Group-IB, a global cybersecurity leader headquartered in Singapore , has today published its latest annual threat report Hi-Tech Crime Trends 2022/2023. The report, produced by Group-IB’s Threat Intelligence unit identifies the most pertinent cyber risks faced by companies in the Asia Pacific region. The report reveals that ransomware operations remain the top cyber threat to public and private companies across the world. Between H2 2021 and H1 2022, the number of companies that had their information uploaded onto the ransomware dedicated leak sites (DLS) was up by 22% year-on-year to 2,886, including data related to 322 companies from the Asia Pacific region. For the second consecutive year, Group-IB researchers observed the increasing impact of initial access brokers (IABs) on the ransomware market in APAC and beyond.
Group-IB recorded 2,348 instances of corporate network access being sold on dark web forums or privately by IABs, twice as many in the preceding period. The number of brokers also grew from 262 to 380, leading to a drop in prices making attacks from ransomware gangs and other threat actors more affordable. In the APAC region, the number of network access offers almost tripled to 382 in H2 2021 – H1 2022, resulting in a drop in price of total offers of 32%. APAC continues to be the main theater of operations for nation-state cyber threat actors, with Group-IB researchers detecting the activity of more than 35 advanced persistent threat (APT) actors.
For the 11th consecutive year, the Hi-TechCrime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors such as the financial industry, telecommunications, manufacturing and energy. The report offers a global overview of the threat landscape and includes predictions for future developments.. Group-IB’s hands-on experience in investigating cybercrime coupled with an innovative suite of products and services allow for a thorough understanding of underground trends and activities, and long-term predictions to assist cybersecurity teams around the world to tailor their cyber defense.
In line with the global trend, the total cost of offers of access to the Asia Pacific companies’ networks traded on underground forums decreased by 32.3% to $2,238,924, due to a significant increase in supply. The number of APAC-related network access offers almost tripled from 133 in H2 2020 – H1 2021 to 382 in the following period, which explains the growing number of ransomware incidents in the region. In the review period, ransomware gangs posted sensitive information belonging to 322 APAC companies on DLS. Group-IB team highlights that effective corporate cybersecurity teams should take into account relevant knowledge about the attackers active in the region and suggests considering solutions based on the data from real-life cyber investigations and incident response operations in APAC.
A devil’s ransom
The report found that ransomware continues to be a major threat to companies worldwide, with 2,886 companies having their information, files, and data published on ransomware DLS between H2 2021 and H1 2022, a 22% increase compared to the 2,371 companies affected during the previous period (H2 2020 – H1 2021). It’s worth noting that the actual number of ransomware attacks is believed to be significantly higher as many victims chose to pay the ransom and some ransomware gangs do not use DLS.
Based on the analysis of ransomware DLS, Group-IB discovered that companies in North America (50% of companies whose data was leaked by ransomware gangs) were the most affected by this form of attack. Comparatively, the APAC region was the third-most affected region, with 322 companies having their data published on DLS. The major affected markets in this region were Australia (55 companies), India (38 companies), China (37 companies), Japan (31 companies), and Thailand (27 companies). Additionally, 17 companies in Singapore had information published on DLS. The most prolific ransomware gang in the APAC market was Lockbit, responsible for 41% of publications from the region on dedicated leak sites. Second in this list was Conti, a Russian-speaking ransomware group that launched the devastating ARMattack campaign at the end of 2021, which was responsible for 7% of leaks, and third was Hive (6% of leaks).
Between H2 2021 and H1 2022, Group-IB’s Threat Intelligence unit analyzed underground advertisements and identified a significant increase in the sale of corporate access. A total of 2,348 instances were recorded, which is twice as many as the previous period (1,099 access offers). Of these, 2,111 offers provided information about the country and 1,532 specified the victim’s industry.
IABs have significantly expanded their presence worldwide, with the number of countries where they broke into corporate networks increased by 41%: from 68 to 96 during this period. Similar to the previous year, US-based companies were the most sought after target among IABs, , with almost a quarter of all discovered access offers related to US companies (558). The industries most affected by IABs were manufacturing (5.8% of all companies), financial services (5.1%), real estate (4.6%), and education (4.2%).
“Initial access brokers play the role of oil producers for the whole underground economy,” says Dmitry Volkov, CEO of Group-IB. “They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries. As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023. Private and public companies in the Asia Pacific region should consider setting up a threat intelligence program to monitor for compromised credentials of their workforce.”
The Asia-Pacific region saw a significant number of network access offers with India (16.8%) recording the highest number, followed by Australia (12.8%), China (11.8%), Indonesia (7.3%), Thailand (7.3%), Malaysia (4.5%), Taiwan (4.5%), Vietnam (4.2%), Japan (3.4%), and Singapore with 3.4% of all network access offers in the region detected between the second half of 2021 and the first half of 2022. One of the most prolific initial access brokers active in APAC, nicknamed NikaC, offered access to seven financial companies’ networks, mainly in the Asia-Pacific. Most involved access to the corporate email of top managers.
