ‘Red Lich PlugX targeting Vietnam’, PwC Threat Intelligence, CTO-QRT-20200811-01A 54 ‘Red Lich’s PlugX server misconfiguration’, PwC Threat Intelligence, CTO-QRT-20201014-01A 55 ‘Red Lich’s PlugX vendetta’, PwC Threat Intelligence, CTO-TIB-20200723-01A 56 ‘Red Lich continued Catholic targeting’, PwC Threat Intelligence, CTO-QRT-20200911-01A 57 �China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations’, Anomali, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations (7th October 2019) 58 ‘Cyber Threats 2019: A Year in Retrospect’, PwC Threat Intelligence, https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retrospect.html https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retrospect.html https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/ https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/ https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retrospect.html Cyber Threats 2020: A Year in Retrospect | 11 59 ‘Hand to hand with a Phoenix’, PwC Threat Intelligence, CTO-TIB-20200407-01A PwC’s Incident Response team responded to a Red Phoenix intrusion into a technology company in Western Europe in 2020.59 The threat actor had access to the network from at least May 2019 and maintained access until early March 2020. It initially compromised the victim by exploiting an exposed out of date Confluence server, using CVE-2019- 3396. It subsequently deployed the FOCUSFJORD (a.k.a. SoldierTrojan, SoldierLoader) malware family, which we exclusively attribute to Red Phoenix. The threat actor used custom tools as well as living off the land techniques (‘LOLbins’) to move laterally around the network. It pivoted to several other machines, and deployed HyperBro, another malware family exclusively attributed to Red Phoenix. In February 2020, the threat actor attempted to maintain access to the victim network by installing updated versions of HyperBro that sideload from a different executable. The new malware beaconed out to the same C2 IPs and the payload had the same capabilities, allowing the new and previously unseen binaries to be detected by heuristic rules. Following eviction, the threat actor aggressively tried to reacquire access to the network, attempting to access perimeter systems from IPs it had not used previously in the intrusion, but which had already been provided to the client to block by PwC’s Threat Intelligence team. The other side of the coin In addition to China and North Korea-based threat actor activity, PwC noted a significant uptick in activities from threat actors based in other countries within the region during 2020. This is mostly likely due to ongoing conflicts in the region, which have only increased in intensity over the last year. Kinetic conflict has been seen between India and Pakistan, as well as India and China, whilst the South China Sea continues to be a hotbed of political tension. Tit-for-tat hostilities have played out in the cyber realm, with threat actors based in Pakistan, India, and Vietnam alike ramping up their volume of operations, whilst simultaneously expanding their tools, techniques, and procedures (TTPs). Case study Red Phoenix compromises a technology company in Western Europe Cyber Threats 2020: A Year in Retrospect | 12 Pakistan The Pakistan-based threat actor Green Havildar (a.k.a. TransparentTribe, Mythic Leopard) continued its use of its backdoor CrimsonRAT in a vast number of campaigns, including, but not limited to: • Targeting India Defence targets, using lure documents looking to mimic commendations to soldiers on the 72nd Army Day – this campaign saw the threat actor host its payloads on a website feigning legitimacy as a shared drive.60 • Targeting Iranian political targets over several campaigns, making use of both religious and political themes in lure documents61 – the motivations behind this campaign are thought to stem from both Pakistan-Iran border tensions,62 as well as concern for Pakistan- Afghanistan border security after the election of the new Quds force leader following the death of General Qasem Soleimani.63 2020 also saw the threat actor develop a new tool, which in open source is known as ObliqueRAT.64 PwC has observed several campaigns in 2020 employing ObliqueRAT alongside password protected lure documents that are highly likely provided to the victim during correspondence.65 This shift towards a focus on active social engineering is a new technique for the threat actor. Green Havildar’s crime wing (a.k.a. Gorgon Group, Aggah), has also conducted a large number of campaigns, switching its initial delivery mechanism from Word and Excel documents to Powerpoint.66 PwC has observed these campaigns being conducted on a near weekly basis,67 and it is likely – based on their sheer volume in 2020 – we will continue to see these financially motivated attacks continue in 2021. India The targeting displayed by India-based threat actors has mirrored political events, with a substantial increase in targeting of China-based targets, as well as consistent espionage operations against Pakistan government and defence sectors. The campaigns conducted over the course of 2020 displayed both new and previously observed TTPs, whilst the lure documents often used news articles or documents published just days before the attack itself. This provides an insight into the reactive nature of these threat actors. Orange Chandi The India-based threat actor Orange Chandi (a.k.a. Sidewinder) was particularly prolific in 2020, conducting espionage operations targeting the defence sector. Victims have been based mostly in Pakistan and China, but PwC has also observed targets in Afghanistan. The payloads all used a familiar attack process from the threat actor of multiple HTA scripts to eventually deploy the final payload.68,69,70,71 Orange Kala Orange Kala (a.k.a. Donot) also had an extremely active year. The threat actor employed several techniques across 2020, some of which PwC has observed previously, whilst others see the threat actor retooling in real time. For example, PwC was able to obtain several lure documents and payloads that were not yet complete or ready for operational use.72 These files were subsequently used in attacks a few weeks after our initial discovery, likely targeting victims in Pakistan’s Defence sector. The threat actor was also seen using open source espionage tools for its payloads, such as the remote access trojan WarZoneRAT,73 sold as a Malware as a Service (MaaS).74 60 ‘Green Havildar up to its old tricks’, PwC Threat Intelligence, CTO-TIB-20200131-01A 61 ‘Green Havildars new focus – Iran’, PwC Threat Intelligence, CTO-TIB-20200914-01A 62 �‘Pakistan asks Iran to act on militants behind Baluchistan killings’, Reuters, https://www.reuters.com/article/us-pakistan-iran/pakistan-asks-iran-to-act-on-mili- tants-behind-baluchistan-killings-idUSKCN1RW0EQ (April 20th 2019) 63 �‘Iran’s New Quds Force Leader Has A Long, Shadowy History With Afghanistan’, RadioFreeLiberty, https://www.rferl.org/a/iran-s-new-quds-force-leader-has-a- long-history-with-afghanistan/30379354.html (15th January 2020) 64 �‘ObliqueRAT: New RAT hits victims’ endpoints via malicious documents’, Cisco-Talos, https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-mal- docs.html (20th February 2020) 65 ‘Great minds think alike on the Indian subcontinent’, PwC Threat Intelligence, CTO-TIB-20201211-01A 66 �‘Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer’, HP, https://threatresearch.ext.hp.com/aggah-campaigns-lat- est-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/ (1st July 2020) 67 ‘Threats under the Spotlight December 2020’, PwC Threat Intelligence, CTO-TUS-20210111-01A 68 ‘Pakistan targeted by lnk files’, PwC Threat Intelligence, CTO-TIB-20200423-01A 69 ‘Orange Chandi goes back to school’, PwC Threat Intelligence, CTO-TIB-20200527-01A 70 ‘Orange Chandi pitches to the board’, PwC Threat Intelligence, CTO-TIB-20200619-01A 71 ‘Orange Chandis IT Services’, PwC Threat Intelligence, CTO-QRT-20200825-01A 72 ‘’White Dev 23s work in progress’, PwC Threat Intelligence, CTO-TIB-20200728-01A 73 ‘Let me get this strait’, PwC Threat Intelligence, CTO-TIB-20201104-01A 74 ‘Warzone: Behind the enemy lines’, CheckPoint, https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/ (3rd February 2020) https://www.reuters.com/article/us-pakistan-iran/pakistan-asks-iran-to-act-on-militants-behind-baluchistan-killings-idUSKCN1RW0EQ https://www.reuters.com/article/us-pakistan-iran/pakistan-asks-iran-to-act-on-militants-behind-baluchistan-killings-idUSKCN1RW0EQ https://www.rferl.org/a/iran-s-new-quds-force-leader-has-a-long-history-with-afghanistan/30379354.html https://www.rferl.org/a/iran-s-new-quds-force-leader-has-a-long-history-with-afghanistan/30379354.html https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/ https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/ https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/ Cyber Threats 2020: A Year in Retrospect | 13 Orange Athos Orange Athos (a.k.a. Patchwork) was observed in 2020 displaying several techniques PwC had not previously observed or associated with the India- based threat actor. One consistent campaign in July and August 2020 saw the threat actor use a vulnerability involving Encapsulated PostScript (EPS) images (CVE-2017-0261),75 with lure documents targeting: • Chinese speaking individuals concerned with Sino-Indian border tensions; • Individuals interested in Saudi-Pakistan relations (specifically organisations in oil & gas); and, • Individuals interested in Pakistan-China relations (specifically in the technology sector) Another significant operation undertaken by Orange Athos saw the threat actor taking advantage of GitHub repositories in order to pull further payloads onto the victim’s machine.76 What made this campaign particularly unique was the effort made by the threat actor to create sophisticated lure documents written in Mandarin Chinese; India-based threat actors will for the most part use news articles, but in this instance the threat actor appeared to hand-craft the lure documents. Vietnam Of the many threat actors that pervade the Asia Pacific cyberspace, there were few as active and diverse in their activities as Vietnam-based Scarlet Ioke (a.k.a. OceanLotus, APT32, White Ioke). It ran a substantial number of operations, favouring not just open source tools, such as CobaltStrike, but also building up bespoke capabilities of its own, such as the remote access trojan DenesRAT.77,78 The threat actor also continued to adapt its toolset to focus on victims that run MacOS in 2020.79 Significantly, Scarlet Ioke was publicly attributed by Facebook to an IT company-based in Vietnam called CyberOne Group; or CyberOne Security.80 According to the attribution, the company operates on behalf of the Vietnam government, although it is unclear whether CyberOne Group makes up the entirety of all operations attributed to Scarlet Ioke, or a sub-section of them. The operations of Scarlet Ioke in 2020 broadly consist of the following: • Espionage campaigns focused on intelligence gathering from other nation states in South East Asia. This includes the targeting of both computer and mobile devices; 81,82 • Website creation and hijacking for the purposes of profiling users that visit the sites, and having the capability to subject them to further malicious phishing sites or malware payloads. These operations have been documented targeting not just victims of other South East Asian nations, but also individuals in Vietnam itself;83 • Espionage campaigns against individuals in Vietnam, using malicious files such as CVs and letters of invitation;84 • Espionage campaigns against Vietnamese dissidents, now living abroad; and,85 • Conducting corporate espionage against private sector entities, as well as deploying cryptocurrency miners on these victims’ networks in order to either monetise its intrusions, or potentially act as a false flag for the intrusion’s purpose.86 75 �‘EPS Processing Zero-Days Exploited by Multiple Threat Actors’, FireEye, https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html (9th May 2017) 76 �‘A Patchwork of Campaigns’, PwC Threat Intelligence, CTO-TIB-20200313-01A 77 �‘New name, same me – Scarlet Ioke targets China’, PwC Threat Intelligence, CTO-TIB-20200505-01A 78 �‘Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espio- nage’, FireEye, https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html (22nd April 2020) 79 �‘New MacOS Backdoor Connected to OceanLotus Surfaces’, Trend Micro, https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connect- ed-to-oceanlotus-surfaces.html (27th November 2020) 80 �‘Taking Action Against Hackers in Bangladesh and Vietnam’, Facebook, https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vi- etnam/ (10th December 2020) 81 �‘Scarlet Ioke – June-July Update’, PwC Threat Intelligence, CTO-TIB-20200806-01A 82 �‘Hiding in plain sight: PhantomLance walks into a market’, Kaspersky, https://securelist.com/apt-phantomlance/96772/ (28th April 2020) 83 �‘OceanLotus: Extending Cyber Espionage Operations Through Fake Websites’, Volexity, https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cy- ber-espionage-operations-through-fake-websites/ (6th November 2020) 84 ‘Scarlet Ioke goes back to its roots’, PwC Threat Intelligence, CTO-QRT-20200506-01A 85 ‘Lined up in the sights of Vietnamese hackers’, BR24, https://web.br.de/interaktiv/ocean-lotus/en/ (10th November 2020) 86 �‘Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them’, Microsoft, https://www.microsoft.com/security/blog/2020/11/30/ threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/ (30th November 2020) https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/ https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/ https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ https://web.br.de/interaktiv/ocean-lotus/en/ https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/ https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/ Cyber Threats 2020: A Year in Retrospect | 14 Espionage motivated threat actors based in Russia and the former Soviet Union, which seek to access or steal intelligence, continued to be active throughout 2020. This activity includes the continuation of common targeting themes, such as the Russia-based threat actors Blue Python (a.k.a. Turla) and Blue Athena (a.k.a. APT28) targeting Ministries of Foreign Affairs in Central and Eastern Europe, and also responses to emerging global events, such as Russia-based threat actor Blue Kitsune targeting COVID-19 vaccine research.87 At a strategic level, 2020 brought some interesting geopolitical shifts to the region, in particular through the conflict over the disputed region of Nagorno-Karabakh, a region which, de jure, is a part of Azerbaijan, but which has been under the de facto control of the unrecognised, Armenia- backed Republic of Artsakh since 1994. In September 2020, major armed conflict broke out in the region, and lasted several weeks. We tracked several threat actors targeting parties to the conflict or using themes related to it. These include White Dev 51, a threat actor we assess to likely be based in or affiliated with Armenia, and spear phishing activity from the Russia/Ukraine-based threat actor Blue Odin (a.k.a. Cloud Atlas).  Nagorno-Karabakh: a frozen conflict ignites88 Nagorno-Karabakh is a territory which has been disputed between Armenia and Azerbaijan since before the fall of the Soviet Union. The region, while populated mostly by ethnic Armenians, is internationally recognised as part of Azerbaijan, and has been formally under Azerbaijani control since the fall of the Soviet Union. However, since the first Nagorno-Karabakh war, which ended in 1994 with a Russia-brokered ceasefire, the region has been under the control of the Armenia-backed Republic of Artsakh, and remains unrecognised by the international community. In September 2020, Azerbaijani forces reportedly launched offensives intended to recapture occupied buffer areas surrounded by Azerbaijan, as well as push into the region itself. The conflict was largely dictated by Azerbaijan, which made substantial gains, eventually capturing the strategic city of Shusha. This resulted in thousands of casualties, both military and civilian, and tens of thousands of civilians have been displaced. This conflict ended in a Russia- brokered ceasefire in November 2020, which saw Azerbaijan regain the buffer areas surrounding Nagorno-Karabakh and keep its gains within the region itself. We have tracked a range of threat actor activity connected to this conflict, by threat actors across a broad range of levels of sophistication: Europe 87 �‘Advisory: APT29 targets COVID-19 vaccine development’ – NCSC, https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf 88 �The use of language and terminology in this section is not intended to demonstrate any partiality. PwC recognises that choice of place name references, for example, can be sensitive and the choices made here are for ease of reference rather than partisanship. 89 ‘Reigniting a frozen conflict’, PwC Threat Intelligence, CTO-SIB-20201202-01A 1 Hacktivist groups such as ‘Anti-Armenia Team’ and ‘Monte Melkonian Cyber Army’ have engaged in tit-for-tat leaking of information, including internal government emails and data related to a nuclear power plant in Armenia. 2 A threat actor of unknown origin, tracked by PwC as White Dev 51, used a Python-based backdoor known as PoetRAT, to target Azerbaijani government organisations. PoetRAT was delivered by spear phishing documents, most often pertaining to Azerbaijani government organisations. It provides the threat actor with a range of common RAT functionality, such as file manipulation and exfiltration. 3 Russia-based threat actor Blue Odin used a spear phishing document named PKK militants in Nagorno-Karabakh.doc containing contents cloned from an article which alleged that several hundred PKK militants were supporting Artsakh forces in Nagorno-Karabakh. We assess that this document was likely used to target Azerbaijani government organisations. We expect that interest in the region will continue, particularly from a number of regional players, such as Russia, Turkey and Iran, all of which have vested strategic interests in the power balance in the region89 – Russia for its direct involvement in peacekeeping, Turkey as Azerbaijan’s closest ally and partner, and Iran for the fact it shares a border with Armenia and Azerbaijan, control of which has shifted dramatically as a result of the recent ceasefire. We assess that it is highly probable that this strategic interest will be accompanied by activity from threat actors based in these regions. https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf Cyber Threats 2020: A Year in Retrospect | 15 The Snake Persists Blue Python (a.k.a Turla, Snake) is a highly sophisticated Russia-based threat actor, known for using a variety of complex tooling and novel Command & Control (C2) channels, including cloud storage,90 email attachments,91 and SMB named pipes. We observed continued Blue Python activity throughout 2020, which generally aligns closely with the threat actor’s historical targeting priorities – government agencies in Central and Eastern Europe (with a particular focus on Ministries of Foreign Affairs and Ministries of Interior). Blue Python continued to use a diverse and sophisticated toolset in order to accomplish its objective, consisting of multiple dropper, downloader, and backdoor malware families with a range of levels of sophistication. Based on our visibility into Blue Python activity, we assess that it is likely that simpler and less powerful malware is deployed initially, in order to assess the infected machines and determine whether the victim is of interest to the threat actor; it is only later that more sophisticated malware families are delivered. In 2020, the changes in Blue Python’s toolset were more evolutionary than revolutionary; that is, it has primarily iterated on known malware families, rather than introducing any entirely new variants. For example, in May, we reported on the use of a new, custom packer with the Kazuar backdoor, a malware family which has been known since at least 2017.92 We also analysed the use of PowerShell-based loader scripts as a means of loading several Blue Python malware families, such as COMRAT v4 and variants of RPCBackdoor, and the role of PowerShell scripts in a compromise of a Ministry of Foreign Affairs in Eastern Europe. In 2020, we analysed a newly discovered malware family we reported on as BigBoss (a.k.a. HyperStack).93,94 BigBoss implements a simple communications protocol over SMB named pipes. Certain components of BigBoss closely resemble other Blue Python malware families – for example, the encryption scheme used in BigBoss is identical to that of Carbon, a well-known Blue Python malware family. In essence, BigBoss implements familiar techniques and methods, but delivered in a far smaller package than many more sophisticated malware families. We expect that Blue Python will continue to primarily target government organisations in its pursuit of information of strategic interest in 2021, and that it will continue to both iterate on well- known TTPs and develop new malware families. 