The Great Data Heist by Threat Actors
By: Lim Wee Tee, Regional Vice President, Growth & Emerging Markets (Southeast Asia & Taiwan), Cloudera
Bad actor or threat actor is a term used to refer to an individual or group that intentionally engages in malicious activities. These activities include hacking, phishing or other cybercrimes with the intent to cause harm to systems, networks or data. Threat actors are motivated by many factors, including financial gain, political ideology, grievances or vendettas.
There has been a significant increase in threat actor activity in recent years. IBM’s Threat Intelligence describes phishing (39%), exploiting public-facing applications (26%) and exploiting remote services (12%) as the three most common attack or threat vectors. Once a threat actor has exploited a vulnerability, the top five impacts are extortion (21%), data theft (19%), credential harvesting (11%), data leaks (11%) and damage to brand reputation (9%). That means that over 40% of the resulting impact directly relates to data.
However, as outlined in the report, the extent of cybercrime and threat actor activity is an estimate based on imperfect data. The number of different categories of threat actors, the disparate data sets relating to events and a lack of transparency almost certainly mean that the actual number of actors and events is far greater than the report suggests.
Among the major vertical industries, manufacturing (25%), Financial Services and Insurance (19%) and Professional and Consumer Services (15%) have received the greatest share of attacks. Sensitive Personally Identifiable Information (PII) data within the consumer sector is a significant target for threat actors seeking to monetise data. Disruption to processes and supply chains within manufacturing can result in significant financial losses and make extortion a serious threat.
According to the World Economic Forum, the total cost of cybercrime will be US$10.5 trillion by 2025. This includes the impact of threat actors targeting the commercial sector and coordinated attacks of critical public sector infrastructure. This is why today, cyber security and in particular the protection of data, is a rapidly growing priority for senior executives and government leaders.
Types and Examples of Cybercrime
When thinking about threat actors, it’s useful to break down activities and motivations into three areas: access vectors, actions on objectives and impact.
Access vectors are ways in which a threat actor gains access to a system or resource. The most common approach is using a spear phishing technique via email. This typically includes either a malware attachment (25%) or an embedded link to an external malware service (14%) that a user inadvertently clicks on. People are the weakest link in the security chain and provide a preferred route to gaining access to systems and networks.
The next most common access vector is exploitation of public-facing applications (26%). Web applications are increasingly providing us with convenient access to useful but often highly sensitive information. This includes mobile banking, medical records and corporate information. Organisations and policymakers continue to balance the convenience of access to data and services with the sensitivity of those services and the size and number of access vectors. Exploitation of public-facing applications can occur as a result of software bugs or misconfiguration. Exploited applications often include web and application servers, but can also include databases and network services that are inadvertently exposed to the internet.
Once a threat actor has gained access via an initial access vector, they may use this vantage point to gain even greater access to resources or engage in actions on objectives. The most common actions include installation of malware (backdoors and ransomware) (38%), server and remote tool access (10%) and compromising business emails (6%). Ransomware attacks are not restricted to an individual or organisation’s data but may target disruption to organisational network services that include authentication, authorisation, virtual compute, storage and networking. In 2019 the average time to deploy ransomware was two months; in 2021 it was only four days, a reduction of 94%. In addition to cybercrime being a significant area of growth, the exploitation of vulnerabilities and the harvesting of large amounts of sensitive data is happening more rapidly than ever before.
Notable data breaches from 2023 include ancestry data of 6.9 million users at 23andMe. The genetic testing company, which provides customers with information derived from their DNA, said the data breach was caused by customers reusing passwords, which allowed hackers to brute-force the victims’ accounts using publicly known passwords released in other companies’ data breaches. While one could argue that brute-force attempts to crack passwords should be detectable by an application’s authentication services, and the affected accounts temporarily suspended to thwart threat actors, this could inadvertently result in a denial of service for the users whose accounts are under attack. While reusing passwords is arguably a problem created by users, publicly accessible applications, especially those that can expose sensitive data, should enforce two-factor authentication to safeguard against such brute-force attacks.
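The tension described above, between detecting password reuse attacks and not locking legitimate users out, can be illustrated with a small login monitor. The following is an added example, not code from the article or from Cloudera: it separates credential stuffing (one source trying many accounts once each) from a brute force against a single account, and responds by throttling the source or stepping up to a second factor rather than suspending the account. The window size, the thresholds and the sample attempts are all assumptions or constructed data.

```python
# Added example (not from the article or Cloudera): a login-attempt monitor that
# separates credential stuffing (one source trying many accounts) from a brute
# force against one account, and responds by throttling the source or requiring
# a second factor rather than suspending the account, which is the denial-of-
# service risk the article describes. Window size, thresholds and the sample
# attempts below are all assumptions / constructed data.
from collections import defaultdict, deque

WINDOW_SECONDS = 300        # sliding window for counting failures (assumption)
SOURCE_FAIL_LIMIT = 10      # failed logins per source IP before throttling
SOURCE_ACCOUNT_LIMIT = 5    # distinct accounts tried per source IP before throttling
ACCOUNT_FAIL_LIMIT = 8      # failed logins per account before a second factor is demanded


class LoginMonitor:
    """Tracks recent failed logins per source IP and per account."""

    def __init__(self):
        # source_ip -> deque of (timestamp, account); account -> deque of (timestamp, source_ip)
        self.source_fails = defaultdict(deque)
        self.account_fails = defaultdict(deque)

    @staticmethod
    def _expire(window, now):
        """Drop entries older than WINDOW_SECONDS from the left of a deque."""
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()

    def decide(self, ts, source_ip, account, success):
        """Record one attempt and return the defensive action for it:
        'allow', 'throttle_source' or 'require_second_factor'."""
        src = self.source_fails[source_ip]
        acc = self.account_fails[account]
        if not success:
            src.append((ts, account))
            acc.append((ts, source_ip))
        self._expire(src, ts)
        self._expire(acc, ts)

        distinct_accounts = len({a for _, a in src})
        # Credential stuffing: few failures per account, but one source touching
        # many accounts. Per-account lockout misses it; throttling the source does not.
        if len(src) >= SOURCE_FAIL_LIMIT or distinct_accounts >= SOURCE_ACCOUNT_LIMIT:
            return "throttle_source"
        # Brute force on one account: step up authentication instead of suspending,
        # so the legitimate owner is not denied service by the attacker.
        if len(acc) >= ACCOUNT_FAIL_LIMIT:
            return "require_second_factor"
        return "allow"


# Constructed sample attempts: (timestamp_seconds, source_ip, account, success)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", "alice", False),     # one source, many accounts, one try each
    (1, "203.0.113.5", "bob", False),
    (2, "203.0.113.5", "carol", False),
    (3, "203.0.113.5", "dave", False),
    (4, "203.0.113.5", "erin", False),
    (5, "203.0.113.5", "heidi", True),      # a reused password works: source is still throttled
    (10, "198.51.100.1", "frank", False),   # many sources, one account
    (11, "198.51.100.2", "frank", False),
    (12, "198.51.100.3", "frank", False),
    (13, "198.51.100.4", "frank", False),
    (14, "198.51.100.5", "frank", False),
    (15, "198.51.100.6", "frank", False),
    (16, "198.51.100.7", "frank", False),
    (17, "198.51.100.8", "frank", False),
    (30, "192.0.2.9", "grace", False),      # legitimate user mistypes twice, then succeeds
    (31, "192.0.2.9", "grace", False),
    (32, "192.0.2.9", "grace", True),
    (1000, "203.0.113.5", "alice", False),  # earlier failures have aged out of the window
]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    """Feed the attempts through one monitor and return the decision for each."""
    monitor = LoginMonitor()
    return [monitor.decide(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(attempt, "->", decision)
```

The point of the two separate counters is that a credential-stuffing run produces only one failure per account, so an account-lockout rule never fires, while a single-account brute force is caught by the account counter and answered with a second-factor challenge that the real owner can pass and the attacker cannot.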
Our analysis of recent cybersecurity incidents in Asia reveals a concerning trend of breaches across diverse industries. This includes the theft of an alleged 2.2GB data trove from AirAsia, potentially compromising sensitive customer information. Similarly, a decade-long data leak at Toyota, exposing approximately 2 million customer records, raises questions about the world’s largest motor vehicle manufacturer’s cloud security practices. The fast-fashion sector is not immune, with Shein experiencing a data breach impacting nearly 39 million users, resulting in a significant $1.9 million fine. Furthermore, leading telecommunications providers like Singtel have faced breaches, with a recent incident compromising the data of 1.2 million customers. This incident, alongside a similar class-action lawsuit against Singtel subsidiary Optus in Australia, underscores the heightened focus on data security in the region.
Another example from 2023 is the UK postal service, Royal Mail. A ransomware attack in January led to months of disruption to the dispatch of letters and parcels to destinations outside of the United Kingdom. It also resulted in the theft of sensitive data including technical information, human resource and staff disciplinary records, details of salaries and overtime payments, and even one staff member’s COVID-19 vaccination records.
2022 was a challenging year for Australia, with major data breaches at Optus, Medibank Private and AHM. However, 2023 wasn’t without its challenges either, with the high-profile data breach at Latitude Financial. The data breach included approximately 14 million records, including the driver’s licence and passport numbers of Latitude’s customers.
Overwhelmingly the most common information stolen during a breach is PII. This includes names, addresses, social security numbers, driver’s licences, passports, medical data, credit cards and passwords. This information is then frequently sold on the dark web or other forums to conduct further operations against targets.
This is why the storage and handling of PII is highly regulated. Regulations set by governing bodies, regulators and policymakers include the General Data Protection Regulation (GDPR) within the European Union, the California Consumer Privacy Act (CCPA) in the U.S. and the Health Insurance Portability and Accountability Act (HIPAA), also in the U.S.
While some of the data breaches may be attributed to organisations failing to meet the guidelines outlined in regulations and policies, many have fallen prey to threat actors silently gaining access to a user account or service with privileged access. In such cases, the intrusion is detected either through unusual behaviour or through a notification or demand from the threat actor seeking to extort money from the individual or organisation.
Detecting abnormal behaviour is becoming increasingly difficult as the number of access vectors increases and organisations become more distributed and complex. Behaviour models will become increasingly dependent on Machine Learning models that detect complex patterns within large amounts of data. For example, Security Information and Event Management (SIEM) systems are increasingly using real-time data and engineered features collected from across a complex network of interconnected systems and devices. This requires real-time data to be collected, filtered and routed for anomaly detection. This often includes engineering temporal features, normalising data, enriching data with network or geolocation data, and identifying and tracking events of interest from the point of first occurrence. Coordinated attacks on complex networks and systems may take place over extended periods while threat actors gather valuable information to support future attacks.
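The pipeline steps listed above (filtering, normalising, enriching with geolocation, engineering temporal features and tracking from first occurrence) are shown end to end in the following added example, which is not the article’s or Cloudera’s code. The log lines and the geolocation table are constructed sample data, and the burst window and threshold are assumptions; a real deployment would draw on a GeoIP database and a streaming collector rather than an in-memory list.

```python
# Added example (not the article's or Cloudera's code): a minimal SIEM-style
# pipeline that filters and normalises raw log lines into events, enriches them
# with a country from a geolocation table, engineers temporal features, and
# tracks each (user, country) pair from its first occurrence so that a login from
# a never-before-seen country or a burst of activity can be flagged. The log
# lines and the geolocation table are constructed sample data.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

RAW_LOGS = [  # constructed sample lines
    "2024-03-01T08:00:00Z vpn-gw sshd: Accepted login user=alice src=203.0.113.7",
    "2024-03-01T08:02:00Z web-01 kernel: eth0 link up",  # no user/src: filtered out
    "2024-03-01T08:03:00Z vpn-gw sshd: Accepted login user=bob src=198.51.100.20",
    "2024-03-01T08:05:00Z web-01 app: GET /reports user=alice src=203.0.113.7",
    "2024-03-01T08:06:00Z web-01 app: GET /export user=alice src=203.0.113.7",
    "2024-03-01T08:06:10Z web-01 app: GET /export user=alice src=203.0.113.7",
    "2024-03-01T08:06:20Z web-01 app: GET /export user=alice src=203.0.113.7",
    "2024-03-01T08:09:00Z vpn-gw sshd: Accepted login user=alice src=198.51.100.44",
]

GEO_TABLE = {"203.0.113.0/24": "SG", "198.51.100.0/24": "BR"}  # constructed lookup table

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*?) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

BURST_WINDOW_SECONDS = 60   # assumption
BURST_THRESHOLD = 3         # events per user inside the window (assumption)


def parse(line):
    """Normalise one raw line into an event dict, or None if it carries no user/src."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def geolocate(ip):
    """Enrich a source IP with a country code from the constructed table."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "??"


def build_features(lines):
    """Turn raw lines into per-event feature rows with temporal features and alerts."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    first_seen = {}                 # (user, country) -> first timestamp seen
    recent = defaultdict(deque)     # user -> timestamps inside the burst window
    last_ts = {}                    # user -> previous event timestamp
    rows = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        country = geolocate(ev["src"])
        key = (user, country)
        # First-occurrence tracking: a new country is only suspicious once the
        # user already has a baseline from somewhere else.
        known_elsewhere = any(u == user for u, _ in first_seen)
        new_country = key not in first_seen and known_elsewhere
        first_seen.setdefault(key, ts)
        # Temporal features: events in a sliding window and gap since last event
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_WINDOW_SECONDS:
            window.popleft()
        since_prev = (ts - last_ts.get(user, ts)).total_seconds()
        last_ts[user] = ts
        alerts = []
        if new_country:
            alerts.append("new_country")
        if len(window) >= BURST_THRESHOLD:
            alerts.append("burst")
        rows.append({
            "ts": ts.isoformat(), "user": user, "host": ev["host"], "country": country,
            "seconds_since_prev": since_prev,
            "seconds_since_first_seen_here": (ts - first_seen[key]).total_seconds(),
            "events_in_window": len(window),
            "alerts": alerts,
        })
    return rows


if __name__ == "__main__":
    for row in build_features(RAW_LOGS):
        print(row)
```

In practice the feature rows, not the raw lines, are what an ML model or a rule engine consumes, and the first-seen table is the state that lets a slow, multi-week intrusion be linked back to the session in which an unfamiliar location or host first appeared.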
Conclusion
As the number of access vectors and the value of data and data-related services increase, so will the number of cyberattacks. Failure to defend against these attacks may result in costly remediation work, disruption to critical processes, irrevocable damage to the brand and fines from industry regulators.
Organisations will have to balance the need to provide timely access to data services while defending against threat actors. It will also be crucial to detect unusual behaviour of legitimate users that may indicate a compromised account. Carefully restricting access to data and systems and logging access to or attempts to access systems will play an increasingly important role. Being able to do so in near-real time with constantly evolving ML models will be a foundational capability to protect organisations in the future.