Malware attacks – especially advanced targeted attacks – have nearly doubled in the EMEA region in the first half of 2014, say the results of the analysis of network attacks that targeted FireEye customers in that period.
The UK (17%) and Germany (12%) were the most targeted countries, followed by Saudi Arabia (10%), Turkey (9%), Switzerland (8%), Italy (6%), Qatar (5%), France (4%), Sweden (4%), and Spain (3%).
In more than 50 percent of the cases, APT attackers have targeted governments and governmental organizations, companies offering financial services, and telecoms:
Based on the data, the company predicts that organizations in EMEA will almost certainly face cyber espionage risks from state-sponsored or state-associated threat actors working for or in association with nation-state governments in the days and months to come.
“Agencies and institutions whose networks are connected to those of other local government entities also face potential risks from threat actors moving laterally from an initially compromised network,” the researchers noted. “We suspect that a nation state actor may opt to target a local government network as opposed to that of a central government entity as the local network poses an easier and less complex target. Local governments likely lack the resources for stringent network security and monitoring, making them a technically easier target for threat actors.”
Organizations in the financial services vertical face a triple threat: organized cyber crooks, state-sponsored or state-associated attackers, and hacktivists.
In the energy sector, Nordic energy companies and an EMEA state’s national oil company have been recent targeted, and FireEye believed that the attacks have been executed by multiple actors based in Russia.
APT attackers have a great and obvious predilection for backdoor malware:
“DarkComet, njRAT, and XtremeRAT are all publicly available, easy-to-use RATs—njRAT is particularly popular in the region, and its author is based in Algeria,” the researchers noted.
“Rather than building custom malware and exposing valuable zero day exploits, many threat actors behind targeted attacks use publicly or commercially available remote access Trojans (RATs). This pre-built malware often has all the functionality needed to conduct cyber espionage and is controlled directly by the threat actor, who frequently possess the ability to adapt to network defences.”
Finally, the rise of APT threats does not mean that non-targeted cybercrime is slowing down – quite the opposite, in fact. Cyber crooks use some of the same malware and C&C domains located in the Middle East and North Africa, but target indiscriminately a wider audience with run-of-the-mill phishing and cybercrime attacks.
“In addition, we have observed local forums develop a cybercrime scene similar to what we have observed in China and Russia: forums with malware for sale and technical mentors who offer advice on evading anti-virus software and using dynamic domain hosting,” they noted. “This suggests growing expertise and specialization, which will likely result in more effective intrusions and cybercrime operations.”