Cybersecurity specialist Comodo has released the Comodo Threat Research Labs’ Global Malware Report 2017. The report can be downloaded here. It shows that the majority of malware spikes correlated with major geopolitical events. The use of such events to launch malware attacks is nothing new. What is different in 2017, is the scale of the attacks.
Hackers, believed to be state sponsored by Russia, took advantage of elections in Germany and France. They attacked candidates, stole and leaked data including emails and contributed to a surge of fake news.
The US Government, which saw the same type of attacks during the 2016 election has continued to suffer from fake news and allied malware attacks. Comodo saw a significant spike in use of the Kryptik trojan on Oct 24. It claims nearly 94% of Trojans that were detected that day were focused on the state of Virginia. This coincided with the election of a new senator in Virginia.
Major disasters and international tensions were also a backdrop for malware activity. The launch of nuclear missiles by North Korea generated a significant malware spike. This was matched by another spike when US President Donald Trump spoke at the United Nations and threatened to destroy North Korea. The naval dispute between the US and China also created a spike in attacks.
What types of malware attacks were recorded?
The most common type of malware detected was Trojans, accounting for 41% of attacks. There were over 3,704 unique families of Trojans detected over the year. The country with the most malware attacks was Russia (9%). Over 225 countries were affected by an increase in Trojan activity.
Malicious and unwanted applications hit 226 countries and accounted for 24% of recorded attacks. 708 unique application malware families were detected. This includes keyloggers which could also be installed as part of a corporate monitoring program. One of the growing categories is applications that pretend to provide help or to speed up a computer. They often download other programs related to adware and are generally seen as a scam. The US was the most hit with 3% of all attacks.
Backdoors which seek to allow attackers to bypass security accounted for 10% of attacks. Interestingly, while other types of attacks decline in Q4/2017, there was an increase in attempts to install backdoors. 1,621 families of backdoor malware were discovered in 2017. Many of these are targeted at specific users, companies or industries. As well as being used to steal data, they can be used to install other malware or launch additional attacks. The highest recorded number of attacks were in Russia at 19%.
2018 will see a continue of malware spikes.
2018 has already seen continuance of this type of activity. The Winter Olympics and Paralympics have both been used to disguise attacks. These attacks used a mix of fake news, attacks on infrastructure and, more importantly attacks on the supply chain for the venues in use. The fake news pretended to come from national sports organisations and sought to redirect users to sites that downloaded malware.
The Football World Cup which takes place in Russia during July is likely to cause another malware spike. The Commonwealth Games will be held in Australia in April is another target. In politics, the Italian General Election saw hacking and fake news but on a much lower scale than in Germany and France last year. Mid-term elections in the US will see fake news and hacking attacks.
There are over 50 major elections around the world either for national governments or presidents. Among the countries these will involve are Pakistan, Iraqi Kurdistan, Israel, Thailand, Russia, Cypriot, Hungary, Sweden, Georgia, Ireland, Barbados and Columbia.
What does this mean?
The use of major events such as politics, sporting, disasters and entertainment to disguise attacks is not new. Traditional criminals such as counterfeiters, ticket touts and fraudsters have always exploited these. Those same criminals now use the Internet for their campaigns.
They have also been joined by cybercriminals who prey of people’s interest and voyeurism in these events. These criminals are no longer single individuals. They are part of highly organised online criminal gangs.
More importantly, the rise of the state sponsored hacking groups has taken attacks to a new level. They are more complex, more sophisticated and much more effective. They don’t just rely on one attack vector, they use many from fake news to targeted spear phishing . Disappointingly this 51 page report fails to provide any insight into the campaigns and methods used in the attacks.
Perhaps the big worry here for IT security teams is how to stop the attacks. Users will follow their national football teams at the World Cup and be exposed to malware. When a major disaster occurs, natural curiosity will lead them to click on emails and sites that appear to give more information. During elections, people are often fascinated about the misbehaviour or poor decisions of their politicians.
All of these are fertile attack areas for hackers. Educating users, keeping patches and endpoint security up to date and increasing surveillance from IT security teams is the best way to protect against these attacks.