Global cybercrime dominated by 50 core groups, CrowdStrike report finds

Cybercrime in 2013 was dominated by a core of around 50 active groups, including Russian and Chinese ‘threat actors’ whose activities are only now coming to light, a report from monitoring firm CrowdStrike has found. 

Using an approach that foregrounds the ‘threat actors’ above the malware itself, the firm divides groups according to whether they are deemed to be motivated primarily by national, political or purely commercial interests.

As CrowdStrike’s marketing motto puts it: “you don’t have a malware problem, you have an adversary problem.”

At first, the categorisation system looks more like a blizzard of inscrutable names, with major cyber-groups including ‘Numbered Panda’, ‘Magic Kitten’, ‘Energetic Bear’ and ‘Deadeye Jackal’.

But the underlying system – it calls this methodology the ‘cryptonym system’ – is much simpler. Nation-state groups from China are always ‘pandas’, groups tied to politics rather than nation are ‘jackals’ and professional cybercriminals are always ‘spiders’.

The most active groups included the Syrian Electronic Army (SEA) and a range of Chinese groups, but this much was already known. More interesting, CrowdStrike thinks it has discovered a few that are less well documented, including ‘Emissary Panda’ and ‘Energetic Bear’; as their codenames would suggest, the first is a Chinese group and the second Russian. Emissary Panda appears to be a recently formed group that goes after the high-tech sector, defence firms and embassies in a clutch of target countries, a complement to the many other Chinese groups doing the same thing.

More significant perhaps is Energetic Bear, which CrowdStrike believes has been going after energy-sector firms. Hitherto, Russia has been seen as the home of overwhelmingly commercial malware, indeed perhaps as the most active commercial cyber-criminal sector in the world bar none. Energetic Bear suggests that this could be changing as the Russian state takes a leaf out of its rivals’ book on state-backed cyberjacking activities.

Active since at least 2012 in 23 different countries, Energetic Bear looks significant enough to have created 25 versions of one of its preferred Remote Access Trojans (RATs), Havex. Beyond energy firms, targets have included European governments and defence sector firms, engineering firms, and European, US and Asian academics, CrowdStrike said.

The evidence for this group’s Russian provenance included malware build times that corresponded to working hours in the country. Whether this means that this group is operating on behalf of the country’s Government is impossible to say.
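The build-time analysis mentioned above is simple enough to reproduce for any sample set. The following Python script is an added example, not code from the article or from CrowdStrike: it takes a list of constructed compile timestamps (as an analyst would read them from the PE header’s TimeDateStamp field), shifts them through every whole-hour UTC offset, and scores each offset by how many builds land on weekdays inside an assumed 09:00–17:59 working day. The timestamps, the working-day window and the candidate offsets are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the CrowdStrike report): build timestamps
# in UTC, as they might be read from the PE header TimeDateStamp field of a
# malware family's samples. Chosen so that one offset fits cleanly.
SAMPLE_BUILD_TIMES_UTC = [
    "2013-03-04 05:30", "2013-03-05 06:12", "2013-03-06 07:45", "2013-03-07 08:20",
    "2013-03-08 09:05", "2013-03-11 10:40", "2013-03-12 11:15", "2013-03-13 12:50",
    "2013-03-14 13:10", "2013-03-15 06:55", "2013-03-18 09:33", "2013-03-19 11:48",
]

WORK_HOURS = range(9, 18)           # assumed local working day: 09:00-17:59
CANDIDATE_OFFSETS = range(-12, 15)  # whole-hour UTC offsets to test


def parse_utc(stamps):
    """Parse 'YYYY-MM-DD HH:MM' strings as timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
            for s in stamps]


def shift(times_utc, offset_hours):
    """Convert UTC datetimes to local time at the given whole-hour offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [t.astimezone(tz) for t in times_utc]


def working_hours_fraction(times_utc, offset_hours):
    """Share of builds whose local hour falls inside WORK_HOURS."""
    local = shift(times_utc, offset_hours)
    return sum(1 for t in local if t.hour in WORK_HOURS) / len(local)


def weekday_fraction(times_utc, offset_hours):
    """Share of builds whose local date is Monday to Friday."""
    local = shift(times_utc, offset_hours)
    return sum(1 for t in local if t.weekday() < 5) / len(local)


def rank_offsets(times_utc, offsets=CANDIDATE_OFFSETS):
    """Score every candidate offset; highest score first.

    The score is the product of the two fractions, so an offset must place
    builds both on weekdays and in office hours to rank well.
    """
    scored = []
    for off in offsets:
        score = working_hours_fraction(times_utc, off) * weekday_fraction(times_utc, off)
        scored.append((round(score, 4), off))
    return sorted(scored, reverse=True)


def best_offset(times_utc):
    """The UTC offset whose local working week best explains the build times."""
    return rank_offsets(times_utc)[0][1]


def hour_histogram(times_utc, offset_hours):
    """Count builds per local hour, for a quick visual sanity check."""
    return Counter(t.hour for t in shift(times_utc, offset_hours))


if __name__ == "__main__":
    times = parse_utc(SAMPLE_BUILD_TIMES_UTC)
    for score, off in rank_offsets(times)[:5]:
        print(f"UTC{off:+d}: score {score:.2f}")
    best = best_offset(times)
    print("best-fit offset:", f"UTC{best:+d}")
    hist = hour_histogram(times, best)
    for h in range(24):
        print(f"{h:02d}:00 {'#' * hist.get(h, 0)}")
```

With the constructed data the best fit is UTC+4, which was Moscow time throughout 2013. The check is only corroborating evidence, never proof: the PE timestamp is written by the linker and can be zeroed or set to any value, many neighbouring countries share an offset, and a small sample set will always fit some offset by chance. Analysts therefore combine it with other signals such as language settings in the build environment, infrastructure registration patterns and victimology.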

“Whatever the motivation may be, having private groups carry out malicious activity has advantages for nation-states,” said CrowdStrike, which listed a major motivation as being plausible deniability.

“We have been tracking this threat actor for several years and the Energetic Bear objectives map to the Russian Federation’s use of natural resources as a policy tool,” said CrowdStrike’s vice president of intelligence, Adam Meyers.

What is clear from all this is that cybercrime is becoming a global phenomenon with many more countries likely to see activity from local groups acting as proxies for state subversion in the next year. How the world of diplomacy manages this coming wave of groups remains to be seen.