Trellix, a leading cybersecurity intelligence firm, has pointed out that recent global events have been major drivers of cyber threat activity. The escalation of cyber threats has been observed in response to events such as military exercises, political summits, elections, and other critical geopolitical occurrences. John Fokker, Head of Threat Intelligence at Trellix, emphasized the increasing complexity of the cybersecurity landscape, noting the need for enhanced operational threat intelligence to stay ahead of cybercriminal activity.
One of the key findings from Trellix’s latest CyberThreat Report is the increase in cyber attacks originating from China and Russia. China-linked threat groups, particularly Volt Typhoon, were identified as the most prolific originators of advanced persistent threat (APT) activity, accounting for 68.3% of all detections. The report also highlighted a significant increase in cyber activity by the Russia-linked APT group Sandworm, with a 40% rise in detections compared to the previous reporting period.
Iran-linked threat groups have also shown a notable uptick in cyber operations, with an 8% increase in detections. This surge in activity is believed to align with Iran’s geopolitical objectives and its involvement in conflicts such as the Israeli-Hamas war. Additionally, Trellix uncovered malicious email campaigns that solicited donations to election campaigns from targeted individuals. These emails used legitimate marketing services to deceive recipients into making fake donations, highlighting the exploitation of political events for financial gain.
Ransomware actors have predominantly targeted the transportation and shipping sectors, with a significant portion of global ransomware detections attributed to these industries. Following a law enforcement action to disrupt the LockBit ransomware gang, Trellix identified imposters copying the group’s tactics, underscoring the evolving nature of ransomware threats.
Despite a decrease in detections, the use of Cobalt Strike, a popular offensive tool among threat groups, remains prevalent. This persistence signifies the continued effectiveness of Cobalt Strike in cyber operations. Moreover, a new EDR evasion tool called “Terminator,” developed by cybercriminals, was deployed in a campaign targeting the telecom sector. Trellix linked this campaign to the escalating tensions of the Russian-Ukrainian conflict.
An emerging trend identified by Trellix is the integration of artificial intelligence into cybercriminal operations. The availability of tools like ChatGPT 4.0 Jabber in the cybercriminal underground allows threat actors to leverage GenAI for knowledge sharing and idea theft. These developments underscore the evolving tactics cybercriminals use to evade detection and enhance their malicious activities.
In conclusion, the Trellix Advanced Research Center’s CyberThreat Report sheds light on the dynamic landscape of cyber threats from October 2023 to March 2024. The report emphasizes the geopolitical drivers behind cyber operations and the continuous adaptation of threat actors to exploit global events for their malicious goals. As cybersecurity challenges evolve, organizations must remain vigilant and proactive in defending against sophisticated cyber threats.
