Black hat gangs: a tale of patriotism and profit


The kind of industries threat actors like to target depends at least partly on where they come from. And if you’ve never heard of “kerberoasting” then perhaps you might want to learn about it — it’s a major tool in the cyber sneak’s digital arsenal.

That’s the verdict from CrowdStrike, which has released its annual report to coincide with its presentation at the Black Hat cybersecurity conference this week in Las Vegas.

As grizzled cyber warriors line up to show off their weapons and expertise at the keenly anticipated event, CrowdStrike is understandably eager to demonstrate its latest findings after another grueling year in the field of digital conflict.

Said findings make up a pretty diverse smorgasbord of info nuggets — diverse that is, if you overlook the fact that CrowdStrike’s report focuses on Eastern “adversaries.” It’s a long-held tenet of the cybersecurity industry that the West is essentially doomed to play a defensive game of ‘catch-up’ while the predominantly Eastern threat groups go on the offense.

Whether or not this is actually true is a matter of debate, but regardless, there are some interesting insights to be gleaned from CrowdStrike’s scrutiny of nation-backed threat groups.

Take North Korea, for instance. The outfits it’s suspected of backing aren’t too keen on going after enemy government targets, but if CrowdStrike’s data is anything to go by, they “love to steal your money,” as Joe Strummer once sang. Its “heat map” breakdown of most targeted sectors indicates that the breakaway Asian state gets real hot for financial targets.

“North Korean adversaries are the most aggressive state-sponsored adversaries to target the financial sector,” it said. “They continue to engage in prolific, financially motivated operations primarily targeting financial and financial technology (fintech) organizations.”

But hey, a pariah state that nobody wants to do business with has to make a living somehow right?

[Figure: CrowdStrike's heat map of main threat actors, by country and motivation: the darker the color, the hotter the action]

Not a patriot game (well, not always)

Of course, it isn’t just the patriots gunning for big business — enterprising threat actors simply out to line their digital pockets through cybercrime, dubbed by CrowdStrike as “eCrime” types, are after a slice too.

“eCrime threat actors also routinely target the financial sector,” said CrowdStrike. “Though some adversaries focus on stealing cryptocurrency or non-fungible tokens, opportunistic big-game-hunting ransomware and data theft campaigns remain the primary eCrime threat to financial institutions.”

And so much for the continual exhortations by the FBI and other law enforcement agencies to never cave in to a ransomware actor’s demands. “Due to the victim organization's need to maintain system uptime and the sensitive nature of the sector, eCrime threat actors likely conclude that financial institutions are willing and able to pay ransom demands.”

Russia, on the other hand, doesn’t appear to be all that concerned with money. But then, after all, why would it be? Given it has shown a capacity to shrug off raft after raft of eye-watering global sanctions following its invasion of Ukraine, this should come as no surprise. You can say many things about the Kremlin’s foreign policy, but “we’re only in it for the money” probably won’t be among them.

Yes, you guessed it — the cyber target Russia is really interested in nowadays is governments. In fact, that is the only sector that lights up on CrowdStrike’s heat map for the disgraced superstate, further evidence that the Kremlin isn’t backing down from the wider digital conflict with its adversaries any time soon.

So how about China? Well, once again, the heat map appears to bear out trends that cyber analysts have been observing for some time now. The Asian superpower rival to the US is pretty hot for government targets, but not as hot for them as it is for technology and media.

Interestingly, transport and logistics also flare up on CrowdStrike’s heat table, suggesting that not only does China want to know about the goodies you are inventing and designing, it also wants to know how you’re getting them around.

That said, of the three categories, media appears to be the hottest on China’s cyber wishlist, suggesting that it’s keen to track, and perhaps leverage, what Western outlets are telling their respective masses.

Iran, we haven’t forgotten you…

Of course, no Eastern badboy list compiled by a Western cybersecurity firm would be complete in this day and age without a mention of Iran. The Islamist state is hottest for telecommunications — whether that means it wants to spy on its own citizens, or those of foreign powers, CrowdStrike doesn’t elaborate.

What it does specify however, is that these so-called “targeted intrusions” displayed on its heat graph are likely to be part of a bigger picture, as states seek to coordinate their cyberwar efforts across the various threat groups affiliated to them.

“Targeted intrusion activity during this period notably correlated with the respective intelligence collection requirements and other priorities of each adversary grouping,” said CrowdStrike, which gathered the data between July 2022 and last month.

It added: “The most straightforward of these is North Korean adversaries’ targeting of financial sector entities — as well as finance-related consulting services — as part of a widespread currency generation effort meant to leverage cryptocurrency theft and, to a lesser extent, ransomware.”

By contrast, “the diversity of sectors targeted by Iranian and Chinese state-nexus adversaries are reflective of two distinct, but similar, tradecraft strategies.” Where the former “increasingly rely on opportunistic exploitation of entities of interest,” the latter “continue to expand operations to achieve coverage across as many targets as possible.”

Game, set, and match: enter the kerberoasters

In terms of precise methodology used by threat groups, the one technique that looms large in this year’s CrowdStrike report is kerberoasting. As a former armchair tennis fan, I must admit when I first read this I was immediately left wondering if the German former world No. 1 Angelique Kerber had been getting trolled on social media — but apparently I’m far from the truth here.

Kerberoasting in fact entails a manipulation of “Kerberos” tickets that fall squarely under the master machine manipulator’s category of Very Nice To Have. Or as CrowdStrike puts it: “Windows devices use the Kerberos authentication protocol, which grants tickets to provide users access based on service principal names (SPNs). Kerberoasting specifically involves the theft of tickets associated with SPNs [that] contain encrypted credentials that can be cracked offline using brute-force methods to uncover the plaintext credentials.”

What this means in layperson’s terms is that a threat actor can use the kerberoasting technique to penetrate deeper into a target system, exploiting the higher access privileges normally held by the Active Directory accounts that SPNs are registered to, which “usually have higher privileges and allow the adversary to extend their reach and gain access to sensitive files or systems.”
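The description above also points at how a defender spots the technique: the ticket requests themselves are logged. The following is an added example, not code from the article or from CrowdStrike, that runs two detection heuristics over constructed Windows Security event 4769 (service ticket request) records: a ticket issued with RC4-HMAC (encryption type 0x17) is the cheaply crackable case, and one account requesting tickets for many distinct SPNs in a short window is unusual for a human user. Field names follow event 4769; the accounts, hostnames and thresholds are invented.

```python
"""Flag likely kerberoasting in Windows Security event 4769 (TGS request) records.
Two defender-side signals from the description above: a service ticket issued with
RC4-HMAC (TicketEncryptionType 0x17) is the cheap-to-crack case, and one account
requesting tickets for many distinct SPNs in a short window is unusual for a user."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # AES tickets are 0x11 / 0x12
BURST_SERVICES = 5                # distinct services within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample events: (timestamp, requesting account, service name, etype).
# Not real telemetry; hostnames and accounts are invented.
EVENTS = [
    ("2023-08-07T09:00:01", "alice", "krbtgt", "0x12"),
    ("2023-08-07T09:00:05", "alice", "CIFS/fs01", "0x12"),
    ("2023-08-07T09:01:00", "bob", "MSSQLSvc/db01:1433", "0x17"),
    ("2023-08-07T09:01:02", "bob", "HTTP/web01", "0x17"),
    ("2023-08-07T09:01:03", "bob", "HTTP/web02", "0x17"),
    ("2023-08-07T09:01:04", "bob", "MSSQLSvc/db02:1433", "0x17"),
    ("2023-08-07T09:01:05", "bob", "ldap/app01", "0x17"),
    ("2023-08-07T09:30:00", "carol", "MSSQLSvc/db01:1433", "0x17"),
]

def rc4_requests(events):
    """(account, service) pairs issued with RC4, ignoring the TGT service itself."""
    return [(acct, svc) for _, acct, svc, etype in events
            if etype == RC4_HMAC and not svc.lower().startswith("krbtgt")]

def burst_requesters(events, threshold=BURST_SERVICES, window=BURST_WINDOW):
    """Accounts that requested >= threshold distinct services inside one window."""
    by_account = defaultdict(list)
    for ts, acct, svc, _ in events:
        by_account[acct].append((datetime.fromisoformat(ts), svc))
    flagged = set()
    for acct, reqs in by_account.items():
        reqs.sort()                                  # sliding window over time
        for i, (start, _) in enumerate(reqs):
            names = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged.add(acct)
                break
    return flagged

def triage(events):
    """Rank accounts: both signals -> high; RC4 alone -> review (may be a legacy client)."""
    rc4_accounts = {acct for acct, _ in rc4_requests(events)}
    bursts = burst_requesters(events)
    return {"high": sorted(rc4_accounts & bursts), "review": sorted(rc4_accounts - bursts)}
```

On the sample, `bob` trips both signals and `carol` only the RC4 one; in a real estate the RC4 signal alone is worth a review queue because legacy clients still negotiate it.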

So, now you know. And apparently the cybercriminals increasingly do too: CrowdStrike says that kerberoasting attacks soared by 583% during the past year, almost a sevenfold increase. Looks like seven could be the magic number for your digital thieves and spies.

Or maybe not so much the latter. CrowdStrike further notes that kerberoasting, despite being widely used, is mainly the preserve of eCrime types not associated with any nation-state backer. Perhaps the North Koreans will find this report helpful in that case, assuming they can get around their paymaster’s own internet censorship to access it.

At any rate, kerberoasting appears to be facilitating plenty of cybercriminal activity observed by CrowdStrike, including password spraying to force system access, remote hijacking of target machines, and exploiting vulnerable servers. Well, at least Angelique is safe for now.

Lightning strikes a lot more often than twice

Cybercriminals are also becoming more adept at defense — and they aren’t slow to pick up any legal tools that might be lying around to help them cover their tracks. CrowdStrike pinpointed a 312% year-on-year rise in attacks involving remote monitoring and management tools, known as RMMs.

“Adversaries are increasingly using legitimate and well-known remote IT management applications to avoid detection and blend into the noise of the enterprise in order to access sensitive data, deploy ransomware, or install more tailored follow-on tactics,” it said.

Well, come on, you didn’t seriously expect them to play nice, did you? One thing the digital foe is doing is playing fast, though: threat actors are moving ever more swiftly into a system once the first line of defense has been breached.

CrowdStrike discloses that the average time taken “to move laterally from initial compromise to other hosts in the victim environment” fell from 84 minutes in 2022 to a record 79 minutes this year.

It adds: “Additionally, the fastest breakout time of the year was recorded at just seven minutes.” Dang, that’s fast. So fast, indeed, that if Usain Bolt were a cybersecurity professional, he’d say…. oh, you got it? Alrighty then.

Pssst! I can get you in, real easy…

No less swift have been the abettors to ransomware attacks and other seedy cybercrimes. Also known somewhat euphemistically as initial access brokers, they have been mushrooming on the dark web, offering their nefarious services for a fee, a growing phenomenon that CrowdStrike notes as having increased by 147% in the past year.

“Ready access to valid accounts for sale lowers the barrier to entry for eCrime actors looking to conduct criminal operations, and allows established adversaries to hone their post-exploitation tradecraft to achieve their objectives with more efficiency,” said CrowdStrike.

The cybersecurity analyst says it monitored some 215 threat groups during the twelve-month research period to arrive at its findings, which can be scrutinized in further detail here.

“We have seen a threat landscape that has grown in complexity and depth as threat actors pivot to new tactics and platforms, such as abusing valid credentials to target vulnerabilities in the cloud and in software,” said Adam Meyers, head of counter-adversary operations at CrowdStrike.

“When we talk about stopping breaches, we cannot ignore the undeniable fact that adversaries are getting faster and they are employing tactics intentionally designed to evade traditional detection methods,” he added. “Security leaders need to ask their teams if they have the solutions needed to stop lateral movement from an adversary in just seven minutes.”