90 �‘Turla Crutch: Keeping the back door open’, ESET, https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ 91 �‘From Agent.BTZ to ComRAT v4’, ESET, https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf 92 �‘Kazuar: Multiplatform Espionage Backdoor with API Access’, Palo Alto, https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-back- door-api-access/ (3rd May 2017) 93 �‘BigBoss Calling’, PwC Threat Intelligence, CTO-TIB-20200929-01A 94 �‘Turla uses HyperStack, Carbon, and Kazuar to compromise government entity’, Accenture, https://www.accenture.com/us-en/blogs/cyber-defense/turla-belu- gasturgeon-compromises-government-entity https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/ https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/ https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity Cyber Threats 2020: A Year in Retrospect | 16 Ja nu ar y Fe br ua ry M ar ch A pr il M ay Ju ne Ju ly A ug us t S ep te m be r O ct ob er N ov em be r 0 4 15 14 16 91 34 139 91 9 10 Figure 3 – Blue Otso domain registrations by month in 2020 Spotlight on Blue Otso Blue Otso (a.k.a Gamaredon) is a Russia-based threat actor which has historically targeted Ukrainian government and defence organisations, such as the Security Service of Ukraine (SBU). Blue Otso lure documents often include references to the self-proclaimed separatist regions known as the ‘Luhansk People’s Republic’ and ‘Donetsk People’s Republic’, and previous documents which likely targeted Ukraine’s military contained content relating to orders for military operations in these regions. In 2020, Blue Otso’s targeting of Ukraine both continued and evolved; while we still saw targeting of typical Ukrainian organisations, such as attempts to deliver spear-phishing documents to the National Defence Council of Ukraine, Blue Otso also began to cast a wider net, including efforts to target government entities in Central and Eastern Europe in early 2020.95 In December 2020, we analysed some recent activity of the threat actor, based on dates and times derived from Blue Otso’s domain registrations and malicious documents.96 These dates and times were consistent with the threat actor operating in Kiev or Moscow time (UTC+2 and UTC+3 respectively), with a likely working week between Monday and Saturday, and almost no activity observed on Sundays. The above graph shows domain registrations by a pair of email addresses associated with Blue Otso in 2020. Notably, there was a significant uptick in domain registrations in August 2020, potentially aligning with Ukraine’s Independence Day on 24th August. Open source reporting97 has previously suggested that Blue Otso activity often aligns with political events in Ukraine, including public statements made by the SBU. We assess it is highly likely that this spike in August 2020 was intended to disrupt or attack Ukrainian governmental organisations during Ukraine’s Independence Day. This assessment is further supported by a public announcement from the National Security and Defence Council of Ukraine,98 which noted signs of preparation for an attack on authorities and critical infrastructure ahead of Independence Day. Blue Otso was also among the threat actors we detected having a shift in activity as a result of the COVID-19 pandemic. More specifically, after 31st March, we observed a decrease in Blue Otso activity compared to the previous months from January to March. According to open source information, FSB officers were required to take annual leave around 31st March.99 Ukrainian SBU has publicly attributed Blue Otso to the FSB,100 which may explain the drop in activity. However, the evidence above clearly indicates a relatively rapid return to activity, beginning in June and peaking in August. 95 �‘Otso beyond Ukraine’, PwC Threat Intelligence, CTO-QRT-20200309-01A 96 �‘Blue Otso’s tangled web’, PwC Threat Intelligence, CTO-TIB-20201208-01A 97 �‘Operation Armageddon’, Looking Glass Cyber, https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf 98 �‘The NCCC at the NSDC of Ukraine has detected signs of preparation for a large-scale coordinated attack on state authorities of Ukraine and critical infrastruc- ture on the eve of the Independence Day‘, National Security and Defense Council of Ukraine, https://www.rnbo.gov.ua/en/Diialnist/4669.html 98 �‘FSB officers to be sent on unscheduled leave due to coronavirus’, RBC Group, https://www.rbc.ru/society/31/03/2020/5e830d439a794737b2cb7466?from=- from_main 100 �‘Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare’, LookingGlass, https://www.lookingglasscyber.com/wp-con- tent/uploads/2015/08/Operation_Armageddon_Final.pdf (28th April 2015) https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf https://www.rnbo.gov.ua/en/Diialnist/4669.html https://www.rbc.ru/society/31/03/2020/5e830d439a794737b2cb7466?from=from_main https://www.rbc.ru/society/31/03/2020/5e830d439a794737b2cb7466?from=from_main https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf Cyber Threats 2020: A Year in Retrospect | 17 Furthering Turkey’s strategic interests In January 2020, it was reported that DNS hijacking101 attacks targeting organisations in Europe and the Middle East were conducted in alignment to Turkish interests.102 The hijacked domains were reported to primarily include those of Turkey’s near neighbours including government entities, and civilian organisations within Turkey itself. From our assessment, this activity aligned with the known targeting and tactics of the Turkey- based threat actor Teal Kurma (a.k.a. Sea Turtle).103 DNS hijacking was a prominent technique in 2019 for Teal Kurma, during which it was seen to compromise organisations to gain access to credentials to change DNS records and even target DNS registrars themselves. Turkey’s role on the global stage is becoming increasingly prominent as it aggressively pursues its own interests, and thus is changing the status quo of decades-long alliances. Tensions intensified during the course of 2020 amongst Turkey and its near neighbours, including Cyprus and Greece, over disputed waters in the Eastern Mediterranean in which Turkey has conducted seismic exploration.104 The countries hold competing claims over the maritime and energy interests in the area and the rights to explore and exploit oil and gas reserves. On the cyber stage, this has been reflected in hacktivist activity from Greece and Turkey-based groups in tit-for-tat activity, with each side claiming to have compromised prominent websites.105 Presidential elections were held within Northern Cyprus in October 2020, the result of which was anticipated to have a significant impact on Turkey’s interests in the region, not least in its pursuit of oil and gas reserves within Cypriot waters. In October 2020, PwC identified a macro-enabled Microsoft Word document lure related to the Northern Cyprus Presidential elections which we attributed to the Turkey-based threat actor Teal Dev 2 (a.k.a. Promethium).106 The resulting dropped malware included the abuse of legitimate software which was used to sideload malicious DLLs. The TTPs used in the infection chain bore strong similarities to those seen in StrongPity, a malware family attributed to Teal Dev 2.107 The threat actor maintained a high level of StrongPity activity during 2020, however, we have not previously seen it using macro-enabled documents as a delivery mechanism before. From our analysis of the malware and the related infrastructure, we found similar samples going back to 2018, indicating that the threat actor has been using this technique and malware variant for some time, albeit from our telemetry, sparingly. Middle East 101 �DNS hijacking refers to a threat actor compromising credentials that allows it to manipulate DNS records, giving it the ability to redirect traffic to threat actor controlled infrastructure and capture sensitive information. 102 �‘Exclusive: Hackers acting in Turkey’s interests believed to be behind recent cyberattacks – sources’, Reuters, https://www.reuters.com/article/us-cyber-at- tack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X (27th January 2020) 103 �‘Furthering Turkish state interests though cyber operations’, PwC Threat Intelligence, CTO-SIB-20200323-01A 104 �‘Turkey extends exploration in disputed Mediterranean waters to October 27’, Reuters, https://uk.reuters.com/article/uk-turkey-greece-ship/turkey-extends-ex- ploration-in-disputed-mediterranean-waters-to-october-27-idUKKBN27702D (22nd October 2020) 105 �‘Battle for Supremacy | Hacktivists from Turkey and Greece Exchange Virtual Blows’, SentinelOne, https://www.sentinelone.com/blog/battle-for-suprema- cy-hacktivists-from-turkey-and-greece-exchange-virtual-blows/ (21st January 2020) 106 �‘Pity the pivot’, PwC Threat Intelligence, CTO-TIB-20201008-03A 107 �‘Pity the Pelican’, PwC Threat Intelligence, CTO-TIB-20201021-02A 108 �‘Iran attack: US troops targeted with ballistic missiles’, BBC, https://www.bbc.com/news/world-middle-east-51028954 (8th January 2019) 109 �‘Iran-based threat actor responses to rising geopolitical tensions’, PwC Threat Intelligence, CTO-SIB-20200108-01A 110 ��‘Cyber Threats 2019: A Year in Retrospect’, PwC Threat Intelligence, https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019-retro- spect.html Turkey’s role on the global stage is becoming increasingly prominent as it aggressively pursues its own interests. https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X https://uk.reuters.com/article/uk-turkey-greece-ship/turkey-extends-exploration-in-disputed-mediterranean-waters-to-october-27-idUKKBN27702D https://uk.reuters.com/article/uk-turkey-greece-ship/turkey-extends-exploration-in-disputed-mediterranean-waters-to-october-27-idUKKBN27702D https://www.sentinelone.com/blog/battle-for-supremacy-hacktivists-from-turkey-and-greece-exchange-virtual-blows/ https://www.sentinelone.com/blog/battle-for-supremacy-hacktivists-from-turkey-and-greece-exchange-virtual-blows/ https://www.bbc.com/news/world-middle-east-51028954 Cyber Threats 2020: A Year in Retrospect | 18 Iran’s proportional response On 3rd January 2020, Iranian General Qasem Soleimani was killed by a US drone strike. This inevitably escalated existing political tensions between the US and Iran, with Iranian officials quick to indicate there would be a swift and proportional response. Whilst this prompted Iran to take kinetic measures against military bases hosting US military personnel in Iraq,108 the initial response in the cyber domain was more muted than expected. This came in the form of website defacements conducted by self-reported pro-Iran hacktivists, and highly likely committed on an independent basis.109 No sophisticated cyber attacks were reported following Soleimani’s death, at least in the public domain, nor did our telemetry indicate any significant shift in Iran-based threat actor behaviours in the immediate or medium term following this event. This was unexpected; Iran- based threat actors are particularly proficient in the realm of destructive cyber attacks, and an attack of this type could have been considered a proportional response to the drone strike. Following activity involving StoneDrill, ZeroCleare and Dustman wiper malware families in 2019,110 major destructive attacks were noticeably absent from Iran-based cyber activity in 2020. However, Iran-based threat actors were far from quiet in 2020. Economic sanctions, numerous indictments and shifting alliances within the Middle East have all likely played a part in cyber activity conducted over the course of the year, as evident in a series of tit-for-tat incidents between Iran and Israel, with whom Iran continues to share a volatile relationship. Following reported cyber attacks on Israel’s water and waste management facilities in April 2020, Iran’s Shahid Rajaee port terminal was allegedly compromised in May, with media articles subsequently attributing the attack to Israel.111 This sparked a series of incidents affecting Iranian organisations and facilities prompting questions around whether Iran was being repeatedly targeted by sabotage attacks of either a cyber or kinetic nature.112 Cyber attacks targeting Israeli organisations have also been in the spotlight. In Operation Quicksand, PowGoop, a downloader likely associated with the espionage motivated Iran-based threat actor Yellow Nix (a.k.a. MuddyWater) was identified on the systems of an Israel-based organisation.113 The ransomware family Pay2Key was also used to target a number of Israeli organisations in November 2020,114 with multiple commonalities between this activity and the known modus operandi of Iran-based threat actor Yellow Dev 15 (a.k.a. Pioneer Kitten). As the threat actor has previously engaged in financially motivated activities and likely has the capability to deploy ransomware to victims, this escalation can be considered a progression from its known motivations.115 Yellow Nix steps up Yellow Nix had a busy year, expanding its targeting focus from its near neighbours in the Middle East, to include European entities. Alongside this shift, it made significant efforts to diversify its technical arsenal, and broaden its range of attack vectors. This included the development of two malware families: This is a DLL which uses DNS tunneling for network communication, the first time we have seen Yellow Nix using this technique. We assess this malware was used to target Western European entities including an organisation in the consumer markets industry.116 Forelord 1 A multistage malware with backdoor functionality. We observed its first stage delivered as an executable masquerading as a PDF document, a deviation from Yellow Nix’s typical macro delivery system. We assess the malware was used to target Turkish government entities and United Nations (UN) entities in June 2020.117,118 MoriAgent 2 111 ��‘Officials: Israel linked to a disruptive cyberattack on Iranian port facility’, The Washington Post, https://www.washingtonpost.com/nationalsecurity/officials-isra- el-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html (18th May 2020) 112 ��‘US targeting of adversaries’, PwC Threat Intelligence, CTO-SIB-20200728-01A 113 ��‘Operation Quicksand’, ClearSky, https://www.clearskysec.com/operation-quicksand/ (15th October 2020) 114 ��‘Pay2Kitten – Fox Kitten 2’, ClearSky, https://www.clearskysec.com/pay2kitten/ (17th December 2020) 115 ��‘The mysteries of Pay2Key’, PwC Threat Intelligence, CTO-SIB-20210113-01A 116 ��‘Yellow Nix has a spring in its step’, PwC Threat Intelligence, CTO-TIB-20200430-01A 117 ��‘Yellow Nix packages its wares for shipping’, PwC Threat Intelligence, CTO-TIB-20200722-01A 118 ��‘Mori than meets the eye’, PwC Threat Intelligence, CTO-TIB-20200828-03A https://www.washingtonpost.com/nationalsecurity/officials-israel-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html https://www.washingtonpost.com/nationalsecurity/officials-israel-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html https://www.clearskysec.com/operation-quicksand/ https://www.clearskysec.com/pay2kitten/ Cyber Threats 2020: A Year in Retrospect | 19 We also continued to see Yellow Nix attempt to repurpose third party tools. We observed Yellow Nix delivering the commercial remote administration tool, Remote Utilities, to retain remote access to a compromised victim.119 This application allows the threat actor to remotely access a victim’s device with full privileges, and was configured to send connectivity details to the operator using a predefined email address. From our observations, Yellow Nix has used Remote Utilities since at least October 2019 through to September 2020, which indicates that this has likely proven an effective tool in compromising its victims, perhaps even more so in 2020, given the increased use of remote tools. Yellow Nix’s attempts to leverage new tools and techniques over the past year indicate a step change in tactics. This may in part be an effort to shift away from its existing arsenal, some of which was notably leaked in 2019.120 In any case, Yellow Nix has shown itself to be a versatile threat actor; although we continue to observe it fall back on its tried and tested techniques, during 2020 it made considerable advances in its sophistication, shifting from VBScript and PowerShell payloads to developing multiple variants of bespoke malware. Yellow Liderc Yellow Liderc (a.k.a. Tortoiseshell) is an Islamic Revolutionary Guard Corps (IRGC) aligned threat actor, which PwC associates with a private sector Iranian entity. The threat actor first came into prominence in 2018, and remained active throughout 2020, with infrastructure management activities and intrusion operations aligning closely to the standard Iranian Saturday to Thursday working week. In contrast to 2019, where the threat actor made more frequent use of its rudimentary bespoke malware families and phishing campaigns, 2020 saw increased efforts to target key corporates via social engineering across multiple social and chat platforms. Yellow Liderc’s targeting typically falls in three categories: 119 ��‘Yellow Nix the one click wonder’, PwC Threat Intelligence, CTO-TIB-20200914-02A 120 ��‘New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web’, ZDNet, https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage- operations-hit-telegram-and-the-dark-web/ (9th May 2019 Direct targeting of the Kingdom of Saudi Arabia This encompasses organisations in a wide variety of sectors, including petrochemicals, IT managed service providers and IT consultants, business process outsourcers, transport, financial services, government and defence. Upstream/downstream targeting Many Yellow Liderc targets appear to have direct relationships with Saudi Arabia and we assess that relationship is the primary reason for Yellow Liderc’s interest in them. These include India-based IT managed services providers (MSPs), financial software and technology companies such as enterprise resource planning (ERP) providers, Middle East engineering and construction companies, and business technology consultants. Aviation, aerospace and automotive Targeting of engine manufacturers (e.g. turbofans, aircraft engines and automotive engines), large aerospace and defence manufacturers, and several low cost European airlines. https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/ https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/ Cyber Threats 2020: A Year in Retrospect | 20 Information operations Information operations often seek to exploit existing societal divisions or wider conspiracy theories in an attempt to influence a narrative or effect a desired outcome. They may also exploit data that has been exfiltrated as part of a cyber espionage campaign. Social media platforms in particular have come under an increasing amount of scrutiny over the type of information that is propagated over these channels, and the often lack of robust scrutiny or challenge with which this is done. Cyber Threats 2020: A Year in Retrospect | 21 Election interference In relation to elections, the term ‘information operations’ has often become synonymous with ‘election hacking’, although the latter encompasses a wider array of activity including technical compromises and disruption tactics. Interference from Russia-based threat actors in the 2016 US presidential election was a watershed moment in the awareness of ‘election hacking’ and called into question the robustness of democratic process.121 In October 2020, US national security officials warned that both Iran and Russia had obtained some voter registration data and were attempting to sow ‘unrest’ ahead of the November 2020 presidential election, potentially by communicating false information to registered voters.122 It was indicated that Iran spread disinformation related to the US presidential election by masquerading as a far-right pro-Trump group to disseminate emails designed to ‘intimidate voters and cause social unrest’.123 In some cases, a ‘propaganda video’ was used to perpetuate rumours of manipulation concerning the mail-in vote process. It is important to note there was no indication that election systems had been compromised as some voter registration data was likely already available in the public domain or potentially leaked in previous unrelated breaches. A related advisory124 from the US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) indicated that an unnamed Iran-based threat actor, which we track as Yellow Dev 19, exploited US state websites, including election-related websites, in an attempt to obtain voter registration information. The threat actor reportedly used Acunetix vulnerability scanner, a web security scanning tool, and leveraged known vulnerabilities including SQL injections, webshell uploads, and what the advisory describes as ‘unique flaws’ against targeted websites. Although we have not seen a repeat of the 2016 activity, the impact of such influence or sabotage operations on democratic process, and in particular the role that social media platforms play in this, is likely to remain under scrutiny in the future. COVID-19 In addition to some of the malicious cyber campaigns that have targeted organisations or sectors involved in the fight against COVID-19, as outlined in the earlier section of this report, there has also been a deluge of both misinformation and disinformation related to the pandemic. Such activity has included state-sponsored information operations interacting with organic communities of online users to spread disinformation, validating already existing ill-formed and ill-informed contrarian opinions.125 On one hand, in 2020 we saw misinformation being shared online in the form of misleading statistics, healthcare information, potential cures or treatment, origins of the outbreak, and authorities’ responses to the pandemic. This also extended to conspiracy theories, such as that the roll-out of 5G technology