Major regional and global events – such as military exercises, political or economic summits, political conventions, and elections – drove cyber threat activities, according to Trellix.
“The last six months have been unprecedented – a state of polycrisis remains and everything from elections to warfare to law enforcement activity have accelerated cyber threat actor activity globally. We’re seeing radical shifts in behavior,” said John Fokker, Head of Threat Intelligence, Trellix. “The cat and mouse game of cybersecurity is becoming more complex. Security leaders need more operational threat intelligence in order to outpace cybercriminals.”
China and Russia increase attacks
China-linked threat groups, like Volt Typhoon, remain the most prolific originator of advanced persistent threat (APT) activities, generating 68.3% of all detections. The Trellix Advanced Research Center further found 23% of all activity from China-linked groups is directed at the global government sector.
Additionally, Russia-linked APT group, Sandworm, saw a sharp increase in activity, with 40% more detections in the period of this report compared to April – September 2023.
Iran-linked threat groups have also markedly ramped up cyber activities, with an 8% increase in detections and a 3.89% rise in proportional contribution. This highlights a significant expansion in Iran’s cyber operations, in line with its geopolitical aims and involvement in the Israeli-Hamas war.
Trellix found malicious emails aimed at tricking consumers into donating to elections. The emails abuse legitimate marketing services to create convincing but fake donation pages with the goal of scamming everyday people out of money disguised as donations to election campaigns.
Ransomware actors threatened the transportation and shipping sector the most, generating 53% and 45% of global ransomware detections in Q4 2023 and Q1 2024 respectively, and was followed by the finance industry. Also, following a global law enforcement action to disrupt ransomware gang LockBit, Trellix observed imposters copying the group.
GenAI usage by cybercriminals
Cobalt Strike remains a tool of choice for many threat groups, despite a 17% decrease in detections. Its relatively small decrease in proportional contribution variance (+1%) suggests it retains its popularity and effectiveness in cyber operations, underlining the challenge of defending against versatile and widely used offensive tools.
An EDR evasion tool called “Terminator” from cybercriminal developer Spyboy was used in a new campaign in January 2024 with 80% of detections targeted at the telecom sector. Given the specific targets, Trellix assesses with a high level of confidence that the campaign was related to the Russian-Ukrainian conflict.
Trellix observed a free ChatGPT 4.0 Jabber tool available in the cybercriminal underground, which allows threat actors to adopt GenAI into their operations and to create a GenAI knowledge base to learn from other cyber criminals or even steal their ideas and tools.
The dramatic shifts in targeting practices, with certain countries experiencing substantial increases in APT-related activities, highlight the geopolitical motivations driving these cyber operations. Similarly, the changes in tool usage, including the notable rise in “living off the land” tactics, emphasize the ongoing challenge of detecting and countering APT threats within a landscape where legitimate and malicious activities are increasingly intertwined.
The Trellix Advanced Research Center’s latest CyberThreat Report details findings from October 2023 – March 2024.