Know thy cyber enemy: Who's attacking and what they want

Verizon security study shows most attacks made by external parties, primarily based in China and Romania, using wide variety of threat actions

China and Romania spawned the most cyber attacks last year, according to an in-depth study released this week by Verizon. Notably, whereas Romanian attackers were primarily prowling for financial data to score a big payday, Chinese perpetrators were engaged in espionage, focused on swiping trade secrets and internal data. Much of the responsibility for successful data breaches in 2012, however, can be pinned on IT's long-standing nemesis: single-factor authentication. Seventy-six percent of network intrusions in 2012 exploited weak or stolen credentials.

Verizon's 2013 DBIR (Data Breach Investigations Report) is brimming with information as to who was behind worldwide cyber attacks in 2012, what attackers were after, and what tactics they employed to pull off their crimes. Verizon's RISK (Research, Investigations, Solutions, Knowledge) Team, in conjunction with more than a dozen security-focused organizations, culled the data by analyzing more than 47,000 reported security incidents and 621 confirmed data breaches from the past year.

Whodunit?
Among the report's key findings, the vast majority of cyber attacks against organizations -- 92 percent -- were perpetrated by external parties; just 14 percent were pulled off by someone on the inside. Verizon pinned the remainder to partners. (The report notes that "many figures and tables in this report add up to more than 100 percent; this is not an error. It simply stems from the fact that items presented in a list are not always mutually exclusive, and thus, several can apply to any given incident.")

"The two big reasons for the dominance of external actors are their numerical advantage and greater attack scalability," according to the report. "An organization will always have more outsiders than insiders, and the Internet connects criminals to a virtually limitless host of potential victims."

As to who was responsible for most of the external attacks, the RISK Team reported that 55 percent were performed by organized crime syndicates. "This reflects the high prevalence of illicit activities associated with threat actors of this ilk, such as spamming, scamming, payment fraud, account takeovers, identity theft, etc."

These syndicates' primary motivation is money: "As economic and social activities continue to go online, criminals will follow in order to exploit the soaring amount of data that can be (all too easily) converted to cash."

Choosing targets
Attacks from organized cyber criminals tend to come from Eastern Europe and North America, and they primarily target the financial, retail, and food industries. Their tactics often include physically tampering with victims' equipment (ATMs, point-of-sale terminals, databases, and desktops); engaging in brute-force hacking; and using malware for spying, capturing store data, posing as admins, and RAM scraping. They tend to focus on grabbing payment cards, credentials, and bank account information.

Meanwhile, state-affiliated groups were behind 21 percent of all outside attacks, representing an increase over previous years -- and these folks weren't in it for the money. Rather, the report says "threat actors engaged in espionage campaigns ... seek data that furthers national interests, such as military or classified information, economy-boosting plans, insider information or trade secrets, and technical resources such as source code."

State-affiliated attacks primarily target manufacturing, transportation, and professional-service companies, and most of these attacks stem from East Asia (China). Their tactics of choice include phishing, hacking to swipe credentials, and using an array of malware for backdoor exploitation, password dumping, and swiping data via command-and-control servers. They generally target computers and servers of all types. The bounty they seek: credentials, internal organization data, trade secrets, and system info.

Just 2 percent of external attacks were pinned to activists, and those attacks most commonly come from Western Europe and North America. They target information-service companies and public agencies, primarily with such tools and tactics as SQL injection, brute-force attacks, stolen credentials, backdoor malware, and RFI (remote file inclusion) attacks. Hacktivists primarily seek personal information, credentials, and internal data, according to the report.