being linked to the virus’ spread. We also saw disinformation likely aimed at disrupting public order or manipulating an agenda, capitalising on recent events. The motivation behind this could range from economic gain, such as online scams, to political purposes. For example, a European task force that tracks disinformation released a report126 in June 2020 that examined how a Russian media contractor was surreptitiously pushing out disinformation to other European websites.127 121 ��‘Hacking the 2020 US election’, PwC Threat Intelligence, CTO-SIB-20201027-01A 122 ��‘Iran and Russia Seek to Influence Election in Final Days, U.S. Officials Warn’, The New York Times, https://www.nytimes.com/2020/10/21/us/politics/iran-rus- sia-election-interference.html (21st October 2020) 123 ‘Learning on the job with Yellow Dev 19’, PwC Threat Intelligence, CTO-TIB-20201118-02A 124 ‘Alert (AA20-304A) Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data’, CISA, https://uscert.cisa.gov/ncas/alerts/aa20-304a 125 ‘Corona non grata’, PwC Threat Intelligence, CTO-SIB-20200423-01A 126 �‘How two information portals hide their ties to the Russian news agency InfoRos’, EU Disinfo Lab, ‘https://www.disinfo.eu/publications/how-two-information-portals-hide-their-ties-to-the-russian-news-agency-inforos/ (15th June 2020) 127 ‘US officials: Russia behind spread of virus disinformation’, AP News, https://apnews.com/3acb089e6a333e051dbc4a465cb68ee1 (28th July 2020) https://www.nytimes.com/2020/10/21/us/politics/iran-russia-election-interference.html https://www.nytimes.com/2020/10/21/us/politics/iran-russia-election-interference.html https://uscert.cisa.gov/ncas/alerts/aa20-304a https://www.disinfo.eu/publications/how-two-information-portals-hide-their-ties-to-the-russian-news-agency-inforos/ https://apnews.com/3acb089e6a333e051dbc4a465cb68ee1 Cyber Threats 2020: A Year in Retrospect | 22 Blurring the lines For the majority of threat actors, their activities, however varied, broadly align to a single overarching motivation, be that intelligence gathering or financial gain. Of course, there have always been those that buck the trend – North Korea-based threat actors are a prime example of this having previously conducted espionage, crime, sabotage and hacktivist activities in line with shifting strategic objectives. Over recent years, there has been an increasing overlap in the activity of long standing espionage threat actors being linked to financially motivated activity, as a result of shifting objectives or personal gain. Hacker-for-hire operations have also blurred the traditional understanding of espionage activities, where activity conducted for multiple end users may be performed by a single private entity. Whilst this type of activity is not new, 2020 saw a number of such operations exposed in the public domain. Cyber Threats 2020: A Year in Retrospect | 23 Espionage heart, criminal mind In a continuing trend, an increasing number of threat actors portray dual motivations – seemingly using their tradecraft to conduct both espionage and financially motivated activity. In a divergence from 2019, throughout 2020 we observed more activity that is likely being conducted for personal gain as opposed to a wider shift in operational objectives to generate revenue. This poses an increasing threat to a wide variety of sectors and organisations as the targeting does not necessarily align to what is expected, nor does the tooling align to traditional cyber crime activity. This widely varying range of TTPs complicates both defence and attribution efforts. Activity of this sort that emerged in 2020 is associated with threat actors emanating from multiple regions: • Several individuals tied to China-based threat actor Red Kelpie were observed conducting cyber attacks targeting over 100 victim organisations across multiple sectors. The intent behind these attacks was to not just steal source code and customer account information, but to also create access for deployment of further payloads expressly for personal financial gain, such as ransomware and cryptojacking schemes.128,129 • An individual thought to be tied to the Russia- based threat actor Blue Echidna (a.k.a. Sandworm, Voodoo Bear) was found to be engaging in spear phishing campaigns for personal profit, targeting numerous sectors including asset and wealth management, retail and cryptocurrency.130 • PwC’s research into Iran-based criminal activities revealed a number of overlaps between individuals connected to both criminal operations and Iran-based espionage threat actors. Indictments released in 2020 indicated several individuals associated with Yellow Geryon (a.k.a. Rocket Kitten) and Yellow Dev 15 had used their offensive tradecraft for personal financial gain, often attempting to extort the victim after stealing sensitive information from them.131,132 We assess the motivations behind these multiple cases of Iran-based threat actors conducting both espionage and criminal operations stems from the conditions within which the threat actors operate, where ‘only the best individuals or teams succeed, are paid, and remain in business.’ These conditions subsequently drive threat actors, less able to compete, to seek out alternative or supplementary sources of income.134 • North Korean activity groups continued to conduct a blend of espionage and financially motivated attacks in 2020. Black Banshee and Black Artemis have been observed targeting organisations in the financial services sector, including cryptocurrency exchanges.135 This type of dual-hat activity has become fairly typical,136 and is relatively unique in that the revenue generated from these criminal intrusions is assessed to likely fuel the North Korean state’s strategic aims, rather than being conducted for personal gain.137,138 • Pakistan-based Gorgon Group (a.k.a. Aggah), which PwC assesses to be the cyber crime focussed element of the dual-motivated threat actor Green Havildar, was extremely active in 2020, using a number of malicious PowerPoint and Excel documents in order to target numerous victims across the world.139 This threat actor has a preference for commodity malware such as AgentTesla, which it can use for both espionage and criminal activities (i.e. information collection on the target, or intellectual property theft to later be sold on the Dark Web). 128 ‘A counterstrike on the money’, PwC Threat Intelligence, CTO-SIB-20200930-01A 129 �‘USA v Jiang Lizhi, Qian Chuan, Fu Qiang’, United States District Court for the District of Columbia, https://www.justice.gov/opa/pressrelease/file/1317206/ download (11th August 2020) 130 https://www.justice.gov/opa/press-release/file/1328521/download 131 ‘Money and intelligence – can a threat actor have it all’, PwC Threat Intelligence, CTO-SIB-20201023-01A 132 �‘Two Iranian Nationals Charged in Cyber Theft Campaign Targeting Computer Systems in United States, Europe, and the Middle East’, US Department of Justice Office of Public Affairs, https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-theft-campaign-targeting-computer-systems-unit- ed-states?s=08 (16th September 2020) 133 ‘Iran’s Hacker Hierarchy Exposed’, Recorded Future, https://www.recordedfuture.com/iran-hacker-hierarchy (9th May 2018) 134 ‘Money and intelligence – can a threat actor have it all’, PwC Threat Intelligence, CTO-SIB-20201023-01A 135 ‘Artemis Banshee and Shoggoth walk into a bar’, PwC Threat Intelligence, CTO-TIB-20200630-02A 136 ‘Mixed intentions’, PwC Threat Intelligence, CTO-TIB-20191106-01A 137 �‘North Korean crypto hacking: Separating fact from fiction’, CoinTelegraph, https://cointelegraph.com/magazine/2020/10/09/north-korean-crypto-hacking-separating-fact-from-fiction (9th October 2020) 138 �‘United States Files Complaint to Forfeit 280 Cryptocurrency Accounts Tied to Hacks of Two Exchanges by North Korean Actors’, US Department of Justice, https://www.justice.gov/opa/pr/united-states-files-complaint-forfeit-280-cryptocurrency-accounts-tied-hacks-two-exchanges (27th August 2020) 139 �‘Cyber-Criminal espionage Operation insists on Italian Manufacturing’, Yoroi, https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ (22nd May 2020) https://apnews.com/3acb089e6a333e051dbc4a465cb68ee1 https://apnews.com/3acb089e6a333e051dbc4a465cb68ee1 https://www.justice.gov/opa/press-release/file/1328521/download https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-theft-campaign-targeting-computer-systems-united-states?s=08 https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-theft-campaign-targeting-computer-systems-united-states?s=08 https://www.recordedfuture.com/iran-hacker-hierarchy https://cointelegraph.com/magazine/2020/10/09/north-korean-crypto-hacking-separating-fact-from-fiction https://www.justice.gov/opa/pr/united-states-files-complaint-forfeit-280-cryptocurrency-accounts-tied-hacks-two-exchanges https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ Cyber Threats 2020: A Year in Retrospect | 24 Hacker-for-hire groups Mercenary espionage groups, more commonly known as hackers-for-hire, offer different challenges to the cyber security community than standard espionage threats, despite deploying similar TTPs to their nation-state counterparts. These include: • Unpredictability in targeting – whilst threat intelligence teams are able to build up profiles of nation-state groups based on their country of origin and political events affecting it, hacker- for-hire groups follow the money. Their targeting is dependent on their client base, which has the potential to be broad with no particular focus on any sector; and, • Attribution – the ultimate client and objective behind any activity observed is more difficult to determine compared to activity from a traditional threat actor. Hacker-for-hire activities uncovered in 2020 have revealed insights into how these groups operate. This activity includes: Private intelligence companies CyberRoot and BellTroX (a.k.a. Orange Abtu, Amanda Lovers) were placed squarely in the middle of a lawsuit accusing them of compromising and stealing sensitive information of an American businessman for a client based in the Middle East.140 BellTroX has separately also been found to have conducted operations on hundreds of individuals and organisations on behalf of other clients.141 PwC’s analysis was able to not only tie CyberRoot and BellTroX together, but also find links to another group: Appin Security Group, which is suspected to have been responsible for the 2013 attack on a Norwegian telecommunications company.142 The findings outline a string of newly created private security organisations operating out of India, conducting hacker-for-hire espionage operations against a variety of sectors on behalf of clients.143 This illustrates that despite operations being ousted, these hacker-for-hire groups are adaptive, and will more often than not find a way to restart their campaigns. DeathStalker APT has been active since at least as early as 2018 and increased the number and diversity of its operations in 2020.144 It operates several bespoke malware families which allows it to conduct stealthy corporate espionage operations for clients on a large scale creating new backdoors in order to increase their capabilities.145 Deathstalker’s malware has been found in numerous countries, with the threat actor mostly focusing on targets within the financial and legal sectors. CostaRico APT has targeted organisations across several continents and a variety of sectors, with a heavy focus on South Asia. The origins of this group remain elusive, but with a number of relatively advanced defence evasion techniques (such as creating multiple SSH tunnels on a victim’s machine) as well as a bespoke backdoor – SombRAT – this threat actor can be considered a sophisticated cyber mercenary group. 146 Research of the infrastructure used for SombRAT communications suggests the campaigns started at least as early as November 2019, and appear to still be ongoing.147 140 �‘Complaint’, United States District Court for the Middle District of North Carolina, https://www.medianama.com/wpcontent/uploads/AZIMA_v_DEL_ROSSO_et_al__ncmdce-20-00954__0001.0.pdf (October 2020) 141 ��‘Dark Basin: Uncovering a Massive Hack-For-Hire Operation’, The Citizen Lab, https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/ (9th June 2020) 142 �‘Operation Hangover: Unveiling an Indian cyberattack infrastructure’, Norman Shark AS, https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf (May 2013) 143 ‘Intertwining web of Indian hack-for-hire operations’, PwC Threat Intelligence, CTO-SIB-20201104-01A 144 ‘DeathStalker: detailed look at a mercenary APT group that spies on small and medium businesses’, Kaspersky, 24th August 2020 145 ‘What did DeathStalker hide between two ferns?’, Kaspersky, https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ (3rd December 2020) 146 �‘The CostaRicto Campaign: Cyber-Espionage Outsourced’, BlackBerry, https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced (12th November 2020) 147 ‘CostaRicto: A new hacker-for-hire mercenary group discovered targeting the Asian region including Singapore’, PwC Threat Intelligence, S/N: SGCTIR-20201127-13 https://www.medianama.com/wpcontent/uploads/AZIMA_v_DEL_ROSSO_et_al__ncmdce-20-00954__0001.0.pdf https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced Cyber Threats 2020: A Year in Retrospect | 25 Deathstalker’s malware has been found in numerous countries, with the threat actor mostly focusing on targets within the financial and legal sectors. Cyber crime The year of COVID (and ransomware) In last year’s report, we noted that PwC’s Incident Response team responded to multiple cyber attacks affecting a range of different industry sectors. The overwhelming majority, 71% of incidents, were the result of criminal threat actors. 2020 was no different, with 86% attributable to cyber criminals. Cyber Threats 2020: A Year in Retrospect | 26 Cyber Threats 2020: A Year in Retrospect | 27 This is in marked contrast to ransomware operations last year, which were largely conducted in secret. The use of leak sites has almost certainly achieved its objective of increasing the pressure on victims to pay ransom demands. It has also provided a clear insight into the operational tempo of many ransomware operations. The scale and intensity of ransomware incidents in 2020 was striking, making ransomware the most significant cyber security threat faced by organisations, irrespective of their industry sector or location. While ransomware was a major threat in 2019, it has dominated the headlines in the last 12 months, largely due to a major shift in the TTPs employed by multiple ransomware threat actors: Many threat actors now exfiltrate data from their victims before they encrypt their victims’ files. Of those which do exfiltrate data, many announce that they have compromised a victim on a leak site (typically hosted on the dark web) and provide ‘proofs’ that they have downloaded data from their victims. These threat actors set a deadline by which a ransom must be paid. If the victim refuses to pay, stolen data is published on the leak site, adding data protection and regulatory issues to the challenges of restoring operations. Figure 4 – Running total of ransomware leak site publications in 2020 R un ni ng to ta l o f l ea ks 2 02 0 1400 1200 1000 800 600 400 200 0 Jan Feb Mar Apr May Jun Jul Aug Month (2020) Sep Oct Nov Dec Cyber Threats 2020: A Year in Retrospect | 28 What is driving the growth in attacks? Profit There was a sharp increase in the number of ransomware actors in 2020, following a trend already established in 2019. This was likely the result of high profile ransomware incidents and, in cases where details of ransom payments entered the public domain, the perceived profitability of human-operated ransomware attacks. This is attracting new players into the market. Recent arrivals include the ransomware systems such as Darkside, SunCrypt, Egregor, and Everest. The growth in ransomware operations is not confined to new threat actors. Many established criminal groups have already added ransomware to their portfolios. Banking trojans such as Emotet, Dridex and TrickBot are now more commonly used as the initial delivery mechanism in targeted ransomware attacks. The threat actor which we track as White Austaras (a.k.a.TA505) introduced CL0P ransomware at the end of 2019. The latest threat actor to make this switch is White Horoja, which controls the banking trojan Qakbot. Since March 2020, Qakbot has been used in the delivery of ProLock and DoppelPaymer ransomware and most recently, Egregor.148 The shift by established criminal actors towards ransomware is likely driven by opportunity costs. Successful online banking attacks rely on complex money laundering operations to receive stolen funds and transfer the proceeds to bank accounts under criminal control. The specialist criminals who provide money laundering services demand high commissions, whereas ransom payments are usually paid directly to cryptocurrency wallets already controlled by the attackers. As a consequence, ransomware operations are almost certainly more profitable than online banking attacks. We assess that several of the most significant ransomware threats, including Ryuk/Conti and WastedLocker, continue to be run privately. They are operated by criminal enterprises whose leadership has been active for over a decade and which comprise many of the most sophisticated and experienced criminal actors we currently track. These threat actors are largely secretive and no longer participate in the criminal forums or marketplaces frequented by less-established actors. Instead, they either have all of the resources they need in-house, or, where they do need to bring in external expertise or recruit additional talent, they employ private communication channels to do so. Established players can draw on an extensive list of trusted contacts they have accumulated over their extensive criminal careers. 148 �‘Egregor: Meet the new boss’, PwC Threat Intelligence, CTO-TIB-20201203-01A PwC’s Incident Response team responded to a Netwalker ransomware incident where the threat actor gained access to the victim’s network six weeks prior to the execution of the ransomware. Its access was gained through the use of compromised accounts to log in to external remote access services which did not require multi-factor authentication. The threat actor moved laterally through the environment by dumping credentials from the operating system of compromised hosts using Mimikatz, conducting network scans to identify targets and hosts to pivot to as it went. Using this method, it was able to gain access to a highly privileged account. The threat actor then was able to use this access to disable antivirus software and execute the Netwalker ransomware across the network. At the time, the threat actor did not steal data and threaten to publish it on the dark web, but it changed its tactics several months after this attack, and future victims were not so ‘lucky’ to be affected by ‘only’ the ransomware itself. Case study Netwalker ransomware incident Cyber Threats 2020: A Year in Retrospect | 29 149 �‘Nefilim’s immediate impact’, PwC Threat Intelligence, CTO-TIB-20200512-01A 150 �‘The rise of NetWalker’, PwC Threat Intelligence, CTO-TIB-20200612-02A 151 �‘Sodinokibi – The Beast Grows’, PwC Threat Intelligence, CTO-TIB-20201008-01A 152 �YouTube, ‘ЭЛИТНЫЕ ХАКЕРЫ REVIL: КАК ЗАРАБОТАТЬ $100 000 000 НА ШИФРОВАЛЬЩИКЕ? ‘https://www.youtube.com/watch?v=ZyQCQ1VZp8s (23rd October 2020) Scalability While the number of threat actors has increased, in some cases the scale and pace of their operations have also grown. Many of the ransomware threat actors we track, including Sodinokibi, Nefilim, NetWalker and Suncrypt, are run as affiliate programmes.149 The threat actors in control of the ransomware are responsible for the development and management of the malware. They provide access to the ransomware to their affiliates whose role is to conduct attacks. Ransom payments are deposited by victims into cryptocurrency wallets controlled by the ransomware developer and then shared with the affiliates in a pre-agreed profit sharing arrangement. In the case of Sodinokibi, the primary threat actor controls negotiations with victims; much the same applies with Suncrypt which claims to have a dedicated blackmail team (команда по шантажу) to handle ransom negotiations. The revenue of affiliate programmes is derived from the expertise of the affiliates involved in compromising target networks. The larger the number and the greater the skill of the recruits to an affiliate programme, the more revenue that programme will generate. This has introduced a degree of competition to attract skilled operatives, with rival threat actors adopting different approaches to recruitment: • NetWalker has claimed its profit sharing arrangements are more favourable than rival affiliate programmes (including Sodinokibi) and posted details of payouts from successful attacks.150 • When the threat actor in control of Sodinokibi relaunched its recruitment programme in September, it deposited the equivalent of USD 1 million into a cryptocurrency account linked to its profile on a criminal forum where it recruits affiliates. The threat actor claimed that the deposit was proof of the success of the Sodinokibi programme and the level of accessible funds it had at its disposal.151 Figure 5 – Sodinokibi’s million dollar gesture Figure 6 – Thanos private ransomware builder on sale in criminal forums • The same threat actor raised Sodinokibi’s profile yet