Share this article on:
China is the leading source of nation-state-based cyber attacks in the first quarter of 2023 around the world, according to a new threat intelligence report.
Trellix’s CyberThreat Report has just dropped, and it breaks down the leading nation-state actors when it comes to aggressive cyber attacks and espionage — and China topped the list by a large margin.
Chinese threat actors were responsible for 79 per cent of nation-state attacks, followed distantly by North Korea, which was responsible for less than a quarter of such activity. Russia, Iran, and Pakistan fill out the rest of the top five.
As to actual groups, the China-based threat actor Mustang Panda was responsible for 72 per cent of the attacks. The group — which is also known as HoneyMyte, RedDelta, and Red Lich, among many other names — has been active since at least 2012 and has targeted organisations in Hong Kong and Taiwan, as well as many other south-east Asian countries.
The Lazarus Group, which is thought to be operated by the North Korean government, takes second place, having been responsible for 17 per cent of attacks in Q1. Lazarus was responsible for the 2017 WannaCry ransomware campaign that affected 200,000 machines in 150 countries and, more recently, the 2022 Horizon Bridge crypt-theft.
UNC4191, Common Raven, and APT34 rounded out the top 10 hacking groups, with just 1 per cent of attributed attacks each.
One of the most common tools used by state-based actors is actually a legitimate pen-testing tool. Cobalt Strike is used in 35 per cent of such attacks and is made by cyber security giant Fortra. However, cracked versions are commonly traded on the dark web, and while it is expensive to buy, there’s little to stop cashed-up hackers — especially if they’re backed by a nation’s treasury — from purchasing it legitimately.
The most popular tool, however, is the remote access Trojan PlugX. This malware boasts a range of plug-ins that make it a very versatile, and dangerous, tool.
The countries that have made the most detections of nation-state activity make for a fascinating list. The Philippines tops out with 34 per cent of detections in Q1, with India the next most targeted.
“India is one of the leading countries in Asia and neighbouring regions with capable cyber programs,” the Trellix report stated. “Some groups, predominantly Chinese-linked threat actors, have demonstrated great interest in India’s technological, military, and political developments. A notable number of detections in India can be attributed to Mustang Panda.”
As to the particular industries targeted by state-based hackers, the oil and gas industry is the leading victim, followed by the outsourcing and hosting, wholesale, financial, and education sectors.
The wider report also noted that the war in Ukraine had been a key driver in the uptick of attacks worldwide.
“A year into the Russia-Ukraine conflict, offensive cyber capabilities are being leveraged strategically by nation-states for espionage and disruption,” said John Fokker, head of threat intelligence at Trellix’s Advanced Research Center.
“For both leading and developing countries, we see risks to critical infrastructures like telecommunications, energy, and manufacturing by notable APT groups — a warning to public and private organisations to deploy modern protections to stay ahead of rapidly evolving threats.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.