Threat actors intensify focus on NATO member states

Initial access brokers (IABs) are increasingly targeting entities within NATO member states, indicating a persistent and geographically diverse cyberthreat landscape, according to Flare.

IABs infiltrate systems and gain unauthorized access through various techniques, including spear-phishing, exploiting unpatched vulnerabilities, and leveraging leaked and stolen credentials, with the primary goal of establishing persistence in these environments. Leaked credentials and cookies from stealer logs can be a common vector for IABs to gain initial access.

Flare analyzed hundreds of IAB posts on the Russian-language hacking forums, and discovered recent activity in 21 out of the 31 NATO countries – confirming the extensive reach and consistent potential threat IABs pose to national security and economic stability.

US defense sector witnesses increase in targeted cyberattacks

One of the key findings of the report is the threat actors’ preference for targeting critical infrastructure sectors in NATO member states – their strategic value allowing IABs to demand higher prices in the cybercrime market. The report also highlights the anonymized nature of IAB posts and the careful efforts of threat actors to conceal sensitive details, which poses challenges in identifying victims.

The analysis indicates a clear trend toward targeted cyberattacks on the US defense sector, and a higher price point for access to US defense contractors. This reflects the high value of these targets and suggests that threat actors recognize the significant impact of infiltrating defense-related systems.

Access to US defense contractors is priced at an average of $5,750 for immediate purchase, in stark contrast to an average of $1,489 for all other industries (after removing outliers). This disparity suggests that threat actors are willing to pay a premium for potential access to highly sensitive environments.

The average blitz price for NATO country infrastructure was $6,396, compared to $2,742 for all listings. Employing the Interquartile Range (IQR) method to eliminate outliers, the average selling price for critical infrastructure was still higher: $1,782 versus $1,420 for non-critical infrastructure.

Nation-states utilize cybercrime groups

There is a marked concentration by certain threat actors on critical infrastructure sectors. Actors like “Roblette” and “Sandocan” display a disproportionate focus on these areas, suggesting strategic targeting by cybercriminals for potentially higher financial gains and greater impacts.

The cautious approach of sellers on forums like Exploit, who often withhold sensitive details to avoid victim identification, is an example of the ongoing cat-and-mouse game between cybercriminals, researchers, and law enforcement.

Conversely, other incidents appear to be incidental, arising from widespread phishing and social engineering campaigns and enabled by tactics like credential stuffing or password spraying.

“Geopolitics are no longer isolated from cybercrime”, said Eric Clay, VP Marketing at Flare. “As global tensions have increased we’ve seen a spillover where nation-states may directly leverage cybercrime groups to further their aims.”

It is crucial for organizations to actively monitor forums such as Exploit to detect potential compromises. Given the anonymized nature of IAB postings and cautiousness of sellers, it is often difficult to determine an exact victim.