Group-IB’s analysis of the threat posed by ransomware gangs also revealed that globally, the largest number of ransomware-related data leak victims were found in the following sectors: manufacturing (295 companies), real estate (291), professional services (226), and transportation industries (224). In the APAC region, most of the victims posted on DLS conducted business in the manufacturing (45), financial (20), and energy (15) sectors.
“Ransomware is likely to remain the major threat for businesses and governments across the globe in 2023,” says Dmitry Volkov, CEO at Group-IB. “Ransomware gangs have been able to craft a stable market for their criminal enterprises, and the ransom demands issued to companies once they have been attacked are continuing to rise rapidly. Many of the most prominent ransomware gangs have turned into criminal start-ups. They have a rigid hierarchy and bonuses for overachievement. While the growth trends might slow down, it is likely that the ransomware market could consolidate further, continuing a trend seen in H2 2021 – H1 2022.”
Stealing the limelight
One of the most notable changes to the global threat landscape is the increasing popularity of logs obtained with the use of information stealers — malware that gathers personal details from the user’s browser metadata. These stealers can obtain credentials, bank cards, cookies, browser fingerprints, etc. Group-IB found that between July 1, 2021 and June 30, 2022, over 96 million logs were offered for sale, with most of the compromised data coming from US users (80%), with the UK (5.4%), India (4.6%), Indonesia (2.4%), and Brazil (2%) trailing behind.
Group-IB experts discovered over 400,000 Single Sign-On logs among these 96 million logs. SSO is a widely used corporate authentication method that uses a single pair of credentials to get access to multiple services, making them highly sought after by cybercriminals as they allow them to get into several systems at a time with little effort. As discovered by Group-IB researchers, the threat actor behind the recent attack on Uber purchased stealer logs on one of the underground marketplaces for US$20. These logs contained SSO credentials of at least two Uber employees.
“It is quite concerning what a cybercriminal with US$20 and modest technical skills is capable of these days,” says Dmitry Volkov, CEO at Group-IB. “With remote work and SSO services becoming more prevalent, instances of access to corporate networks started appearing in stealer logs more often. Attacks on companies through their employees will become one of the main infection vectors. A silver bullet against such attacks doesn’t exist. This trend highlights the need for companies to improve their cybersecurity across all layers, including training employees to respond to social engineering, enhancing detection and response capabilities, and of course, monitoring the cybercriminal underground for compromised employee records and offers to sell access to their networks.”
APAC — main theater of APT operations
The Group-IB Threat Intelligence team found that the largest number of attacks conducted by nation-state threat actors took place in the Asia-Pacific region. Between H2 2021 – H1 2022, the activity of more than 35 APT groups was detected in APAC. Threat actors from India, China, Taiwan, South Korea and Vietnam were the most active. Due to growing tensions in cyberspace globally, new players have emerged. For instance, at the end of 2022, Group-IB researchers discovered a previously unknown APT Dark Pink that is believed to originate from the Asia-Pacific region. Dark Pink’s confirmed victims include two military bodies in the Philippines and Malaysia, government agencies in Cambodia, Indonesia and Bosnia and Herzegovina, and a religious organization in Vietnam.
“It is not surprising that the overwhelming majority of known APT victims were government and military organizations (33%), followed by financial (6.3%) and telecommunications companies (5.8%),” says Dmitry Volkov. “The tense political environment will lead to further increase in attacks on energy, telecommunications, and manufacturing infrastructure in 2023. Not only politically motivated groups will be highly active, but also financially-driven cybercriminals. This could lead to far-reaching DDoS attacks and substantial leaks of sensitive information, as well as major financial thefts.”
About Hi-Tech Crime Trends report
Group-IB has been presenting its annual report since 2012, integrating data gathered as a result of the company's own investigations with incident response findings worldwide. Serving as a practical guide for a wide range of experts — in risk management, digital business transformation, strategic planning in the cybersecurity field and investing in information system protection — the report provides annual forecasts that have always proved to be accurate. For technical specialists, including СISOs, SOC and DFIR teams, researchers and malware analysts, as well as Threat Hunting experts, Group-IB’s report provides an opportunity to analyze the relevance of cybersecurity policies, adjust security settings for their systems and strengthen their expertise in countering cyberthreats relevant to their industry. Thanks to the use of unique tools for tracking the infrastructure of cybercriminals, as well as a thorough study of research by various cybersecurity teams worldwide, Group-IB experts annually identify and confirm common patterns that form a full picture of the development of cyberthreats in the world. This forms the basis of future forecasts set out in the report that help companies around the world build effective cybersecurity strategies based on relevant threats.
More analytics on Group-IB’s research hub