Secureworks released their 2024 State of the Threat Report, revealing a 30% year-over-year rise in active ransomware groups. Thirty-one new groups entered the ransomware ecosystem during the last 12 months. The report examines the cybersecurity landscape from June 2023 to July 2024.

A landscape previously dominated by a few large groups is now home to a broader set of emerging ransomware players. Because smaller groups are still becoming established, there is less repeatability and structure in how they operate, and organizations need to remain alert to a wider variety of tactics. This year's median dwell time of 28 hours reflects the newness of these partnerships. Some clusters of groups execute fast "smash-and-grab" attacks within hours, while others, in the most extreme cases, spend hundreds of days in networks. As the new ecosystem continues to take shape, we can expect further variation and shifts in dwell times and methodology.

AiTM and AI as growing threats

Over the past year, threat actors have increasingly used adversary-in-the-middle (AiTM) attacks to steal credentials and session cookies and gain access. This potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy and Tycoon2FA.
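As an added illustration of the defensive side of this point (example code, not from Secureworks or the report), the script below scans sign-in telemetry for a session identifier that completed login from one client and is then used from a different source IP and User-Agent. That pattern is what a defender would expect to see when a session cookie captured by an AiTM proxy is replayed from the attacker's own infrastructure. The JSON log format, field names, sample records and 24-hour window are all assumptions.

```python
"""Flag possible replay of a stolen session cookie in sign-in telemetry.

Added example, not code from Secureworks or the report. An AiTM phishing
proxy relays the victim's real login, including the MFA step, and captures
the session cookie the service issues; the attacker then presents that
cookie from elsewhere. One defensive signal is the same session identifier
appearing from a client context (source IP and User-Agent) that differs
from the one that completed the login. Log format, field names and the
time window are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str          # "login_success" or "request"
    session_id: str
    src_ip: str
    user_agent: str


# Constructed sample telemetry (assumed format). sid-1 completes login from
# one browser and is used 35 minutes later from a different address with a
# different client. sid-2 only changes IP (for example a user moving between
# networks) and keeps its User-Agent, so it should not be flagged.
SAMPLE_LOG = """
{"ts":"2024-05-02T09:00:00","event":"login_success","session_id":"sid-1","src_ip":"203.0.113.10","user_agent":"Firefox/125"}
{"ts":"2024-05-02T09:05:00","event":"request","session_id":"sid-1","src_ip":"203.0.113.10","user_agent":"Firefox/125"}
{"ts":"2024-05-02T09:40:00","event":"request","session_id":"sid-1","src_ip":"198.51.100.7","user_agent":"python-requests/2.31"}
{"ts":"2024-05-02T10:00:00","event":"login_success","session_id":"sid-2","src_ip":"192.0.2.44","user_agent":"Chrome/124"}
{"ts":"2024-05-02T10:30:00","event":"request","session_id":"sid-2","src_ip":"192.0.2.99","user_agent":"Chrome/124"}
"""


def parse_events(raw: str) -> list[Event]:
    """Parse one JSON object per line into Event records."""
    events = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["ts"]),
            event=rec["event"],
            session_id=rec["session_id"],
            src_ip=rec["src_ip"],
            user_agent=rec["user_agent"],
        ))
    return events


def find_session_replays(events: list[Event],
                         window: timedelta = timedelta(hours=24)) -> list[tuple[str, str, str]]:
    """Return (session_id, login_ip, suspect_ip) for each session that is used,
    within `window` of its login, from a source IP *and* User-Agent that both
    differ from the client that completed the login. Requiring both to change
    avoids alerting on ordinary network roaming; one alert per session."""
    login_ctx: dict[str, Event] = {}
    flagged: set[str] = set()
    alerts: list[tuple[str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "login_success":
            login_ctx[ev.session_id] = ev
            continue
        origin = login_ctx.get(ev.session_id)
        if origin is None or ev.session_id in flagged:
            continue
        if ev.ts - origin.ts > window:
            continue
        if ev.src_ip != origin.src_ip and ev.user_agent != origin.user_agent:
            flagged.add(ev.session_id)
            alerts.append((ev.session_id, origin.src_ip, ev.src_ip))
    return alerts


if __name__ == "__main__":
    for sid, login_ip, suspect_ip in find_session_replays(parse_events(SAMPLE_LOG)):
        print(f"session {sid}: logged in from {login_ip}, later used from {suspect_ip}")
```

Requiring both the IP and the User-Agent to change is a deliberate trade-off: it misses an attacker who spoofs the victim's browser string, but it keeps a mobile user who switches from Wi-Fi to cellular from generating an alert. In a real deployment the same check would typically be extended with ASN or geolocation lookups and fed into the SIEM rather than printed.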

As AI tools have become widespread and readily available, it was inevitable that cybercriminals looking to scale would take note. Since mid-February 2023, Secureworks CTU researchers have observed an increase in posts on underground forums about OpenAI ChatGPT and how it can be employed for nefarious purposes. Much of the discussion relates to relatively low-level activity, including phishing attacks and basic script creation.

State-sponsored threat activity – A summary

The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran and North Korea. This year, we are also including threat group activity from Hamas, which has seen a notable increase since the outbreak of the Israel-Hamas war and is now spilling over into the public domain and into our aperture. The primary drivers for these countries are geopolitical.

China:

Chinese cyber activity has continued to track with previous observations. Its aims are broadly focused on information theft for political, economic and military gain. Much of this activity is targeted at industrial sectors that align with the high-level objectives of the Chinese Communist Party's (CCP) Five Year Plan. In October 2023, the heads of the U.S., U.K., Australian, Canadian and New Zealand security agencies warned of the "epic scale" of Chinese espionage. State-sponsored threat actors were not immune to law enforcement activity. In March 2024, the U.S. State Department unsealed indictments against seven named individuals, all part of the BRONZE VINEWOOD threat group. The indictments contain details of an extensive campaign of intrusions committed by the group over more than a decade of malicious activity. In the same month, the UK government stated that China was responsible for two malicious campaigns against the UK Electoral Commission between 2021 and 2022. However, no information was released about the group responsible.

Iran:

Iranian internal and external cyber activity remained driven by its political imperatives. Internationally, Iran primarily focuses on Israel, regional adversaries including Saudi Arabia, the United Arab Emirates and Kuwait, and the U.S. Iran makes regular use of fake hacktivist personas to target enemies, allowing itself plausible deniability. There are two primary Iranian sponsors of cyber activity: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).

North Korea:

North Korean threat actors continued their pursuit of revenue generation via cryptocurrency theft and sophisticated fraudulent employment schemes to gain access to Western jobs. They were persistent in targeting the IT sector and weaknesses in the supply chain. There was a major focus on entities in the U.S., South Korea and Japan. These activities were set within the geopolitical context of an increased willingness on the part of North Korea to work with Russia and Iran, with the intent to foster relations with countries that are prepared to confront related, perceived enemies despite international sanctions.

Hamas:

The report tracks three threat groups, ALUMINUM SHADYSIDE, ALUMINUM SARATOGA and ALUMINUM THORN, considered to be aligned with Hamas, the militant group that governs the Gaza Strip. The outbreak of the Israel-Hamas war in October 2023 led to an uptick in cyber activity targeted at Israel and at countries perceived to be aligned with it. However, much of that activity is thought to have been the work of hacktivist groups and personas masquerading as Palestinian but more likely linked to Iran or Russia.

Russia:

The war in Ukraine continues to drive Russian state-sponsored cyber activity, both in Ukraine and abroad. Groups associated with all three of Russia's intelligence agencies were active throughout the past year. CTU researchers assess that Russia's most aggressive use of cyber capabilities in sabotage operations will remain focused on critical infrastructure targets within Ukraine. One notable example of this kind of activity this year was IRON VIKING's cyber espionage attacks against battlefield control systems used by Ukrainian defense forces.

Download the report.