further by taking part in an interview on a Russian-language social media channel on 23 October, in which he claimed that the ransomware operation had netted USD 100 million in 12 months.152 https://www.youtube.com/watch?v=ZyQCQ1VZp8s Cyber Threats 2020: A Year in Retrospect | 30 Barriers to entry are dropping In Ransomware-as-a-Service (RaaS) schemes, the developer sells access to the malware for a one-off fee. The products are usually marketed as ‘builders’, in that the purchaser can configure the ransomware through a graphic user interface (GUI) which then compiles the malware into a working binary. In addition to a one-off fee, some RaaS schemes offer a subscription service which provides users with ‘rebuilds’ to reduce antivirus detections and/or updates when new features become available. RaaS schemes are sold on criminal marketplaces and many are marketed as a better alternative to affiliate programmes: after the initial purchase is made, the threat actor keeps 100% of any revenue generated from its attacks.153 RaaS schemes have lowered the entry bar to ransomware operations as all that is required to obtain a working malware package is the funds to make the purchase and access to the criminal marketplaces where they are sold. Many of these packages are sold with extensive ‘how to’ guides and tutorials posted on social media platforms, meaning that relative newcomers to cyber crime can obtain a working capability without previous experience. To complicate matters further, the source code for a number of ransomware variants, including Dharma, GandCrab and others, has been leaked and has resulted in a proliferation of malware derivatives, dubbed ‘Frankenstein code’ in criminal forums. We assess that RaaS threat actors are more likely to target small and medium-sized enterprises (SMEs), whereas affiliate programmes and private ransomware operations are more likely to attack larger organisations. This is because RaaS customers often do not possess the requisite skills needed to attack and exploit large, complex networks. Established actors have raised their game Two of the most established and prominent ransomware threat actors have upgraded their systems in 2020. BitPaymer, a ransomware variant operated by the threat actor with the self-styled name ‘Evil Corp’ (a.k.a. the Dridex Group), was first introduced in 2017.154 Although the threat actor added some incremental improvements to the code, the core system has remained largely unchanged since its introduction. In 2020, ‘Evil Corp’ launched a new ransomware project known as WastedLocker, which was responsible for high profile attacks from the outset. Unlike BitPaymer, which was partially derived from the source code for the Dridex banking trojan, WastedLocker was written from scratch.155 Ryuk, one of the most serious ransomware threats to organisations, was first introduced in 2018. Ryuk operations were at a high tempo throughout 2019, which continued into Q1 2020. During this period, Ryuk was mainly delivered by a combination of Emotet and TrickBot. Ryuk then went through a dormant phase and did not re-emerge until Q3 2020. In parallel with Ryuk’s dormant phase, a new ransomware variant, Conti, emerged. Like WastedLocker, Conti has been written from scratch, but based on coding similarities and the naming conventions used in files and commands, we assess it has been written by the threat actor in control of Ryuk.156 Ryuk’s apparent disappearance during Q2 2020 prompted speculation that it had been supplanted by Conti. However, by September 2020 Ryuk had re-emerged but had switched delivery mechanisms to BazarLoader and Buer loader. 153 �‘We have liftoff – analysis of the Buran/Zeppelin ransomware programme’, PwC Threat Intelligence, CTO-TIB-20200330-01A 154 �‘Rezident evil: Dridex indictments’, PwC Threat Intelligence, CTO-SIB-20200102-01A 155 �‘WastedLocker – Evil Corp’s new smoking gun’, PwC Threat Intelligence, CTO-TIB-20200730-01A 156 �‘Conti – the child of Ryuk’, PwC Threat Intelligence, CTO-TIB-20200828-01A Figure 7 – The RANION RaaS is marketed on multiple criminal forums Cyber Threats 2020: A Year in Retrospect | 31 PwC’s Incident Response team responded to an incident in which a threat actor was observed to have gained access to the victim’s environment just a week prior to the execution of a Nefilim ransomware attack, with half of this time dedicated to extracting files from the victim’s environment. The threat actor’s initial access was through the compromised credentials of a software vendor who provided support to the victim for the vendor’s application. These credentials were used to gain access to the victim’s environment via a remote access solution. Once inside, the threat actor used Cobalt Strike to establish persistence and C2, and used Mimikatz and Cobalt Strike to expand its access and gain access to more privileged accounts. Having obtained privileged access, the threat actor identified a file server of interest and used its access to copy files from this server, stage them on other compromised systems, and upload them to cloud services controlled by the attacker. After extracting this data, the threat actor executed the ransomware, and threatened to publish the stolen files online unless a ransom was paid. After a week of non-payment, the victim’s executives were threatened directly via email that the organisation’s files would be released. Case study Nefilim ransomware incident The development of new ransomware variants is likely in response to improvements in defensive security. Whether variants have been written from scratch like Conti and WastedLocker, or incremental improvements have been introduced to established systems, there has been a drive to enhance the speed of encryption routines and defence evasion techniques. The intention of these improvements is clear: to reduce the risk of detection when the malware is first deployed on the network and/or to ensure encryption routines function as quickly as possible to prevent disruption of an attack while it is still underway. The changing face of ransomware operations As noted in the introduction, the advent of leak sites became one of the most striking elements of the ransomware phenomenon in 2020. Each time data is exposed on a leak site it represents an attack that failed to extort a ransom payment from a victim. It would be dangerous to infer that such attacks have had no impact; in many cases those incidents are likely to have caused significant disruption. Assessing the scale and tempo of ransomware operations based on how frequently threat actors expose stolen data on leak sites is inherently risky; several sophisticated threat actors, including those in control of Ryuk or WastedLocker, do not employ leak sites at all. Nevertheless, in 2020 at least 25 different actors have joined the leak site bandwagon since the first site was created by the actor in control of Maze ransomware. Some, like Light ransomware, have been short lived; others, have rebranded themselves (e.g. AKO changed its name to Ranzy); while others, such as Sodinokibi and DoppelPaymer have been active throughout the year. Since the beginning of the year, some 1,330 victims have had their data exposed, with the overwhelming majority (79%) of these leaks occurring in the second half of the year. This reflects the arrival of a series of aggressive ransomware operations which has driven up the number of incidents. But this figure belies the changing fortunes of some of the most prominent ransomware operations. In the first half of 2020, the threat actors in control of Maze and Sodinokibi were dominant, with new arrivals to ransomware operations beginning to make an impact. By Q4 2020, many more threat actors were active, with Egregor becoming one of the most prolific. The sectors most frequently targeted were Retail & Consumer and Manufacturing, although no sector is immune to ransomware incidents. Since the beginning of the year, some 1,330 victims have had their data exposed, with the overwhelming majority (79%) of these leaks occurring in the second half of the year. Cyber Threats 2020: A Year in Retrospect | 32 Figure 8 – Ransomware incidents Q2 2020 Figure 9 – Ransomware incidents Q4 2020 1% 12% 3% 14% 38% 1% 10% 2% 1% 2% 0% 1% 10% 1% 2% 1% 2%1%Ako/Ranzy Avaddon CL0P Conti Darkside DoppelPaymer Egregor Lockbit Maze MountLocker Nefilim NetWalker Pay2Key Ragnar Ragnarok RansomEXX Sodinokibi Suncrypt 5% 12% 35% 3% 10% 10% 3% CL0P DoppelPaymer Maze Nefilim NetWalker Pysa Ragnar 22%Sodinokibi Cyber Threats 2020: A Year in Retrospect | 33 Figure 10 – Ransomware incidents by ransomware family 2020 1% 13% 4% 12% 32% 1% 9% 1% 1% 2% 5% 1% 9% 1% 1% 3%1%Ako/Ranzy Avaddon CL0P Conti Darkside DoppelPaymer Egregor Everest Lockbit 1%Nefilim 1%MountLocker 1%Maze NetWalker Pay2Key Pysa Ragnar Ragnarok RansomEXX Sodinokibi Suncrypt Figure 11 – Ransomware incidents by sector 2020 9% 3% 4% 4% 10% 17% 2% 1% 2% 1% 1% 2%Transportation 1%Utilities Aerospace Automotive Construction Education 1% Energy 6% Financial services Government 6% Healthcare 3% Life Sciences 2% Hospitality 1% Food Logistics 17% Manufacturing NGO Oil & Gas 2%Real Estate 7%Professional services 1%Mining Retail TMT Legal Cyber Threats 2020: A Year in Retrospect | 34 157 �‘Emotet preparing to resume operations’, PwC Threat Intelligence UK, CTO-QRT-20200720-01A 158 �‘Analysis of a recent Emotet TrickBot campaign’, PwC Threat Intelligence UK, CTO-TIB-20191011-01A Delivery mechanisms Although ransomware infections captured the headlines within the cyber crime scene in 2020, a powerful ally to the threat actors were the delivery systems used to drop their malicious payloads. Malware delivery systems are pieces of software specifically designed to house malicious payloads, which are dropped by threat actors in order to gain an initial entry onto a target system. PwC observed a range of delivery systems in 2020, which are currently in play by several cyber criminal threat actors. These have included affiliate based systems, developed to allow access to a number of entities, through to off-the-shelf systems, which can be acquired through online private forums for a fee. Each played a crucial role in 2020 in aiding cyber criminal threat actors within their malicious campaigns. The year also saw the rebirth of certain systems that had been dormant for many years, as well as new systems entering the market to offer a fresh alternative to the pre-established delivery system players. Emotet ups and downs At the start of the year Emotet, which PwC tracks as White Taranis, continued to follow its form from the end of 2019, with its consistent delivery of both its spam and spear phishing campaigns up to mid-February 2020, when White Taranis began to initiate a powering down of its systems and spam campaigns. These remained largely dormant until mid-July 2020, when a sudden burst of Emotet activity once again flooded the scene.157 Spam campaigns by Epoch 2, the threat actor’s primary spam delivery botnet, were confined to the delivery of new Emotet binaries, rather than secondary payloads, such as TrickBot or Ursnif, which have been previously witnessed by PwC.158 This was closely followed by the threat actor’s other spam delivery botnet servers Epoch 1 and Epoch 3. The choice to solely deliver Emotet is likely to be part of a replenishment scheme by the threat actor to deploy the latest version of the Emotet binary on its stock of infected hosts, as part of a return to full- scale malware delivery operations. White Taranis has been frequently observed to take extensive ‘breaks’ in activity throughout its years of operation, and these have affected the loyalty of its client base. 2020 was no exception – during its break, clients of the Emotet delivery system were forced to make other arrangements due to its absence. This saw the popularity of systems such as Qakbot and Buer loader increase as alternatives to Emotet. PwC’s Incident Response team responded to a ransomware attack affecting a multinational client in New Zealand. The attack saw the vast majority of its systems encrypted and rendered inoperable, breaking its supply chain, halting global manufacturing and distribution, and putting its banking covenants at risk. The threat actor had been active on the victim’s systems from around 11th May 2020, based on evidence we found of beaconing activity in firewall logs, and the installation of tools such as ADFind and other Privilege Escalation tools. The threat actor spent the next couple of weeks exploring the client’s network and data, with file staging activities beginning on 27th May. Exfiltration to the AnonFiles file upload site started on 28th May. Our investigation revealed further installation of hacking tools on 30th May, with staging activity ceasing on 31st May followed by further exfiltration of the client’s data and the ransomware deployment on 1st June. It was at this point that PwC’s investigation, containment and recovery activities began. Working with our global teams it was rapidly determined that the attackers were likely to be external Russian speaking cybercriminals motivated by financial gain. This determination was based on the use of the Nefilim ransomware variant (based on Nemty ransomware family which originated in August 2019) and other factors. This enabled us to guide the client’s response in alignment with the threat actor’s MO including the likely timeline and actions it would take in terms of communication and posting the data on its data dump site. The IoCs and threat intelligence advisories were shared with relevant agencies and law enforcement. This included the threat actor’s FTP address and credentials which were discovered by reconstructing a Windows Terminal server caching bitmaps. Disk and log forensic analysis, along with reverse engineering some of the file paths enabled us to locate some of the data stored on the AnonFiles site and reconstruct much of the staged data. Case study Multinational company compromised by ransomware attack Cyber Threats 2020: A Year in Retrospect | 35 Alongside Emotet email and spear phishing campaigns, PwC also observed small developments being made to the Emotet binary that was being delivered during Q1 2020. This included a new Emotet module specifically designed to propagate over unsecured WiFi networks.159 The module added both scanning and brute-forcing capabilities which significantly improve Emotet’s ability to further compromise hosts on an infected network. Qakbot still quacking The threat actor that PwC tracks as White Horoja is behind the banking trojan named Qakbot (Qbot), which in 2020 was used to deliver a range of ransomware operations. First seen in 2007 targeting organisations within the finance sector, White Horoja took an extended break before returning to the scene in 2016 with a host of new developments and updates to improve both its capabilities and operational effectiveness.160 In 2020, PwC witnessed a spike in White Horoja activity resulting in an increase in spam emails delivering the banking trojan itself. This was further coupled with a number of high-profile ransomware cases that recorded the use of Qakbot within their infection process. Noticeable ransomware operations including Egregor, Prolock and DoppelPaymer have all used Qakbot as a delivery mechanism from at least Q2 2020 onwards.161,162 One of the reasons for this is likely due to the ‘break’ Emotet took between February and July 2020. Qakbot spam campaigns employed a tried and tested technique, used by White Horoja, of acquiring compromised WordPress websites and malicious Word documents to pull down and execute Qakbot. This proved to be an effective method to ensure that an instance of Qakbot would be running on a victim machine. Victims of Qakbot within 2020 covered a range of sectors including education, finance, healthcare, government and manufacturing across North America and Western Europe.163 Interestingly, one of the innovations adopted by Qakbot in 2020 was the introduction of a mail stealer module, which enabled White Horoja to distribute Qakbot via ‘reply to’ attacks from already infected hosts. This technique was used extensively by Emotet in 2019 and is likely to be highly effective; recipients of emails are more likely to open malicious attachments and enable content if they have received a message from a known contact in an existing email thread. When Emotet returned in July 2020, Qakbot resumed delivery by Emotet itself, which led to another eventual spike in Qakbot activity as Emotet spam campaigns began to power-up. A key feature of a number of Qakbot-leveraged ransomware attacks has been the use of an instance of Cobalt Strike, which employs a distinctive set of domains for C2. First observed in attacks deploying DoppelPaymer in Q2 2020, the Cobalt Strike C2 was hard coded to connect to domains impersonating a major cloud service and distributed computing service. Attacks delivered by Qakbot later in the year again used the same naming patterns for Cobalt Strike C2s, but were now dropping Egregor instead of DoppelPaymer. It is unclear if this distinctive use of Cobalt Strike can be attributed to a threat actor which has had access to both DoppelPaymer and Egregor, or if this is a feature of White Horoja’s Access-as-a-Service operation.164 Buer Loader Alongside the activity observed by some of the major players within the delivery system scene, PwC also witnessed increased activity from some of the lesser-known loaders delivering high-profile ransomware systems. Loaders such as Buer Loader, which was first introduced in August 2019, came to prominence in 2020, when it was selected to be used in a number of White Onibi campaigns, the threat actors behind Ryuk ransomware. Buer Loader provided an alternative option to threat actors as a delivery system that harnesses the Malware-as-a-Service (MaaS) model. This model allows users on the Russian-speaking criminal forum Exploit.in the opportunity to purchase the loader for a base price of USD 400. Advertised as a ‘modular’ loader, Buer was also consistently supported throughout the year by its developers. With multiple updates and iterations released by the authors, with a focus on improving its defensive evasions capabilities, in an attempt to reduce the number of antivirus detections for the loader. This helped enhance the loader’s attractiveness to the delivery system market, as a reliable and easily accessible loader compared to its more exclusive alternatives.165 Furthermore, with Emotet taking a brief departure during Q2 of 2020, Buer Loader popularity once again increased. As it was also observed to be used by White Magician (a.k.a. TrickBot) in a number of campaigns, which further cements this assessment.166 159 �‘Emotet wants your WiFi’, PwC Threat Intelligence UK, CTO-TIB-20200311-01A 160 �‘Qakbot – a dip into the pond’, PwC Threat Intelligence, CTO-TIB-20200515-02A 161 �‘Whats behind the increase in ransomware attacks this year’ PwC Threat Intelligence, https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is- behind-ransomware-attacks-increase.html 162 �‘Egregor: Meet the new boss’, PwC Threat Intelligence, CTO-TIB-20201203-01A 163 �NHS, ‘Qakbot Trojan’, https://digital.nhs.uk/cyber-alerts/2017/cc-1439 164 ‘Egregor: Meet the new boss’, PwC Threat Intelligence, CTO-TIB-20201203-01A 165 �‘Getting loaded with Buer’, PwC Threat Intelligence, CTO-TIB-20201120-02A 166 �‘Spear Phishing Campaign Delivers Buer and Bazar Malware’, zscaler, ‘https://www.zscaler.com/blogs/security-research/spear-phishing-campaign-delivers- buer-and-bazar-malware’ (29th November 2020) https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html https://digital.nhs.uk/cyber-alerts/2017/cc-1439 https://www.zscaler.com/blogs/security-research/spear-phishing-campaign-delivers-buer-and-bazar-malware https://www.zscaler.com/blogs/security-research/spear-phishing-campaign-delivers-buer-and-bazar-malware Cyber Threats 2020: A Year in Retrospect | 36 Bazar and TrickBot TrickBot continued to have a consistent year of activity throughout 2020. At the start of the year, PwC observed the banking trojan making numerous updates and additions to several of its custom modules. These modules are designed to provide TrickBot with a range of interchangeable functionalities, including the ability to scan for Remote Desktop Protocol (RDP) services or bypass User Access Controls (UAC) on Windows systems.167 This showcased White Magician’s commitment to improving and developing its malware. In April 2020, this behaviour was further solidified with the introduction of a new multi-stage modular loader known as BazarBackdoor (a.k.a Team9, BazaLoader, KEGTAP).168 The malware itself shares much of its operational and technical capabilities with the pre-existing TrickBot trojan, also developed by White Magician.169 However, we witnessed the threat actor employing a novel approach to C2 infrastructure, through the use of the EmerDNS service on the Emercoin blockchain.170 This new TTP for White Magician allowed it to strengthen its C2 infrastructure and prevent its domains from classic takedown and sinkholing efforts. In September 2020, White Onibi, the threat actor behind the Ryuk ransomware, began using Bazar as a delivery mechanism for its ransomware operations, leading to a noticeable spike in Bazar spam and domains being created.171 PwC observed the threat actor focus targeting large enterprises on a sector-agnostic basis, with many of its campaign themes centred around enterprise and business operations. Maze: rise and fall Maze is a cyber criminal threat actor that PwC tracks as White Labyrinth. It is behind the Maze ransomware operation that has been active since March 2019. Since that time, PwC has observed a dramatic increase in the level of activity by the threat actor, especially within Q1 of 2020. This period saw the threat actor target major organisations and companies in what is called ‘big game hunting’ in which organisations rather than individual consumers are targeted in an attempt to receive a greater return. These targeted organisations lay across a selection of sectors such as retail, healthcare, manufacturing and insurance.172 This included several instances of specific targeting against entities related to the COVID-19 pandemic, including hospitals, vaccine test centres and other organisations.173 However, White Labyrinth’s most notable contribution to 2020 was the fact that it pioneered the growing trend of ransomware leak sites. It became the first known threat actor to publicly display compromised data on a website, in an attempt to publicly exploit and apply pressure to the victim organisation to pay the ransom demand. The introduction of the Maze site sparked a revolution within the ransomware scene with multiple threat actors choosing to set up similar sites to publicly extort victims. It was also used to house victim data from other ransomware operations including LockBit and Ragnar Locker. By November 2020, White Labyrinth had released data stolen from 256 victims, which PwC approximates to one third of all data leaks in 2020, making it one of the most prolific ransomware operations to publicly expose stolen data.174 On 1st November 2020, White Labyrinth released a press statement on its site declaring that it would officially close down its project. This consisted of the powering down the leak site used as well as the halt in any new Maze ransomware infections. This left a considerable gap within the ransomware scene which was rapidly filled by the introduction of a new system titled Egregor, which many deem as the spiritual successor to the Maze operation. 