Vertical Target Series: Technology, Telecommunications and Academic and Educational Services
Critical infrastructure verticals such as technology and telecommunications, as well as academic and educational services, are attractive targets for cybercriminals and advanced persistent threat (APT) groups. These organizations, such as IT services, fintech, universities, professional education institutes, and more, are often targeted by both cybercriminals and APT groups because of the sensitive data they maintain, which could be of value to other government bodies. Targeting organizations within these verticals could also lead to negative societal impacts, including the privacy compromise of minors in the education system and a decline in political and economic confidence. Ransomware operators frequently target these verticals because these organizations hold valuable information, including the personally identifiable information (PII) of minors, parents, and staff; have connections to other organizations that can be exploited in a supply chain attack; and cannot tolerate a significant amount of downtime.
This blog leverages the Adversary Risk Matrix developed by Optiv’s Global Threat Intelligence Center (gTIC) - a multi-faceted, qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The matrix considers known and assessed non-technical capabilities and intentions. Please see our white paper for the full report.
The technology vertical includes technology equipment, software and IT services, and financial technology and infrastructure. Technology organizations are a frequent target for threat actors, both cybercriminal and APT groups, due to the valuable data they hold, including PII and intellectual property (IP). Technology organizations hold sensitive information such as personal data, personal and corporate card data, and access credentials. Additionally, technology companies, including MSSPs and service providers, typically have access to client environments, making them an attractive target for supply chain attacks: threat actors could gain access to hundreds or thousands of organizations as a result of a single intrusion. Three APT groups observed targeting the technology vertical are APT39 (Chafer, Cobalt Hickman, Radio Serpens, Remix Kitten), Lazarus Group (Labyrinth Chollima, Zinc, Hidden Cobra, Diamond Sleet), and Volt Typhoon (Bronze Silhouette, Vanguard Panda).
Volt Typhoon is an APT group that has been attributed to the Chinese government and has been active since 2021. The group has been observed targeting critical infrastructure organizations in the U.S. and Guam. The group is believed to conduct espionage campaigns and maintain persistent access to victim environments for as long as possible. While the Volt Typhoon group is purported to only have been active since 2021, there is an Even Chance that the group has been active for a longer period of time. APT groups attributed to China have been observed sharing infrastructure and tooling, indicating that Volt Typhoon could have been active under another group or moniker prior to 2021.
The MalasLocker ransomware operation was first observed in April 2023. The group participates in double extortion and maintains a data leak site where victims' information is leaked if the ransom is not paid. The group claims to show disdain for corporations and socio-economic inequality. Rather than demanding a ransom like other operations, the group claims that it will provide a decryption key to victim organizations that donate to a MalasLocker-approved charity. The operators target Zimbra servers and upload suspicious JSP files to specific directories. The initial access vector is not known at the time of writing.
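A defender-side check for the behavior described above, as an added example that is not Optiv's or the gTIC's code: it baselines the JSP files under a web application root (for Zimbra, the Jetty webapp directories, whose exact paths are an assumption for the operator to confirm) and then reports JSP files that are new, changed, recently modified, or contain command-execution patterns. The sample files and timestamps in `demo()` are constructed.

```python
"""Hunt for unexpected or suspicious JSP files under a web application root."""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Strings commonly found in JSP web shells. A hit is a lead for triage, not a verdict.
SUSPICIOUS_PATTERNS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root) -> dict:
    """Snapshot every .jsp under root as {relative path: sha256}, taken on a known-good host."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*.jsp")}


def hunt_jsp(root, baseline: dict, newer_than_epoch: float) -> list:
    """Compare the live tree against the baseline; return one finding per suspicious file."""
    findings = []
    root = Path(root)
    for path in root.rglob("*.jsp"):
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        if path.stat().st_mtime > newer_than_epoch:
            reasons.append("recently modified")
        if SUSPICIOUS_PATTERNS.search(path.read_bytes()):
            reasons.append("command-execution pattern")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed sample: one legitimate page in the baseline, then a planted JSP file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public").mkdir()
        legit = root / "public" / "login.jsp"
        legit.write_bytes(b"<html>login form</html>")
        snapshot_time = time.time()
        os.utime(legit, (snapshot_time - 3600, snapshot_time - 3600))  # old, untouched file
        baseline = build_baseline(root)
        planted = root / "public" / "x.jsp"  # constructed: appears after the snapshot
        planted.write_bytes(b"<% ProcessBuilder pb; %>")
        os.utime(planted, (snapshot_time + 60, snapshot_time + 60))
        return hunt_jsp(root, baseline, snapshot_time)
```

In production the baseline comes from a clean reference install of the same Zimbra build, and findings feed triage rather than automatic deletion.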
Of the 171 victims listed on the MalasLocker data leak site from January 1, 2023 - December 15, 2023, 57 of them (33%) are in the technology vertical.
The telecommunications vertical has been increasingly targeted by threat actors. This is likely because people use a growing number of mobile devices to store and process both personal and corporate data, as well as to complete multi-factor authentication. This vertical includes both internet and cellular service providers and plays a critical role in facilitating global communications. As organizations become more connected, it is Likely that threat actors will continue to target organizations within this vertical. Telecommunications organizations are often targeted for espionage attacks, technology theft, and data harvesting campaigns. Three APT groups observed targeting the telecommunications vertical are APT34 (aka Europium, Hazel Sandstorm, OilRig, Chrysene), APT27 (aka Budworm, Emissary Panda, Threat Group-3390, LuckyMouse), and APT39 (aka Chafer, Cobalt Hickman, Radio Serpens, Remix Kitten).
APT34 (aka OilRig, Helix Kitten) is an Iranian state-associated threat group that has been in operation since at least 2014; however, attacks attributed to it date back to 2012. The group has targeted several organizations and is most commonly known for sophisticated social engineering scams designed to enable initial access. The group's motivation is believed to be establishing access to target networks that can be used at a later date, conducting supply chain compromise, and moving laterally to other targets. APT34 has also been associated with destructive wiper attacks against the energy and ICS industries. APT34 relies on stolen account credentials for lateral movement.
BianLian is a ransomware family written in Google's Go programming language and has been active since at least July 2022. The operators are not as active as some of the more prolific groups, such as LockBit, Alphv, and Black Basta. The operators do participate in double extortion and maintain a data leak site. BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors.
Of the 194 victims listed on the BianLian data leak site from January 1, 2023 - December 15, 2023, 5 of them (2.6%) are in the telecommunications vertical.
The academic and educational services vertical includes public and private school districts, primary and secondary schools, universities, and professional and business education services and providers. Despite the many defensive frameworks and policies that academic and educational services institutions have adopted to improve security, institutions in this vertical remain an attractive target for threat actors due to the high-value information they hold and the critical nature of these organizations. Often the goal of state-sponsored attacks targeting these organizations is strategic gain, achieved by collecting sensitive intellectual property such as research, or by stealing credentials for future malicious activities. Three of the APT groups observed targeting the education vertical are Mustang Panda (aka Bronze President, Camero Dragon, Stately Taurus, TA416), Deep Panda (aka KungFu Pandas, Pink Panther, Shell Crew), and Earth Lusca (aka Aquatic Panda, Bronze University, Charcoal Typhoon, Chromium).
Mustang Panda (aka Bronze President, HoneyMyte, TEMP.Hex) is a China-linked APT group that has been active since at least 2014. The group is notable for their social engineering attacks using lure documents related to current global events, including the Russia-Ukraine war, COVID-19, and human rights conditions in China. Mustang Panda is known for using both open-source and custom malware variants.
Rhysida is a RaaS group that was first observed in May 2023 and gained notoriety that same month after launching an attack against the Chilean army. The U.S. Department of Health and Human Services indicates that the name "Rhysida" refers to the Rhysida longipes centipede genus, which is also displayed on the group's data leak site.
Of the 73 victims listed on the Rhysida data leak site from January 1, 2023 - December 15, 2023, 23 of them (31.5%) are in the academic and educational services vertical.
Despite high-profile ransomware incidents and government/law enforcement attention on ransomware operations and facilitators, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2023 and are assessed to be focused on building infrastructure and capabilities around themselves as a one-stop shop, with less reliance on marketplaces and forums.
Optiv’s gTIC assesses with Moderate Confidence that state-sponsored adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although the overall probability of a targeted state-sponsored attack across all verticals and organizations is Unlikely, these verticals have a historical record of being targeted by state-sponsored APT groups. For a full report, please see our white paper.