Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods

Uploaded on 2018-10-18 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

The trend underscores the need for organisations of all sizes to be prepared to detect and respond to threats faster, CrowdStrike says. 

Relatively unskilled, criminally motivated hackers are increasingly adopting the tactics, techniques and procedures (TTPs) typically used by more sophisticated nation-stated backed adversaries.

New analysis by security vendor CrowdStrike's Falcon OverWatch threat-hunting team of intrusion detection engagements at customer locations between January and June this year shows a continued blurring of lines between methods employed by criminals and known nation-state actors.

This trend spells trouble for enterprises because it means that no one is really safe from sophisticated attacks, says Jennifer Ayers, vice president of CrowdStrike's OverWatch and security response team. "Sophisticated techniques are becoming a little more commoditized," she says. "Anything goes. Anyone can be a target."

One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses. 

CrowdStrike first observed TeamViewer being used for malicious purposes back in 2013 by Team Bear, a Russian advanced persistent threat actor. Team Bear used malicious versions of TeamViewer to remain hidden and persistent on victim machines and to enable communications with command-and-control servers. Since then, numerous other adversaries have begun employing the same tactics, including criminally motivated actors.

In the first quarter of this year, threat actors leveraging TeamViewer targeted the hospitality sector in particular. According to CrowdStrike, at least four major hospitality organisations experienced TeamViewer-related intrusions during the quarter. In each case, the attackers spoofed the TeamViewer binaries to make them appear like expected file names. The command and control infrastructure used in all four attacks were similar, suggesting the same attack group was behind them.  

In a separate incident, an unknown attacker used valid credentials to log into TeamViewer remotely and install various malware tools on systems belonging to a major organization in the entertainment industry.

The use of TeamViewer to gain remote access to target systems is not the only technique that less sophisticated, criminally motivated threat actors have begun borrowing from state-sponsored groups. In April of this year, CrowdStrike observed a criminal actor using a Trojanized version of Arkadin's Vision Desktop App software to drop malware on a system, allowing additional second stage tools to be installed on the compromised host.
China Rising

Such intrusions show that criminal actors, like their more sophisticated state-sponsored counterparts, are increasingly employing hands-on-the-keyboard tactics to break into systems, conduct reconnaissance, steal credentials, and move laterally, Ayers says.

"You want to be able to detect a threat in as close to real-time as possible," she says. CrowdStrike OverWatch's data shows that adversaries on average take just one hour and 58 minutes to begin moving laterally in a compromised network after gaining initial access to it. The vendor recommends that organizations ideally be able to detect an intrusion in less than one minute, investigate it in less than 10 minutes, and mitigate the threat in under one hour.

CrowdStrike's review of threat hunting data from the first half of this year also revealed an uptick in targeted intrusion attempts by China-based threat actors against organizations in multiple industries including biotech, pharmaceutical, defense, mining and professional services.

Of the 70 or so intrusions that CrowdStrike OverWatch was able to attribute to a specific actor or region, China-based actors were likely behind 40 of them. It's hard to say what specifically might be driving the uptick, though there has been an overall increase in cyber espionage activities, Ayers notes.

Dark Reading

You Might Also Read:

Cyber Criminals Catch Up With Nation-States:
 

 

« Corporate Cybercrime - A Hacker’s Point Of View
Build A Young Cyber Security Team »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Lastline

Lastline

Lastline is the leader in advanced malware protection.

Covenco

Covenco

Covenco is a data management and IT infrastructure specialist. Working with customers to transform their IT environments, with data protection and security at the forefront of everything we do.

INCIBE-CERT

INCIBE-CERT

INCIBE-CERT is the reference security incident response center for citizens and private law entities in Spain

ERMProtect

ERMProtect

ERMProtect is a leading Information Security & Training Company that helps businesses improve their cybersecurity posture and comply with regulations.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

AFNOR Group

AFNOR Group

AFNOR Group designs and deploys solutions based on voluntary standards around the world and provides services including training, professional and technical information, assessment and certification.

IAR Systems

IAR Systems

IAR Systems are a frontrunner in a changing industry, and a future-proof software supplier enabling the IoT.

Eclypsium

Eclypsium

Eclypsium protects organizations from the foundation of their computing infrastructure upward, controlling the risk and stopping threats inside firmware of laptops, servers, and networks.

Tide Foundation

Tide Foundation

Tide's breakthrough multi-party-cryptography enables TRUE-zero-trust technology that unlocks cyber-herd immunity.

Digistor

Digistor

Digistor is a leading manufacturer of industrial-grade flash storage products, secure storage products, and Removable Secure Data Storage.

TechMD

TechMD

TechMD (formerly ICS) is an award-winning IT solutions firm that specializes in cloud solutions, managed cybersecurity services, strategic IT consulting, and managed IT services.

Globesecure Technologies

Globesecure Technologies

Globesecure Technologies is a networks and cyber security company. We are here to resolve business security challenges and secure the digital transformation journey of our clients.

Bastion Technologies

Bastion Technologies

All your cyber defense. One platform. Keep your business assets and employees safe under one roof. Manage your cyber defense quickly, easily & efficiently.

Daisy Corporate Services

Daisy Corporate Services

Daisy is one of the largest providers of communications and IT solutions across the UK, with a portfolio spanning unified communications, cloud, cyber security and resilience.

Applied Insight

Applied Insight

Applied Insight work closely with government agencies and industry to overcome technical and cultural hurdles to innovation, empowering them with the latest cloud, data and cyber capabilities.

NOYB

NOYB

NOYB is a non-profit organization aiming to close the gap between privacy laws and the reality of corporate practice.