167 �‘Old dog, new TrickBots’, PwC Threat Intelligence, CTO-TIB-20200214-02A 168 �‘BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware’, BleepingComputer, https://www.bleepingcomputer.com/news/security/ bazarbackdoor-TrickBot-gang-s-new-stealthy-network-hacking-malware/ 24th April 2020 169 ‘Bazar – a new bag of Tricks Part 1’, PwC Threat Intelligence, CTO-TIB-20201125-01A 170 �‘EmerDNS’, Emercoin, https://emercoin.com/en/emerdns 171 �‘Bazar – a new bag of Tricks Part 1’, PwC Threat Intelligence, CTO-TIB-20201125-01A 172 �Trapped in the Maze’, PwC Threat Intelligence UK, CTO-TIB-20200501-01A 173 �‘COVID-19 Vaccine Test Centre Hit By Cyber-Attack, Stolen Posted Online’, Forbes, https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine- test-center-hit-by-cyber-attack-stolen-data-posted-online/?sh=370f057318e5 March 23rd, 2020 174 �‘What’s behind the increase in ransomware attacks this year?’, PwC Threat Intelligence UK, https://www.pwc.co.uk/issues/cyber-security-services/insights/ whatis-behind-ransomware-attacks-increase.html TrickBot continued to have a consistent year of activity throughout 2020. https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/ 24th April 2020 https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/ 24th April 2020 https://emercoin.com/en/emerdns https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/?sh=370f057318e5 March 23rd, 2020 https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/?sh=370f057318e5 March 23rd, 2020 https://www.pwc.co.uk/issues/cyber-security-services/insights/whatis-behind-ransomware-attacks-increase.html https://www.pwc.co.uk/issues/cyber-security-services/insights/whatis-behind-ransomware-attacks-increase.html Cyber Threats 2020: A Year in Retrospect | 37 Business Email Compromise: continued persistence and increasing sophistication In 2019, we saw a rising trend of BEC attacks, where a threat actor either hijacks or closely imitates (‘spoofs’) a legitimate email account in order to more effectively socially engineer individuals into conducting fraudulent financial transactions. BEC remained prevalent across all industry sectors and business sizes in 2020. According to the FBI, the increasing financial losses of BEC attacks amounted to USD 1.7 billion in 2019,175 making it the highest grossing form of internet crime that year. While the majority of BEC attacks focus on economies of scale, seeking to elicit smaller amounts from targets over multiple campaigns,176 some threat actors have managed to steal millions in a single attack. BEC attacks have been becoming increasingly sophisticated, employing a combination of tactics such as display name deception, secure server and domain name impersonation, vendor email compromise (VEC) and person-in-the-middle attack (PITM) techniques. In addition to social engineering, security researchers have tracked the exponential growth of commodity malware (keyloggers and RATs) and phishing kit use among BEC actors between 2014 and 2020 attesting to the continued development of BEC TTPs to enhance persistence and scale credential stealing capabilities.177 The severity of BEC has prompted increased law enforcement responses internationally, resulting in a number of high-profile arrests in 2020. In June 2020, the arrests of Raymond ‘Hushpuppi’ Igbalode178 and Olalekan Jacob Ponle179 (a.k.a ‘Mr. Woodberry’) drew mass media attention, after criminal complaints against the individuals alleged that their opulent lifestyles, which they flaunted openly on social media to over 2.4 million followers, were financed by the proceeds of online fraud. Hushpuppi alone is alleged to have laundered approximately USD 138 million from BEC attacks. In November 2020, in a joint operation, INTERPOL, Group-IB and Nigeria Police Force arrested three individuals in Lagos, Nigeria accused of engaging in BEC as well as developing and distributing at least 26 variants of commodity malware, including AgentTesla, Loki, Azorult, Spartan, NanoCore and Remcos Remote Access Trojans.180 PwC has reported on the activities of 11 active Nigeria-based threat actor groups,181 however, BEC is also attracting more sophisticated financially motivated threat actors, such as Russia-based Cosmic Lynx. More than 200 campaigns against targets in 46 countries have been attributed to the Russia-based threat actor since 2019, and while on average BEC attackers request approximately USD 55,000 from each target, Cosmic Lynx requests on average USD 1.27 million.182 It is highly likely that BEC will continue to be a highly attractive and lucrative form of attack, especially in light of the increased number of employees working from home due to COVID-19 lockdown measures. Remote working has led to changes in how many businesses operate, with threat actors continuing to capitalise on the climate of uncertainty. 175 �‘2019 Internet Crime Report’, FBI, https://pdf.ic3.gov/2019_IC3Report.pdf (11th February 2020) 176 �‘BEC Wire Transfer Losses Soar 48% in Q2 2020’, Info Security Magazine, https://www.infosecurity-magazine.com/news/bec-wire-transfer-losses/ (1st September 2020) 177 �‘SilverTerrier: 2019 Nigerian Business Email Compromise Update’, Palo Alto Unit 42, https://unit42.paloaltonetworks.com/silverterrier-2019-update/ (31st March 2020) 178 �‘Nigerian National Brought to U.S. to Face Charges of Conspiring to Launder Hundreds of Millions of Dollars from Cybercrime Schemes’, US Dept of Justice, https://www.justice.gov/usao-cdca/pr/nigerian-national-brought-us-face-charges-conspiring-launder-hundreds-millions-dollars (3rd July 2020) 179 �‘Nigerian National Expelled From the United Arab Emirates to Face Cyber Fraud Charge in Chicago’, US Dept of Justice, https://www.justice.gov/usao-ndil/pr/nigerian-national-expelled-united-arab-emirates-face-cyber-fraud-charge-chicago (3rd July 2020) 180 �‘Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group’, Interpol, https://www.interpol.int/en/News-and-Events/ News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group (25th November 2020) 181 �CTO-SIB-20200528-02A – You’ve got mail – analysis of Nigeria-based BEC threat actors 182 �‘Cosmic Lynx: A Russian Threat Hits the BEC Scene’, Agari, https://www.agari.com/email-security-blog/cosmic-lynx-russian-bec/ (7th July 2020) https://pdf.ic3.gov/2019_IC3Report.pdf (11th February 2020) https://www.infosecurity-magazine.com/news/bec-wire-transfer-losses/ (1st September 2020) https://www.infosecurity-magazine.com/news/bec-wire-transfer-losses/ (1st September 2020) https://unit42.paloaltonetworks.com/silverterrier-2019-update/ (31st March 2020) https://unit42.paloaltonetworks.com/silverterrier-2019-update/ (31st March 2020) https://www.justice.gov/usao-cdca/pr/nigerian-national-brought-us-face-charges-conspiring-launder-hundreds-millions-dollars (3rd July 2020) https://www.justice.gov/usao-ndil/pr/nigerian-national-expelled-united-arab-emirates-face-cyber-fraud-charge-chicago (3rd July 2020) https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group (25th November 2020) https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group (25th November 2020) https://www.agari.com/email-security-blog/cosmic-lynx-russian-bec/ (7th July 2020) https://www.agari.com/email-security-blog/cosmic-lynx-russian-bec/ (7th July 2020) Cyber Threats 2020: A Year in Retrospect | 38 The severity of BEC has prompted increased law enforcement responses internationally, resulting in a number of high-profile arrests in 2020. On 16th March 2020, Norfund transferred USD 9,888,055 to a bank account in Banco Mercantil del Norte, Mexico, which Norfund believed belonged to its client, the Cambodian financial institution LOLC Plc. In fact, the bank account was controlled by a threat actor, which managed to compromise an email account belonging to an employee at Norfund, registered fake domains and impersonated Norfund’s and LOLC’s employees in the conversation. Prior to the fraud, in September 2019, the threat actor compromised an email account belonging to an employee at Norfund, and monitored Norfund’s communication for seven months. On 9th March 2020, the threat actor intercepted email correspondence between Norfund and LOLC about the forthcoming transaction. It changed the bank account details in the disbursement notice and convinced Norfund that a Mexican bank was used to avoid using several bank intermediaries in the transaction. The threat actor used COVID-19 as a factor to convince LOLC that the bank transfer was delayed. At the same time, it sent emails to Norfund confirming that the funds were received by LOLC, to prevent further investigation on Norfund’s side. On 24th April 2020, the threat actor tried to manipulate a transaction with another Cambodian client, First Finance Plc, asking to change the bank account details to Banco Mercantil del Norte. Norfund’s investment manager requested First Finance to confirm the change and subsequently received confirmation that the account did not belong to them. On 30th April 2020, Norfund received an email from LOLC stating that the bank account details in the transfer on 16th March 2020 were incorrect. Following the discovery of the attempted fraud, Norfund engaged PwC’s Incident Response team to handle the incident in cooperation with Norwegian law enforcement and Norfund’s IT service provider. Case study Norfund defrauded of NOK 100 million in Business Email Compromise183 Cyber Threats 2020: A Year in Retrospect | 39 183 ‘Press Release from Norfund’, Norfund, https://www.norfund.no/app/uploads/2020/05/Press-release-13052020.pdf (13th May 2020) Charity/NGO Consumer markets Entertainment & media Financial services Government Healthcare & pharma Manufacturing Power & utilities Professional services Retail Technology & telecommunications Transport & logistics Engineering & construction Figure 12 – PwC’s Incident Response team statistics Insider Threat 5% 86% Crime APT 9% https://www.norfund.no/app/uploads/2020/05/Press-release-13052020.pdf (13th May 2020) Cyber Threats 2020: A Year in Retrospect | 40 Rise of the defenders As threat actors continued to breach organisations in pursuit of their objectives – and sometimes monetised their access on the side – public sector entities, legislative branches and private sector organisations have been sharpening their cyber strategies and coordinating their efforts to tackle malicious cyber activity. Cyber Threats 2020: A Year in Retrospect | 41 184 �‘Advisory: APT29 targets COVID-19 vaccine development’, UK National Cyber Security Centre (NCSC), https://www.ncsc.gov.uk/files/Advisory-APT29-targets- COVID-19-vaccine-development-V1-1.pdf (16th July 2020) 185 �‘The data breach at the Storting’, The Government of Norway, https://www.regjeringen.no/en/aktuelt/datainnbruddet-i-stortinget/id2770135/ (13th October 2020) 186 �‘Datainnbruddet mot Stortinget er ferdig etterforsket’, Politiets Sikkerhetstjeneste, https://www.pst.no/alle-artikler/pressemeldinger/datainnbruddet-mot- stortinget-er-ferdig-etterforsket/ (8th December 2020) 187 �‘Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community’, US DoJ, https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and- agencies-conduct-coordinated-actions-disrupt (17th September 2020) In October 2020, it was made public that the Norwegian Parliament (Stortinget) had fallen victim to an intrusion and the Norwegian government took the historic step of publicly accusing Russia of being behind the attack. At the time, the government did not provide evidence, nor did it provide any details about which Russia-based threat actor was responsible. The accusation was historic, as it was the first time Norwegian government officials pointed directly at another country following a breach. Previously, these types of reactions had been reserved for warning against Russia and China-based threats in the intelligence and security services’ annual threat assessments. On 8th December 2020, the Norwegian Police Security Service issued a public statement following its investigation, indicating that Russia-based threat actor Blue Athena was behind the intrusion.186 The investigation showed that the threat actor had bruteforced passwords to obtain valid usernames and passwords. This technique had been used against a high number of user accounts at Stortinget’s email systems and resulted in the threat actor being able to obtain legitimate credentials, which it used to log in to a smaller number of accounts. It was revealed that sensitive information had been extracted from some of the affected accounts. Furthermore, the investigation revealed that the threat actor had attempted to move laterally into Stortinget’s computer systems. However, there were no indications this had been successful. Case study Norwegian Parliament breached by APT28 Going public During 2020, governments worldwide were increasingly active in releasing information relating to malicious cyber operations in the public domain. This has taken many forms including the release of reports detailing the TTPs of specific threat actors, or commonly observed in intrusions against specific sectors, or advisories detailing the exploitation of specific vulnerabilities. In particular, governments were increasingly open to publicly attributing specific intrusions to foreign entities. For example, the United Kingdom, Canada, and the United States assessed earlier this year that Russia-based threat actors part of Blue Kitsune were responsible for targeting COVID-19 vaccine development.184 The associated advisory detailed some of Blue Kitsune’s initial access techniques and custom malware. In October, the Norwegian government assessed that Russia- based threat actors were responsible for a breach of the Norwegian Parliament’s email systems dating back to August 2020,185 in a move that represented the first time it had publicly attributed a cyber incident to a state. Legal action Sanctions and indictments form an increasingly prominent part of the strategy which is used to deter and disrupt malicious cyber activity. The US has been taking the lead in this space, continuing to use these measures as a warning to those attempting to conduct cyber attacks against the country. Most notably, in September 2020, there was a coordinated effort by several US departments to disrupt Iran-based cyber activity.187 Over the course of a week, several indictments were unsealed and sanctions brought against a number of individuals who allegedly performed malicious cyber activity associated with Iran’s Ministry of Intelligence and Security (MOIS), and Islamic Revolutionary Guard Corps (IRGC). This was combined with the release of technical alerts and advisories regarding the TTPs of Iran-based cyber activity. https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf https://www.regjeringen.no/en/aktuelt/datainnbruddet-i-stortinget/id2770135/ (13th October 2020) https://www.pst.no/alle-artikler/pressemeldinger/datainnbruddet-mot-stortinget-er-ferdig-etterforsket/ https://www.pst.no/alle-artikler/pressemeldinger/datainnbruddet-mot-stortinget-er-ferdig-etterforsket/ https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt Cyber Threats 2020: A Year in Retrospect | 42 2020 also saw the European Council impose its first-ever round of restrictive sanctions (including a travel ban and asset freezing) against multiple individuals and entities in response to different high-profile, global cyber incidents.188 The campaigns and attacks explicitly referenced in the Council Decision included: Operation Cloud Hopper, the global espionage campaign conducted by Red Apollo (a.k.a. APT10), which involved ‘unauthorised access to commercially sensitive data, resulting in significant economic loss’. A 2018 intrusion attempt into the Organisation for the Prohibition of Chemical Weapons (OPCW) by Blue Athena, ‘which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work’ into the Salisbury poisonings. A series of incidents attributed to Black Artemis: from the ‘WannaCry’ ransomware campaign; to the intrusion against the Polish Financial Supervision Authority as well as the financially-motivated compromise of Bangladesh Bank and Tien Phong Bank; to the sabotage-motivated compromise and destructive attack launched against Sony Pictures Entertainment. The public sector has not been alone in taking legal action against cyber threat actors. Microsoft has previously done so in order to take legal control of domains associated with cyber threat activity. It has legally seized infrastructure involved in campaigns conducted by Red Kelpie,189 Blue Athena,190 Yellow Garuda,191 as well as activity spanning the intrusion sets PwC associates with Black Shoggoth and Black Banshee.192 In 2020, Microsoft also brought a legal case against threat actors conducting a COVID-19-themed BEC campaign targeting users of Microsoft’s Office365 suite.193 An operation to disrupt TrickBot was conducted by the US Cyber Command in October 2020. The techniques reportedly included compromising the botnet’s C2 servers, and injecting junk data into stolen data to render data unusable.194 Similarly, Microsoft took action in conjunction with telecommunications providers and other security software vendors to cut off key infrastructure from operators, disrupting their ability to perform new infections or communicate with existing compromised hosts, in particular, activating ransomware.195 These actions have caused short term disruption to TrickBot activity as it rebuilt and recovered access to its infrastructure, and effectively pushed it closer to Emotet, with which it shares C2 infrastructure. 188 �‘EU imposes the first ever sanctions against cyber-attacks’, European Council, https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu- imposes-the-first-ever-sanctions-against-cyber-attacks/# (30th July 2020) 189 ��‘MICROSOFT CORPORATION, a Washington corporation, Plaintiff, V. