Hunting the Hunters: Kaspersky Lab Reflects on Q1 Cyberthreats

The first quarter of 2015 saw the revelation of the most sophisticated advanced persistent cyberespionage threat to date: Equation. The Death Star of the malware galaxy, linked to the infernal Stuxnet and Flame super-threats, its first known sample dates back to 2002 and it is still active. The same period also saw Kaspersky Lab publish a detailed report on Carbanak, the most profitable cybercriminal operation to date, with up to 1bln USD stolen directly from banks; the discovery of the first known Arabic cyberespionage group, Desert Falcons; and attacks by Animal Farm, a French-speaking cyberespionage campaign.

In Q1, Kaspersky Lab’s experts confirmed they had discovered a threat actor that surpassed anything known to date in terms of complexity and sophistication of tools – The Equation Group. Among its special features are the ability to infect hard drive firmware, the use of an “interdiction” technique to infect victims and an ability to mimic criminal malware.

“In the last few years, Kaspersky Lab has observed many advanced cyberthreat actors, appearing to be fluent in many languages, such as Russian, Chinese, English, Korean or Spanish. In 2015 we reported on cyberthreats “speaking” Arabic and French, and the question is “who will be next?” During many years of analyzing malware code we also have seen different levels of malicious skills – from the standard “pack” of backdoors and the exploitation of known vulnerabilities to complex cyberespionage platforms, or even tools as powerful as those used by the Equation Group. What’s special in our job is the discovery of a new threat, one that surpasses anything you knew before. You think: this is it, the lord of malicious creation. But within months you discover something new that surpasses the previous discovery. This is how the cyberworld works: we are hunting the hunters, who constantly upgrade the tools they use to trick us, but we learn, too,” – commented Alex Gostev, Chief Security Expert in the Global Research and Analysis Team (GReAT).

Money flow

Ten months ago Kaspersky Lab reported on the Luuuk cyber fraud campaign targeting the clients of a large European bank. In the space of just one week, cybercriminals stole more than half a million Euros from accounts in the bank. Then, in October 2014, Kaspersky Lab’s Global Research and Analysis Team revealed the Tyupkin malware cybercriminal attacks targeting multiple ATMs around the world. A piece of malware infecting ATMs allowed attackers to empty the cash machines via direct manipulation, stealing millions of dollars without a credit card. In December 2014, Costin Raiu, Director of GReAT, published his advanced persistent threats forecast for 2015, saying that the days when cybercriminal gangs focused exclusively on stealing money from end users are over. “Criminals now attack the banks directly because that’s where the money is. And they use APT techniques for these complex attacks,” – said Raiu. Two months later, in Q1 2015, the Carbanak advanced persistent threat (APT) that had stolen up to $1bln was revealed, opening up an era of APT-style attacks in the cybercriminal world.

Q1 in figures: twice as many malicious attacks

Alongside an overview of major malware outbreaks, Kaspersky Lab has also measured the overall level of cyberthreats globally:

• According to Kaspersky Security Network data, Kaspersky Lab products blocked a total of 2.2 billion malicious attacks on computers and mobile devices in the first quarter of 2015, which is double the number blocked in Q1 2014.
• Kaspersky Lab solutions repelled 469 million attacks launched from online resources located all over the world, a third (32.8%) more than in Q1 2014.
• More than 93 million unique URLs were recognized as malicious by web antivirus, 14.3% more than in Q1 2014.
• 40% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in Russia. Last year Russia shared first place with the USA, with the two countries accounting for 39% of web attacks between them.

Declining but still dangerous: mobile threats in Q1

• 103,072 new malicious programs for mobile devices (6.6% lower than in Q1 2014).
• 1,527 new mobile banking Trojans, only 29 percentage points more than in Q1 2014. The rate of increase is slowing down: in all of 2014 Kaspersky Lab counted 12,100 mobile banking Trojans, nine times as many as in 2013.
The full Q1 cyberthreats report is available at