MANDIANT SPECIAL REPORT

Table of Contents

Introduction 3
By the Numbers 5
  Data from Mandiant Investigations 6
The Invasion of Ukraine: Cyber Operations During Wartime 53
  Strategic Cyber Espionage and Pre-Positioning Prior to Invasion 56
  Initial Destructive Cyber Operations and Military Invasion 57
  Sustained Targeting and Attacks 60
  Maintaining Footholds for Strategic Advantage 61
  Renewed Tempo of Disruptive Attacks 62
  Information Operations Surrounding Russia's Invasion of Ukraine 63
  Takeaways 64
North Korea's Financial Operations Continue to Evolve 65
  NFTs, Bridges, Ransomware and More: North Korean Cybercrime in 2022 67
  Not Just Money: Continued Intelligence Collection Operations in Context 69
Shifting Focus and Uncommon Techniques Brought Threat Actors Success in 2022 71
  Initial Intrusions 73
  Getting Around and Getting Out 74
  Making Things Personal 76
  Lessons Learned 77
Red Team Case Study: Cloud-focused Operations 78
  Initial Compromise 79
  Lateral Movement to Azure 80
  Attacking a Password Manager Solution 81
  Gaining Visibility within Azure 82
  Privilege Escalation to Global Administrator Solution 83
  Attacking the Software Development Life Cycle (SDLC) 84
  Outcomes 85
  Targeted Attack Lifecycle Mapping 85
2022 Campaigns and Global Events 86
  Campaigns: Threat Actors 87
  Global Events: Notable Vulnerabilities 95
Notable and Recently Graduated Threat Groups 101
  How a Threat Cluster Becomes an APT or FIN Group 102
  APT42 Conducts Highly Targeted Surveillance Operations 103
Conclusion 105
Bibliography 107

SPECIAL REPORT | MANDIANT M-TRENDS 2023

Introduction

The lines separating the real world and the cyber realm have never been hazier. We're seeing Russia engage in information operations in an attempt to influence the narrative surrounding their invasion of Ukraine, and attempt to disrupt critical infrastructure through both physical and cyber attacks. We're seeing the invasion have an influence on the broader cybercrime ecosystem, notably in Europe, where actors are choosing sides or shutting down operations altogether. And we're seeing actors engage in cybercrime to fund espionage to support the North Korean regime, targeting information on topics ranging from nuclear to COVID-19.

Every day Mandiant responders are investigating and analyzing the latest attacks and threats, and understanding how best to respond to and mitigate them. We pass these learnings on to our customers through our various services, helping them to stay ahead of a constantly evolving threat landscape. In releasing our annual M-Trends report, we aim to provide some of that same critical intelligence to the greater security community.

M-Trends 2023 continues our tradition of offering details on the evolving cyber landscape, mitigation recommendations, and a wide variety of security incident-related metrics. Let's start with answering one of the biggest questions from our "By the Numbers" section. The answer is yes, attacks are being detected faster than ever before. From January 1, 2022, to December 31, 2022, the global median dwell time is now 16 days, down from 21 days in our M-Trends 2022 report. This may demonstrate an improved ability to detect attacks, but we also credit ransomware attacks as a driving factor in reducing dwell time. Intrusions involving ransomware had a median dwell time of 9 days in 2022, compared to 5 days reported in M-Trends 2022.

The topics of M-Trends 2023 include:

By the Numbers: Organizations were notified of breaches by external entities in 63% of incidents compared to 47% in M-Trends 2022, which brings the global detection rates closer to what defenders experienced in 2014. We have many more signature metrics on targeted industries, attack types, threat groups, and malware use, along with new breakdowns based on trends and observations.

The Invasion of Ukraine: Russia's invasion of Ukraine has consumed almost every aspect of Russia's international relationships, and has evolved as nearly the sole driver of cyber threat activity from Russia in 2022. We cover operations dating back to before the physical invasion in February, including use of destructive and disruptive attacks, and information operations.

North Korean Financial Operations: For years, North Korea has reportedly conducted various illicit financial activities to fund the regime. The explosive growth of cryptocurrency is converging with aggressive and flexible North Korean cyber capabilities, making it natural that at least some North Korean threat groups would expand operations into this sector.

Shifting Focus and Uncommon Techniques: In 2022, Mandiant investigated a series of high-profile intrusions that were successful and impactful to the targeted organizations despite significant deviations from common threat actor behaviors, underscoring the threat posed to organizations by persistent adversaries willing to eschew the unspoken rules of engagement.

M-Trends 2023 additionally contains a red team case study, tales of threat actors and vulnerabilities from our Campaign and Global Events team, and details from our APT42 graduation. M-Trends builds on our dedication to continue providing critical knowledge to those tasked with defending organizations. The information in this report has been sanitized to protect the identities of victims and their data.

By the Numbers

Data from Mandiant Investigations

The metrics reported in M-Trends 2023 are based
on Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2022 and December 31, 2022. Note that this edition of M-Trends returns to a 12-month period compared to the 15-month period reported in M-Trends 2022.

Detection by Source

In 2022, Mandiant observed a general increase in the number of organizations that were alerted by an external entity of historic or ongoing compromise. Organizations were notified of breaches by external entities in 63% of incidents. This continues the trend observed in 2021 and brings the global detection rates closer to what defenders experienced in 2014. The increase in external notification observed in 2022 is likely impacted by Mandiant's investigative support of cyber threat activity which targeted Ukraine and an increase in proactive notification efforts. Proactive notifications from security partners enable organizations to launch response efforts more effectively. Analysis of Mandiant's efforts in Ukraine is highlighted in The Invasion of Ukraine: Cyber Operations During Wartime.

Figure: Detection by Source, 2011-2022 (percent of detections, internal vs. external, by year). Internal detection is when an organization independently discovers it has been compromised. External detection is when an outside entity informs an organization it has been compromised.

Figure: Detection by Source by Region, 2022. Americas: 55% external, 45% internal. EMEA: 74% external, 26% internal. APAC: 67% external, 33% internal.

Historically, Mandiant has observed relatively stable detection rates for organizations headquartered in the Americas. However, in 2022, organizations were notified by an external entity in 55% of incidents, compared to 40% of incidents last year. This is the highest percentage of external notifications the Americas has seen over the past six years. While organizations in the Americas continue to
improve detection capabilities, external notifications from trusted security partners remain the primary way organizations are made aware of incidents.

In 2022, 33% of the incidents Mandiant experts responded to in the Asia Pacific (APAC) region were originally identified by internal entities. However, over the past six years, Mandiant has observed a trend towards greater external notifications in the APAC region. This year's 9-percentage point increase in internal detections when compared to 2021 demonstrates the strong variability Mandiant has observed in detection source in the APAC region.

Organizations in Europe, the Middle East and Africa (EMEA) were alerted of an intrusion by an external entity in 74% of investigations in 2022 compared to 62% in 2021. This marked increase in external notifications could be explained by Mandiant's investigative support to Ukraine and is likely an outlier from the general trend. Mandiant continues to see a shift to more external notifications in the EMEA region over the past six years; however, because of extenuating circumstances in 2022, this trend may stabilize in the future.

Figure: Detection by Source by Region, 2017-2022 (internal detections and external notifications in percent, with linear trend lines, for APAC, EMEA and the Americas).

Figure: Detection by Source, by Investigation Type, 2022. Ransomware investigations: 70% external, 30% internal. Non-ransomware investigations: 61% external, 39% internal. Ransomware investigations, external notification source: adversary notification 67% (8% of all investigations), external partner 33% (4% of all investigations).

In 2022, external notifications were more prevalent as a notification source regardless of the investigation type. In intrusions related to ransomware, organizations were notified by an external entity in 70% of investigations. Organizations were predominantly notified by adversaries due to a fully executed ransomware event, with 67% of investigations (8% of all investigations) detected due to a ransom note. Notifications from external partners comprise the remaining 33% of ransomware related investigations (4% of all investigations). Similarly, organizations were notified by external entities of non-ransomware related intrusions more often than the organization was able to identify similar intrusions internally. However, Mandiant observed organizations in 2022 identify non-ransomware intrusions internally more often than ransomware intrusions. This may be due to increased visibility allowing organizations to detect intrusions earlier in the Targeted Attack Life Cycle. While non-ransomware operations often prioritize avoiding detection mechanisms, the longer operations cycles provide more detection opportunities when compared to the relatively short cycle employed by ransomware operators.

Mandiant continues to see positive collaboration between organizations and external partners that perform compromise notifications. These external parties provide effective information that aids an organization's ability to identify intrusions more quickly, regardless of the investigation type.

A ransomware related intrusion provides access for, or is associated with, a malicious actor that has the primary goal of encrypting data with the intention of extracting payment from the target in order
to avoid further or undo the malicious action.

Dwell Time

Global Dwell Time

Global median dwell time continued to improve year over year, with organizations detecting incidents in just over two weeks in 2022. This is the shortest global median dwell time from all M-Trends reporting periods. Notable improvement in global median dwell time where an external entity was the notification source may indicate that organizations respond to external notifications more quickly. This reflects a growing recognition of the critical role partnerships and information exchange play in building a resilient cybersecurity ecosystem. As security partners are improving the critical information contained within external notifications, the improvement of information sharing will enable organizations to act more effectively than if left to identify similar intrusions on their own.

Defenders continue to detect events faster than external entities notify. The global median dwell time for internally detected incidents in 2022 returned to similar timeframes defenders saw in 2020. In 2022, the global median dwell time for intrusions detected internally was 13 days. It was 18 days in 2021 and 12 days in 2020. Similarly, Mandiant experts observed another significant decrease in the global median dwell time for investigations with an external notification source in 2022, down 32% compared to 2021. External notifications allowed organizations to initiate response to intrusions within a median of 19 days of the initial compromise. Improvements in global median dwell time in 2022, regardless of detection source, enabled organizations to respond to incidents faster than ever before.

Dwell time is calculated as the number of days an attacker is present in a victim environment before they are detected. The median represents a value at the midpoint of a data set sorted by magnitude.

Figure: Global Median Dwell Time, 2011-2022 (dwell time in days for all investigations, external notification and internal detection).
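The dwell time and median definitions above, worked through in code over the breakdowns this report uses (median by detection source and by investigation type, share detected within a week, external notification share, and adversary vs. partner notification for ransomware cases). This is an added example, not code from the report or from Mandiant; the incident records are constructed, the Incident fields and notified_by categories are this example's own, and the intermediate distribution cut points (76-90 through 701-1000) are assumed, since only the first six bins and the last two are legible in the report's charts.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Incident:
    """One investigation. notified_by is 'internal' (the organization found the intrusion
    itself), 'partner' (an external security partner) or 'adversary' (e.g. a ransom note)."""
    case_id: str
    first_evidence: date  # earliest attacker presence found in the environment
    detected: date        # day the compromise was identified
    notified_by: str
    ransomware: bool

    @property
    def source(self) -> str:
        # The report's two detection sources: internal detection or external notification.
        return "internal" if self.notified_by == "internal" else "external"


def dwell_days(inc: Incident) -> int:
    """Dwell time as the report defines it: days the attacker was present before detection."""
    days = (inc.detected - inc.first_evidence).days
    if days < 0:
        raise ValueError(f"{inc.case_id}: detection date precedes first evidence")
    return days


def median(values: Iterable[float]) -> float:
    """Midpoint of the data set sorted by magnitude; mean of the two middle values when even."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("median of an empty data set")
    mid = len(ordered) // 2
    return ordered[mid] if len(ordered) % 2 else (ordered[mid - 1] + ordered[mid]) / 2


# Dwell time bins of the report's distribution charts: (label, inclusive upper bound in days).
# The first six and the last two labels are legible on the page; the cut points in between
# are assumed for this example.
BINS = [("0-7", 7), ("8-14", 14), ("15-30", 30), ("31-45", 45), ("46-60", 60), ("61-75", 75),
        ("76-90", 90), ("91-150", 150), ("151-200", 200), ("201-300", 300), ("301-400", 400),
        ("401-700", 700), ("701-1000", 1000), ("1001-2000", 2000), ("2000+", None)]


def bin_label(days: int) -> str:
    """Label of the bin a dwell time falls into (the last bin is open-ended)."""
    for label, upper in BINS:
        if upper is None or days <= upper:
            return label
    raise AssertionError("unreachable: the last bin has no upper bound")


def percent(incidents: List[Incident], pred: Callable[[Incident], bool]) -> float:
    """Share of incidents satisfying pred, in percent rounded to one decimal (0.0 if empty)."""
    if not incidents:
        return 0.0
    return round(100 * sum(1 for i in incidents if pred(i)) / len(incidents), 1)


def median_by(incidents: List[Incident], key: Callable[[Incident], object]) -> Dict[object, float]:
    """Median dwell time per group, e.g. key=lambda i: i.source or key=lambda i: i.ransomware."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[key(inc)].append(dwell_days(inc))
    return {group: median(days) for group, days in groups.items()}


def distribution(incidents: List[Incident]) -> Dict[str, float]:
    """Percent of investigations in each dwell time bin (every bin listed, zeros included)."""
    counts = Counter(bin_label(dwell_days(i)) for i in incidents)
    total = len(incidents)
    return {label: (round(100 * counts[label] / total, 1) if total else 0.0) for label, _ in BINS}


def summarize(incidents: List[Incident]) -> Dict[str, object]:
    """The headline figures the report gives per region: medians by detection source and by
    investigation type, share detected within a week, external notification share, and who
    delivered the notification for externally notified ransomware cases."""
    ransomware_external = [i for i in incidents if i.ransomware and i.source == "external"]
    return {
        "median_all": median(dwell_days(i) for i in incidents),
        "median_by_source": median_by(incidents, lambda i: i.source),
        "median_by_type": median_by(incidents, lambda i: "ransomware" if i.ransomware else "non-ransomware"),
        "external_pct": percent(incidents, lambda i: i.source == "external"),
        "within_week_pct": percent(incidents, lambda i: dwell_days(i) <= 7),
        "ransomware_adversary_notified_pct": percent(ransomware_external, lambda i: i.notified_by == "adversary"),
        "distribution": distribution(incidents),
    }


# Constructed sample investigations (not Mandiant data). Their dwell times work out to
# 4, 35, 9, 12, 106, 0, 1141, 7, 23 and 66 days.
SAMPLE = [
    Incident("C-01", date(2022, 3, 1), date(2022, 3, 5), "adversary", True),
    Incident("C-02", date(2022, 1, 10), date(2022, 2, 14), "internal", False),
    Incident("C-03", date(2022, 5, 20), date(2022, 5, 29), "partner", True),
    Incident("C-04", date(2022, 2, 1), date(2022, 2, 13), "internal", True),
    Incident("C-05", date(2021, 11, 15), date(2022, 3, 1), "partner", False),
    Incident("C-06", date(2022, 6, 1), date(2022, 6, 1), "internal", False),
    Incident("C-07", date(2019, 8, 1), date(2022, 9, 15), "partner", False),
    Incident("C-08", date(2022, 7, 4), date(2022, 7, 11), "adversary", True),
    Incident("C-09", date(2022, 4, 10), date(2022, 5, 3), "internal", False),
    Incident("C-10", date(2022, 9, 1), date(2022, 11, 6), "partner", False),
]
```

Calling summarize(SAMPLE) on the constructed records gives an overall median of 17.5 days, 37.5 days for externally notified cases against 17.5 for internal ones, and 30% of cases detected within a week.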
Change in Median Dwell Time: 21 days in 2021, 16 days in 2022.

Figure: Global Dwell Time Distribution, 2018-2022 (percent of investigations by dwell time in days: 0-7, 8-14, 15-30, 31-45, 46-60, 61-75, and further bins up through 1000, 1001-2000 and 2000+).

Global Dwell Time Distribution

Global dwell time distribution continues to improve. 42% of intrusions were detected within a week or less, compared to 37% of intrusions in the last reporting period. Compared to previous years, Mandiant saw more evenly dispersed dwell times across investigations in 2022. Continuing trends from the last M-Trends reporting period, this could indicate that detection is becoming more streamlined and detection abilities have improved to highlight actions in the environment during the initial infection or the reconnaissance phases of the Targeted Attack Lifecycle. However, as Mandiant continues to see a wider distribution for non-ransomware related investigations, organizations are still facing intrusions that go undetected for extensive periods of time. Variance in the detection capabilities of impacted organizations and the types of intrusions
they face are likely contributors to this distribution spread.

Change in Global Median Dwell Time, Ransomware: 5 days in 2021, 9 days in 2022.

Figure: Global Dwell Time by Investigation Type, 2022 (percent of investigations by dwell time in days: all investigations, median 16 days; ransomware investigations, median 9 days; non-ransomware investigations, median 17 days).

Investigations Involving Ransomware

Mandiant experts note a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022. In 2022, 18% of intrusions involved ransomware compared to 23% in 2021. Ransomware attacks continue to be a driving factor in a reduced dwell time. Intrusions involving ransomware had a median dwell time of 9 days in 2022, compared to 5 days in 2021. Mandiant observed that in instances where external entities are making the notification, the global median dwell time for intrusions involving ransomware was 7 days compared to 12 days when an organization detected the intrusion internally. Mandiant observed that adversaries leveraging ransomware remained undetected for longer periods of time in 2022
compared to 2021.

Change in Global Median Dwell Time, Non-Ransomware: 36 days in 2021, 17 days in 2022. Change in Global Investigations Involving Ransomware: 23% in 2021, 18% in 2022.

Figure: Global Median Dwell Time by Detection Source, 2022 (dwell time in days for external notification and internal detection, ransomware and non-ransomware investigations).

Americas Median Dwell Time

The median dwell time for intrusions investigated in the Americas decreased by a full week in 2022 to 10 days, compared to 17 days in 2021 and 2020. Mandiant observed consistent median dwell times for all detection types in the Americas, with internal detections decreasing to 9 days and external detections at their lowest with 12 days. Organizations in the Americas demonstrated another year of improvement, detecting adversaries faster than in previous years and quicker than the previously smallest timeframe of 17 days observed in 2021.

Change in Americas Median Dwell Time: 17 days in 2021, 10 days in 2022.

Figure: Americas Median Dwell Time, 2016-2022 (dwell time in days for external notification, all investigations and internal detection).

Americas Dwell Time Distribution

In the Americas, 64% of intrusions were detected in 30 days or less, and 70% of these intrusions (45% of total intrusions in the Americas) were detected in less than one week. In 2022, more than half of the
intrusions in the Americas were detected in less than two weeks. However, Mandiant observed a small uptick in intrusions that go undetected for longer periods of time, with 7% of total intrusions in the Americas remaining undetected for more than a year. This is an increase from 4% observed in the reporting period of M-Trends 2022. This shows that while organizations in the Americas were able to detect most intrusions within two weeks, due to detection improvements they also identified intrusions by adversaries that would have otherwise remained undetected for longer.

Figure: Americas Dwell Time Distribution, 2021-2022 (percent of investigations by dwell time in days).

Change in Americas Investigations Involving Ransomware: 22% in 2021, 22% in 2022.

Figure: Americas Dwell Time by Investigation Type, 2022 (percent of investigations by dwell time in days: all investigations, median 10 days; ransomware investigations, median 5 days; non-ransomware investigations, median 12 days).

Although the percentage of intrusions involving ransomware has decreased globally, Mandiant observed a consistent percentage of investigations in the Americas involving ransomware compared to last year. Similarly, ransomware dwell time continues to remain the same in the Americas region. Mandiant noted that these investigations have similar median dwell times regardless of internal or external detection source, with five days median dwell time for internally notified investigations, and six days when external entities make the notification. Mandiant continues to observe improvements in external notifications for non-ransomware related intrusions. In 2022 organizations in the Americas detected intrusions that did not relate to ransomware in 12 days, compared to 17 days in 2021.

Figure: Americas Median Dwell Time by Detection Source, 2022 (dwell time in days for external notification and internal detection, ransomware and non-ransomware investigations).

Change in Americas Median Dwell Time, Ransomware: 5 days in 2021, 5 days in 2022. Change in Americas Median Dwell Time, Non-Ransomware: 17 days in 2021, 12 days in 2022.

APAC Median Dwell Time

Overall, median dwell time in APAC increased compared to the last M-Trends reporting period. However, organizations in APAC are still detecting intrusions more quickly than in previous years, with a median dwell time of 19 days for intrusions identified internally compared to 22 days in 2021. Organizations in APAC have consistently improved internal detection capabilities over the past three years. Notifications from external entities resulted in a median dwell time of 58 days in 2022 compared to 16 days in 2021. While this represents an increase in median dwell time, it is still a 58% decrease compared to the external notification median dwell time in 2020, which was 137 days. The increase to 58 days is likely a result of the median dwell time numbers normalizing from an abnormally short period of time observed in 2021.

Change in APAC Median Dwell Time: 21 days in 2021, 33 days in 2022.

Figure: APAC Median Dwell Time, 2016-2022 (dwell time in days for external notification, all investigations and internal detection).

Figure: APAC Dwell Time Distribution, 2022 vs. 2021 (percent of investigations by dwell time in days).

APAC Dwell Time Distribution

APAC dwell time distribution continues to show variability. Dwell time distribution shows 48% of APAC investigations had dwell times of 30 days or less, with 76% of these intrusions (37% of all APAC intrusions) detected in one week or less. On the other side of the dwell time distribution, APAC organizations had a wider distribution of intrusions go undetected for longer periods of time, with 30% of investigations remaining undetected for a year or longer compared to 20% of investigations in 2021. Cyber security continues to
mature in APAC with ongoing detection capability improvements. This allows organizations to identify intrusions that would have otherwise gone long undetected, resulting in a wider distribution of intrusions.

Change in APAC Investigations Involving Ransomware: 38% in 2021, 32% in 2022.

Figure: APAC Dwell Time by Investigation Type, 2022 (percent of investigations by dwell time in days: all investigations, median 33 days; ransomware investigations, median 18 days; non-ransomware investigations, median 60 days).

Similar to the observed decrease in global investigations involving ransomware, APAC saw a 6-percentage point decrease in ransomware investigations, with 32% in 2022 compared to 38% in 2021. This number is still almost double the percentage of investigations from 2020 (12.5%) and 2019 (18%). The median dwell time for ransomware investigations in APAC was 18 days compared to 60 days for non-ransomware investigations. Organizations in APAC are quicker to detect incidents internally than externally, regardless of the type of investigation. However, the timeframe observed with relation to ransomware median dwell time does significantly impact dwell time as a whole.

Figure: APAC Median Dwell Time by Detection Source, 2022 (dwell time in days for external notification and internal detection, ransomware and non-ransomware investigations).

Change in APAC Median Dwell Time, Ransomware: 9 days in 2021, 18 days in 2022. Change in APAC Median Dwell Time, Non-Ransomware: 38 days in 2021, 60 days in 2022.

EMEA Median Dwell Time

Organizations in EMEA detected incidents 58% faster in 2022 compared to 2021, with the overall median dwell time now less than three weeks. Looking closer at detection sources, median dwell time for intrusions that were detected by an internal source increased from 13 days seen in 2021 to 33 days in 2022. External notification sources decreased from 60 days seen in 2021 to 18 days in 2022. This large change may be influenced by Mandiant's work in Ukraine, which makes up a notable portion of EMEA investigations in 2022. However, even outside of this work, the general trend shows that median dwell time continues to decrease year over year.

Change in EMEA Median Dwell Time: 48 days in 2021, 20 days in 2022.

Figure: EMEA Median Dwell Time, 2016-2022 (dwell time in days for external notification, all investigations and internal detection).

Figure: EMEA Dwell Time Distribution, 2021-2022 (percent of investigations by dwell time in days).

EMEA Dwell Time Distribution

Dwell time distribution in EMEA showed that 54% of intrusions investigated by Mandiant were identified within 30 days, with 76% of those intrusions (42% of total EMEA investigations) identified within a week. Organizations in EMEA showed improvement, detecting a majority of incidents more quickly. However, the general distribution of intrusions remains consistent with 2021, with 23% of intrusions being identified after a year of initial intrusion.

In 2022, Mandiant saw a 10-percentage point decline in EMEA investigations related to ransomware. Additionally, Mandiant noted an increase in the median dwell time for ransomware specific investigations in EMEA to 33 days in 2022, up from just four days in 2021. This means that, in 2022, adversaries leveraging ransomware against organizations in EMEA spent 89% longer in compromised environments before being detected. However, the median dwell time for ransomware related investigations in EMEA in 2021 was exceptionally short, making it unsurprising that this metric reverted in 2022. Organizations were notified by an external entity of a ransomware event faster than they were able to detect the event internally in 2022. Organizations in EMEA were notified by an external entity within 30 days of ransomware related intrusions; however, when similar intrusions were identified internally, adversaries remained undetected for 51 days. Mandiant did see a significant improvement in non-ransomware dwell time. Organizations in EMEA detected non-ransomware intrusions nearly two thirds quicker, with the median dwell time at 19 days in 2022 compared to 60 days in 2021.

Change in EMEA Investigations Involving Ransomware: 17% in 2021, 7% in 2022.

Figure: EMEA Dwell Time by Investigation Type, 2022 (percent of investigations by dwell time in days: all investigations, median 20 days; ransomware investigations, median 33 days; non-ransomware investigations, median 19 days).

Figure: EMEA Median Dwell Time by Detection Source, 2022 (dwell time in days for external notification and internal detection, ransomware and non-ransomware investigations).

Change in EMEA Median Dwell Time, Ransomware: 4 days in 2021, 33 days in 2022. Change in EMEA Median Dwell Time, Non-Ransomware: 60 days in 2021, 19 days in 2022.

Industry Targeting

Of the intrusions investigated by Mandiant in 2022, response efforts for government related organizations captured a quarter of all investigations. Compared to 9% in 2021, this primarily reflects the extensive work Mandiant has done in support of Ukraine. The next four most targeted industries
from 2022 are consistent with what Mandiant experts observed in 2021. Mandiant observed business/professional services, financial, high tech and healthcare industries to be favored by adversaries. These industries remain attractive targets for both financially and espionage motivated actors.

Figure: Global Industries Targeted, 2022 (percent of investigations by industry; government 25%, followed by business and professional services, financial, high tech and healthcare, with smaller shares for retail and hospitality, transportation and logistics, construction and engineering, telecommunications, education, energy, entertainment and media, nonprofit and utilities).

Targeted Attacks

Initial Infection Vector

Exploits continued to be the most leveraged initial infection vector used by adversaries in Mandiant investigations conducted in 2022. In intrusions where the initial infection vector was identified, 32% of intrusions began with an exploit. While this was a decrease from the 37% of intrusions identified in the reporting period of M-Trends 2022, exploits remained a critical tool for adversaries to use against their targets. In 2022, phishing returned to the second most utilized vector for initial infection observed in intrusions, representing 22% of intrusions where the initial infection vector was identified. This was an increase from 12% of intrusions seen in 2021. Phishing continues to be a lucrative and mainstay vector for adversaries year over year. Adversaries leveraged stolen credentials more often in 2022 than 2021 in investigations where the initial infection vector was identified, at 14% and 9% respectively. Mandiant investigations uncovered an increased prevalence in both the use of widespread information stealer malware and credential purchasing in 2022 when compared to previous
years. In many cases, investigations identified that credentials were likely stolen outside of the organization's environment and then used against the organization, potentially due to reused passwords or use of personal accounts on corporate devices.

Figure: Initial Infection Vector (when identified), 2022: exploit 32%, phishing 22%, stolen credentials 14%, with the remainder split among prior compromise, brute force, website compromise, internet facing servers, third party compromise, BYOD and other.

Figure: Most Prevalent Initial Intrusion Vector by Region, 2022: Americas, exploit 38%; EMEA, phishing 40%; APAC, prior compromise 33%.

Regionally, adversaries made use of various vectors to gain access to targeted organizations and complete their missions. In the Americas, in intrusions where initial infection vectors were identified, the use of exploits remained the most leveraged vector at 38% of investigations. Adversaries targeting organizations in APAC used access from a prior compromise to perform their intrusions more often than other vectors by more than 10-percentage points. In EMEA, phishing was leveraged by adversaries in 40% of investigations where an intrusion vector was identified. This variety of vectors used across regions likely indicates that adversaries are not leveraging the same attack paths to accomplish their missions. Adversaries continue to leverage the intrusion vector that is the most effective to gain access to their targets that reside in each region.

Adversary Operations

Mandiant investigations where an adversary was identified seeking financial gain decreased in 2022. However, financially motivated intrusions still comprised over a quarter of intrusions investigated by Mandiant. Of Mandiant investigations in 2022, 26% of intrusions surfaced adversaries seeking monetary gain through extortion, ransomware, sold access, illicit transfers, or payment card theft. Compared to the reporting period of M-Trends 2022, ransomware related investigations conducted by Mandiant decreased by 5-percentage points. In 2022, 18% of all Mandiant investigations were related to ransomware. This represents the smallest percentage of Mandiant investigations related to ransomware since prior to 2020.

Adversary Operations, 2022: ransomware 18%, financial gain 26%.

Figure: Financial Gain, 2020-2022 (percent of intrusions with and without financial gain). Financial gain: 30% in 2021, 26% in 2022.

Data Theft

Data theft: 40% of intrusions; extortion using stolen data: 8%.

Mandiant experts identified that in 40% of intrusions in 2022, adversaries prioritized data theft. Mandiant defenders have observed threat actors attempting to steal, or successfully completing
data theft operations, more often in 2022 compared to previous years. In 19% of those intrusions (8% of all intrusions) the data stolen was used by the threat actor during negotiations for payment. Mandiant continues to observe threat actors performing data theft operations for numerous goals. However, adversaries were observed prioritizing data theft that likely indicates intellectual property theft or espionage related end goals in 22% of investigations. The continued increase of observed data theft likely indicates that organizations are improving their ability to detect data theft operations, allowing investigators to conduct more complete investigations.

Data theft: 29% in 2021, 40% in 2022.

Figure: Data Theft Observed, 2020-2022 (percent of intrusions, with linear trend).

Modus Operandi

Mandiant experts continue to see a small uptick in the occurrence of opportunistic compromise being leveraged as a source of targeted attack activity. Campaigns of broad scale non-targeted activity have, in some cases, translated into targeted attack activity as access to compromised environments is sold to targeted threat actors or critical information gathered during the attack is leveraged to accomplish the goals of targeted attackers. In 2022, Mandiant experts identified this activity in 6% of intrusions compared to 4% in 2021 and 3% in 2020. As the use of exploits continues to rise, it is no surprise that use of compromised architecture is also increasing. As proof of concept (POC) code is made available for newly identified exploits, the ability to automate compromise increases. This shorter cycle from POC to widespread attack allows actors to gain quick wins which in turn provide necessary infrastructure for additional non-targeted attacks. Of the Mandiant investigations where compromised architecture was observed, roughly 60% of the intrusions resulted in some type of crypto-mining activity. In the remaining nearly 40% of these intrusions, the architecture was leveraged for actions including ongoing spam and/or phishing operations, as well as to further the distribution of botnets. Similar to previous years, intrusions related to insider threats made up 1% of Mandiant investigations in 2022.

Compromised Architecture: 4% in 2021, 6% in 2022.

Exploit Activity in 2022

Adversaries are still making use of exploits to conduct their operations. Mandiant observed evidence of successful exploit activity of at least one exploit against a vulnerability in 36% of investigations in 2022 compared to 30% of investigations from 2021. Mandiant continues to observe adversaries leveraging
exploits to initiate and continue intrusions. Perimeter devices that are accessible via the internet, including firewalls, virtualization solutions and virtual private network devices, remain a highly sought-after target for attackers. Across all investigations where a vulnerability was targeted, abuse of the Log4j[1] vulnerability represented 16% of investigations. The second and third most notable vulnerabilities identified were related to F5 BIG-IP[2] and VMware Workspace ONE Access and Identity Manager[3].

[Chart: Exploit Activity, 2020-2022 (Intrusions, percent; Involved Exploits vs. Did Not Involve Exploits).]
[Chart: Exploit Activity When Identified, 2022. CVE-2021-44228 16%; CVE-2022-1388; CVE-2022-22954; Other.]

Multiple Threat Groups Identified

In more than a quarter of investigations, Mandiant experts identified multiple threat groups within the same environment. During these investigations, Mandiant observed threat groups working together to accomplish a central goal, as well as instances where the target environment was enticing to multiple threat actors independently. The percentage of investigations where multiple threat actors were identified in 2022 increased to a percentage similar to that observed in 2020. This trend remains volatile; however, Mandiant has observed a general rise in multiple threat groups identified in the same environment over the past four years.

[Chart: Multiple Threat Groups Identified (per environment), 2019-2022 (Victim Environments, percent). Values shown: 15%, 29%, 25%, 27%; 25% in 2021, 27% in 2022.]

Threat Groups

Mandiant tracks more than 3500 threat groups, including 900+ newly tracked threat groups in this M-Trends reporting period. Of the newly tracked groups, 265 threat groups were first identified during Mandiant investigations in 2022. Mandiant identified a total of 343 unique threat groups across all intrusions in 2022. Organizations faced intrusions by four named Advanced Persistent Threat (APT) groups, including government-sponsored groups from China and Russia, five named financially motivated threat (FIN) groups, and 335 uncategorized threat (UNC) groups. Overall, organizations are still facing and responding to well-established threat groups while also contending with newly attributed groups.

[Infographic: Threat Groups 2022. Newly Tracked and Observed Threat Groups: 913 newly tracked, 265 first identified in Mandiant investigations, 343 observed. Total tracked: 3500+. 2022 activity: 4 active APT groups (nation-states: China, Russia); 5 active FIN groups (geolocations: Eastern Europe, Mexico); 335 active UNC groups (geolocations: Russia, China, Iran, North Korea, Nigeria, United States, India, Pakistan, United Kingdom, Brazil, Belarus). Total tracked efforts: 41* APT groups (1 graduated), 13 FIN groups, UNC groups identified in 2022 (202 merged).]

*Mandiant tracks Advanced Persistent Threat (APT) groups 0-42. Over the years, APT11 and APT13 were merged into other groups and subsequently deprecated, resulting in 41 APT groups actively tracked by Mandiant.

[Chart: Observed Threat Groups by Goal, 2022 (Threat Groups, percent). Financial Gain 48%; Unknown 27%; Espionage 18%; Other 9%.]

These threat groups are clusters of cyber activity that include artifacts such as adversary infrastructure, tools, and tradecraft. When a threat grouping is first created, Mandiant assesses a primary goal for the group. As our knowledge of a threat grouping becomes sufficiently mature, in-depth research aids in assigning a formal designation based on established Mandiant naming conventions. Of all threat groups observed in 2022, Mandiant assessed 48% of these threat groups to have financially motivated operations, 18% to have espionage-related motivations and 9% to have other motivations, such as destructive operations, hacktivism, and being a nuisance. In the remaining 27% of threat groups, the motivation could not be assessed. This is often because the adversary was detected before they were able to complete their mission, or direct evidence was not
uncovered to establish a credible goal.

Destructive Operations: The threat group's assessed goal is to destroy or damage a target's infrastructure, such as DDoS or a destructive ICS attack.
Hacktivism: The threat group's assessed goal is defamation, to obtain press, and/or to influence policy.
Nuisance: The threat group's assessed goal is to obtain access and propagate through the victim environment, such as botnets and spam.

In 2022, Mandiant graduated one group to a named threat group, APT42, and merged 202 threat groups into other threat groups based on extensive research into activity overlaps. For details on how Mandiant defines and references UNC groups and merges, please see "How Mandiant Tracks Uncategorized Threat Actors."[4]

Of the active groups in 2022, 335 of the threat groups, which Mandiant tracks as uncategorized (UNC) groups, were observed in intrusions. Mandiant assesses that 44% of these threat groups were motivated by financial gain and 12% were motivated by espionage-related actions. Notably, these UNC groups can have more than one motivation. In order to continuously refine our understanding of these threat groups and their activity, Mandiant continuously analyzes adversary actions from frontline investigations in order to generate and integrate actionable intelligence across all Mandiant products and services. Through this work, as well as analysis of public reporting, information sharing and other research, Mandiant continues to expand its threat actor knowledge base through continuous clustering and merging.

[Chart: Observed UNC Groups by Goal, 2022 (UNC Groups, percent). Financial Gain 44%; Unknown 39%; Espionage 12%; Other 7%.]

Malware

In 2022, Mandiant began tracking 588 new malware families to increase its knowledge base of malware. Compared to the 700+ newly tracked malware families reported in the reporting period for M-Trends 2022, which covers 15 months, Mandiant's newly tracked malware equates to roughly 49 new malware families identified each month in 2022, compared to 45 new families a month in 2021. This may indicate that adversaries are continuing to expand their toolsets at a similar rate compared to previous years. Of these new malware families, 157 families were observed in intrusions investigated by Mandiant. This represents a little less than half of the total
number of malware families, 321, seen in Mandiant investigations. This indicates that while adversaries continue to deploy new tools, previously observed malware families still make up a significant portion of their arsenal.

[Infographic: Newly Tracked and Observed Malware Families, 2022. 588 newly tracked malware families; 157 of them observed in intrusions; 321 observed malware families in total.]

A malware family is a program or set of associated programs with sufficient "code overlap" among the members that Mandiant considers them to be the same thing, a "family". The term family broadens the scope of a single piece of malware, as it can be altered over time, which in turn creates new but fundamentally overlapping pieces of malware.

New Malware Families by Category

Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%). These categories of malware remain consistent over the years, and backdoors continue to represent slightly over one third of the newly tracked malware families. Newly tracked credential stealers fell out of the top five categories tracked by Mandiant in 2022. Considering that stolen
credentials appeared for the first time in the most frequently seen intrusion vectors, this seems to suggest that threat actors are leveraging previously created credential stealers to obtain stolen credentials.

A malware category describes a malware family's primary purpose. Each malware family is assigned only one category, the one that best describes its primary purpose, regardless of functionality that would fit more than one category.

Malware Category / Primary Purpose
Backdoor: A program whose primary purpose is to allow a threat actor to interactively issue commands to the system on which it is installed.
Credential Stealer: A utility whose primary purpose is to access, copy or steal authentication credentials.
Downloader: A program whose sole purpose is to download (and perhaps launch) a file from a specified address, and which does not provide any additional functionality or support any other interactive commands.
Dropper: A program whose primary purpose is to extract, install and potentially launch or execute one or more files.
Launcher: A program whose primary purpose is to launch one or more files. Differs from a dropper or an installer in that it does not contain or configure the file, but merely executes or loads it.
Ransomware: A program whose primary purpose is to perform some malicious action (such as encrypting data), with the goal of extracting payment from the victim in order to avoid or undo the malicious action.
Tunneler: A program that proxies or tunnels network traffic.
Other: Includes all other malware categories, such as utilities, keyloggers, point-of-sale (POS), tunnelers and data miners.

An observed malware family is a malware family identified during an investigation by Mandiant experts.

Observed Malware Families by Category

Mandiant experts observed 321 unique malware families in intrusions over the course of 2022. Backdoors remain a mainstay for threat groups, with threat actors using malware with backdoor capabilities in 33% of Mandiant investigations. Compared to 2021, this is a 7-percentage-point decrease; however, malware families with
backdoor capabilities are still observed in vastly more investigations than the next most seen capability type. The next categories show a small variance in order compared to 2021, with downloaders (10%), ransomware (10%), droppers (9%) and launchers (5%) rounding out the top five.

[Chart: Newly Tracked Malware Families by Category, 2022. Backdoor 34%; Downloader 14%; Dropper 11%; Ransomware 7%; Launcher 5%; Other 29%.]
[Chart: Observed Malware Families by Category, 2022. Backdoor 33%; Downloader 10%; Ransomware 10%; Dropper 9%; Launcher 5%; Other 28%.]

Usage of unique ransomware families in investigations between 2021 and 2022 remained relatively stable. While the percentage of ransomware intrusions has decreased, adversaries are still leveraging similar percentages of distinct ransomware malware families to carry out their missions for financial gain. The use of unique downloaders increased 3 percentage points in 2022 from the 7% of investigations observed in 2021. Meanwhile, the use of unique droppers decreased by the same amount, from 12% observed in 2021 to 9% observed in 2022. The use of unique malware that provides tunneling capabilities, which increased from 4%, could likely also be a contributing factor to the decrease in unique droppers and backdoors across missions. Notably, credential stealers fell off the top-five list of observed malware families by category in 2022, despite the use of stolen credentials appearing in the initial infection vector top five. However, Mandiant observed an explosion of credential and information stealer type malware, such as REDLINESTEALER, VIDAR and RECORDSTEALER to name a few, delivered through abuse of search engine optimization (SEO) and malicious advertisements. Mandiant also observed that the usage of other types of malware may indicate that adversaries
are becoming more flexible with tooling to accomplish missions.

[Chart: Observed Malware Families by Category, 2021 vs. 2022. Backdoors 40% in 2021, 33% in 2022; Dropper 12% in 2021, 9% in 2022; Downloaders 7% in 2021, 10% in 2022; Launcher 4% in 2021, 5% in 2022; Ransomware 10% in 2021, 10% in 2022; Tunneler 4% in 2021, 5% in 2022; Other 22% in 2021, 28% in 2022.]

RECORDSTEALER, aka Raccoon Stealer V2 (Sekoia), Record Stealer (AhnLab), and RecordBreaker (Proofpoint), is a credential stealer written in C with the capability to obtain sensitive data from common web browsers and crypto wallets, and it can be configured as a downloader.

REDLINESTEALER, aka RedLine (Minerva Labs and Proofpoint), and Redlinestealer (Fortinet), is credential stealer malware that is capable of stealing credentials from web browsers, files, FTP applications and cryptocurrency wallets. It also collects extensive system survey information such as the basic hardware specifications, desktop screenshot, username, OS, language, geographic location, installed
software, process listing and global IP address. The malware can download and launch additional payloads or launch a hidden command shell for the attacker. Redline Stealer has been advertised for sale on hacking forums.

VIDAR, aka Mosaicloader (Bitdefender), is a data miner written in C++ that targets data from multiple web browsers, cryptocurrency wallets, chat software, the Authy two-factor authentication utility, and various other applications. Collected data is compressed and uploaded to a remote server using HTTP. VIDAR appears to be based on a similar data miner named ARKEI.

A publicly available tool or code family is readily obtainable without restriction. This includes tools that are freely available on the Internet, as well as tools that are sold or purchased, as long as they can be purchased by any buyer. A non-public tool or code family is, to the best of our knowledge, not publicly available (either for free or for sale). They may include tools that are privately developed, held or used, as well as tools that are shared among or sold to a restricted set of customers.

Malware by Availability

Availability of both newly tracked and observed malware families remains consistent year over year. In both categories, malware families were more often privately developed or had restricted availability. Mandiant noted that 29% of malware families used during an intrusion were publicly available, which is a 1-percentage-point increase from 28% in 2021. While adversaries continue to make use of a wide variety of non-publicly available malware and develop malware to achieve their goals per target environment, many adversaries continue to use the same publicly available malware families (e.g. BEACON).

[Chart: Newly Tracked Malware Families by Availability, 2022. Public 16%; Non-Public 84%.]
[Chart: Observed Malware Families by Availability, 2022. Public 29%; Non-Public 71%.]

Consistent with previous years, the most common malware family identified by Mandiant in investigations was BEACON. BEACON was identified in
15% of all intrusions investigated by Mandiant and remains by far the most seen in investigations across regions. It has been used by a wide variety of threat groups tracked by Mandiant, including state-backed threat groups attributed to China, Russia and Iran, as well as financially motivated threat groups including FIN6, FIN7, FIN9, FIN11 and FIN12, and over 700 UNC groups. This ubiquity is likely due to the common availability of BEACON combined with the malware's high customizability and ease of use. While the overall usage of BEACON in 2022 is still the most notable, it is more than a 10-percentage-point decrease in usage compared to 2021, which makes it the smallest percentage of observed BEACON activity in recent years. Use of BEACON across intrusions was captured in 28% of all intrusions in 2021 and 24% in 2020.

The second and third most common malware families observed were SYSTEMBC and METASPLOIT. These malware families provide adversaries capabilities similar to BEACON, although more limited in various respects. The use of malware that acts as a tunneler increased in 2022. This likely reflects the increased usage of malware like SYSTEMBC, which is used heavily by actors who deploy ransomware. In 2022, Mandiant observed four distinct ransomware families emerge as a formidable threat to organizations. Mandiant observed that ransomware families such as HIVELOCKER, ALPHV, LOCKBIT and BASTA make up a majority of ransomware-related intrusions.

[Chart: Most Frequently Seen Malware Families, 2022 (Investigations, percent). BEACON 15%; SYSTEMBC and METASPLOIT 4% each; HIVELOCKER, QAKBOT, ALPHV, LOCKBIT and BASTA between 2% and 3% each.]

While intrusions related to ransomware decreased, Mandiant also observed a general decrease in the volume of organizations added to data leak sharing sites related to ransomware families tracked in 2022 compared to 2021. Of the most prevalent and destructive ransomware families, Mandiant observed a nearly 10% decrease in organizations added to ransomware data leak sites related to ransomware families such as LOCKBIT, ALPHV, BASTA, CONTI and HIVELOCKER. In 2022, Mandiant observed that the LOCKBIT data leak sharing sites showed the most change compared to posts in 2021. Mandiant also assesses that with the CONTI group disruption in early 2022, former affiliates began using other ransomware families such as BASTA, ROYALLOCKER
and HIVELOCKER to carry out their operations. This likely explains the wider assortment of ransomware families in use in 2022 compared to 2021.

[Chart: Most Frequently Seen Malware Families by Region, 2022 (Investigations, percent). Americas: BEACON 16%, HIVELOCKER and SYSTEMBC at 4% and 6%. EMEA: BEACON 12%, TANKTRAP 5%, METASPLOIT 5%. APAC: BEACON 17%, DRAGONJUICE and SODINOKIBI at 7% and 8%.]

Regional Breakdown

While BEACON was the most frequently seen malware family across all regions, the next most popular malware families varied regionally. In the Americas, SYSTEMBC and the cross-platform HIVELOCKER ransomware were seen most frequently after
BEACON. In APAC, SODINOKIBI ransomware and the reconnaissance tool DRAGONJUICE were most common. In EMEA, METASPLOIT and the PowerShell utility TANKTRAP rounded out the top three. Over the years, Mandiant has observed increasing regional variation in common malware families as adversaries progressively specialize in their missions.

Malware Definitions

BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform and commonly used for penetration testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files and executing shell commands. Mandiant has seen BEACON used by a wide range of named threat groups including APT19, APT32, APT40, APT41, FIN6, FIN7, FIN9, FIN11, FIN12 and FIN13, as well as more than 750 UNC groups.

SYSTEMBC is a tunneler written in C that retrieves proxy-related commands from a C2 server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC to act as a proxy between the C2 server and a remote system. SYSTEMBC is also capable of retrieving additional payloads via HTTP. Some variants may use the Tor network for this purpose. Downloaded payloads may be written to disk or mapped directly into memory prior to execution. SYSTEMBC is often used to hide network traffic associated with other malware families. Observed families include DANABOT, SMOKELOADER, and URSNIF. Mandiant has seen SYSTEMBC used by FIN12 and by more than 20 UNC groups with goals related to financial gain.

METASPLOIT is a penetration testing platform that enables users to find, exploit, and validate vulnerabilities. Mandiant has seen METASPLOIT used by APT28, APT35, APT40, APT41, FIN6, FIN7, FIN11, FIN12, FIN13 and 152 UNC groups with end goals ranging from espionage and financial gain to penetration testing.

HIVELOCKER is a ransomware family that has impacted Windows and Linux operating systems. It was originally written in GoLang, but was rewritten in Rust in early 2022. It can encrypt both logical drives and remote
network shares. On execution, the ransomware parses command-line arguments that specify its behavior, such as processes to terminate and services to stop prior to encryption. HIVELOCKER can skip files based on file size, filename, or file extension specified in a command-line argument during the encryption process. Mandiant tracks more than 15 UNC groups associated with the distribution or usage of HIVELOCKER ransomware.

QAKBOT is a backdoor written in C/C++ that implements a plug-in framework to extend its capabilities via embedded and downloaded plugins that provide capabilities such as keylogging, file transfer, and file execution. QAKBOT also targets credentials by intercepting browser activity, injecting malicious code into browser sessions, and extracting credentials stored by browsers, email clients, and FTP clients. QAKBOT is capable of propagating to other systems on a network via SMB and setting up port forwarding on a connected router via the UPnP protocol. Mandiant has seen QAKBOT used by more than 20 UNC groups, including distribution clusters that have provided access for the usage of BASTA ransomware.

Operating System Effectiveness

In line with previous M-Trends reports, malware effective on Windows was by far the most common newly tracked and observed malware, with 92% of the newly identified malware families and 93% of observed malware able to run on Windows. Compared to 2021, Mandiant observed relatively stable usage
of newly tracked malware effective on the Linux platform in 2022, with a slight decrease in observed malware: 15% of observed malware was effective on Linux, compared to 18% in 2021. Similarly, compared to previous years, Mandiant has observed adversaries making use of malware families that are effective on one or more operating systems more often than leveraging malware that is designed to focus on one operating system. In instances where malware is effective on only one operating system, it will likely target the Windows OS. This year marks the first time Mandiant highlights malware effective on the VMware-created operating system, VMkernel. While the general volume of malware effective on this operating system is not significant, this is notable for defenders due to the prevalence of VMware architecture, specifically ESXi hosts. These types of operating systems do not have significant capability for
Endpoint Detection and Response (EDR) tool monitoring. As a result, monitoring and investigations into the platform can be challenging for defenders.

The operating system effectiveness of a malware family is the operating system(s) that the malware can be used against.

[Chart: Operating System Effectiveness of Newly Tracked Malware Families, 2022 (Percent of Effectiveness; effective on the specific operating system only vs. effective on multiple operating systems). Windows 92% (85% Windows-only); Linux 12%; macOS, Unix, BSD, VMkernel, iOS and Android each at 5% or less.]
[Chart: Operating System Effectiveness of Observed Malware Families, 2022 (Percent of Effectiveness). Windows 93% (83% Windows-only); Linux 15%; macOS, Unix, BSD and VMkernel each at 6% or less.]

Threat Techniques

Mandiant continues to support the
community by mapping its findings to the MITRE ATT&CK framework. Organizations should prioritize which security measures to implement based on the likelihood of a specific technique being used during an intrusion. Mandiant has mapped an additional 150 Mandiant techniques to the updated MITRE ATT&CK framework, bringing the total to 2300+ Mandiant techniques and subsequent findings associated with the ATT&CK framework. In 2022, the MITRE ATT&CK Framework was updated to version 12, resulting in ATT&CK for Enterprise now containing 193 techniques and 401 sub-techniques.

Mandiant provides metrics around the most observed techniques used by observed adversaries as a resource to organizations as they make decisions on how to further improve their detection capabilities. Prioritizing the detection of the most leveraged techniques can help organizations build a solid foundation on the way to creating a stronger security ecosystem. Mandiant observed 73% of MITRE ATT&CK techniques in investigations in 2022, compared to 70% of techniques during the last M-Trends reporting period. In 2022, 71% of the techniques observed (17% of all techniques) were seen in more than 5% of intrusions, compared to 43% of techniques observed (30% of all techniques) in 2021. This convergence in the techniques commonly used by adversaries underscores the defensive value of prioritizing implementation of security measures to protect against the most commonly used techniques. Only a small number of techniques had high prevalence, with just 4.3% of observed techniques (1% of all techniques) seen in over 30% of intrusions. Notably, the highest-frequency techniques remain consistent with what Mandiant observed in 2021, indicating enduring defender value from efforts to detect and mitigate their use.

MITRE ATT&CK is a globally accessible knowledge
base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government and the cyber security product and service community.

[Chart: MITRE ATT&CK Techniques Used Most Frequently, 2022. Observed in Mandiant Investigations 73%; Seen in More Than 5% of Intrusions 17%.]

In half of the investigations conducted by Mandiant in 2022, adversaries leveraged a command or scripting interpreter to further intrusions (T1059), with 65% of those cases (one third of all intrusions) involving the use of PowerShell (T1059.001). Mandiant also continues to observe frequent use of web protocols (T1071.001) and Remote Desktop (T1021.001) across intrusions, indicating that adversaries continue to depend heavily on the organization's existing technologies in their operations. These sub-techniques have been in the top five for the past three years. However, this could indicate that detection for these techniques has continued to improve and other evidence sources have been prioritized to capture evidence of additional techniques.

Top 10 Most Frequently Seen Techniques
1. T1059: Command and Scripting Interpreter 50.9%
2. T1027: Obfuscated Files or Information 43.5%
3. T1071: Application Layer Protocol 33.1%
4. T1082: System Information Discovery 31.6%
5. T1070: Indicator Removal 31.5%
6. T1083: File and Directory Discovery 29.5%
7. T1140: Deobfuscate/Decode Files or Information 27.3%
8. T1021: Remote Services 26.4%
9. T1105: Ingress Tool Transfer 24.9%
10. T1543: Create or Modify System Process 24.7%

Top 5 Most Frequently Seen Sub-Techniques
1. T1059.001: PowerShell 33.2%
2. T1070.004: File Deletion 25.2%
3. T1071.001: Web Protocols 24.3%
4. T1569.002: Service Execution 21.8%
5. T1021.001: Remote Desktop Protocol 20.3%
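To make the prioritization argument concrete, the following is an added example (not code from the report or from Mandiant) that parses the Top 10 / Top 5 figures above, nests sub-techniques under their parent technique, computes the prevalence buckets the report describes, and lists the prevalent techniques for which a (hypothetical, constructed) detection inventory still has no coverage. The technique lines are re-typed from the lists above; the covered-technique set and all helper names are assumptions for illustration.

```python
"""Turn ATT&CK technique prevalence figures into a detection-priority backlog.

Added example, not part of the M-Trends report: percentages are re-typed from
the Top 10 technique / Top 5 sub-technique lists in this section; the
covered-technique set and helper names are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed input in the "<id>:<name> <percent of intrusions>%" layout the
# report uses for its most frequently seen techniques (2022 figures).
REPORT_TOP_TECHNIQUES = """
T1059:Command and Scripting Interpreter 50.9%
T1027:Obfuscated Files or Information 43.5%
T1071:Application Layer Protocol 33.1%
T1082:System Information Discovery 31.6%
T1070:Indicator Removal 31.5%
T1083:File and Directory Discovery 29.5%
T1140:Deobfuscate/Decode Files or Information 27.3%
T1021:Remote Services 26.4%
T1105:Ingress Tool Transfer 24.9%
T1543:Create or Modify System Process 24.7%
T1059.001:PowerShell 33.2%
T1070.004:File Deletion 25.2%
T1071.001:Web Protocols 24.3%
T1569.002:Service Execution 21.8%
T1021.001:Remote Desktop Protocol 20.3%
"""

_LINE = re.compile(r"^(T\d{4}(?:\.\d{3})?):\s*(.+?)\s*(\d+(?:\.\d+)?)%$")


@dataclass
class Technique:
    tid: str
    name: str
    pct: float  # percent of 2022 intrusions in which the technique was seen
    subs: list = field(default_factory=list)

    @property
    def parent_id(self):
        return self.tid.split(".")[0]

    @property
    def is_sub(self):
        return "." in self.tid


def parse_prevalence(text):
    """Parse 'Txxxx[.yyy]:Name NN.N%' lines; result sorted by prevalence, descending."""
    found = []
    for raw in text.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        found.append(Technique(m.group(1), m.group(2), float(m.group(3))))
    return sorted(found, key=lambda t: t.pct, reverse=True)


def attach_subtechniques(techniques):
    """Nest sub-techniques under their parents: ({parent_id: Technique}, orphans)."""
    # A sub-technique whose parent is not listed (T1569.002 here, since T1569
    # is outside the top 10) is returned as an orphan rather than guessed at.
    parents = {t.tid: t for t in techniques if not t.is_sub}
    orphans = []
    for t in techniques:
        if t.is_sub and t.parent_id in parents:
            parents[t.parent_id].subs.append(t)
        elif t.is_sub:
            orphans.append(t)
    return parents, orphans


def share_within_parent(parents, sub_id):
    """Fraction of the parent's intrusions involving this sub-technique: PowerShell
    (33.2%) within T1059 (50.9%) gives ~0.65, the "65% of those cases" quoted above."""
    parent = parents[sub_id.split(".")[0]]
    sub = next(s for s in parent.subs if s.tid == sub_id)
    return sub.pct / parent.pct


def prevalence_buckets(techniques, thresholds=(30.0, 5.0)):
    """Number of parent techniques seen in more than each threshold percent of intrusions."""
    parents = [t for t in techniques if not t.is_sub]
    return {thr: sum(1 for t in parents if t.pct > thr) for thr in thresholds}


def uncovered(techniques, covered):
    """Parent techniques with no detection yet, most prevalent first: the backlog."""
    return [(t.tid, t.name, t.pct)
            for t in techniques if not t.is_sub and t.tid not in covered]


if __name__ == "__main__":
    techs = parse_prevalence(REPORT_TOP_TECHNIQUES)
    print("prevalence buckets:", prevalence_buckets(techs))
    for row in uncovered(techs, {"T1059", "T1027"}):  # constructed placeholder coverage
        print(row)
```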
MITRE ATT&CK Techniques Related to Mandiant Targeted Attack Lifecycle, 2022

Mandiant's Targeted Attack Lifecycle is the predictable sequence of events cyber attackers use to carry out their attacks. For more information: https:/

Initial Compromise (Initial Access)
T1190: Exploit Public-Facing Application 21.2%
T1566: Phishing 16.5%
  T1566.001: Spearphishing Attachment 8.2%
  T1566.002: Spearphishing Link 3.7%
  T1566.003: Spearphishing via Service 0.2%
T1133: External Remote Services 12.6%
T1078: Valid Accounts 9.3%
T1189: Drive-by Compromise 4.6%
T1199: Trusted Relationship 2.4%
T1091: Replication Through Removable Media 1.5%
T1200: Hardware Additions 0.4%
T1195: Supply Chain Compromise 0.2%
  T1195.002: Compromise Software Supply Chain 0.2%

Initial Reconnaissance (Reconnaissance)
T1595: Active Scanning 1.3%
  T1595.002: Vulnerability Scanning 0.5%
  T1595.001: Scanning IP Blocks 0.5%
  T1595.003: Wordlist Scanning 0.2%

Initial Reconnaissance (Resource Development)
T1608: Stage Capabilities 8.8%
  T1608.003: Install Digital Certificate 6.0%
  T1608.005: Link Target 2.7%
  T1608.002: Upload Tool 0.5%
  T1608.004: Drive-by Target 0.2%
  T1608.001: Upload Malware 0.2%
T1583: Acquire Infrastructure 7.5%
  T1583.003: Virtual Private Server 7.5%
T1584: Compromise Infrastructure 3.5%
T1587: Develop Capabilities 2.6%
  T1587.003: Digital Certificates 1.3%
  T1587.002: Code Signing Certificates 1.3%
T1588: Obtain Capabilities 2.2%
  T1588.003: Code Signing Certificates 1.6%
  T1588.004: Digital Certificates 0.5%
T1585: Establish Accounts 0.2%
  T1585.002: Email
Accounts 0.2%

Establish Foothold (Persistence)
T1543: Create or Modify System Process 24.9%
  T1543.003: Windows Service 13.6%
  T1543.002: Systemd Service 0.9%
T1053: Scheduled Task/Job 18.3%
  T1053.005: Scheduled Task 12.8%
  T1053.003: Cron 0.9%
T1098: Account Manipulation 14.1%
  T1098.005: Device Registration 1.5%
  T1098.004: SSH Authorized Keys 1.1%
  T1098.001: Additional Cloud Credentials 0.7%
  T1098.002: Additional Email Delegate Permissions 0.5%
T1133: External Remote Services 12.6%
T1505: Server Software Component 11.9%
  T1505.003: Web Shell 11.7%
  T1505.004: IIS Components 0.2%
T1547: Boot or Logon Autostart Execution 10.8%
  T1547.009: Shortcut Modification 3.1%
  T1547.004: Winlogon Helper DLL 0.7%
T1136: Create Account 9.2%
  T1136.001: Local Account 3.8%
  T1136.003: Cloud Account 0.7%
  T1136.002: Domain Account 0.7%
T1574: Hijack Execution Flow 8.2%
  T1574.001: Registry Run Keys/Startup Folder 7.7%
  T1574.011: Services Registry Permissions Weakness 6.0%
  T1574.002: DLL Side-Loading 1.8%
  T1574.008: Path Interception by Search Order Hijacking 0.9%
  T1574.010: Services File Permissions Weakness 0.2%
  T1574.005: Executable Installer File Permissions Weakness 0.2%
  T1574.001: DLL Search Order Hijacking 0.2%
T1546: Event Triggered Execution 4.8%
  T1546.003: Windows Management Instrumentation Event Subscription 2.4%
  T1546.008: Accessibility Features 1.3%
  T1546.012: Image File Execution Options Injection 0.4%
  T1546.002: Screensaver 0.4%
  T1546.010: AppInit DLLs 0.4%
  T1546.004: Unix Shell Configuration Modification 0.4%
  T1546.007: Netsh Helper DLL 0.2%
  T1546.001: Change Default File Association 0.2%
T1037: Boot or Logon Initialization Scripts 1.1%
  T1037.001: Logon Scripts (Windows) 0.4%
  T1037.004: RC Scripts 0.2%
T1542: Pre-OS Boot 0.2%
  T1542.002: Component Firmware 0.2%
T1176: Browser Extensions 0.2%
T1137: Office Application Startup 0.2%
  T1137.006: Add-ins 0.2%
Escalate Privileges (Privilege Escalation)
T1543: Create or Modify System Process 24.9%
  T1543.003: Windows Service 13.6%
  T1543.002: Systemd Service 0.9%
T1055: Process Injection 23.1%
  T1055.003: Thread Execution Hijacking 1.5%
  T1055.001: Dynamic-link Library Injection 0.7%
  T1055.002: Portable Executable Injection 0.5%
  T1055.004: Asynchronous Procedure Call 0.5%
  T1055.012: Process Hollowing 0.5%
T1134: Access Token Manipulation 16.3%
  T1134.001: Token Impersonation/Theft 8.1%
  T1134.004: Parent PID Spoofing 0.4%
  T1134.002: Create Process with Token 0.4%
T1547: Boot or Logon Autostart Execution 10.8%
  T1547.001: Registry Run Keys/Startup Folder 7.7%
  T1547.009: Shortcut Modification 3.1%
  T1547.004: Winlogon Helper DLL 0.7%
T1078: Valid Accounts 9.3%
T1574: Hijack Execution Flow 8.2%
  T1574.011: Services Registry Permissions Weakness 6.0%
  T1574.002: DLL Side-Loading 1.8%
  T1574.008: Path Interception by Search Order Hijacking 0.9%
  T1574.010: Services File Permissions Weakness 0.2%
  T1574.005: Executable Installer File Permissions Weakness 0.2%
  T1574.001: DLL Search Order Hijacking 0.2%
T1546: Event Triggered Execution 4.8%
  T1546.003: Windows Management Instrumentation Event Subscription 2.4%
  T1546.008: Accessibility Features 1.3%
  T1546.012: Image File Execution Options Injection 0.4%
  T1546.002: Screensaver 0.4%
  T1546.010: AppInit DLLs 0.4%
  T1546.004: Unix Shell Configuration Modification 0.4%
  T1546.007: Netsh Helper DLL 0.2%
  T1546.001: Change Default File Association 0.2%
T1548: Abuse Elevation Control Mechanism 2.7%
  T1548.002: Bypass User Account Control 1.8%
  T1548.003: Sudo and Sudo Caching 0.5%
  T1548.001: Setuid and Setgid 0.4%
T1484: Domain Policy Modification 2.0%
  T1484.001: Group Policy Modification 2.0%
T1037: Boot or Logon Initialization Scripts 1.1%
  T1037.001: Logon Scripts (Windows) 0.4%
  T1037.004: RC Scripts 0.2%
T1086: Exploitation for Privilege Escalation 0.2%

Internal Reconnaissance (Discovery)
T1082: System Information Discovery 31.3%
T1083: File and Directory Discovery 29.3%
T1033: System Owner/User Discovery 22.5%
T1012: Query Registry 22.3%
T1622: Debugger Evasion 21.1%
T1057: Process Discovery 20.7%
T1087: Account Discovery 18.3%
  T1087.002: Domain Account 5.5%
  T1087.002: Local Account 5.1%
  T1087.004: Cloud Account 0.9%
  T1087.003: Email Account 0.4%
T1016: System Network Configuration Discovery 15.8%
  T1016.001: Internet Connection Discovery 1.1%
T1518: Software Discovery 15.4%
T1497: Virtualization/Sandbox Eva
221、overy20.7%T1087:Account Discovery18.3%T1087.002:Domain Account5.5%T1087.002:Local Account5.1%T1087.004:Cloud Account0.9%T1087.003:Email Account0.4%T1016:System Network Configuration Discovery15.8%T1016.001:Internet Connection Discovery1.1%T1518:Software Discovery15.4%T1497:Virtualization/Sandbox Eva
222、sion13.7%T1497.001:System Checks10.1%T1497.003:Time Based Evasion0.2%T1007:System Service Discovery10.4%T1135:Network Share Discovery9.7%T1069:Permission Groups Discovery9.3%T1069.002:Domain Groups6.0%T1069.001:Local Groups1.8%T1069.003:Cloud Groups0.9%T1010:Application Window Discovery8.4%T1049:Sys
223、tem Network Connections Discovery8.2%T1482:Domain Trust Discovery6.8%T1614:System Location Discovery5.9%T1614.001:System Language Discovery5.7%T1046:Network Service Discovery2.7%T1580:Cloud Infrastructure Discovery1.5%T1018:Remote System Discovery1.3%T1538:Cloud Service Dashboard0.9%T1615:Group Poli
224、cy Discovery0.9%T1040:Network Sniffing0.5%T1201:Password Policy Discovery0.4%T1124:System Time Discovery0.4%T1120:Peripheral Device Discovery 0.2%47S P E C I A L R E P O R T|M A N D I A N T M-T R E N D S 2 0 2 3Lateral MovementLateral MovementT1021:Remote Services26.4%T1021.001:Remote Desktop Protoc
225、ol20.3%T1021.002:SMB/Windows Admin Shares6.6%T1021.004:SSH6.4%T1021.005:VNC1.3%T1021.006:Windows Remote Management0.2%T1091:Replication Through Removable Media1.5%T1570:Lateral Tool Transfer1.5%T1550.002:Pass the Hash0.5%T1550.001:Application Access Token0.2%T1550.003:Pass the Ticket0.2%T1550:Use Al
226、ternate Authentication Material1.1%T1550.002:Pass the Hash0.7%T1550.001:Application Access Token0.4%T1534:Internal Spearphishing0.9%T1563:Remote Service Session Hijacking0.2%4 8S P E C I A L R E P O R T|M A N D I A N T M-T R E N D S 2 0 2 3Maintain PresencePersistenceT1543:Create or Modify System Pr
227、ocess24.9%T1543.003:Windows Service13.6%T1543.002:Systemd Service0.9%T1053:Schedule Task/Job18.3%T1053.005:Scheduled Task12.8%T1053.003:Cron0.9%T1098:Account Manipulation14.1%T1098.005:Device Registration1.5%T1098.004:SSH Authorized Keys1.1%T1098.001:Additional Cloud Credentials0.7%T1098.002:Additio
228、nal Email Delegate Permissions0.5%T1133:External Remote Services12.6%T1505:Server Software Component 11.9%T1505.003:Web Shell11.7%T1505.004:IIS Components0.2%T1547:Boot or Logon Autostart Execution10.8%T1547.001:Registry Run Keys/Startup Folder7.7%T1547.009:Shortcut Modification3.1%T1547.004:Winlogo
229、n Helper DLL0.7%T1136:Create Account9.2%T1136.001:Local Account3.8%T1136.003:Cloud Account0.7%T1136.002:Domain Account0.7%T1574:Hijack Execution Flow8.2%T1574.011:Services Registry Permissions Weakness6.0%T1574.002:DLL Side-Loading1.8%T1574.008:Path Interception by Search Order Hijacking0.9%T1574.01
230、0:Services File Permissions Weaknes0.2%T1574.005:Executable Installer File Permissions Weakness0.2%T1574.001:DLL Search Order Hijacking0.2%T1546:Event Triggered Execution4.8%T1546.003:Windows Management Instrumentation Event Subscription2.4%T1546.008:Accessibility Features1.3%T1546.012:Image File Ex
231、ecution Options Injection0.4%T1546.002:Screensaver0.4%T1546.010:AppInit DLLs0.4%T1546.004:Unix Shell Configuration Modification0.4%T1546.007:Netsh Helper DLL0.2%T1546.001:Change Default File Association0.2%T1037:Boot or Logon Initialization Scripts1.1%T1037.001:Logon Scrips(Windows)0.4%T1037.004:RC
232、Scripts0.2%T1542:Pre-OS Boot0.2%T1542.002:Component Firmware0.2%T1176:Browser Extensions0.2%T1137:Office Application Startup0.2%T1137.006:Add-ins0.2%4 9S P E C I A L R E P O R T|M A N D I A N T M-T R E N D S 2 0 2 3Mission CompletionCollectionT1560:Archive Collected Data17.2%T1560.001:Archive via Ut
233、ility7.3%T1560.002:Archive via Library0.5%T1213:Data from Information Repositories10.4%T1213.002:Sharepoint3.5%T1213.003:Code Repositories 1.6%T1213.001:Confluence0.9%T1056:Input Capture6.8%T1056.001:Keylogging6.6%T1056.003:Web Portal Capture 0.2%T1113:Screen Capture5.1%T1115:Clipboard Data4.9%T1114
234、:Email Collection3.8%T1114.002:Remote Email Collection1.5%T1114.001:Local Email Collection0.5%T1114.003:Email Forwarding Rule0.4%T1074:Data Staged3.8%T1074.001:Local Data Staging3.1%T1074.002:Remote Data Staging0.4%T1039:Data from Network Shared Device2.9%T1005:Data from Local System1.1%T1602:Data f
235、rom Configuration Repository0.7%T1602.002:Network Device Configuration Dump0.7%T1119:Automated Collection0.4%T1530:Data from Cloud Storage0.4%T1125:Video Capture0.2%T1557:Adversary-in-the-Middle0.2%T1557.002:ARP Cache Poisoning0.2%ExfiltrationT1567:Exfiltration Over Web Service4.4%T1567.002:Exfiltra
236、tion to Cloud Storage2.4%T1020:Automated Exfiltration1.3%T1041:Exfiltration Over C2 Channel 0.7%T1030:Data Transfer Size Limits0.2%5 0S P E C I A L R E P O R T|M A N D I A N T M-T R E N D S 2 0 2 3ImpactT1486:Data Encrypted for Impact18.3%T1489:Service Stop13.0%T1529:System Shutdown/Reboot7.5%T1496:
237、Resource Hijacking5.3%T1490:Inhibit System Recovery5.1%T1565:Data Manipulation2.0%T1565.001:Stored Data Manipulation2.0%T1485:Data Destruction1.8%T1561:Disk Wipe0.7%T1561.001:Disk Content Wipe0.4%T1561.002:Disk Structure Wipe0.2%T1531:Account Access Removal0.7%T1491:Defacement0.7%T1491.002:External
238、Defacement0.4%T1498:Network Denial of Service0.4%T1498.001:Direct Network Flood0.4%T1499:Endpoint Denial of Service0.2%T1491.001:Internal Defacement0.2%5 1S P E C I A L R E P O R T|M A N D I A N T M-T R E N D S 2 0 2 3Additional Malware DefinitionsALPHV,aka BlackCat(internet)and Noberus(Symantec),is
ransomware written in Rust. The ransomware may contain a plaintext JSON configuration that specifies its functionality. ALPHV may be able to escalate its privileges and bypass UAC, likely contains AES and ChaCha20 (or Salsa) encryption functionality, may use the Restart Manager as part of its operations, deletes volume shadow copies, may enumerate disk volumes and network shares, and may kill processes and services.

BASTA, aka Basta Ransomware, is ransomware written in C++ that encrypts local files. The malware uses .basta as the extension for encrypted files.

DRAGONJUICE is a comprehensive, modular, cross-platform, customizable scanning tool based on the Ladon project.

LOCKBIT is ransomware written in C that encrypts files stored locally and on network shares. LOCKBIT can also identify additional systems on a network and propagate via SMB. Prior to encrypting files, LOCKBIT clears event logs, deletes volume shadow copies, and terminates processes and services that may impact its ability to encrypt files. LOCKBIT has been observed using the file extension .lockbit for encrypted files.

ROYALLOCKER is privately managed, Windows-based ransomware capable of encrypting local files, disabling running processes and deleting shadow copies. The ransomware is also capable of encrypting VMDK disk formats.

SODINOKIBI, aka REvil (internet), Sodin (internet), and Trickgate (Check Point), is ransomware written in C that encrypts files stored locally and on network shares. It can delete files from specified directories, backup files, and volume shadow copies. SODINOKIBI may be configured to send basic system information to a remote server via HTTP; that information includes the current username, hostname, domain name, and locale.

TANKTRAP is a utility written in PowerShell that uses Windows group policy to spread and launch a wiper. TANKTRAP has been observed being used with NEARMISS, SDELETE, PARTYTICKET, and CADDYWIPER.

The Invasion of Ukraine: Cyber Operations During Wartime

Russia began amassing troops along its border with Ukraine in the fall
of 2021, prompting warnings from U.S. and European officials of the threat of a Russian invasion. Mandiant identified extensive cyber espionage, disruptive and destructive cyber attacks, and information operations leading up to and since Russia's invasion of Ukraine on February 24, 2022. The Kremlin's escalating attempts to bring Ukraine into the Russian sphere of influence culminated with Russia's invasion and created unprecedented circumstances for cyber threat activity. The invasion of Ukraine represents one of the first instances in which a major cyber power has conducted disruptive attacks, espionage, and information operations concurrently with widespread kinetic military operations. Mandiant has never observed threat actor activity that matches the volume of attacks, variety of threat actors, and coordination of effort seen during the first months following the Russian invasion. The invasion has also caused temporary disruption to the Russian-speaking cybercrime ecosystem, in some cases splitting criminal groups along political lines, and it has seemingly triggered the biggest revival in international hacktivism since 2015. The evolution of Russian cyber operations during the conflict
can be loosely mapped to five main phases:

  1. Strategic Cyber Espionage and Pre-Positioning (prior to February 2022)
  2. Initial Destructive Cyber Operations and Military Invasion (February 2022 to April 2022)
  3. Sustained Targeting and Attacks (May 2022 to July 2022)
  4. Maintaining Footholds for Strategic Advantage (August 2022 to September 2022)
  5. Renewed Campaign of Disruptive Attacks (October 2022 to December 2022)

Mandiant also observed Chinese, Belarusian, and Iranian threat groups targeting Ukraine in each of these phases. We believe that the intrusions by Chinese and Iranian groups were aimed at gathering intelligence for their governments, while the Belarusian group both collected intelligence and used the intrusions to enable information operations.

Across all phases of the invasion, Mandiant has supported dozens of organizations in Ukraine with incident response, remediation, intelligence, managed services, cyber defense, and general advisory, and we continue to respond to incidents across Ukraine in 2023. While Mandiant conducted engagements across nearly every sector of Ukrainian industry, our investigations overwhelmingly supported Ukrainian national government organizations. Mandiant also identified related information operations conducted throughout each of these phases, including those leveraging traditional cyber threat activity.

[Figure 1. Phases of Russian Cyber Operations in Ukraine observed in 2022. The figure is a timeline, not reproduced here, that plots the five phases against target industries (Government, Telecom, Financial, Media, Energy) and the malware families observed in each: Phase 1, Strategic Cyber Espionage and Pre-positioning (2019 to Jan 22); Phase 2, Initial Destructive Cyber Operations and Military Invasion (Feb to April 22); Phase 3, Sustained Targeting and Attacks (May to July 22); Phase 4, Renewed Espionage Targeting (Aug to Sept 22); Phase 5, Renewed Campaign of Disruptive Attacks (Oct to Dec 22). Families named in the figure: SHADYLOOK, PAYWIPE, PARTYTICKET, NEARMISS, NEARTWIST, SDELETE, SKYFALL, INDUSTROYER.V2, CADDYWIPER, SOLOSHRED, AWFULSHRED, JUNKMAIL, DHARMA, PRESSTEA and RANSOMBOGGS (the last marked "as reported by ESET").]

Strategic Cyber Espionage and Pre-Positioning Prior to Invasion

Intrusion Activity

Mandiant observed multiple threat groups conducting intrusion campaigns in the timeframe leading up to the invasion. Most notably, we observed activity by UNC2589 and APT28 prior to the invasion of Ukraine.

UNC2589

UNC2589, which Mandiant suspects operates on behalf of Russian government interests, conducted extensive espionage collection in Ukraine, particularly in late 2021 and early 2022 preceding the Russian invasion. Notably, we assess that UNC2589 conducted the January 14, 2022, disruptive attacks on Ukrainian entities with PAYWIPE (aka WHISPERGATE). This may have been a preliminary but premature strike of the kind that Russian military doctrine characterizes as preparing the information sphere for armed conflict, in an attempt to shake Ukrainians' trust in their government and fracture support for a strong defense against Russian aggression. Additional UNC2589 operations in January and February 2022 targeted Ukrainian critical infrastructure in support of that aim as well; distributed denial-of-service (DDoS) attacks were also conducted against financial institutions.

APT28 and Other GRU Clusters

Mandiant identified multiple instances where clusters related to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) relied on opportunistic access from historical
compromises for current, persistent access once the war began. In late February 2022, APT28, a threat group sponsored by the GRU, reactivated a dormant 2019 EMPIRE infection to move laterally within the environment and used the SDELETE utility to delete files and directories from the infected systems. In another case, APT28 targeted VPNs to gain access and deploy the FREETOW dropper to multiple victims in April 2021. In at least one case, upon gaining a foothold, the attacker lay dormant until conducting a series of wiper attacks in February and March 2022, during Phase II of the war. APT28 has been the most active Russian cluster of activity in Ukraine since the war began and has prioritized disruptive cyber attacks over espionage operations in Ukraine.

Initial Destructive Cyber Operations and Military Invasion (February 2022 to April 2022)

Mandiant observed more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years. Ukrainian organizations were impacted by threat actors using six unique wipers during the first few phases of the war. These destructive cyber attacks were timed to coincide with, and likely support, Russia's invasion of Ukraine on February 24, 2022, and did not target organizations directly related to or supporting the war effort. While the destructive cyber attacks did initially achieve significant widespread disruption in some Ukrainian networks, they were likely not as impactful as previous Russian cyber attacks targeting Ukraine. In comparison, Russia had launched successful cyber attacks targeting power grid disruptions in 2015 and 2016 that interrupted power for hundreds of thousands of Ukrainians for hours, and the 2017 NOTPETYA attacks disrupted operations throughout Ukraine and beyond.

APT28 Wiper Attacks and GRU Living on the Edge

Mandiant observed APT28 targeting multiple Ukrainian entities with disruptive and espionage operations similar to the efforts undertaken at the outset of war. APT28's wartime operations have deviated from historical APT28 activity. The group has demonstrated a preference for compromising edge infrastructure to conduct a variety of operations, a technique we call "Living on the Edge." APT28 has also used a variety of disruptive and espionage malware over a short period of time, and leveraged several recently published exploits during wartime, including Follina, the PROXYSHELL exploitation chain, and several Exchange vulnerabilities.

"Living on the Edge" has become a key part of GRU operations during wartime. Since the outset of the war in Ukraine, the GRU has attempted to conduct successive and almost constant campaigns of cyber espionage and disruption against key services and organizations within Ukraine. This balance of access to and action against targeted organizations relies on the compromise of edge infrastructure such as routers and other internet-connected devices. Where destructive actions necessitate the loss of direct access to endpoints, compromised edge devices allow for continued re-entry to the network. Compromise of these routers can also be harder for defenders to detect, as most EDR technologies do not cover these types of devices.
Renewed Russian Interest in Industrial Control Systems Capabilities

Between February and April 2022, the software company ESET reported on a suspected Russian threat actor targeting a Ukrainian electric utility in an operation that resulted in the deployment of multiple wiper malware families. The attack also involved a variant of the Industrial Control Systems (ICS)-oriented disruption framework INDUSTROYER.V2, a previous version of which had been leveraged during a similar attack in December 2016 to cause power outages in Ukraine. While it is unclear whether this operation was effective in its impact on the utility's electric transmission and distribution operations, the event reinforced the notion that Russia has a reusable capability to affect electric energy systems.

Reemergence of Hacktivist Personas and Cyber-Enabled Information Operations

Mandiant observed a significant increase in hacktivism after the invasion of Ukraine, including activity emanating from Russian-backed groups. The Russian intelligence services have an extensive history of using false hacktivist personas to support information operations, along with disruptive and destructive cyber activity. In particular, Mandiant has focused on analyzing a set of self-proclaimed hacktivist groups (XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn), all of which likely at least coordinate their operations with GRU-sponsored APT28. Mandiant has directly observed the deployment of wipers used by APT28 on the networks of multiple Ukrainian organizations and, within 24 hours, the subsequent leaks on Telegram, by threat actors claiming to be hacktivists, of data likely originating from those entities. We identified at least 16 data leaks from these groups, four of which coincided with wiping attacks by APT28. On the Telegram channels, the threat actors claimed to have targeted victims with traditional hacktivist activity such as DDoS attacks, website defacements, and hack-and-leak operations. Such activity serves two possible influence objectives that benefit Russia in the invasion of Ukraine: the groups promote Russian interests abroad through their threat activity, and through their claims to be patriotic volunteers they promote to domestic audiences the idea of average Russians supporting the government. Both efforts have been amplified by the Russian media, on social media platforms, and elsewhere online. During this phase Mandiant also observed an increase in hacktivist activity by the KillNet collective. KillNet claimed activity against Poland, Lithuania, and other NATO countries, which seemed to align with priorities of the Russian government. However, Mandiant has not yet uncovered direct evidence linking KillNet to Russian intelligence.

Use of Physical Access to Enable Cyber Operations

During an investigation into activity targeting a Ukrainian government organization's network, Mandiant uncovered evidence that the compromise occurred after Russian military units physically accessed the network in early 2022. The actor, which Mandiant tracks as UNC3762, used this physical access to conduct network reconnaissance, harvest credentials, and move laterally using remote desktop and web shells. UNC3762 also exploited the PROXYSHELL vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), deployed THRESHGO malware, and stole data from the environment.

Sustained Targeting and Attacks (May 2022 to July 2022)

After the initial waves of destructive attacks, the pace and variety of cyber operations targeting Ukraine shifted. Mandiant observed continued attempts to deploy wiper malware, but these attacks appeared less coordinated than the initial wave in February 2022. These attacks often occurred more quickly after the attacker gained or re-gained access, often via compromised edge infrastructure. In many instances, Ukrainian defenders were able to identify and mitigate attempted attacks before any disruption occurred. Mandiant also saw attempts at access and collection operations between waves of disruptive activity, demonstrating Russia's requirement for continued access to previously wiped entities.

Continued Intrusions and Operational Tempo

Throughout this phase of the war, Russian cyber actors continued to attempt either to re-gain access to multiple victim environments via compromised edge infrastructure or to maintain persistence on networks despite ongoing mitigation, often via GRE tunnels. This pattern was demonstrative of cyclical collection and disruptive operations undertaken by Russia-aligned threat actors. GRU clusters maintained their high operational tempo by adopting newly published exploits while also working to standardize their destructive operations. Between waves of disruptive activity, one phishing campaign leveraging a compromised legitimate mail server attempted to exploit the Follina vulnerability to enable APT28 access and collection operations using the EARLYBLOOM and DARKCRYSTALRAT backdoors. The GRU also shifted away from using multiple different wipers to relying heavily on CADDYWIPER and variants thereof to wipe organizations in quick-turnaround operations. This high operational tempo led to operators making several mistakes. In one instance a threat actor attempted to deploy the PARTYTICKET payload using the arguments for NEARMISS. They were able to adjust and successfully deploy NEARMISS, but the error caused a delay and potentially impaired their effectiveness.

GRU intrusion operations maintained several themes between their operations at the outset of the war and those that occurred during this sustained targeting phase. Overall, the GRU continued to target and leverage edge infrastructure to gain access to strategic targets. Once within an environment, GRU clusters leveraged IMPACKET and publicly available backdoors to maintain a foothold. Mandiant also observed another GRU cluster, UNC3810, demonstrate proficiency at targeting and operating on Linux systems. UNC3810 has largely leveraged proxying tooling such as GoGetter and Chisel to maintain access and move laterally within target environments.

Maintaining Footholds for Strategic Advantage (August 2022 to September 2022)

Through the end of the previous phase, we had not observed any direct evidence of activity
associated with the suspected FSB cyber threat actors Turla or TEMP.Isotope. However, between August and September, GRU clusters stepped away from disruptive activity targeting Ukraine and clusters associated with the FSB (Russia's Federal Security Service) began to emerge. While one GRU-associated cluster, UNC3810, remained active in an espionage capacity, Mandiant observed activity from the Russia-nexus threat group TEMP.Armageddon targeting four distinct government entities in Ukraine. Though we primarily observed GRU clusters at the helm of cyber operations against Ukraine since the inception of the war, TEMP.Armageddon (a Russia-nexus threat actor that collects information on Ukrainian national security and law enforcement entities in support of Russia's national interest, focusing exclusively on Ukrainian targets) has targeted Ukrainian and other European organizations throughout, with evolving tooling and techniques. The breadth of operations observed from TEMP.Armageddon is consistent with the prolific campaigns the group undertook in years past. In addition to TEMP.Armageddon's targeting of Ukrainian government entities, Mandiant identified suspected Turla activity in August and September. Turla is a Russia-based cyber espionage actor active since 2006 that is known to target diplomatic, government, and defense entities. Mandiant identified a compromise at a Ukrainian government agency, dating back to late 2021, that aligns with Turla's tactics, techniques and procedures.

Renewed Tempo of Disruptive Attacks (October 2022 to December 2022)

The most recent phase of operations was characterized by a resurgence in disruptive cyber attacks in Ukraine. Though some of the attacks appeared similar to disruptive attacks seen in previous phases, this new wave of disruptive attacks appeared to deviate from the historical norm. Earlier attempts relied on quick-turnaround operations using CADDYWIPER variants, but the attacks undertaken in October to December saw GRU clusters deploying ransomware variants on targeted networks. This shift is consistent with Microsoft's reporting on the Prestige (PRESSTEA) ransomware deployment by IRIDIUM in Poland. Though the cycle of access and action appears to have continued during this phase, the GRU's shift to using ransomware may be a sign that they are undergoing tooling shifts and don't have the resources to rely on writing or modifying custom malware. During this phase, Mandiant also observed GRU disruptive operations against the Ukrainian energy sector that coincided with the broader Russian kinetic campaign targeting Ukrainian energy infrastructure. While it is possible that cyber operations are supporting the kinetic campaign, we do not have sufficient insight to confirm it.

Information Operations Surrounding Russia's Invasion of Ukraine

Russia's war against Ukraine has generated a disproportionate amount of disinformation on the topic. Mandiant observed disinformation campaigns ranging from cyber-enabled information operations to campaigns leveraging coordinated and inauthentic networks of accounts to promote fabricated content across online media. Mandiant has identified multiple Russia-aligned information operations linked to known actors promoting narratives related to the conflict, including the Belarus-linked Ghostwriter campaign, the Secondary Infektion campaign, and activity reportedly linked to individuals affiliated with Russia's Internet Research Agency. Russia's disinformation campaigns appear to serve the dual purposes of tactically responding to or shaping events on the ground, and strategically influencing the shifting geopolitical landscape. The narratives being promoted seek to demoralize Ukrainians and foment internal unrest, isolate Ukraine from its allies, and bolster positive perceptions of Russia. While much of the disinformation activity has targeted audiences in Ukraine and Europe, Mandiant has identified information operations promoting messaging aimed at Russian domestic audiences, further underscoring Russia's need to sell the war to its own people. Mandiant anticipates that such operations, including those involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses.

Meanwhile, Mandiant has also observed pro-PRC and pro-Iran campaigns leveraging the Russian invasion opportunistically to further long-held strategic objectives. Though some of these operations have promoted narratives that appear to be aligned with Russian interests, they also demonstrate how events of global significance have the power to attract third-party actors. Mandiant expects this dynamic to continue and is actively monitoring for expansions in the scope of information operations activity surrounding the conflict.

Takeaways

Russia's invasion of Ukraine has demonstrated the potential overlap of cyber operations and kinetic warfare as a new de facto standard. The war has consumed almost every aspect of Russia's international relationships and has evolved into nearly the sole driver of cyber threat activity from Russia in 2022. While Russian threat actors are responsible for the vast majority of the espionage campaigns and all of the disruptive or destructive operations that Mandiant has investigated, Chinese and Iranian state-sponsored groups have also been active in the region, highlighting how states will use cyber to gain information on intelligence priorities.

The tactical and strategic choices by Russian actors demonstrate both the versatility of cyber operations and their tradeoffs. Russia's use of a pre-existing compromise to conduct a wiper operation shows how an intrusion that was started for espionage purposes can be used for an attack if the geopolitical situation changes, and demonstrates the imperative for defenders to identify and fully remediate intrusions. The tactical choice by Russian actors to focus on edge devices also allowed flexibility and enabled the actors to potentially continue to collect information following a disruptive event. These devices are difficult for defenders to monitor, but they should be promptly patched, and any suspicious traffic originating from them should be thoroughly investigated.

Any armed conflict brings with it the possibility of disruptive actions aimed at populations and governments. Governments and private sector organizations both play an important role in the functioning of a country. Preparations to defend against and recover from these types of attacks should be standard, as even countries not directly impacted by hostilities may be targeted if they are perceived to be supporting one of the sides.
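The Ukraine section returns three times to the same defensive point: GRU clusters re-enter networks through compromised edge devices ("Living on the Edge"), keep persistence through GRE tunnels during the sustained-targeting phase, and those devices sit outside EDR coverage, so the takeaway is to inspect their traffic from the network. As an added example (not code from the report), the Python below parses constructed IPv4 packets, reports GRE (IP protocol 47) sourced from an edge address range, decodes the GRE header (RFC 2784/2890 flag bits, optional key, and the inner IPv4 endpoints) and marks tunnel peers that are not on an allowlist. The edge ranges, the peer allowlist and the packets themselves are assumptions made for the example.

```python
"""Added example (not from the M-Trends report): flag GRE tunnels (IP protocol 47) that
originate on edge devices and decode their inner endpoints. Packets and ranges are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRE_PROTOCOL = 47          # IANA protocol number for GRE
GRE_C_OR_R = 0xC000        # RFC 2784 C bit (or obsolete R bit): checksum/reserved word present
GRE_KEY = 0x2000           # RFC 2890 K bit: 4-byte key present
GRE_SEQ = 0x1000           # RFC 2890 S bit: 4-byte sequence number present
ETHERTYPE_IPV4 = 0x0800


@dataclass
class GreFinding:
    outer_src: str
    outer_dst: str
    gre_protocol: int           # EtherType of the tunnelled payload
    key: Optional[int]
    inner_src: Optional[str]
    inner_dst: Optional[str]
    unexpected_peer: bool       # outer destination not on the tunnel-peer allowlist


def parse_ipv4(buf: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src, dst, protocol, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(buf) < total_len:
        return None
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, buf[ihl:total_len]


def parse_gre(payload: bytes) -> Optional[Tuple[int, Optional[int], bytes]]:
    """Return (protocol_type, key, inner_payload) for a GRE header, or None if truncated."""
    if len(payload) < 4:
        return None
    flags_ver, proto_type = struct.unpack("!HH", payload[:4])
    offset = 4 + (4 if flags_ver & GRE_C_OR_R else 0)
    key = None
    if flags_ver & GRE_KEY:
        if len(payload) < offset + 4:
            return None
        key = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    if flags_ver & GRE_SEQ:
        offset += 4
    return (proto_type, key, payload[offset:]) if len(payload) >= offset else None


def find_gre_tunnels(packets, edge_networks, expected_peers) -> List[GreFinding]:
    """Report GRE packets whose outer source is an edge device; flag peers off the allowlist."""
    edges = [ipaddress.ip_network(n) for n in edge_networks]
    peers = set(expected_peers)
    findings: List[GreFinding] = []
    for pkt in packets:
        outer = parse_ipv4(pkt)
        if outer is None or outer[2] != GRE_PROTOCOL:
            continue
        src, dst, _, payload = outer
        if not any(ipaddress.ip_address(src) in net for net in edges):
            continue
        gre = parse_gre(payload)
        if gre is None:
            continue
        proto_type, key, inner = gre
        inner_src = inner_dst = None
        if proto_type == ETHERTYPE_IPV4:                 # decode the tunnelled IPv4 endpoints
            inner_ip = parse_ipv4(inner)
            if inner_ip is not None:
                inner_src, inner_dst = inner_ip[0], inner_ip[1]
        findings.append(GreFinding(src, dst, proto_type, key, inner_src, inner_dst, dst not in peers))
    return findings


# Constructed sample packets (not captured traffic); checksums are left at zero.
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def build_gre(proto_type: int, payload: bytes, key: Optional[int] = None) -> bytes:
    header = struct.pack("!HH", GRE_KEY if key is not None else 0, proto_type)
    return header + (struct.pack("!I", key) if key is not None else b"") + payload


EDGE_NETWORKS = ["203.0.113.0/24"]        # perimeter routers (assumed)
EXPECTED_PEERS = {"203.0.113.254"}        # the one documented GRE peer (assumed)
SAMPLE_PACKETS = [
    # keyed GRE from the perimeter router to an unknown host, tunnelling DMZ -> internal: flag it
    build_ipv4("203.0.113.1", "198.51.100.7", GRE_PROTOCOL,
               build_gre(ETHERTYPE_IPV4, build_ipv4("10.0.0.5", "10.0.5.20", 6, b"\x00" * 20), key=0x1337)),
    # plain TCP from a workstation: ignored
    build_ipv4("192.0.2.10", "198.51.100.7", 6, b"\x00" * 20),
    # unkeyed GRE from the router to its documented peer: reported but not unexpected
    build_ipv4("203.0.113.1", "203.0.113.254", GRE_PROTOCOL,
               build_gre(ETHERTYPE_IPV4, build_ipv4("10.0.0.5", "10.0.9.9", 17, b"\x00" * 8))),
]
```

Calling find_gre_tunnels(SAMPLE_PACKETS, EDGE_NETWORKS, EXPECTED_PEERS) returns two findings: the keyed tunnel to 198.51.100.7 is marked as an unexpected peer with its inner endpoints decoded, the tunnel to the documented peer is reported but not flagged, and the TCP packet is ignored. On a real network the same check runs over a pcap or flow export from a tap in front of the edge device, which is the only vantage point the report's observation about EDR coverage leaves a defender.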
North Korea's Financial Operations Continue to Evolve

Alongside their traditional intelligence collection missions, in 2022 DPRK operators showed more interest in stealing, and using, crypto, with their activity expanding to new parts of the digital asset ecosystem as the regime looks to mitigate the economic impact of sanctions.

Since at least 2016, threat actors associated with the Democratic People's Republic of Korea (DPRK) have expanded cyber operations beyond traditional espionage collection and disruptive attacks to leverage their capability for financially motivated campaigns and intrusions. Historically, North Korean threat actors have targeted financial entities, investment services, eCommerce, cryptocurrency users and exchanges, and transaction processing organizations throughout the globe. These activities have included compromises of traditional financial entities (most famously targeting the central bank of Bangladesh) and of the burgeoning cryptocurrency and digital asset sector.

In 2022, Mandiant observed North Korean threat actors continuing to evolve their targeting as part of an effort to identify alternative revenue streams and mitigate the impact of sanctions. While these groups appear to continue to take advantage of various financial targets, Mandiant has observed an increasing and evolving focus on the cryptocurrency ecosystem in 2022. Threat actors leveraged creative means through which the North Korean regime and their own operations could be funded. Notably, over the past year Mandiant also observed a shift away from targeting fewer, larger organizations toward targeting a larger number of smaller entities for modest financial gains. Media reports have highlighted how North Korean operators stole approximately $1.7 billion in cryptocurrency in 2022, eclipsing the $428 million stolen in 2021. Additionally, the regime allegedly has $170 million in unlaundered cryptocurrency holdings, which are potentially being stored as reserves. The United Nations (UN) suggests these illicit funds are being used to finance the country's missile programs.

Early Mandiant analysis of North Korean crypto-focused operations highlighted their centering on cryptocurrency exchanges as targets, driven predominantly by TEMP.Hermit and clusters suspected of being linked to APT38. Since then, the number of suspected DPRK groups involved in thefts of cryptocurrency, and the nature of their targets, has continued to expand. North Korean threat actors have targeted interdisciplinary aspects of cryptocurrencies, including Non-Fungible Tokens (NFTs), cross-blockchain connection mechanisms, and even online games. In one broad, months-long cryptocurrency phishing campaign by suspected North Korea-nexus UNC4469, thousands of smart contracts were used to deliver malicious NFTs to over a million unsuspecting users. UNC4469 leveraged malicious mass NFT airdrops to user wallets, phishing pages, and social media pla
326、mes.In one broad,months-long cryptocurrency phishing campaign by suspected North Korea-nexus UNC4469,thousands of smart contracts were used to deliver malicious NFTs to over a million unsuspecting users.UNC4469 leveraged malicious,mass NFT airdrops to user wallets,phishing pages,and social media pla
327、tforms with themes designed to socially engineer the victim into connecting their wallets.Once the wallets were connected,UNC4469 was able to collect and transfer assets,including NFTs,to UNC4469-controlled wallets.Assets stolen from phishing victims were quickly sold,and the funds moved through var
328、ious blockchains to launder the funds and obscure their trail.The automation,duration,and volume of activity spanning multiple blockchains indicates an ongoing sophisticated and mature operation.Alongside NFTs,“bridges”are another part of the cryptocurrency ecosystem that has grown in usage in recen
329、t years.Bridges facilitate movement of assets between different blockchains without the need to use a cryptocurrency exchange.Bridges can accumulate value as they become more widely used,making them attractive targets.This was demonstrated in 2022 with the$100 million compromise of Harmonys Horizon
330、Bridge by actors,which the FBI attributed to North Korea5.Online games with cryptocurrency and blockchains as a central feature have gained popularity with the rise of cryptocurrency,and thus have also gained the interest of North Korean groups.In April 2022 the U.S.Department of the Treasury allege
331、d that North Korea-based threat actors were responsible for a$600 million theft from a digital ledger used by players of the online game Axie Infinity.The U.S.Government managed to seize$30 million in cryptocurrency related to the heist,which it attributed to the Lazarus cybercrime gang.The North Ko
332、rean actor TEMP.Hermit has demonstrated a history of targeting cryptocurrency services,and many of these incidents are publicly attributed to Lazarus.NFTs,Bridges,Ransomware and More:North Korean Cybercrime in 2022 6 7S P E C I A L R E P O R T|M A N D I A N T M-T R E N D S 2 0 2 3Separately,Mandiant
333、 investigated open source reports of multiple suspected DPRK efforts to gain employment at cryptocurrency-focused organizations in April and May 2022.The accounts seem consistent with a May 2022 U.S.government advisory on North Korean IT workers posing as non-North Korean nationals to gain employment in areas where they would have an opportunity to generate revenue for DPRK programs.While the scal