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS, Defendants’, https://www.courthousenews.com/wp-content/uploads/2017/11/barium.pdf (2017) 190 �‘We are taking new steps against broadening threats to democracy’, Microsoft, https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new- steps-against-broadening-threats-to-democracy/ (20th August 2018) 191 �‘New steps to protect customers from hacking’, Microsoft, https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from- hacking/ (27th March 2019) 192 �‘Microsoft takes court action against fourth nation-state cybercrime group’, Microsoft, https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court- action-against-nation-state-cybercrime/ (30th December 2019) 193 �‘Microsoft takes legal action against COVID-19-related cybercrime’, Microsoft, https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid- 19-cybercrime/ (7th July 2020) 194 �‘A TrickBot Assault Shows US Military Hackers’ Growing Reach’, Wired, https://www.wired.com/story/cyber-command-hackers-TrickBot-botnet-precedent/ (14th October 2020) 195 �‘New action to combat ransomware ahead of U.S. elections ‘, Microsoft, https://blogs.microsoft.com/on-the-issues/2020/10/12/TrickBot-ransomware- cyberthreat-us-elections/ (12th October 2020) https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/# https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/# https://www.courthousenews.com/wp-content/uploads/2017/11/barium.pdf https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/ https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/ https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/ https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/ https://www.wired.com/story/cyber-command-hackers-trickbot-botnet-precedent/ https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/ https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/ Cyber Threats 2020: A Year in Retrospect | 43 As ransomware activity continues to grow, the US Department of Treasury’s Office of Foreign Assets Control’s (OFAC) warning against ransom payment may serve to generate change. In October 2020, OFAC warned US organisations of potential sanction risks for facilitating ransom payments to threat actors. It warned that organisations involved in the facilitation chain, such as financial institutions and insurance providers, may also be liable for breaching sanctions.196 Whilst threat actors will ultimately continue to conduct their operations, it is clear that the takedown of key threat actor infrastructure can cause significant disruption to their operations. The release of a threat actor’s toolset may also trigger a period of adjustment as they retool to avoid detection, although we note that some threat actors, such as those based in North Korea and Iran have been seemingly unphased by similar action in the past. The effectiveness of indictments and sanctions on deterring cyber operations is more difficult to determine. Indictments against individual operators, for example, are unlikely to result in extradition, particularly where the activity is tasked by the state. The effect of sanctions on ransom payments however, may push cyber criminals to reassess their methods going forwards if it becomes unviable to meet payments. Both the public and private sectors have grown increasingly bold in attribution and in the willingness to share information. At minimum, the attribution serves as a warning that this activity has not gone unnoticed, and when this information is brought into the public domain, generates a greater awareness of the cyber threat landscape, and a greater opportunity for defence efforts. 196 �‘Ransomware Advisory’, U.S. Department of the Treasury, https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001 (1st October 2020) 197 �‘A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs’, ZDNet, https://www.zdnet.com/article/a-vigilante-is-sabotaging-the- emotet-botnet-by-replacing-malware-payloads-with-gifs/ (24th July 2020) Vigilante subversion In a variation of public entities’ takedown of cyber criminal infrastructure, in July 2020 an unknown vigilante entity took action to degrade the Emotet botnet’s operations for the space of about a week. Publicly available research had noted that the threat actor operating Emotet was using open-source webshells – mostly with the same password – to control its botnet’s compromised infrastructure and temporarily host payloads. The vigilante entity was able to gain access to the webshells across a portion of the Emotet botnet’s infrastructure, and moved to replace malicious payloads and controller scripts hosted on it with animated GIFs. The series of defacements reportedly slowed down Emotet operations temporarily, when the amount of hijacked infrastructure reached about a quarter of its total payload downloads.197 https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001 https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/ https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/ Cyber Threats 2020: A Year in Retrospect | 44 Tools, Tactics and Procedures An endless supply... of supply chain compromise Supply chain compromise is not new and, while less frequently observed than other access paths, such as credential compromise and spear phishing, it remains a critical intrusion vector into organisations. Cyber Threats 2020: A Year in Retrospect | 45 Software compromise The alteration, replacement, or bundling of legitimate software, such as installers or updates, with malware that is delivered to victims. Digital trust compromise The theft, forgery or abuse of valid digital certificates to sign malware and bypass detection mechanisms. Trusted infrastructure compromise The compromise of legitimate websites or applications, often in order to perform watering hole attacks or to otherwise deliver malware to targets. Third-party access compromise The case where a threat actor is able to breach a trusted partner or supplier or contractor or service provider of a target, and abuse the entity’s access to the target’s network to perform an intrusion. Additionally, in some supply chain compromise incidents throughout 2020, analysis suggests the possibility that multiple threat actors might have compromised the same ‘supplier’ entity contemporaneously or at different times, which can complicate both the scoping, response, and attribution of incidents. To complicate prevention and detection efforts, supply chain compromise can take many different forms, which can include one or more of the following examples: SolarWinds In 2020, the SolarWinds compromise in particular left 18,000 of its customers exposed, including government entities. In December 2020, FireEye and Microsoft released research detailing a global supply chain compromise affecting multiple sectors.198,199 The threat actor, which PwC tracks as White Dev 61 (a.k.a. UNC2452), trojanised updates to SolarWind’s Orion IT monitoring and management software, modifying the ‘SolarWinds.Orion.Core. BusinessLayer.dll’ component, to contain a backdoor known as SUNBURST (a.k.a. Solorigate). Multiple iterations of the Orion software were affected from at least software version 2019.4 HF 5 to 2020.2.1 HF 1, released between March 2020 and June 2020.200 Our analysis, as well as multiple open source reports, highlighted that the threat actor invested significant effort in embedding SUNBURST into a legitimate SolarWinds Orion DLL: creating a file which contains both the SUNBURST payload and legitimate code used in SolarWinds functionality, all signed by a legitimate SolarWinds private key, across multiple updates. The threat actor also took a number of steps to blend in with legitimate activity and traffic of the infected system and make analysis and detection more difficult.201 In addition to masquerading HTTP requests as legitimate Orion traffic or as benign XML, and to using a custom JSON structure to communicate with the C2, SUNBURST applied execution delay, victim machine domain checking, screening running processes and services against a blocklist in an effort to avoid detection, command and control IP checking, stopping antivirus and EDR services, as well as other execution safeguards and anti-analysis features. 198 �‘Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor’, FireEye, https://www.fireeye. com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-withsunburst-backdoor.html (13th December 2020) 199 �‘Customer Guidance on Recent Nation-State Cyber Attacks’, Microsoft, https://msrc-blog.microsoft.com/2020/12/13/customer-guidanceon-recent-nation-state- cyber-attacks/ (13th December 2020) 200 �Active Exploitation of SolarWinds Software, CISA, https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwindssoftware (13th December 2020) 201 �‘SUNBURST, SolarWinds, and Supply Chain Compromise’, PwC Threat Intelligence, CTO-QRT-20201214-01A https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-withsunburst-backdoor.html https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-withsunburst-backdoor.html https://msrc-blog.microsoft.com/2020/12/13/customer-guidanceon-recent-nation-state-cyber-attacks/ https://msrc-blog.microsoft.com/2020/12/13/customer-guidanceon-recent-nation-state-cyber-attacks/ https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwindssoftware Cyber Threats 2020: A Year in Retrospect | 46 The malware has a wide range of capabilities. A notable feature is the way it generates a unique set of subdomains for the infected machine to connect to for command and control. Part of the logic of the custom domain generation algorithm (DGA)202 is used initially to identify victim machines of interest to the attacker. Specifically, SUNBURST determines the Fully Qualified Domain Name (FQDN) to which the victim machine is registered, and uses this in the DGA for subdomain generation, along with an eight byte unique victim ID. If the FQDN domain record is empty or null, the malware will exit, likely in an effort to avoid executing on machines which are not part of an intended target network. Overall, the threat actor that developed SUNBURST displayed a high level of technical sophistication, having gone to great lengths to develop a stealthy malware family able to clearly profile victims, and deliver further payloads or exfiltrate information from targets. Other than the notable scale of the incident, and it remaining under the radar for months, it is also worth pointing out that the SolarWinds compromise was likely only one of multiple methods used by the same threat actor to gain access to targets.203 As the investigation into the SolarWinds compromise continues, a follow-up report by Microsoft also detailed the discovery of a separate, different malware family from SUNBURST: a .NET webshell that is known in open source as SUPERNOVA.204 SUPERNOVA is designed to take a valid .NET program as a parameter, and compile and execute it in memory (leaving no forensic traces on disk).205 While SUPERNOVA was also delivered in the form of a maliciously altered SolarWinds Orion component, it was not delivered via the same vector as SUNBURST, and it has been associated with a different threat actor from the one deploying SUNBURST, adding further complexity to the timelining, scope, and consequences of the compromise as well as to its attribution. We track SUPERNOVA activity under White Dev 62. 201 ‘SUNBURST, SolarWinds, and Supply Chain Compromise’, PwC Threat Intelligence, CTO-QRT-20201214-01A 202 ‘White Dev 61 SUNBURST’, PwC Threat Intelligence, CTO-TIB-20201217-01A 203 �‘DarkHalo leverages SolarWinds compromise to breach organizations‘, Volexity, https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds- compromise-to-breach-organizations/ (14th December 2020) 204 �‘Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers’, Microsoft, https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how- microsoft-defender-helps-protect/ (18th December 2020) 205 �‘SUPERNOVA: SolarStorm’s novel .Net webshell’, Palo Alto, https://unit42.paloaltonetworks.com/solarstorm-supernova/ (17th December 2020) SUPERNOVA is designed to take a valid .NET program as a parameter, and compile and execute it in memory https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ https://unit42.paloaltonetworks.com/solarstorm-supernova/ Cyber Threats 2020: A Year in Retrospect | 47 Able Desktop Another example of a long-running campaign abusing the software supply chain is the compromise of Able Desktop, a business management suite widely used in Mongolia. In July 2020, we observed a sample of an Able downloader bundled with a first stage loader for the HyperBro backdoor. In December 2020, Avast reported on Red Phoenix (a.k.a. APT27, Emissary Panda) activity targeting the Mongolian public sector, including by compromising a company providing services to the Mongolian government, and deploying HyperBro.206 An ESET report also made a link between HyperBro and targeting of Mongolia.207 Based on ESET’s analysis, between at least 2018 and 2020, both trojanised Able Desktop installers and compromised Able Desktop updates were used by threat actors to deliver multiple different malware families to targets. These included: At the moment, it is unclear whether the same threat actor abused the Able compromise to deliver both HyperBro, PlugX, and TManger; whether Red Phoenix and Red Orthrus shared access to the victim; or, whether Red Phoenix and Red Orthrus separately compromised Able and abused their access to target Mongolia. VeraPort In November 2020, ESET also reported that Black Artemis was conducting a supply chain compromise campaign abusing WIZVERA VeraPort software.209 VeraPort is used to manage software integration installation, and is necessary in order to access some South Korean government websites. Upon visiting websites or applications also running VeraPort, VeraPort users automatically receive and install any component that may be required by such sites. The threat actor reportedly compromised individual legitimate websites supporting VeraPort, altering the hosted VeraPort software package to include malware. Thereafter, VeraPort users visiting the compromised websites would receive malware similar to that described by KR-CERT in Operation BookCode reports.210 Black Artemis also used stolen valid digital certificates to sign the malicious binaries delivered to victims, in order to bypass VeraPort’s default-enabled execution safeguards, as the software would only allow the installation of binaries signed with valid certificates but not verify who the certificates had been issued to. In our 2019 Year in Retrospect report, we had specifically highlighted that we had observed Black Artemis and its subset Andriel frequently use stolen digital certificates in its operations,211 a technique that the threat actor continues to apply. HyperBro, as observed by both PwC and Avast;1 PlugX, a backdoor shared between multiple China-based threat actors; and,2 TManger, a backdoor recently detailed in a series of posts by NTTSecurity208 and attributed to Red Orthrus (a.k.a. Keyboy).3 206 �‘APT group targeting governmental agencies in East Asia‘, Avast, https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east- asia/ (9th December 2020) 207 �‘Operation StealthyTrident: Corporate software under attack’, ESET, https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ (10th December 2020) 208 �‘Panda’s New Arsenal: Part 1 Tmanger’, NTT Security, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger (15th October 2020) 209 �‘Lazarus supply‑chain attack in South Korea’, ESET, https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ (16th November 2020) 210 �‘TTPs#1 : , KR-CERT, https://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35330 (1st April 2020) 211 ‘Cyber Threats 2019: A Year in Retrospect’, PwC Threat Intelligence, https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-threats-2019- retrospect.html https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ https://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35330 Cyber Threats 2020: A Year in Retrospect | 48 In April 2020, PwC’s Incident Response team responded to an intrusion at a Nordic maritime and subsea technology company. The client had been devastated by ransomware, which had affected most of its critical IT systems. The threat actor that launched the attack made efforts to delete backups as well as log data. This made it challenging to pursue its activities. Shortly after the breach, the threat actor demanded USD 210,000 in exchange for decryption software. The victim did not pay the ransom. The investigation concluded that the threat actor had highly likely leveraged a Citrix NetScaler appliance vulnerable to CVE-2019-19781 as its entry point, deploying Cobalt Strike as its command-and-control tool, before deploying the ransomware family Defray777 (also known as RansomEXX, 777 and Target777). While PwC was unable to attribute the ransomware incident to a known threat actor, our investigation uncovered evidence that the same appliance highly likely had been compromised by two other threat actors prior to the ransomware incident. The China-based threat actor Red Kelpie had deployed a custom proprietary backdoor identified as SPECULOOS. The command-and-control portion of this implant abused functionality in the TLS 1.0 Client Hello handshake packet, making it appear to be requesting a legitimate Microsoft service in the Server Name Indication (SNI) field, while in reality reaching out to a non-associated IP address. At the time, the technique was novel, and suggests that the threat actor made significant efforts to make the handshake look innocuous. Prior to this intrusion, the Iran-based threat actor Yellow Dev 15 deployed a webshell framework on the same appliance. Yellow Dev 15 is reportedly known to sell access post-compromise to cyber criminals, after its own actions and objectives are achieved, which often align with Iran’s strategic objectives. However, the FBI assesses the threat actor has both capability and intent to deploy ransomware. The intrusion remains an interesting example of how organisations developing dual-use technologies can find themselves in the crosshairs of multiple resourceful threat actors. Case study Multiple threat actors target a maritime technology company Remote working: victims and threat actors Virtual Private Network (VPN) software, enterprise remote access and virtualisation software have doubtlessly been fundamental in the shift to flexible or fully-remote work following the COVID-19 outbreak. While they have long been a key target for threat actors determined to gain access to victim networks, VPNs and remote access products have really come in the crosshairs of attackers in 2020, being exploited both in espionage motivated and financially motivated intrusions. This is also partly due to several critical vulnerabilities being uncovered in enterprise software in 2020212,213,214,215 and several critical ones from both 2019 and 2018 remaining unpatched.216,217,218,219 Actual vulnerabilities in software have combined with ever-continuing phishing activity, and with the human factor – more relevant than ever in 2020, with often more isolated and fatigued personnel – into a highly exposed attack surface, especially when it comes to remote authentication and access. 212 ‘CVE-2020-5902’, PwC Threat Intelligence, CTO-QRT-20200706-01A 213 �‘2020-10 Security Bulletin: Junos OS: Buffer overflow vulnerability in device control daemon (CVE-2020-1664)’, Juniper, https://kb.juniper.net/InfoCenter/ index?page=content&id=JSA11061&actp=METADATA (29th October 2020) 214 �‘SonicWall VPN Portal Critical Flaw (CVE-2020-5135)’, TripWire, https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw- cve-2020-5135/ (14th October 2020) 215 �‘Alert: Multiple actors are attempting to exploit MobileIron vulnerability CVE 2020-15505’, UK NCSC, https://www.ncsc.gov.uk/news/alert-multiple-actors- attempt-exploit-mobileiron-vulnerability (23rd October 2020) 216 �‘CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance’, Citrix, https://support.citrix. com/article/CTX267027 (23rd October 2020) 217 �‘SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure/Pulse Policy Secure 9.0RX’, Pulse Secure, https:// kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 218 �‘Alert (AA20-258A) Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity’, US CISA, https://us-cert.cisa.gov/ncas/alerts/aa20-258a (24th October 2020) 219 �‘Alert (AA20-283A) APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations’, US CISA, https://us-cert.cisa.gov/ ncas/alerts/aa20-283a (24th October 2020) Cyber Threats 2020: A Year in Retrospect | 49 Threat actors will inevitably capitalise on the situation to conduct their attacks. In some cases, we have seen multiple threat actors exploiting the same known vulnerability to gain access to an organisation’s estate. Multiple threat actors, such as Red Kelpie, have continued to exploit existing vulnerabilities in VPNs as well as other remote access and enterprise software,220 such as PulseSecure and Citrix, while also working to include newly disclosed ones, for example CVE-2020-10189 (a Remote Code Execution vulnerability in ManageEngine Desktop Central).221,222 US CERT also reported that in some cases, Red Kelpie deployed the legitimate VPN software SoftEther to facilitate follow-on access to victim networks. Multiple other China-based threat actors have also been targeting VPN vulnerabilities, as detailed in a US National Security Agency (NSA) advisory released in October 2020.223 PwC also analysed some of Yellow Nix’s attack sequences, noting the threat actor’s agility in rapidly moving to exploit newly-released vulnerabilities.224 About one week after a public proof of concept exploit for the vulnerability was released, for example, Microsoft Security Intelligence reported that Yellow Nix had started exploiting Zerologon (CVE-2020- 1472).225 In some cases, Yellow Nix also exploited CVE-2020-0688, a remote code execution vulnerability affecting Microsoft Exchange mail server software, as well as known Outlook Web Access (OWA) vulnerabilities.226 US CERT also issued an alert, in September 2020, about the ongoing exploitation of VPN vulnerabilities by the Iran-based threat actor Yellow Dev 15.227 We have investigated several incidents involving this dual motivated threat actor, whose exploitation of network appliances is a technique which distinguishes it from other Iran- based sets. Finally, an NCSC advisory detailed Blue Kitsune’s exploitation of Sangfor VPN software.228 After compromising Sangfor VPN servers, Blue Kitsune was able to deliver the SOREFANG229 victim profiler and downloader to victims in place of the legitimate Sangfor update, abusing the fact that the VPN clients did not verify the integrity of the updates. In late October 2020, US CISA also reported that another Russia-based threat actor, that PwC tracks as Blue Kraken (a.k.a. Dragonfly, Havex), was also abusing Cisco AnyConnect SSL VPN connections for remote logins on victim networks along with other mailing software vulnerabilities such as in Microsoft Exchange Server (CVE-2020-0688).230 However, it is important to note that financially- motivated cyber criminal threat actors, too, have been targeting enterprises via VPN software and remote connections, in addition to the spam operations we detailed earlier in this report. While unsecured RDP has consistently been an initial access vector in intrusions, including ones ultimately deploying ransomware, ransomware affiliates have also been targeting VPN software as an entry point into networks. Public reports have indicated that a vulnerability in the Citrix Application Delivery Controller (CVE-2019-19781) was the entry point in intrusions leading to ransomware infections with Sodinokibi, DoppelPaymer, CL0P or Nefilim, while Sodinokibi and Ryuk also used a vulnerability in Pulse Connect Secure (CVE-2019-11510). VPN software is implemented by enterprises in order to guarantee secure remote access, but it can turn into a direct entry point into victim networks if valid VPN credentials are compromised or if the software is not adequately patched. This is the case both for recently disclosed, as well as previously known vulnerabilities, as public bodies, as well as private security companies, have pointed out in multiple advisories in the past year. Ultimately, this kind of exploitation is highly likely to persist – and to lead to both espionage- motivated as well as financially-motivated compromise – so long as systems remain unpatched. 220 �‘This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits’, FireEye: Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller, https:// www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html, (25th March 2020) 221 ‘AC-000133-TT – Indictment of China-based Cyber Actors Associated with APT 41 for Intrusion Activities’, FBI, 16th September 2020 222 ‘A counterstrike on the money’, PwC Threat Intelligence, CTO-SIB-20200930-01A 223 �‘Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities’, US National Security Agency, https://media.defense.gov/2020/Oct/20/2002519884/- 1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF (20th October 2020) 224 �‘Seedworm sees a CVE’, PwC Threat Intelligence, CTO-TIB-20201020-01A 225 �@MsftSecIntel, Twitter, https://twitter.com/MsftSecIntel/status/1313246337153077250 (5th October 2020) 226 ‘Operation Quicksand’ , ClearSky, October 2020, https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf 227 �‘Alert (AA20-259A) – Iran-Based Threat Actor Exploits VPN Vulnerabilities’, US CISA, https://us-cert.cisa.gov/ncas/alerts/aa20-259a (15th September 2020) 228 �‘Advisory: APT29 targets COVID-19 vaccine development’, UK National Cyber Security Centre, https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID- 19-vaccine-development.pdf (16th July 2020) 229 ‘MAR-10296782-1.v1 – SOREFANG’, US CISA, https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a (16th July 2020) 230 �‘Alert (AA20-296A) – Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets’, US CISA, https://us-cert.cisa.gov/ ncas/alerts/aa20-296a (22nd October 2020) https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using Cyber Threats 2020: A Year in Retrospect | 50 In September 2020, PwC’s Incident Response team responded to an incident affecting an organisation in the transport sector. The client had been notified by local law enforcement that its external facing Citrix NetScaler devices may have been compromised by an Iran-based threat actor. Following our investigation, it was found that an unpatched vulnerability in Citrix NetScaler systems (CVE-2019-19781) was likely exploited multiple times by unrelated threat actors between January and September 2020. This is the same vulnerability that was exploited in the compromise of the maritime technology company discussed in an earlier case study. Although an entirely separate incident, there were overlaps in the threat actors exploiting the vulnerability and the techniques they were observed to use. The first known exploitation occurred in January 2020, where an unknown threat actor gained access to an internet facing NetScaler device in activity consistent with the general scanning and exploitation of the Citrix vulnerability. There was no evidence of any further malicious activity from this threat actor. Case study Multiple threat actors target an organisation in the transport sector In February 2020, following a successful exploitation of the vulnerability, a custom backdoor known as SPECULOOS was placed on a second NetScaler device, likely allowing for remote access to the system. Later that same month, a different version of the same backdoor was placed on the first NetScaler device. Based on the timing of the activity and known TTPs, this activity was likely related to Red Kelpie, which has been previously seen to target this vulnerability across multiple sectors. Threat actor activity attributed to Yellow Dev 15 was observed between July and September 2020. In July 2020, it placed a web-based backdoor (webshell) on both NetScaler devices following successful exploitation of the Citrix vulnerability, allowing it to remotely execute commands. The threat actor was able to exploit an unsecure LDAP connection to harvest credentials, gaining access to Domain Administrator level privileges. It was able to move laterally and performed internal reconnaissance leveraging native Windows tools including PsExec and the Director Service Internals suite, which it installed using PowerShell and used to extract credentials from the Active Directory. Social engineering Social engineering involves either the convincing or coercing of targets to gain their trust and ultimately carry out a specific action. More often than not, this technique is essential to the effective execution of the threat actor’s attack process. Whilst social engineering is by no means a new technique, 2020 saw threat actors perfecting their techniques and becoming more bold in engaging with their targets. Social media platforms are now not only used for reconnaissance but also increasingly leveraged to interact with targets across multiple services, a move which reflects the changing methods by which people interact today. As part of its ShowState campaign, Black Artemis used LinkedIn to perform both reconnaissance and create fake profiles to masquerade as a HR recruiter, building trust with the victim, sometimes over weeks or months of interaction. Once this had been established, the communication reportedly transferred alternate means of contact including WhatsApp, email, and even phone calls, before delivering malware. Yellow Garuda has utilised social engineering techniques to great effect over a number of years. In a campaign uncovered in August 2020,231 the threat actor used a fake journalist persona to converse with targets over multiple mediums including email, WhatsApp and LinkedIn. It even reportedly used WhatsApp to initiate voice calls with its targets, a technique we have not seen the threat actor use before. 231 �‘The Kittens Are Back in Town 3: Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp’, ClearSky, https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf (August 2020) Cyber Threats 2020: A Year in Retrospect | 51 Tactic Technique Initial Access T1566 – Phishing Phishing, whether through an attachment, link or via a service, remains one of the most common initial attack vectors utilised by threat actors. Timely lures concerning real-world events are often effective in piquing the interest of the target. In 2020, the onset of COVID-19 allowed many threat actors to readily take advantage of the uncertainty surrounding the pandemic, and PwC saw multiple threat actors utilising it as a theme. T1133 – External Remote Services Threat actors have continued to be adept at making use of disclosed vulnerabilities and incorporating new techniques into their arsenal. The compromise of remote services has come under greater focus in 2020 due to the increased reliance many organisations now have on them. Red Kelpie, for example, has utilised the vulnerabilities within these External Remote Services as a means to both gain and maintain initial access to its target’s networks, as well as deliver its final payloads to victim machines.233 T1195 – Supply Chain Compromise The targeting of entities within the supply chain has become a way for threat actors to gain access to one or many targets exploiting a trusted relationship. 2020 saw a global supply chain compromise which exploited a vulnerability in the SolarWinds Orion business software to deliver a previously undocumented backdoor known as SUNBURST. 234 Execution T1204 – User Execution User execution is a technique utilised in almost every campaign, with threat actors coercing the victim in one way or another to play a part in the attack process. Most commonly, in activating malware by getting the user to execute a malicious file or enable macros on their system. For example, Yellow Nix often uses a macro delivery system with a generic lure asking the user to enable macros to view the file contents. This action however, enables malicious code to run in the background.235, 236 T1059 – Command and Scripting Interpreter The use of common interfaces and scripting languages provides threat actors with a means of ensuring their malware executes successfully on different environments. On Windows operating systems, the use of PowerShell commands is particularly popular. For example, Blue Python has used PowerShell in a number of campaigns, both as a method of compiling and injecting its later stage payloads onto disk; such as ComRAT,237 as well as being used for executing commands on the victim’s system.238 232 MITRE ATT&CK, ‘Enterprise Matrix’, https://attack.mitre.org/matrices/enterprise/ 233 �‘This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits’, FireEye, https://www.fireeye.com/blog/threat-research/2020/03/apt41- initiates-global-intrusion-campaign-using-multiple-exploits.html (25th March 2020) 234 ‘White Dev 61 SUNBURST’, PwC Threat Intelligence, CTO-TIB-20201217-01A 235 ‘More Tricks from Yellow Nix’, PwC Threat Intelligence, CTO-TIB-20200113-01A 236 ‘Interstellar operational security’, PwC Threat Intelligence, CTO-TIB-20200206-01A 237 ‘Blue Pythons PowerShell Swarm Part 1’, PwC Threat Intelligence, CTO-TIB-20200928-01A 238 ‘Blue Pythons PowerShell Swarm Part 2’, PwC Threat Intelligence, CTO-TIB-20201023-02A MITRE ATT&CK techniques The MITRE ATT&CK matrices232 provide a model to describe a threat actor’s tactics and techniques across different environments. The following table highlights the most common techniques we saw being used in 2020. Cyber Threats 2020: A Year in Retrospect | 52 Tactic Technique Persistence T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder There are a number of techniques threat actors can use to maintain persistence, but the most common we see are the use of run registry keys or other startup mechanisms that mean the malicious payload will survive a system reboot. Such examples include variants of Red Phoenix’s HyperBro backdoor, which not only has the option to append the malware to the Run registry key if certain conditions are met, but has multiple other means to achieve the end goal of persistence.239 Privilege Escalation T1068 – Exploitation for Privilege Escalation One means of privilege escalation is through the exploitation of either a known or unknown (zero day) software vulnerability. Yellow Nix exploited CVE-2020-1472 – known as Zerologon – which concerns the Netlogon Remote Protocol (MS-NRPC). Using this exploit, Yellow Nix was able to escalate its privileges to that of a domain administrator.240 Defence Evasion T1027 – Obfuscated Files or Information Many threat actors will attempt to disguise their malware or communication through obfuscation, making it more difficult to identify and potentially analyse. This technique is used by most threat actors, although 2020 has seen some novel uses of it, such as Blue Python’s updated .NET obfuscator for their Kazuar malware. This used a large switch statement within the binary in order to make particular character substitutions.241 T1140 – Deobfuscate/Decode Files or Information Complementary to T1027, obfuscated data will often need to be deobfuscated or decoded prior to use. One example of this is in the use of the 8.t framework, which several China-based threat actors continue to use. This is an RTF weaponiser technique that uses OLE objects and a number of equation editor vulnerabilities in order to decode and execute shellcode into a final malicious payload.242, 243, 244 T1036 – Masquerading Masquerading is a common technique used by many threat actors as a means of blending into a victim’s environment. In many cases, relatively simple techniques are being used to effect. For example, we have seen Black Artemis mimicking antivirus vendors in its filenames to disguise its BEEFEATER malware.245 Similarly, the use of icons from legitimate applications is another common way of tricking victims into believing they are opening a legitimate application. As part of an extensive campaign targeting users in China, Orange Athos disguised malicious binaries using Microsoft Word, and icons mimicking Tencent Cloud services and the Qihoo360 company logo.246 239 ‘A history of HyperBro’, PwC Threat Intelligence, CTO-TIB-20200324-01A 240 ‘Seedworm sees a CVE’, PwC Threat Intelligence, CTO-TIB-20201020-01A 241 ‘Kazuars cryptic strings’, PwC Threat Intelligence, CTO-TIB-20200504-01A 242 ‘Exploited to a 8T’, PwC Threat Intelligence, CTO-TIB-20200122-01A 243 ‘From Moscow to Mongolia with Bisonal and 8.t’, PwC Threat Intelligence, CTO-TIB-20200327-01A 244 ‘wll wll wll look what we have here’, PwC Threat Intelligence, CTO-TIB-20200529-01A 245 �‘Artemis, Banshee and Shoggoth walk into a bar:North Korea-based threat actors activity report’, PwC Threat Intelligence, CTO-TIB-20200630-02A 246 ‘A Patchwork of Campaigns’, PwC Threat Intelligence, CTO-TIB-20200313-01A Cyber Threats 2020: A Year in Retrospect | 53 Tactic Technique Defence Evasion T1070.004 – Indicator Removal on Host: File Deletion The deletion of files on the victim’s system, whilst noisy, can prevent the victim from being able to see the full chain of execution and removes indicators of compromise from the victim’s machine. As such, it is a common technique used by multiple threat actors. For example, we have seen several Poison Ivy campaigns that use specific ‘Loader’ executables that initially load the Poison Ivy payload, and then subsequently delete itself and all trace of any initialisation.247 T1221 – Template Injection Template injection is a way for threat actors to conceal their malicious code within Office templates, usually through Office Open XML (OOXML) specifications. The malicious code can subsequently be used to fetch and execute remote document templates. One of the key exploiters of this technique in 2020 has been Blue Otso (a.k.a. Gamaredon Group), which has conducted multiple campaigns using DOCX files that use Office vulnerabilities in order to download and open a malicious template document that contains malicious embedded macros.248 Credential Access T1056.001 – Keylogging Keylogging is a technique that allows the threat actor to record the keystrokes of the victim as they interact with their keyboard. For example, North Korea-based threat actor Black Artemis (a.k.a. Lazarus Group) added an additional module to its already established Dtrack malware to give it keylogging functionality.249 T1187 – Forced Authentication This technique exploits baked-in protocols in Windows architecture. The threat actor will usually take advantage of several authentication protocols in Windows networks such as Server Message Block (SMB) and Web Distributed Authoring and Versioning (WebDAV), forcing the victim to provide authentication information which the threat actor can intercept. We have observed this behaviour in 2020 being used by Blue Kraken to exploit the SMB protocol, and inject code to grab the NTLM hashes of victims across multiple sectors, but mainly focusing on the aviation sector in the United States.250 Discovery T1083 – File and Directory Discovery In 2020, this technique has been consistently used by cyber crime groups, such as White Mjolnir (a.k.a. Ragnar Locker)251 and Blue Lelantos (a.k.a. Dridex),252 to enumerate and map their victim’s drives before extracting sensitive information. The information collected is used to coerce the target into paying the ransomware that is subsequently detonated on the target’s system, or it is sold on leak sites – a new, insidious theme across cyber crime in 2020. T1082 – System Information Discovery Threat actors often seek detailed information about the victim’s operating system and hardware such as system architecture, domain information and user data which the threat actor can potentially later exploit. This technique has been used by multiple threat actors, including Iran-based threat actor Yellow Liderc (a.k.a Tortoiseshell), which was observed in 2020 utilising scripts to enumerate system information and send it back to the threat actor. 247 ‘You just got LBTServed’, PwC Threat Intelligence, CTO-TIB-20201209-01A 248 ‘Blue Otso super spreader’, PwC Threat Intelligence, CTO-TIB-20200406-01A 249 ‘Dtrack Side B’, PwC Threat Intelligence, CTO-TIB-20200130-01A 250 ‘Dissecting Blue Krakens Visits’, PwC Threat Intelligence, CTO-TIB-20201106-03A 251 ‘Ragnar Locker Ransomware’, PwC Threat Intelligence, CTO-TIB-20201207-01A 252 ‘WastedLocker – EvilCorp’s new smoking gun’, PwC Threat Intelligence, CTO-TIB-20201207-01A Cyber Threats 2020: A Year in Retrospect | 54 Tactic Technique Discovery T1057 – Process Discovery Understanding which processes are running on the target’s machine can be used to determine a malware’s next steps, such as terminating specific processes that are detrimental to its functionality, or terminating itself from the victim’s system. For example, White Mjolnir’s strain of ransomware (a.k.a. Ragnar Locker) that will search for and terminate specific processes running on the victim’s machine that it deems crucial to its operation.253 Collection T1005 – Data from Local System The local system of a victim’s machine provides large amounts of information that is useful to threat actors, such as file systems and local databases. We have observed Grey Karkadann (a.k.a. APT-C-23, Desert Falcons) incorporating a number of functions into its Pierogi malware which allow it to access data from the local system. For example, creating file listings of the user directory, finding and exfiltrating files of a specified file type and last modified date, and obtaining login data from specific browsers.254 Command and Control T1071 – Application Layer Protocol One of the most popular ways of blending in with legitimate network traffic is to communicate to the command and control (C2) server using application layer protocols. There are multiple examples of this technique being used by threat actors, such as the OceanMap256 and OceanDrive257 malware families that utilise either IMAP or Google Drive storage for C2 communications, or Red Keres (a.k.a. APT31) utilising Dropbox for its malware’s C2.258 Exfiltration T1041 – Exfiltration Over C2 Channel The exfiltration of sensitive data is often the end goal of intelligence gathering activities and using the existing C2 channel is a common means of doing so. 2020 has notably seen this technique being adopted by the operators behind ransomware as they increasingly look to incorporate data exfiltration as part of their attack process. Whilst the encryption of data is still a key component of their operations, the widespread use of leak sites has seen groups such as White Ursia (a.k.a. Sodinokibi), White Mjolnir (a.k.a. Ragnar Locker), and White Onibi (a.k.a. Ryuk) all adopt the model of exfiltrating data over a C2, whilst also detonating their ransomware on their way out. 259,260,261 253 ‘RagnarLocker Ransomware’, PwC Threat Intelligence, CTO-TIB-20201207-01A 254 ‘A new and improved recipe for Pierogi’, PwC Threat Intelligence, CTO-TIB-20201106-02A 255 �Microsoft, ‘Trojan:MSIL/OceanMap.A!dha’, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/ OceanMap.A!dha&ThreatID=2147767197 256 �Microsoft, ‘Trojan:MSIL/OceanDrive.A!dha’, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/ OceanDrive.A!dha&ThreatID=2147767195 257 ‘Oceans 58’, PwC Threat Intelligence, CTO-TIB-20201118-03A 258 ‘Red Keres’, PwC Threat Intelligence, CTO-SIB-20200702-01A 259 ‘Sodinokibi – The Beast Grows’, PwC Threat Intelligence, CTO-TIB-20201008-01A 260 ‘RagnarLocker Ransomware’, PwC Threat Intelligence, CTO-TIB-20201207-01A 261 ‘Conti – the child of Ryuk’, PwC Threat Intelligence, CTO-TIB-20200828-01A Cyber Threats 2020: A Year in Retrospect | 55 262 ‘Here comes the SunCrypt’, PwC Threat Intelligence, CTO-TIB-20201029-01A 263 ‘KONNI’s KONsistency’, PwC Threat Intelligence, CTO-QRT-20200117-01A 264 ‘Slithering into plain sight: Ekans’, PwC Threat Intelligence, CTO-TIB-20200723-02A Tactic Technique Impact T1486 – Data Encrypted for Impact The encryption of data is a technique notorious to cyber criminal groups, which have become increasingly more active and brazen in their targeting. Ransomware is used to encrypt a victim’s system, often only after extracting sensitive information from those directories. These sorts of attacks are more common than they have ever been, with 2020 seeing groups such as White Onibi (a.k.a. Ryuk), White Magician (a.k.a. TrickBot), and White Horoja (a.k.a. Qakbot) having an extremely active year. T1490 – Inhibit System Recovery Preventing a victim from recovering their system is a common technique used by cyber criminal groups, as a means of making sure the victim’s system remains permanently damaged should they not meet the demands of the attacker. This technique is found in a variety of ransomware families such as White Helios’ ransomware (a.k.a. Suncrypt) that will delete the victim’s shadow volume copy.262 T1489 – Service Stop Threat actors often attempt to disable services on a victim’s system to either cause further damage to an environment, or prevent the victim being alerted to malicious activity. For example, Black Shoggoth (a.k.a. Reaper) reconfigured a new ComSysApp service for its own malicious purposes by first deleting the legitimate one.263 Virtually all ransomware variants kill active processes that prevent them from accessing files targeted for encryption. EKANS (a.k.a White Morok) ransomware takes this one step further by closing OT processes for a range of ICS services.264 Cyber Threats 2020: A Year in Retrospect | 56 Sectors In this section, we highlight key cyber threats across different sectors, observed in 2020. Cyber Threats 2020: A Year in Retrospect | 57 The PwC Threat Intelligence team issued 342 intelligence reports in 2020 covering a range of sectors and threat actor locations, as seen below. Figure 14 – Report sector Figure 13 – Location of threat actor C hi na Ira n R us si a U nk no w n/ aw ai tin g cl as si fic at io n N or th K or ea In di a P ak is ta n C ro ss b oa rd er /m ul tip le r eg io ns V ie tn am Tu rk ey N ig er ia S yr ia S ou th K or ea 93 86 63 44 42 14 8 8 5 4 2 2 1 Count Charity/non-governmental organisation 23 Consumer markets 7 Education 41 Entertainment & media 17 Financial services 47 Aerospace & defence 63 Government 144 Healthcare & pharma 45 Hospitality & leisure 10 Insurance 4 Manufacturing 27 Oil & gas 18 Power & utilities 27 Professional services 19 Retail 16 Technology & telecommunications 70 Transport & logistics 47 Legal 5 Construction 11 Count Cyber Threats 2020: A Year in Retrospect | 58 265 ‘Uni is back in Session with Yellow Nabu, PwC Threat Intelligence, CTO-TIB-20200915-01A 266 ‘Blue Callisto targets UK Government and Universities’, PwC Threat Intelligence, CTO-TIB-20200820-01A 267 ‘The rise of NetWalker’, PwC Threat Intelligence, CTO-TIB-20200612-02A 268 This is discussed further in the section, ‘An endless supply… of supply chain compromise’ 269 ‘Supercomputers and TSCookies’, PwC Threat Intelligence, CTO-TIB-20200506-01A In 2020, we saw a great deal of activity targeting the education sector, particularly towards higher education institutions. Espionage activity has likely reflected long term strategic priorities such as the collection of research and data related to research of economic, military or geopolitical interest, or the monitoring overseas student communities for dissident activity. This has included an ongoing focus by threat actors such as Yellow Nabu (a.k.a. Silent Librarian), an Iran-based threat actor which has continued to conduct credential phishing campaigns targeting universities across the world, and operate sites for the sale and distribution of documents stolen in its intrusions.265 We also observed threat actors targeting the sector for the first time in activity likely reflecting wider strategic objectives. This included Russia-based threat actor Blue Callisto which targeted at least two UK universities, as well as UK government organisations. The threat actor used phishing Organisations in the technology and telecommunications sector are high value targets, not only for their intellectual property, but also as part of supply chain attacks. This has come into sharp focus yet again in late 2020 following the SolarWinds compromise, which in turn led to the potential compromise of many of its customers.268 We also observed TSCookie backdoor samples, uniquely associated with Red Djinn (a.k.a. BlackTech), signed with a value digital certificate belonging to a Chinese high-tech and supercomputers manufacturer. There is a realistic probability these were stolen from the manufacturer in an attempt to bypass application blocking.269 In the telecommunications sector, we observed an espionage campaign targeting several organisations across Vietnam, China and India which we attribute to Scarlet Ioke.270 The threat pages based on cloned Microsoft Office365 login pages in order to obtain credentials, which we assessed were likely later used to compromise the targeted organisations.266 As discussed in the Crime section, ransomware continued to be a major threat to all sectors. Educational institutions remain a popular target as they offer an essential service, making the potential economic payoff for ransomware actors substantial. For example, in June 2020, the University of California, San Francisco (UCSF) fell victim to ransomware that encrypted a limited number of servers within the university’s School of Medicine, making them temporarily inaccessible. It is likely that NetWalker ransomware267 was used in this incident, which resulted in a payment of over USD 1 million. Other cyber crime threats such as distributed denial-of-service (DDoS) extortion attacks have remained a threat, particularly given the greater reliance on remote teaching. actor sideloaded a malicious DLL into memory using a legitimate version of WinWord and ultimately deployed Cobalt Strike payloads. Throughout 2020, we observed Red Phoenix (a.k.a APT27, Emissary Panda), target and compromise several technology companies in several countries. These included manufacturers of network devices, and security software. Red Charon (a.k.a. Chimera), a threat actor PwC evicted from several semiconductor and advanced materials organisations from 2014-2016, before an apparent period of inactivity, resumed operations aggressively in 2020. The threat actor continued to demonstrate an interest in the high tech industry, but also a specific focus on low cost airlines in Europe, using several bespoke malware families, and abusing a variety of cloud services for command and control and data exfiltration. Education Technology & telecommunications Cyber Threats 2020: A Year in Retrospect | 59 PwC’s Incident Response team assisted a Hong Kong-headquartered telecommunications company which constantly suffered attacks from a business partner network. The organisation discovered that a threat actor gained access to a server inside a data centre which serves a team of call centre agents for the client. The data centre had operator workstations and servers with direct connectivity with the client’s server farm. The threat actor leveraged the hacked server as a pivot point to infiltrate into the client’s internal network through legacy system vulnerabilities and credential brute-forcing. After gaining initial access, the threat actor brought in common tools for enumeration (e.g. nbtscan), lateral movement, (e.g. PsExec) and credentials dumping (e.g. Mimikatz and secretsdump). After obtaining domain administrative privileges, the attacker continued to move laterally around the network before it was detected and its access was removed. While our client identified and restricted access from the server that initiated the attack, the threat actor continued to find ways back into the network. It started to compromise other endpoints within the data centre and used these as pivots to conduct other forms of attack against the client, leveraging the trusted relationship of the business partnership to connect back to the network. For network pivoting, the attacker used the Windows built-in command line utility netsh to create a port-proxy on the operator endpoints in the data centre, which are trusted with direct connectivity to the client network. Other than credentials reuse, lateral movement and theft of new credentials, the threat actor also utilised an exploit of the Zerologon vulnerability (CVE-2020- 1472) to achieve domain compromise. The threat actor was once again removed from the network upon the detection of its activities, due to the service outage brought by the side effect of the exploit. The client subsequently performed a complete review of the network connectivity between the business partners as well as other network demarcation points, and further segmented the server network to isolate the legacy zones and business partner network zone. Case study Telecommunications company attacked through trusted relationship The aerospace and defence sector has long been a target for espionage given the sensitivity of the information it holds, where links to military applications will make many organisations in the sector a valuable strategic target. • We observed North Korea-based threat actors continuing to target the sector throughout 2020, with Black Banshee targeting defence companies in South Korea and Europe, and Black Artemis as part of its ShowState campaign.271 • We observed a Russian-language lure document containing information concerning the 2020 Seattle Aerospace and Defence Supplier Summit conference, which exploited the Equation Editor vulnerability (CVE-2018- 0798) to deliver a Bisonal backdoor payload. We attributed this activity to Red Beifang.272 • Yellow Garuda was observed spoofing the domains of two satellite imagery and analytics companies based in the US and France between September and October 2020. We assess this activity was likely intended to phish credentials and access mailboxes related to the companies or their clients.273 • In 2020, Yellow Liderc targeted large aerospace and defence manufacturers as well as engine manufacturers and airlines.274 Aerospace and defence Cyber Threats 2020: A Year in Retrospect | 60 270 ‘Scarlet Ioke – June-July 2020 update’, PwC Threat Intelligence, CTO-TIB-20200806-01A 271 This is discussed further in the section, ‘The view from Pyongyang’ 272 ‘Moscow to Mongolia with Bisonal and 8.t’, PwC Threat Intelligence, CTO-TIB-20200327-01A 273 ‘A busy two months for Yellow Garuda’, PwC Threat Intelligence, CTO-TIB-20201109-01A 274 This is discussed further in the section, ‘Yellow Liderc’ 275 This is discussed further in the section, ‘The view from Pyongyang’ 276 This is detailed in a case study in the section, ‘Business Email Compromise: continued persistence and increasing sophistication’ 277 ‘Red Djinn PLEADing assets’, PwC Threat Intelligence, CTO-QRT-20200528-01A 278 ‘xStart when you’re ready’, PwC Threat Intelligence, CTO-TIB-20200929-02A 279 ‘Sign here to xStart’, PwC Threat Intelligence, CTO-TIB-20201229-01A 280 ‘Be right BEC, checking the invoice’, PwC Threat Intelligence, CTO-TIB-20201012-01A Financially motivated cyber crime remains the largest threat to the sector due to the volume of monetary transactions that take place. As seen in the Cyber crime section, ransomware attacks have affected organisations in the retail and consumer sector above all others, and with the advent of leak sites, this has posed new risks particularly pertaining to customer data. The compromise of ecommerce platforms through JavaScript-based malware – more commonly known as Magecart – continued throughout 2020, although this activity has been largely overshadowed by higher profile ransomware incidents. With a growing emphasis on online retail, in part propelled by national lockdowns, this activity is likely to continue as more organisations look to rapidly increase their online presence. BEC attacks also remained a significant threat. We observed an extensive phishing campaign beginning in June 2020 targeting a range of sectors and geographies with financial themed lures. Although the activity was likely opportunistic in nature our analysis found the most targeted sectors to be consumer markets and manufacturing.280 Retail & consumer markets The financial services sector is a prime target for financially motivated cyber crime given the significant capital it holds. Cryptocurrency exchanges continued to be a popular target given the relative ease at which threat actors can transfer and obscure their stolen currency. North Korea- based threat actors have conducted operations in this space including the targeting of entities involved in blockchain products and research in 2020.275 More general cyber crime activity such as BEC remains a threat to organisations in the sector, as highlighted by the 2020 Norfund fraud incident.276 We also observed Red Djinn spoofing the domain of a Taiwanese financial services company in a likely attempt to target the sector for espionage purposes. This activity was related to a sample of the Bluether variant of the PLEAD malware family.277 In September 2020, we uncovered a series of campaigns which delivered Cobalt Strike using a unique dropper we call xStart. We assess this was used to target organisations in China across a number of sectors, including financial services, for espionage-motivated activity. We currently track this activity as White Dev 50.278, 279 Financial services Cyber Threats 2020: A Year in Retrospect | 61 281 ‘Slithering into plain sight: Ekans’, PwC Threat Intelligence, CTO-TIB-20200723-02A 282 �‘Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research’, the US Department of Justice, https://www.justice.gov/opa/pr/two-chinese-hackers-working- ministry-state-security-charged-global-computer-intrusion (21st July 2020) 283 ‘You fool, ufo0lxy’, PwC Threat Intelligence, CTO-SIB-20200811-01A 284 �‘Ragnar Locker ransomware hits EDP energy giant, asks for €10M’, Bleeping Computer, https://www.bleepingcomputer.com/news/security/ragnarlocker- ransomware-hits-edp-energy-giant-asks-for-10m/ (14th April 2020)’ 285 �‘Internal Data Stolen, Leaked, in REvil Attack on Electricity Market’s Elexon’, CBR, https://www.cbronline.com/news/elexon-hack-ransomware-revil (1st June 2020) 286 �‘Algerian petroleum JV hit by Maze ransomware, data posted online’, IT Wire, https://www.itwire.com/security/algerian-petroleum-jv-hit-by-maze-ransomware,- data-posted-online.html (6th April 2020) 287 This is discussed further in the section, ‘Technology and telecommunications’ 288 This is discussed further in the section, ‘Yellow Liderc’ 289 �Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets, CISA, https://us-cert.cisa.gov/ncas/alerts/aa20-296a (22nd October 2020) 290 ‘Dissecting Blue Kraken Visits’, PwC Threat Intelligence, CTO-TIB-20201106-03A 291 ‘You’ve got Mailto’, PwC Threat Intelligence, CTO-TIB-20200320-01A 292 �‘Ransomware attack hits TFI’s Canadian courier divisions’, Freight Waves, https://www.freightwaves.com/news/breaking-news-tfi-ransomware-attack-hits- canadian-courier-divisions (23rd August 2020) 293 �CMA CGM confirms ransomware attack’, Lloyd’s List, https://lloydslist.maritimeintelligence.informa.com/LL1134044/CMA-CGM-confirms-ransomware-attack (28th September 2020) The increasing convergence between operational technology (OT) and corporate IT environments continues to widen the potential attack surface to industrial environments and lower the barrier to entry for a wider range of threat actors. In 2020, EKANS ransomware was found to kill specific industrial control system (ICS) processes before activating its encryption routine.281 Intelligence gathering activity remains a threat, in part due to the increasing competition in the sector, where new technologies, particularly pertaining to green technologies are likely to be highly sought after. In July 2020, the United States Department of Justice (DOJ) unsealed an indictment against two Chinese nationals, accused of conducting intelligence gathering cyber attacks in alignment to state objectives, as well as financially motivated attacks for personal gain.282, 283 The activity included the compromise of the network of an Australian solar energy engineering firm and stealing information related to high-efficiency gas turbines from a mechanical engineering company. There have also been a number of high profile ransomware incidents affecting the sector in 2020, likely driven in part by the perceived wealth of organisations within the sector. Attacks involving Ragnar Locker,284 Sodinokibi285 and Maze286 ransomware families have all resulted in the theft and leak of data, a tactic that has become increasingly prominent in ransomware attacks in general. Energy Intelligence gathering activity has been at the forefront of targeting, particularly in aviation. During 2020, several low cost airlines in Europe were targeted by both Red Charon287 and Yellow Liderc.288 In October 2020, an attack on San Francisco International Airport was attributed to Russia- based threat actor Blue Kraken.289 Our analysis of IP addresses likely under the control of the threat actor indicated traffic associated with the wider aviation supply chain and related third parties in addition to airports and airlines. This included technology companies developing software for use in aviation and organisations involved in lobbying and developing industry data and insights.290 Although ransomware remains a threat to all organisations, 2020 saw several victims in the transport and logistics sectors.291 These organisations were likely targeted as the high business impact to their operations may make them more likely to meet ransom demands. In August 2020, international transport and logistics company TFI disclosed that four Canadian courier divisions were impacted by a ransomware outbreak.292 French container transportation and shipping company, CMA CGM was targeted by Ragnar Locker ransomware in September 2020. The company shut down its online services as part of its containment strategy.293 Transport Cyber Threats 2020: A Year in Retrospect | 62 Conclusion 2020 was an unpredictable year with the COVID-19 pandemic bringing an unprecedented change to the business world and, as a result, to the cyber threat landscape. The dependency on remote working infrastructure has brought existing threats into prominence, such as the exploitation of vulnerabilities in VPNs, enterprise remote access and virtualisation software. Threat actors have always made use of timely lures reflecting real-world events in their phishing campaigns, and the pandemic has been no exception, with a plethora of related themes used by cyber crime and espionage threat actors alike. However, the majority of this activity was focussed on business as usual operations. For espionage threat actors, we saw continued alignment to the strategic objectives of nation states with tit-for-tat activity reflecting wider shifts in the geopolitical landscape. The supply chain remained a prominent attack vector with several high profile compromises in 2020. In a continuation from 2019, there were several instances of espionage threat actors being linked to financially motivated activity. These dual motivations are likely due to activity being performed for personal gain as opposed to a wider shift in operational objectives. However the variation in activity, in terms of a deviation in expected targeting and tooling, provides extra challenges in both defence and attribution efforts. 2020 also saw a number of hacker-for-hire operations publicly exposed, changing our traditional understanding of espionage activity. The cyber crime scene has been dominated by ransomware and the advent of leak sites. Victims must now deal with the potential of sensitive data leaks and public exposure of the incidents, in addition to the business impact caused by the encryption. The success of these operations saw a surge in new players and existing cyber crime groups expanding into the field. This resulted in a definitive shift in the cyber threat landscape making ransomware operations a significant threat for organisations across all sectors and geographies, in a trend that is likely to continue throughout 2021. Cyber Threats 2020: A Year in Retrospect | 63 PwC Cyber Security If you would like more information on any of the threats discussed in this report please feel free to get in touch at threatintelligence@pwc.com. PwC is globally recognised by industry analysts as a leader in cyber security; as a firm with strong global delivery capabilities, and the ability to address the security and risk challenges our clients face. We underpin our board-level security strategy and advisory consulting services with expertise gleaned from the front lines of cyber defence across our niche technical expertise in services such as Managed Cyber Defence, red teaming, incident response and threat intelligence. We differentiate ourselves with our ability to combine strategic thinking, strong technical capabilities and complex engagement delivery with client service excellence. Our unique research and security intelligence, technical expertise, and understanding of cyber risk helps clients get the clarity they need to confidently adapt to new challenges and opportunities. We bring together a team of specialists with expertise in security management, threat detection and monitoring, threat intelligence, security architecture and consulting, behavioural change and regulatory and legal advice, to help our clients protect what matters most to them. We specialise in providing the services required to help clients resist, detect and respond to advanced cyber attacks. This includes crisis events such as data breaches, ransomware attacks, economic espionage and targeted intrusions, including those commonly referred to as APTs. Our threat intelligence research underpins all our security services, and is used by public and private sector organisations around the world to protect networks, provide situational awareness, and inform strategy. Cyber Threats 2020: A Year in Retrospect | 64 © 2021 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. 2021-02-03_RITM4586469 Introduction A cyber pandemic Intelligence gathering Asia Pacific Europe Middle East Information operations Blurring the lines Cyber crime Rise of the defenders Tools, Tactics and Procedures MITRE ATT&CK techniques