Antiy Annual Security Report 2023
1. Introduction
At the beginning of each year, it has long been the tradition of the Antiy Security Research and Emergency Response Center (Antiy CERT) to analyze and summarize the global cyber security threats of the previous year, publish an overall review and give an outlook for the new year. Within Antiy this is simply the “annual report.” Preparation usually starts in November, the first draft is completed at the end of December, and a “draft for comments” version is released at the cyber security winter training camp in early January to solicit the opinions and suggestions of the participating experts; it is then supplemented and revised and officially published around the Spring Festival. However, a careful review of Antiy’s threat annual reports over the past few years shows that all of them remained “draft for comments” versions, meaning that the report was never approved by Antiy’s technical committee and could only be released in that form. For Antiy CERT this is the regret of a year’s work never being completely closed; for Antiy as a whole it is the confusion of knowing and doing coming apart in the face of great changes in scenarios, threats and customers.
The early “annual reports” did not rely much on Antiy CERT’s own output: they were essentially the statistical output of the annual sample analysis platform on every dimension of malware, supplemented by brief explanation, and could be produced with little human input. This also matched Antiy’s simple position in the industry at that time as an upstream anti-virus engine vendor rather than one facing the scenarios of government and enterprise customers directly. However, since the Stuxnet incident, Antiy has extended its analysis and attribution capability to defense scenarios, begun developing engines and products for all-host-platform protection, and released traffic-side and system-side tools to assist attribution and hunting. We saw the highly targeted kill chains of APT attacks superimposed on complex IT scenarios, and the activities of many different threat actors challenging cyber security governance. These phenomena are increasingly impossible to represent with simple statistical analysis. So we moved from a data-based annual report to a viewpoint-based one, and have kept to that for years, with a number of predictions we are proud to have seen confirmed, including “ransomware will converge with worms” (2016). There were also earlier risk warnings such as “ransomware attacks will have APT capability” (2020), but the outbreak of WannaCry was still the actual occurrence of the convergence of RaaS (Ransomware as a Service) and targeted attacks. Still, we cannot be “gratified” by accurate early warnings, because we cannot judge whether our “warning in advance” enabled users to “defend in advance,” or even whether the protection capability of many IT facilities has improved. We have yet to see that “every disaster is compensated by progress” (Engels).
It is precisely because of this that, as threat analysts and enablers of detection capability, we need to identify the important issues and propose key solutions. This is the executive governance security concept that Antiy has advocated and practiced over the past two years.
At the same time, this year we have made major changes to the structure of the annual report, adding statistical analysis of threat executors and tactics for 2023, so that the full picture of malware returns to the annual report. A few years ago we thought these dull statistics and pie charts added little to what readers could observe. In the past few years, however, we have found that, without the continuous publication of the types and quantities of malware, some users have begun to neglect the basic capacity building of anti-malware and host security protection, paying more attention to stacking additional security means and forgetting that malware detection is not a function switch: an anti-virus engine is a security capability that requires comprehensive capture capability, massive analysis and computing power, and the support of professional analysis teams. This is also our first release of the Top 10 non-malicious executors (legitimate tools) used at high frequency in attacks. Based on the cumulative analysis of the techniques and tactics in attack incidents, we have also released the annual Top 10 ATT&CK attack techniques and tactics.
This year we have strengthened the summary of threat trends and added thinking on defense and governance. It should be noted that the annual report was prepared at the same time that a series of major targeted ransomware attacks by the LockBit organization was attracting attention. We have therefore moved the threat summary and the defense and governance thinking related to targeted ransomware attacks forward into the analysis report “Analysis and Review of the Boeing Ransomware Attack Incident: Targeted Ransomware Threat Trend Analysis and Defense Thinking.”
The structure of the threat analysis is similar to previous years: Antiy summarizes its thinking and views on advanced persistent threats (APT), ransomware threats, mining threats, other underground cybercrime (“black industry”) threats, data leakage threats and threat generalization.
A cyber attack is not simply a technical behavior; it is a special activity carried out by specific organizations and individuals with specific intentions. Therefore, when analyzing a cyber attack from the angle of tactics and protection, we should focus on its payload (executor) and tactics, with the asset environment as the scenario. At the same time we should pay attention to the motives and the threat actors behind it, analyze the damage caused by the impact on the target, and overlay the relevant levels of national security, social governance security and citizens’ personal security.
Table 1-1 Comparison of operational motives, tactical characteristics, target assets and business consequences of typical cyberspace threat actors in 2023

| Level / class of cyberspace threat actor | Representative organization / actor | Motivating factors | Tactical characteristics | Target assets | Business consequences |
|---|---|---|---|---|---|
| Ultra-high-capability national / regional actors | Equation, Longhorn | Persistent cyberspace hegemony | Penetration is achieved through traffic hijacking or point-to-point delivery, using large numbers of 0-day combinations including privilege-escalation vulnerabilities and zero-click vulnerabilities in the system kernel; target terminals are controlled with deep persistence, and operations are highly prudent, with strict control of the scope of infection and the survival cycle to evade detection. | Critical infrastructure, key units, industrial systems and intelligent equipment, IT facilities of scientific research institutes, backbone network traffic equipment | Theft of important data; critical systems and traffic under control |
| Advanced-capability national / regional actors | Sea Lotus (OceanLotus), Lazarus, Kimsuky, APT37, APT38, Cozy Bear, Turla | Geo-security game | With the aid of commercial weapons and relatively simple self-developed weapons, exploit 0-day or 1-day vulnerabilities, use captured assets as springboards, use network devices, business systems or mail as the attack entry point, and have lateral movement and anti-attribution capability. | IT facilities of critical infrastructure, key units and scientific research institutes | Theft of important data; critical systems under control |
| General-capability national / regional actors | White Elephant, Rattlesnake (SideWinder), Bitter Elephant (Bitter), CNC, Confucius, Baby Elephant | Geo-security game | Using opportunistic guerrilla tactics around hot events, attack activities are based on social-engineering phishing and spear-phishing mail, using open-source remote control tools while upgrading and updating their own attack weapons and using loaders to counter detection. | Critical infrastructure, key units and scientific research institute systems | Data loss; systems under control |
|  | Green Spot, Sewage (MuddyWater), Human-faced Horse (APT34), APT33, APT35, SideCopy | Geo-security game | Keep up with current events and use email, websites or social platforms as the attack entry point, frequently sending phishing-link emails to harvest account names and passwords; the methods are simple to trace back. Network communication infrastructure uses dynamic domain names and compromised legitimate websites, mainly on virtual hosts. | Systems of key units and scientific research institutes | Data loss; accounts under control |
| Internet extremist groups | United Cyber Caliphate | Driven by religion, culture and ideology | DDoS or penetration attacks based on public vulnerabilities, open-source tools and Trojans | IT systems of hostile targets | Data theft, paralysis, intimidation |
| Cybercriminal gangs or hacking groups | TA505, TA406, FIN7 | Religious conflict, war conflict, profit-driven | Have proprietary attack technologies, tools and platforms, and vulnerability discovery, exploitation and development capabilities | Target permissions or resource occupation | Data tampering and business suspension |
| Underground cybercrime (“black industry”) groups | LockBit, SwimSnake | Profit-driven | Have a certain level of professional technical and coding ability and a small number of self-developed attack tools with which to launch attacks | Data assets or financial assets | Data stolen, business stopped |
| Amateur hackers | / | Technical practice, economic gain, showing off skills | Using public technologies and tools, social engineering attacks | Random target system permissions or resources | Hosts under control |
About advanced persistent threats (APT): Antiy reviewed the distribution and activity of global APT organizations and operations in 2023 and produced the Map of Global APT Attacks, Organization Attribution and Geographical Distribution (Active). It covers 556 APT organizations; the A2PT attack organizations representing the highest attack level are all located in the United States, and the other attack organizations posing a high threat to China and neighboring countries and regions come from countries such as India and from China’s Taiwan region. We selected the typical representative cyberspace threat actors of 2023 and analyzed their threat level, motivating factors for launching attacks, tactical characteristics, target assets and business consequences. The analysis finds that cyber hegemony and the geo-security game are still the main persistent motives and factors of current cyber attacks; this type of attack represents the highest capability of current cyberspace attacks, covers targets in both breadth and depth, and causes the most serious consequences. Regional temporary conflict is the rising factor in this year’s cyberspace attacks, represented by cyber attacks in the context of the Russia-Ukraine conflict and the Palestine-Israel conflict; their tactical characteristics differ according to the capabilities of each party, but the overall focus is on acquiring intelligence, creating chaos and causing destruction and paralysis. Interest and money are the motive and factor behind the continuous rise of cyber attacks in recent years, together with the rise of cryptocurrency and the RaaS model; such attackers are good at exploiting vulnerability windows, and their attacks are more and more frequent and cause more and more harm. Ideological and religious conflicts are the motive and factor for launching cyber attacks in specific regions or by specific organizations.
Their main purpose is to spread ideology and to threaten and intimidate. Finally, technical study is the motive and factor behind individual hacker attack activity, whose targets are uncertain and sometimes have no clear purpose; the consequences and harm are relatively limited.
Intelligent mobile terminal devices face the attack challenge of A2PT, and closed-source systems may go undetected for a long time due to their systemic and ecosystem characteristics. At present, the security of mobile phones and intelligent terminals depends not only on the system itself but also needs more security attention.
APT organizations draw on public information to produce false-flag clues that disguise their attacks; by creating and leaving obvious false-flag clues they mislead analysts in the direction of attribution and can even conceal the facts. But experienced researchers can still spot inconsistencies in the technical details.
The high-level attack techniques of A2PT have been widely adopted by more APT organizations for their own operations due to exposure, demonstration, uncontrolled leakage and other reasons, and targeted ransomware and other criminal activities are also following and imitating them. Traditional low-level APT organizations and black-industry attacks will therefore become more difficult to detect, defend against and trace.
About the ransomware threat: The mainstream form of ransomware attack has shifted from the spread of ransomware gangs or the widespread release of ransomware to the operating mode of RaaS + targeted attack to collect high ransoms. RaaS, short for Ransomware as a Service, is a ransomware attack infrastructure developed and operated by ransomware gangs, including customizable destructive ransomware, data theft components, ransom notes and ransom collection channels. Various attack groups and individuals rent the RaaS attack infrastructure and, after receiving the ransom, settle accounts with the RaaS operator separately. With the rise of RaaS, ransomware attacks no longer have a technical threshold: through simple page clicks and customization, theft, ransomware and other attack payloads can be generated, so insider attacks may proliferate. More attention should be paid to the transformation of traditional electronic fraud crime into social engineering + ransomware crime. At the same time, the actors carrying out targeted ransomware attacks against large government and enterprise institutions have reached the APT level, and targeted ransomware attacks have become a nightmare for such institutions. Ransomware attacks now consist of continuous targeted intrusion, theft of data, destruction of data systems by encryption, extortion of money, secondary use by mining the value of the stolen data, trafficking of data and reporting the victim to regulatory authorities. The public release of stolen data constitutes a value infringement chain and has formed an extremely large-scale criminal industry. In this context, the risk of being ransomed is no longer simply a consequence of data loss and business suspension, but a chain of risks in which all stolen data will be trafficked and made public.
About the mining threat: With mining Trojan attackers’ constant pursuit of profit, Trojans combined with rootkit techniques will become more and more complex. Using the Shell Script Compiler (shc) to encrypt scripts has become increasingly popular, and shc has become a new tool of choice for attackers to enhance the stealth of their mining scripts.
About the underground cybercrime (“black industry”) threat: In 2023, the threat from black-industry gangs is characterized by changing means and rapid replacement of resources. Take “SwimSnake,” the most active black-industry gang of 2023, for example: its phishing and fraud activities against domestic users in China are large in scale and long-lasting, causing certain economic losses to enterprises. This kind of black-industry gang spreads many varieties of malicious programs, updates its anti-detection measures quickly, changes infrastructure frequently, and attacks targets across a wide range of industries. In terms of attack means, it mainly uses “white + black” (a legitimate signed executable loading a malicious component) to load the malicious payload, executes shellcode in memory, decrypts the payload file in memory, and finally drops a remote control Trojan payload. Antiy CERT collectively refers to black-industry gangs with the above characteristics as “SwimSnake.”
About the data breach threat: The high-value data assets stored by some organizations are targeted by attackers; ransomware threats come with the risk of data breach; the impact of data breaches triggered by high-risk vulnerabilities cannot be underestimated; and data breaches triggered by political factors can even affect the international situation.
About threat generalization: Threat generalization increases users’ asset exposure. Using the increased attack surface, attackers can generate a wide range of security threats such as unauthorized access, springboard attacks, intrusion into “isolated networks,” asset control, asset destruction and data leakage.
2. Overall Situation of Threat Actors and Attack Tactics in 2023
Weapons and tactics are two important basic elements in analyzing cyber attacks. Most attack weapons, which we usually call attack payloads, are “executors,” and attack tactics also rely on executors for their implementation. Most attack weapons are malware (malicious executors) developed for the purpose of attack; in order to further circumvent detection, attackers have also begun to combine normal software (non-malicious executors) with malicious executors to deliver and execute their jobs and achieve the attack goal.
2.1 Statistics of Malware Executor Analysis in 2023
As of December 31, 2023, Antiy had captured a total of 1,361,149,760 valid malware executors (counted by MD5 value), mapping to a hash sample space of about 10 billion. (Antiy adheres to the statistical principle of counting valid samples to avoid statistics interfering with judgment: for file-infecting viruses, polymorphic viruses, macro viruses and server-side polymorphic (poly-by-server) malware, the number of samples counted is limited according to a technical specification based on the file structure and size of the host file, to avoid the numerical interference of large numbers of files with different hashes but the same actual virus. All subsequent sample statistics refer to valid samples.) Antiy classifies malware samples into eight basic categories: Trojan, Worm, Virus, HackTool, Grayware, Riskware, TestFile and JunkFile. Statistics by this classification are shown in Figure 2-1.

The top three categories are Trojan, Grayware and infectious Virus, with 732,421,518, 244,231,566 and 185,051,567 malware executors, accounting for 53.81%, 17.94% and 13.60% respectively.
In particular, the number of newly captured malware executors in 2023 is 157,328,081 (counted by MD5). Statistics by the eight basic malware categories are shown in Figure 2-2.

The three largest categories are Trojan, Worm and Grayware, with 114,891,344, 18,501,705 and 12,744,053 malware executors, accounting for 73.03%, 11.76% and 8.10% respectively.
A comparison of the number of newly captured malware executors in 2022 and 2023 and their category distribution is shown in Figure 2-3.

Compared with the previous year (2022), Trojan is the category with the largest increase in the number of newly captured malware executors in 2023, with an annual difference of 50,945,459, a year-on-year increase of 79.67%; the category with the largest decrease was Grayware, with an annual difference of 38,785,334, a year-on-year decrease of 75.27%.
More information on malware and statistics can be found in the Antiy computer virus classification and naming knowledge encyclopedia (virusview.net).
- Classification statistics of the number of malware families (total)
In 2023, the classification statistics of malware families captured by Antiy are shown in Figure 2-4.

- Classification statistics of the number of malware families (increment)
In 2023, the classification statistics of newly captured malware families are shown in Figure 2-5.

- Comparison of the number of newly captured malware families over the years
According to Antiy’s monitoring results, the comparison between the number of newly captured malware families in 2023 and 2022 is shown in Figure 2-6. Compared with the previous year, Trojan shows the biggest growth in absolute numbers in 2023: 2,503 Trojan families were captured over the whole year, an increase of 1,216 over last year.

- Classification statistics of the number of malware variants (total)
In 2023, the classification statistics of malware variants captured by Antiy are shown in Figure 2-7.

- Classification statistics of the number of malware variants (increment)
In 2023, the classification statistics of newly captured malware variants are shown in Figure 2-8.

- Comparison of the number of newly captured malware variants over the years
According to Antiy’s monitoring results, the comparison of the number of newly captured malware variants between 2023 and 2022 is shown in Figure 2-9.

- Statistics on the operating platforms of valid malware samples (total)
As of the end of 2023, Antiy compiled statistics on the operating platforms of captured malware samples; the Top 5 platforms and the corresponding numbers of families are shown in Figure 2-10.

- Statistics on the operating platforms of valid malware samples (increment)
In 2023, Antiy compiled statistics on the operating platforms of newly captured malware samples; the Top 5 platforms and the corresponding numbers of families are shown in Figure 2-11.

- Statistics on the operating platforms of malware families (total)
By the end of 2023, Antiy had compiled statistics on the operating platforms of captured malware families, 121 platforms in total. The Top 20 platforms and the corresponding numbers of families are shown in Figure 2-12.

- Statistics on the operating platforms of malware families (increment)
In 2023, Antiy compiled statistics on the operating platforms of newly captured malware families, 121 platforms in total. Figure 2-13 shows the Top 20 platforms and the corresponding numbers of families.

- Statistics on the operating platforms of malware variants (total)
By the end of 2023, Antiy had compiled statistics on the operating platforms of captured malware variants, 121 platforms in total. The Top 20 platforms and the corresponding numbers of families are shown in Figure 2-14.

- Statistics on the operating platforms of malware variants (increment)
In 2023, Antiy compiled statistics on the operating platforms of newly captured malware variants, 121 platforms in total. The Top 20 platforms and the corresponding numbers of families are shown in Figure 2-15.

- Statistics on the file formats of valid malware samples (total)
As of the end of 2023, Antiy compiled statistics on the file formats of captured malware samples; the Top 10 formats and their corresponding numbers are shown in Figure 2-16.

- Statistics on the file formats of valid malware samples (increment)
In 2023, Antiy compiled statistics on the file formats of newly captured malware samples; the Top 10 formats and their corresponding numbers are shown in Figure 2-17.

2.2 Common Non-malware Executors for Cyber Attacks in 2023
With the diversification of cyber attack means and channels, APT organizations continuously improve their techniques and tactics and, in addition to commercial tools, self-developed tools and open-source tools, gradually incorporate legitimate tools into their arsenals. Based on continuous monitoring and analysis of global APT attacks in 2023, nearly 50 legitimate tools were found to be involved in attacks by APT organizations, including but not limited to Mimikatz, PsExec, AnyDesk, AdFind and Plink. This involves not only high-capability APT organizations such as Gamaredon, Cozy Bear / APT29 and Fancy Bear / APT28, but also general-capability APT organizations such as Sewage / MuddyWater, Kimsuky and Lazarus. By using legitimate tools, APT organizations can hide malicious activity in normal network traffic and bypass network security defenses; at the same time, legitimate tools greatly increase the difficulty for security personnel to trace and attribute APT organizations. As network security protection capabilities keep rising, APT organizations will continue to use legitimate tools to increase the success rate of attacks, configuring them flexibly to adapt to attacks under different business scenarios, so that malicious activities such as credential dumping, privilege escalation and information collection are executed covertly on the target system.
The Top 10 legitimate tools used by APT organizations are Mimikatz, PsExec, AnyDesk, AdFind, Plink, Netcat, TeamViewer, Masscan, UltraVNC and Ligolo. The tools are described as follows:
Mimikatz is a hacker tool originally developed by the French hacker Benjamin Delpy and first released in 2011; in addition to the executable version there is a script version. Its main function is to obtain and manipulate credentials in the Windows operating system, such as user login passwords, Windows logon credentials (NTLM hashes and Kerberos tickets), and the credentials of various applications and services. Mimikatz was designed to reveal the weak points of password and credential management in Windows and is used by security professionals for demonstration and education. However, because it is powerful and widely used by hackers, Mimikatz is also regarded as a dangerous tool for malicious attacks, data theft and potential ransomware activity. By virtue of its high flexibility and compatibility, Mimikatz has been used in attacks by APT and cybercrime organizations; Antiy observed the Bitter organization using Mimikatz in the form of PowerShell scripts in 2020.
PsExec is a command-line network administration tool and part of the Sysinternals Suite. It calls internal Windows interfaces and takes the remote Windows host’s account name, password and the local executable to be executed as input parameters; built on RPC and the IPC$ service, it pushes the local executable to the remote host for execution, which is designed to give network administrators agile remote operation. However, because it is easy to invoke and to wrap as a command-line tool, it is also easily used as an attack tool: once a password is cracked, it can be put into action. As early as 2003, a large number of “password worms” based on null and common passwords spread widely, most of which used this mechanism. In particular, the Sysinternals team that produced these components was acquired by Microsoft on July 18, 2006, so subsequent versions all carry Microsoft’s digital signature, which has also led a large proportion of security software to let it through.
AnyDesk is remote desktop software released by the German company AnyDesk Software GmbH. Users can control computers remotely through it and transfer files between the controlling and controlled computers; it is mainly used for remote management of customers’ daily operations and business-related hosts. It is a commonly used network administration tool issued by a regular software vendor, carries the vendor’s digital signature, and is often treated as whitelisted software. But this also enables attacking organizations to use the remote management functions of such software in their activities to achieve persistent access and file transfer, and to use it as a legitimately signed executor to circumvent detection.
AdFind is an information-gathering tool for domain environments that lets users easily collect all kinds of information from an Active Directory domain. It offers a large number of options to refine searches and return relevant details, and is a sharp tool for intranet domain penetration.
Plink is a component of the PuTTY software whose function is similar to the ssh command-line tool on Linux: it connects to remote hosts over SSH and provides multiple ways to create or manage SSH sessions. Because it is a PuTTY component and carries a digital signature, it can avoid detection by endpoint protection software that uses digital signatures as a whitelist mechanism.
Netcat is a network utility originating on Unix and available for both Windows and Linux, used for reading and writing data across network connections over TCP or UDP. It can be used directly or started by other scripts, and because of its simplicity and flexibility it is often used for network debugging or in various network scripts to establish connections.
TeamViewer is a remote desktop tool compatible with Microsoft Windows, macOS, Linux, iOS and Android, supporting remote control, online collaboration and other features.
Masscan is a high-speed port scanner with excellent scanning efficiency and large-scale scanning capability; it supports TCP and UDP scanning and lets the user specify multiple targets and ports. Masscan also adopts network performance optimization techniques, making full use of operating system resources and multi-core processing capability to achieve high scanning efficiency and throughput.
UltraVNC is an open-source remote management / remote desktop utility. The client supports Microsoft Windows and Linux, but the server supports only Windows. It uses the VNC protocol, allowing one computer to remotely access and control another over a network connection.
Ligolo is a lightweight reverse tunneling tool designed for security testers that is easy to deploy and use. It helps penetration testers build a fully secure SOCKS5 or TCP communication tunnel through a reverse connection. Compared with tools such as Meterpreter, Ligolo runs faster and is more stable.
Table 2-1 Legitimate tools used by APT organizations

| Tool name | Tool type | Operating platform | Core function | Associated threat groups |
|---|---|---|---|---|
| Mimikatz | Normal tool | Windows | Privilege escalation and credential theft | Lazarus, Sewage / MuddyWater, Sea Lotus / APT-TOCS, Cozy Bear / APT29, White Elephant, etc. |
| PsExec | Utility | Windows | Remote access, command execution | Gamaredon, Cozy Bear / APT29, Tula / Turla, Human-faced Horse / APT34, etc. |
| AnyDesk | Normal tool | Windows, Linux, macOS, Android, iOS and more | Remote control | Bitter Elephant / Bitter, Gamaredon, Cozy Bear / APT29, etc. |
| AdFind | Normal tool | Windows | Domain information gathering | Cozy Bear / APT29, Lazarus, etc. |
| Plink | Normal tool | Windows, Linux | Port forwarding | Lazarus, Sewage / MuddyWater, Charming Kitten / APT35, Chafer / APT39, etc. |
| Netcat | Utility | Windows, Linux | Remote access, file transfer, port scanning | Green Spot / GreenSpot, Sea Lotus / APT-TOCS, etc. |
| TeamViewer | Normal tool | Windows, Linux, macOS, Android, iOS and more | Remote control | APT37, Kimsuky, Black Shop / DarkHotel, etc. |
| Masscan | Normal tool | Windows, Linux, macOS | Port scanning | Gamaredon, TeamTNT, etc. |
| UltraVNC | Normal tool | Windows, Linux | Remote control | Chafer / APT39, Gamaredon, etc. |
| Ligolo | Normal tool | Windows, Linux, macOS | Network tunnel | Sewage / MuddyWater |
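Because every tool in Table 2-1 is a legitimately signed binary, a whitelist check on the signature alone lets all of them through. The following Python script is an added example (not Antiy's code or data) of scoring such tools together with their execution context in process-creation telemetry; the event fields, the tool file-name table and the score weights are assumptions constructed for this example.

```python
"""Flag abuse of the Table 2-1 legitimate tools in process-creation telemetry.

Added example: event records mimic Sysmon-style fields and are constructed;
tool file names and score weights are assumptions, not Antiy figures.
"""
import ntpath
import re

# Tool -> (expected original file name, core function, base score).
TOOLS = {
    "mimikatz": ("mimikatz.exe", "credential theft", 90),
    "psexec": ("psexec.exe", "remote execution", 40),
    "anydesk": ("anydesk.exe", "remote control", 30),
    "adfind": ("adfind.exe", "domain information gathering", 50),
    "plink": ("plink.exe", "port forwarding", 40),
    "nc": ("nc.exe", "remote access / file transfer", 50),
    "teamviewer": ("teamviewer.exe", "remote control", 30),
    "masscan": ("masscan.exe", "port scanning", 50),
    "winvnc": ("winvnc.exe", "remote control", 40),
    "ligolo": ("ligolo.exe", "network tunnel", 60),
}
# Context modifiers (assumed weights): launched by a script host or office app,
# staged in a user-writable directory, or renamed (ATT&CK T1036 Masquerading).
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata|public|programdata)\\", re.I)
ALERT_THRESHOLD = 60


def identify_tool(event):
    """Match on OriginalFileName first (survives renaming), then on Image."""
    original = event.get("OriginalFileName", "").lower()
    image = ntpath.basename(event["Image"]).lower()
    for key, (orig_name, _, _) in TOOLS.items():
        if original == orig_name or image == orig_name:
            return key
    return None


def score_event(event):
    """Return (tool, score, reasons), or None when no tracked tool is involved."""
    tool = identify_tool(event)
    if tool is None:
        return None
    orig_name, function, score = TOOLS[tool]
    reasons = [f"{tool}: {function}"]
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if image != orig_name:                      # renamed binary (T1036)
        score += 30
        reasons.append(f"renamed binary {image} (original {orig_name})")
    if parent in SCRIPT_PARENTS:                # script host / office parent
        score += 20
        reasons.append(f"suspicious parent {parent}")
    if USER_WRITABLE.search(event["Image"]):    # staged in a user-writable path
        score += 20
        reasons.append("user-writable launch path")
    if event.get("Signed") == "true" and score >= ALERT_THRESHOLD:
        reasons.append("valid signature does not clear the alert")
    return tool, score, reasons


def triage(events):
    """Return (image, score, reasons) for events at or above the threshold, highest first."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result and result[1] >= ALERT_THRESHOLD:
            hits.append((ev["Image"], result[1], result[2]))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe",
     "OriginalFileName": "plink.exe", "Signed": "true",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\Temp\AdFind.exe", "OriginalFileName": "AdFind.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signed": "true"},
]

if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{score:3d}  {image}\n      " + "; ".join(reasons))
```

The signed AnyDesk launched from Explorer stays below the threshold, while the renamed, signed Plink dropped under AppData by PowerShell scores highest, which is the distinction a signature-only whitelist cannot make.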
2.3 Analysis and Statistics of Attack Techniques and Tactics in the Cyberspace Threat Framework in 2023
Based on continuous monitoring and analysis of global APT attack incidents in 2023, the techniques and tactics involved in the APT incidents were sorted out, analyzed and mapped to the ATT&CK cyberspace threat framework, covering 14 tactical phases and over 230 techniques and sub-techniques. The most frequently used techniques and sub-techniques include, but are not limited to, Phishing (T1566), System Information Discovery (T1082), File and Directory Discovery (T1083), Security Software Discovery (T1518.001), Virtualization/Sandbox Evasion (T1497) and Application Layer Protocol (T1071), involving many APT organizations such as White Elephant / WhiteElephant, Green Spot / GreenSpot, Sea Lotus / APT-TOCS, Cozy Bear / APT29, Lazarus, Bellehead Worm / DoNot and Sewage / MuddyWater.
Table 2-2 Top 10 High Frequency Techniques and Tactics for APT Attack Activities in 2023
Tactic ID | Tactic name | Technique ID | Technique name | Typical associated threat organizations |
TA0007 | Discovery | T1082 | System Information Discovery | Bellehead Worm / DoNot, Andariel, Rattlesnake / SideWinder, Cozy Bear / APT29, Lazarus / Lazarus, etc. |
TA0007 | Discovery | T1083 | File and Directory Discovery | Lazarus / Lazarus, Fancy Bear / APT28, Kimsuky, Sewage / MuddyWater, etc. |
TA0001 | Initial Access | T1566 | Phishing | White Elephant / WhiteElephant, Green Spot / GreenSpot, Sea Lotus / APT-TOCS, SideCopy, Rattlesnake / SideWinder, etc. |
TA0005 | Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Sewage / MuddyWater, Andariel, Cozy Bear / APT29, Bitter Elephant / Bitter, etc. |
TA0011 | Command and Control | T1071 | Application Layer Protocol | Bitter Elephant / Bitter, White Elephant / WhiteElephant, Kimsuky, APT37, etc. |
TA0005 | Defense Evasion | T1027 | Obfuscated Files or Information | Transparent Tribe / APT36, Lazarus / Lazarus, Rattlesnake / SideWinder, Fancy Bear / APT28, etc. |
TA0002 | Execution | T1129 | Shared Modules | Fancy Bear / APT28, Sewage / MuddyWater, Lazarus / Lazarus, Cozy Bear / APT29, etc. |
TA0005 | Defense Evasion | T1036 | Masquerading | Blind Eagle / BlindEagle, Human Face Horse / APT34, Lazarus / Lazarus, Kimsuky, etc. |
TA0011 | Command and Control | T1095 | Non-Application Layer Protocol | Lazarus / Lazarus, Transparent Tribe / APT36, Bitter Elephant / Bitter, Cozy Bear / APT29, etc. |
TA0007 | Discovery | T1018 | Remote System Discovery | Bitter Elephant / Bitter, Cozy Bear / APT29, Andariel, White Elephant / WhiteElephant, Transparent Tribe / APT36, etc. |
To sum up, excluding the Reconnaissance (TA0043) and Resource Development (TA0042) phases, which are hard to observe and count accurately, the techniques and tactics used by APT organizations in 2023 are classified into ultra-high frequency, high frequency, intermediate frequency, low frequency and ultra-low frequency. The ultra-high-frequency techniques and tactics are mainly distributed across the Initial Access (TA0001), Execution (TA0002), Discovery (TA0007), Defense Evasion (TA0005) and Command and Control (TA0011) tactical phases; the heat distribution of all other techniques and tactics is shown in the corresponding figure. Mapping attacks onto the threat framework lets us understand the APT threat situation at the macro level and supports security personnel in formulating network security defense strategies.
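A worked example of the frequency classification described above, added here and not part of the Antiy report: for a constructed set of event-to-technique observations (real ATT&CK ids, made-up event ids) it counts how many distinct events use each technique, skips the TA0043/TA0042 phases as the report does, bins each technique into one of the five frequency tiers, and computes a per-tactic heat count. The share-of-events cut-offs between tiers are assumptions, since the report does not publish its own boundaries.

```python
from collections import defaultdict

# Constructed sample: one row per (event id, ATT&CK tactic id, technique id) observed in an
# attack event. The tactic and technique ids are real ATT&CK identifiers; the events are made up.
OBSERVATIONS = [
    ("E01", "TA0001", "T1566"), ("E01", "TA0007", "T1082"), ("E01", "TA0011", "T1071"),
    ("E02", "TA0001", "T1566"), ("E02", "TA0007", "T1083"), ("E02", "TA0005", "T1497"),
    ("E03", "TA0001", "T1566"), ("E03", "TA0007", "T1082"), ("E03", "TA0005", "T1027"),
    ("E04", "TA0001", "T1566"), ("E04", "TA0007", "T1082"), ("E04", "TA0002", "T1129"),
    ("E05", "TA0043", "T1595"), ("E05", "TA0007", "T1082"), ("E05", "TA0011", "T1095"),
    ("E06", "TA0042", "T1583"), ("E06", "TA0005", "T1036"), ("E06", "TA0007", "T1018"),
]

# Reconnaissance and Resource Development are excluded, as in the report.
EXCLUDED_TACTICS = {"TA0043", "TA0042"}

# Tier boundaries on the share of events that use a technique (assumed cut-offs).
TIER_CUTOFFS = [
    (0.50, "ultra-high"), (0.30, "high"), (0.15, "intermediate"), (0.05, "low"),
]


def technique_counts(observations):
    """Number of distinct events in which each technique appears.

    Counting distinct events rather than raw rows stops one verbose report from
    inflating a technique's frequency.
    """
    events_by_technique = defaultdict(set)
    for event_id, tactic, technique in observations:
        if tactic in EXCLUDED_TACTICS:
            continue
        events_by_technique[technique].add(event_id)
    return {t: len(ev) for t, ev in events_by_technique.items()}


def tier_for(share):
    """Map a share of events (0.0 to 1.0) to a frequency tier name."""
    for cutoff, name in TIER_CUTOFFS:
        if share >= cutoff:
            return name
    return "ultra-low"


def assign_tiers(observations):
    """Frequency tier of every technique, by its share of all observed events."""
    n_events = len({row[0] for row in observations})
    return {t: tier_for(c / n_events) for t, c in technique_counts(observations).items()}


def tactic_heat(observations):
    """Distinct events per tactic phase, excluding the hard-to-observe phases."""
    events_by_tactic = defaultdict(set)
    for event_id, tactic, _ in observations:
        if tactic not in EXCLUDED_TACTICS:
            events_by_tactic[tactic].add(event_id)
    return {tac: len(ev) for tac, ev in events_by_tactic.items()}


def top_techniques(observations, n):
    """Top-n techniques by event count; ties are broken by technique id."""
    counts = technique_counts(observations)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for technique, tier in sorted(assign_tiers(OBSERVATIONS).items()):
        print(f"{technique}: {tier}")
    print(tactic_heat(OBSERVATIONS))
```

Fed with a real year's worth of mapped events, the same functions produce the top-10 table and the per-phase heat figure the report refers to; the cut-offs are the one knob to calibrate against your own data volume.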

3. 2023 Key Threats and Risks Review
3.1 Advanced Persistent Threat (APT) and Geo-Security Conflict
The overall situation of global advanced persistent threat (APT) activity in 2023 remains severe. Based on the internal and external intelligence sources continuously monitored by Antiy, 696 public security research reports were released globally in 2023; the disclosed reports involved 162 APT organizations, and 66 APT organizations were newly added in 2023. Antiy sorted out the distribution and activity of global APT organizations and operations in 2023 and produced the “Global APT Attack Operations, Organization Attribution and Geographical Location (Activity) Map,” shown in Figure 3-1. It covers 556 APT organizations in total (limited picture space allows only the main attack organizations to be shown), mainly distributed in the United States, Russia, India, Iran, the Korean Peninsula and some other countries and regions. For some organizations the country or region could not be identified due to lack of information.

3.1.1 The United States remains the world’s major cybersecurity threat
APT, the Advanced Persistent Threat [1], is a technical concept proposed by Chinese cyber security practitioners when analyzing the attack activities of national or regional threat actors with ultra-high capabilities. The Equation Group and other attack organizations backed by the NSA, CIA and other US intelligence agencies rely on an organized network attack team, a huge supporting engineering system and a formulaic attack equipment base, together with strong vulnerability procurement, analysis and mining capabilities. They attack and infiltrate global critical information infrastructure, important information systems and key personnel, and conduct so-called intelligence sharing among the member states of the Five Eyes Alliance, posing a serious threat to the network security of every country in the world.
On April 11, 2023, the China Cyber Security Industry Alliance (CCIA) released a long-form report titled “A Historical Review of Cyber Attacks by US Intelligence Agencies – Based on the Analysis of Disclosure Information in the Global Cyber Security Circle” [2]. Based on nearly 1,000 historical research documents from dozens of network security enterprises, research institutions, experts and scholars around the world, the report fully integrates the analysis processes and research results of all parties and carries out analysis and demonstration by industry and academia. It strives to present the cyber attacks by relevant US agencies on other countries and reveals the major damage and grave threat posed by cyber hegemony to the global cyberspace order. The report is divided into 13 articles by time and sequence of events, mainly covering US intelligence agencies attacking the key infrastructure of other countries, conducting indiscriminate cyber theft and monitoring, implanting backdoors to pollute standards and supply-chain sources, developing cyber-attack weapons and causing their leakage, selling commercial attack platforms that then go out of control and become sharp tools for hackers, disrupting and suppressing normal international technical exchange and cooperation, creating standards and order in line with US interests, hindering the development of global information technology, and creating division and confrontation in cyberspace. The report, published in both Chinese and English, has evoked great repercussions both at home and abroad.
On April 13, 2023, the Pentagon “leak gate” incident once again exposed US eavesdropping on the government information of key allies, including Israel, Japan and South Korea, the interception of communications of the UN Secretary-General, and spying on its “ally,” Ukrainian President Volodymyr Zelensky.
Starting from June 1, 2023, Russian security vendor Kaspersky released a series of reports on “Operation Triangulation,” which revealed malicious iOS code and several iOS zero-day vulnerabilities that had been lurking for several years. In response, Russia’s Federal Security Service (FSB) issued a statement accusing the US-based Apple of “working closely” with the NSA and of hacking thousands of Apple phones through sophisticated malware [4]. Operation Triangulation uses the built-in iMessage messaging service and iOS zero-day vulnerabilities to carry out zero-click attacks on Apple devices. At the start, the attacker uses a WebKit memory corruption vulnerability and a font parsing vulnerability to obtain code execution, then uses an integer overflow vulnerability to escalate to kernel privileges, and then uses multiple memory vulnerabilities to break through the security defense features of Apple hardware in order to execute and plant a malicious program on the device. The entire process is completely hidden and does not require the user to perform any action. Kaspersky’s report [5] concludes that in the face of a sophisticated attacker any protection can be breached, and that a system relying on “security through obscurity” can never be truly secure. On June 10, Antiy released a report titled “Quantum System Breakdown of Apple Mobile Phone – Analysis of Historical Samples of Equation Group Attacks on the iOS System” [6], which disclosed historical sample analysis of attacks the US launched against mobile browsers by relying on the Quantum system.
On July 26, 2023, the Wuhan Emergency Management Bureau released a public statement saying that “the Wuhan Earthquake Monitoring Center has suffered a cyber attack by an overseas organization; the network equipment at the collection points of some seismic data front-end stations was implanted with a backdoor program.” According to a joint investigation by the National Computer Virus Emergency Response Center and a domestic network security vendor [7], technically very complex backdoor malware was found in the networks of the victim units. It conforms to the characteristics of US intelligence agencies and is highly covert; judging from the functions of the malware and the affected systems, the attackers aimed to steal data related to earthquake monitoring, and the attack has an obvious military reconnaissance purpose.
In October 2023, MATA, a cross-platform remote control framework attributed to the Lazarus Group, was found conducting cyber espionage against Eastern European industrial companies [8]. The framework was first discovered in 2019 [9]; its early versions mainly showed cross-platform capability for Windows, Linux and macOS, with rich security control plug-ins and unique multi-layer encrypted communication, typical enough but not advanced. Through the iteration of its 5th-generation version, the developers of the MATA framework have clearly drawn on years of security-industry research into the attack capabilities of Five Eyes Alliance APTs, as well as on the weapon leaks from Vault7 and The Shadow Brokers. Kaspersky’s report [8] notes that the APT has traces of the North Korean Lazarus group on its surface, but the complex technology and process, as well as the lavishness of the attack resources, raise the suspicion that the real group behind it may be the Five Eyes Alliance.
3.1.2 Phones of key personnel have become a key target of A2PT attack groups
In recent years, smartphones have become an indispensable part of people’s lives, carrying personal communication, entertainment, work, study and social interaction. A mobile phone stores a large amount of personal work and life data, and for many people it may be more important than the PC. At the same time, intelligent terminal devices such as mobile phones have sensing capabilities far beyond traditional PC nodes: they are equipped with a variety of sensors (including sensors for high-precision positioning, acceleration sensors, gravity sensors, gyroscopes and rotation vector sensors) that can capture the high-precision instantaneous dynamics of the device. In addition to high-precision sensors, there are cameras, microphones and other input/output acquisition hardware, and even Wi-Fi and Bluetooth modules that can scan and collect information about the surrounding environment and devices. These features make it possible to turn a mobile phone into a professional stealer of images, voice and location for an attacker once it is successfully compromised.
However, for a long time many people have believed that the mobile phone ecosystem is safer: on the one hand, intelligent terminal systems are delivered with security software and permission management, and applications are vetted by the app market; on the other hand, the closed operating system represented by iOS gives a “black box” sense of security, and many users believe that if no attack can be seen, no attack can occur. In fact, attackers have a variety of entry points for attacking smartphones, and also a variety of technical means to hide themselves.
In 2016, Antiy captured an iOS sample of the Equation Group under the US NSA and identified the Trojan as belonging to the Equation Group’s DoubleFantasy family, delivered to iOS through the Quantum system. Antiy made the relevant analysis results public on June 10 this year, together with a schematic of how the “Quantum” system hijacks traffic to attack terminals. Relying on this system, the US can launch vulnerability attacks on intelligent terminal devices worldwide and implant Trojans [6]. In 2021, the BBC reported that NSO, an Israeli surveillance software company, had sold a mobile-phone spyware program called Pegasus to some countries to monitor key personnel and even relevant dignitaries in other countries. Pegasus can easily break into iOS and Android and intercept all kinds of information, pictures, videos, e-mail content and call logs, and can even secretly turn on the microphone for real-time recording.
In 2023, Russian security firm Kaspersky released a series of “Operation Triangulation” reports [3], revealing malicious iOS code that had been latent for years and a number of iOS zero-day vulnerabilities. Kaspersky’s researchers initially found anomalies in network traffic and then faced the problem of being unable to fully collect evidence from the iOS system when analyzing the terminals. Here the closed system becomes a disadvantage, making it difficult to carry out environmental analysis and evidence collection effectively. At the end of the latest “Operation Triangulation” report [5], Kaspersky’s researchers conclude that “in the face of a sophisticated attacker, any protection may be breached; a system that relies on ‘security through obscurity’ can never be truly secure.” The above cases show that intelligent terminal devices are not inherently secure; rather, attacks may remain undetected for a long time because of the characteristics of the system and its ecosystem. At present, the security of mobile phones and intelligent terminals depends not only on the system itself but also needs more security attention.

In addition, based on the Snowden revelations, Antiy combed through the NSA’s ANT attack equipment system. Of the 48 types of equipment exposed in the equipment system catalogued around 2008, 15 are used for scanning, monitoring and data collection against mobile communication equipment, accounting for about one third of the total.

3.1.3 The demonstration effect of A2PT has led to imitation and an arms race among other organizations
A2PT actors have a rigorous system of large-scale control, systematic research and development of attack equipment, and collection and operation of attack resources. The weaponry developed and used by A2PT usually has a modular, framework-based architecture that can be developed on an extensible script engine, evades defense software, adopts high-strength encryption algorithms and supports kernel-level rootkits, together with a complete set of complex high-level capability designs including fileless component and resource hiding, VFS virtual file systems, isolated-network penetration, tailored attacks and rich secret-collection abilities. This embodies the obvious advantages of a huge supporting engineering system. Threats of the A2PT type with a Five Eyes Alliance member background, including Stuxnet, Duqu, Flame, Equation Group, ProjectSauron and Regin, mostly possess the above advanced advantages. Alongside the proliferation of the super-power’s cyber armaments, typified by the “Shadow Brokers” leak of the Equation Group’s weapons arsenal, in recent years the high-order attack techniques used by A2PT attack organizations have been widely adopted by other APT organizations in their own attack activities. The influence of this trend is more subtle and far-reaching.
In October 2023, MATA, a cross-platform remote control framework attributed to the Lazarus Group, was found conducting cyber espionage against Eastern European industrial companies [8]. It was first discovered in 2019 [9]; the early version mainly had cross-platform capability for Windows, Linux and macOS [10], with rich security control plug-ins and unique multi-layer encrypted communication, typical enough but not advanced. Through the iteration of its 5th-generation version, the developers of the MATA framework have clearly drawn on years of security-industry research into the attack capabilities of Five Eyes Alliance APTs. For example, the C2 communication of the MATA framework adopts a TTLV (Type-Tag-Length-Value) data encoding format, a multi-layer protocol and a finite state machine (FSM) handshake mechanism; this technique was used early on by Lambert and the Equation Group in a number of weapons. The MATA attack process uses the bring-your-own-vulnerable-driver (BYOVD) technique to access the system kernel and jam the detection and response of EDR software; this technique has also been used by the Lambert organization. The MATA backdoor supports a combination of active connection and passive activation; this type of backdoor activation mode is widely used by the Equation Group’s EquationVector and StraitBizarre and by the Lamberts’ GoldLambert equipment. The MATA component supports attempts to attack isolated networks by infecting software programs on removable storage devices; using a ferry attack strategy to break through network isolation is a standard capability of classic A2PT attacks such as Stuxnet, Fanny and ProjectSauron. Kaspersky reports that the APT has traces of North Korea’s Lazarus organization on the surface, but given the complex technology and process as well as the lavishness of the attack resources, it is suspected that the APT may be the “Five Eyes Alliance.”
3.1.4 APT organizations draw on open source intelligence to conceal attacks with “false flag” markers
In the field of network security, the “false flag” is a very common covert strategy. In general, a relatively high-level attacker will deliberately bury false information in the resource-presetting, approach-and-breach, residence-and-latency, and control-and-effect stages of the attack flow. For example, information such as language, location and identity can be left behind to conceal the source, or regular threats such as mining, ransomware and banking Trojans can be spread to conceal the intended effect. It may also involve reusing exclusive weapon tools, signature data and outdated infrastructure, or reproducing exclusive vulnerabilities, specific combat techniques, operational tactical paths and coding styles, so as to point the traces of the attack at other specific known threat actors. In implementing the “false flag” strategy, whether in positioning or planting the decoy, less is usually more: the markers should be precise and concise, which imposes a certain tracking and analysis cost on the investigator and often improves the effect. At present, the large body of public APT research data accumulated by the industry over more than ten years has also become an important reference source for the “false flag” ideas of attack organizations. The following figure illustrates the “false flag” imitation method used by the Sea Lotus group.

From 2022 to 2023, APT29 has frequently adopted the model of spear-phishing e-mails delivering attachment packages, inducing victims to execute shortcuts in the packages that in turn trigger a sequence of “white-and-black” components (legitimate binaries that side-load malicious ones). Multi-layer loading and decryption runs the remote control payload of red team tools such as CobaltStrike and RatelC4 in memory only, and the scope of such attacks is basically limited to political and military targets in Europe and America. A large number of them have been repeatedly analyzed and exposed by mainstream vendors. Throughout 2023, Antiy repeatedly found similar attack patterns in important government and enterprise units in China, and in the attack techniques and tactics, weapon tools and infrastructure also found many publicly exposed characteristic traces of the APT28 and APT29 organizations. For example, the decryption key of the loader in the initial stage is completely consistent with APT29 activity exposed in 2022 [11]; the loader component in the delivery stage mimics the information theft and hidden-window execution code used by the APT28 organization’s Zebrocy loader in 2018, together with the ADS stream data storage technique and the same characteristic parameter, yet in-depth analysis reveals that the attacker’s purpose is only to execute custom loader code that calls other modules; the injector component in the delivery stage is statically consistent with the Zebrocy remote control of the APT28 organization exposed in 2018 [13], yet in-depth analysis reveals that the attacker tampered with the code flow of the old Zebrocy sample so that it instead executes the remote control payload hidden in the sample’s resource section; and the remote control payload in the final control stage uses a specific cracked version of CobaltStrike.
The watermark value of this version is known to be frequently used by threat organizations such as APT29, TrickBot and SmokeLoader, and the user information field of the digital certificate supporting the relevant C2 infrastructure also contains typical WellMess characteristics [14]. The above multiple characteristic traces appear to be deliberate, and Antiy essentially judges that they are “false flags” created by the attacker; analysis and judgment show that the organization actually behind the attack is suspected to be the Sea Lotus organization. The attacker’s attempt was purely to mislead the source investigation and did not reproduce the effects of the other tools of the threat organizations forged in the “false flag.”
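The watermark argument above is worth making concrete: extracting the value is easy, but what it proves is limited. The following is an added example, not Antiy’s tooling. It builds a constructed, XOR-obfuscated configuration blob in the entry layout that public Beacon config extractors document (assumed entry indices 1, 8 and 37, assumed key 0x69, placeholder watermark 0x11223344 and placeholder C2 host c2.example.invalid), parses it, and weighs the watermark against a constructed table of actors known to share a build. A value shared by several unrelated actors is exactly the cracked-build situation the paragraph describes, and is scored as weak evidence.

```python
import struct

# Layout assumptions (modelled on the Beacon config encoding as documented by public
# config-extraction tools; verify against the extractor you use): the blob is XOR'd with a
# single byte key and decodes to a run of entries <index:u16><kind:u16><length:u16><value>,
# big-endian, with kind 1 = short, 2 = int, 3 = raw bytes, terminated by a zero index.
XOR_KEY = 0x69
KIND_SHORT, KIND_INT, KIND_DATA = 1, 2, 3
IDX_BEACON_TYPE, IDX_C2_HOST, IDX_WATERMARK = 1, 8, 37  # assumed entry indices
PLACEHOLDER_WATERMARK = 0x11223344                      # constructed, not a real value


def _entry(index, kind, value):
    """Serialize one config entry (used only to build the constructed sample)."""
    if kind == KIND_SHORT:
        payload = struct.pack(">H", value)
    elif kind == KIND_INT:
        payload = struct.pack(">I", value)
    else:
        payload = value
    return struct.pack(">HHH", index, kind, len(payload)) + payload


def build_sample_config():
    """A constructed, XOR-obfuscated blob standing in for a config carved from memory."""
    plain = (_entry(IDX_BEACON_TYPE, KIND_SHORT, 0)
             + _entry(IDX_C2_HOST, KIND_DATA, b"c2.example.invalid\0")  # placeholder host
             + _entry(IDX_WATERMARK, KIND_INT, PLACEHOLDER_WATERMARK)
             + b"\0" * 6)  # zero index terminates the entry list
    return bytes(b ^ XOR_KEY for b in plain)


def parse_config(blob, key=XOR_KEY):
    """Decode the blob and return {index: value} for every entry up to the terminator."""
    data = bytes(b ^ key for b in blob)
    entries, pos = {}, 0
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:
            break
        raw = data[pos:pos + length]
        pos += length
        if kind == KIND_SHORT:
            value = struct.unpack(">H", raw)[0]
        elif kind == KIND_INT:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\0").decode("latin-1")
        entries[index] = value
    return entries


# Constructed knowledge base: watermark -> actors publicly reported to run that build.
# Cracked builds circulate widely, so one value can map to several unrelated actors.
KNOWN_WATERMARKS = {
    PLACEHOLDER_WATERMARK: {"apt-group-1", "crimeware-1", "crimeware-2"},
}


def watermark_evidence(watermark, knowledge=KNOWN_WATERMARKS):
    """Return (strength, candidate actors) for a watermark considered on its own.

    A value shared by several unrelated actors points at a cracked build, which anyone,
    including a false-flag operator, can run; it is therefore only weak evidence.
    """
    actors = knowledge.get(watermark, set())
    if not actors:
        return "none", actors
    if len(actors) > 1:
        return "weak", actors
    return "moderate", actors


def attribute(entries, knowledge=KNOWN_WATERMARKS):
    """Summarize the config's attribution-relevant fields with an honest strength label."""
    strength, actors = watermark_evidence(entries.get(IDX_WATERMARK), knowledge)
    return {
        "c2_host": entries.get(IDX_C2_HOST),
        "watermark": entries.get(IDX_WATERMARK),
        "watermark_strength": strength,
        "candidates": sorted(actors),
    }


if __name__ == "__main__":
    print(attribute(parse_config(build_sample_config())))
```

The point of the strength label is procedural: a “weak” watermark should never be the deciding indicator in a report, and it should be weighed together with infrastructure, certificate details and tradecraft, which is how the Sea Lotus judgment above was reached.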
3.1.5 Cyber warfare of geopolitical conflict is accompanied by a great deal of hacktivist activity
The Palestinian-Israeli conflict is a new geopolitical security hotspot this year. Before the conflict broke out, a number of Middle Eastern APT organizations with Iranian backgrounds, namely Agrius, APT35, MuddyWater and OilRig, had continuously targeted Israeli critical infrastructure and other industries, and the APT organization TA402 has long supported Palestinian intelligence collection. After the outbreak of the conflict, WildCard, which has been linked to Hamas [16], attempted to modify its TTPs (including switching C2 from Google Drive to OneDrive and changing SysJoker samples from C++ to Rust) and launched a new round of strategic APT activities against Israel, but it was limited by its own technology and by frequent exposure from many network security vendors in the US and Israel. Generally speaking, these APT organizations have extensive information collection (CNE) capability, but their IT technology is not well used for targeted network attack (CNA) capability. Similarly, as a geo-security hotspot, cyber conflict has intensified in the Russia-Ukraine conflict, where the dominant cyber attacks are mainly combat operations carried out by Russia, Ukraine, NATO and other state actors. Aiming at military systems and critical information infrastructure, these actors acquire long-term control through intrusion, penetration and malware implantation, realize continuous information theft, and can paralyze and interfere with the operation of key systems. During this period, although a large number of civilian hacker organizations have sworn allegiance to one side or the other, these activities are mostly of symbolic significance. The Palestinian-Israeli conflict is a conflict of unequal strength but more complicated entanglements, with more complicated national, ethnic, religious and other geo-security backgrounds, and Israel’s intelligence agencies have extremely strong attack capabilities.
Israel constantly attacks and infiltrates neighboring countries, and cyberspace intelligence capability is an important support for its strategic intelligence capability. Palestine, however, does not have a particularly mature information infrastructure or cyberspace operational force. The cyber conflict was basically a free-for-all between a large number of civilian actors and the Israeli side. Moreover, in retaliation for their support of Israel, targets in Singapore, Japan and Italy have all been attacked, and the risk is spilling over quickly.
The relative balance of hacker groups is not the same either: in the Palestinian-Israeli conflict, most civil society organizations side with the party they sympathize with. In the wake of the conflict, both pro-Palestinian and pro-Israeli hacker groups have been promoting hacktivism on social media, a typical case of non-state, ideologically driven hacker organization activity. However, the media-hyped “cyber warfare of the Palestinian-Israeli conflict” has little influence on the actual course of the conflict, and its effect is far weaker than cyberspace cognitive warfare. Unlike the Russia-Ukraine cyber war, the DDoS and wiper malware in the Palestine-Israel conflict are not a “copy” of the Russia-Ukraine operations, and they differ from the state actors’ attack activities in the Russia-Ukraine cyber war: the Palestinian-Israeli conflict involves mainly hacktivist actors. There are obvious differences in the operation mode and results of cyber warfare between the two conflicts. First, considering the geopolitical background of the outbreak of the conflict, the targets of Russia-Ukraine cyber warfare attacks are basically consistent, organized and planned, while in the Palestinian-Israeli conflict a number of different hacker groups lack coordination and clear targets and act mostly in retaliation, for example hacking targets in Singapore, Japan and Italy to retaliate for their support of Israel. Second, considering the background of state actors and the actual impact of cyber warfare, the Russia-Ukraine cyber warfare activities involve actors with a number of national backgrounds and can combine network attacks initiated by hacker organizations such as Trickbot to produce practical impact, winning the initiative in the real conflict.
By contrast, while Storm-1133, a hacking team allegedly linked to Hamas, claims to have hacked into Israel’s Defense Ministry website to steal data, its cyber-attack activities have limited impact on the real-world conflict. Third, in terms of attack intention, the radical hacktivist activities in the Palestinian-Israeli conflict attempt to create more influence in the short term, while the Russia-Ukraine conflict involves long-term, sustained cyber attack activities in a geopolitical context. Across the overall situation in the Middle East, there are constant cyber attacks involving Iran, Syria, Israel and other countries, such as the suspected Israeli hacking attack on Iranian gas stations on December 18, 2023. With the explosion of the Palestinian-Israeli “powder keg,” more and more hacktivists will pose a threat to critical infrastructure in cyberspace, touching sensitive nerves in the Middle East.
3.2 Trends in ransomware attacks and other cybercrime activity
3.2.1 Ransomware attacks adopt a combined “targeted + RaaS” mode, forming a chain operation of “targeted extortion + theft + exposure + sale”
3.2.1.1 Targeted extortion attacks at the “APT” level have become more common
In the current network security arena, the targeted extortion attack has become a very common and threatening form of attack. In Antiy’s 2019 [17] and 2020 [18] annual reports, we noted that extortion attack organizations tend to be more targeted in selecting targets, focusing on targeted extortion of valuable targets. In Antiy’s annual report for 2021 [19], we assessed that the capability of targeted extortion attacks had reached the “Advanced Persistent Threat” (APT) level. At present, this kind of attack is no longer just a brief storm in cyberspace but has been deeply integrated into the mainstream of the modern threat landscape. A targeted extortion attack is a cyberattack that specifically targets a particular victim and aims to force the victim to pay a ransom through threats. Through in-depth target analysis and reconnaissance, attackers selectively attack critical systems, data or information, forcing victims to choose between high ransom payments and data breaches.
Looking back at 2023, large corporations were frequently the targets of targeted extortion attacks, with Royal Mail, the port of Nagoya in Japan and Boeing all facing varying degrees of threat. The attack on Boeing was a targeted extortion attack on a well-known company based on the RaaS infrastructure provided by the LockBit ransomware group. The attacker took the boundary device of the ADC network as the initial penetration point, seized the window of opportunity created by the relevant device not being patched in time after the vulnerability was disclosed, and exploited the vulnerability at the first opportunity once exploit code for it appeared, in order to steal credentials. The credentials were then used for further lateral movement and on-demand delivery of tools to the scenario. The attack organization uses a large number of open-source and commercial tools as attack components to realize different functions, and by breaking through key hosts such as domain controllers it further steals credentials and privileges to achieve an accurate and effective launch. Data on the compromised hosts was stolen, and then the ransomware was deployed.
Typically, large enterprises have deployed network security protection facilities across their network architecture that are sufficient to withstand a wide range of non-targeted attacks. However, when faced with targeted extortion attacks, the enterprise’s network security system appears relatively weak, because the perpetrators of such attacks essentially operate at the APT level and combine that capability with ransomware; their countermeasure capability goes far beyond the limits of individual protection products, especially the defense scope of products such as endpoint protection systems. At the same time, the threat level of targeted extortion attacks is gradually escalating, and attackers’ tools and means are constantly evolving. With the rise of ransomware-as-a-service (RaaS), even individuals without advanced skills can easily purchase and use specialized ransomware tools, further expanding the scope of targeted ransomware attacks. Attackers are no longer limited to highly skilled professional teams but include a wider range of players, which gives targeted extortion attacks a more diverse profile. Overall, “APT”-level targeted extortion attacks have become the norm.
3.2.1.2 The increasingly sophisticated blackmail-as-a-service model has led to blackmail attacks
The commercialized trend of cyber crime promotes the degree of complexity of threatening behavior. Similar to the normal supply chain, these actors demonstrate skilled expertise within specific areas of the cybercrime supply chain, leading to a trend towards efficient operation across the industry. The cybercrime industry has adopted an “as-a-service” (aaS) business model that has greatly improved the ease with which cybercrime can be committed; even relatively immature threat actors have easy access to advanced tools and services. This trend allows cyber crime practitioners to conduct attacks more quickly and easily, thus posing greater challenges to cyber security.
The wide application of the RaaS model has promoted the rise of many ransomware organizations, including BlackCat, Crank and LockBit, among which LockBit has become one of the most active ransomware organizations in the world. The blackmail attack organization absorbs affiliated members through the RaaS mode, and the affiliated members establish the initial access rights through the Initial Access Broker (IAB) to realize the detailed operation of their respective professional fields. The RaaS operator is focused on improving and updating its malware, while affiliate members and IAB are responsible for developing and optimizing ways to penetrate the system. Gold Melody is an economically motivated IAB hacking group [20], aka Prophet Spider or UNC961. The group uses a variety of means to hack into target systems, steal credentials and then sell them for blackmail and targeted attacks.
The commercialization of cybercrime thus raises the sophistication of attacks and creates a trend toward specialization and efficient operation. Under the "as-a-service" model, committing cybercrime has become easier; even actors with no technical skill can generate data-theft and extortion tooling by clicking through a web page. This will be an unending nightmare for the global digital age.
3.2.1.3 Ransomware groups weaponize vulnerabilities for efficient penetration
Against the current threat background, weaponizing vulnerabilities to break into targets has become one of the most effective methods of ransomware groups. According to the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA, the US Cybersecurity and Infrastructure Security Agency, 1,053 vulnerabilities had been catalogued as exploited in attacks as of December 25, 2023 [21], of which 212 are explicitly flagged as used in ransomware campaigns. The vulnerabilities involve products from Microsoft, QNAP, VMware, Accellion, Citrix and MOVEit, among others. Against the security facilities deployed by enterprises, an attacker may find it hard to break the defensive line with conventional means, but an unpatched vulnerability, once weaponized, serves as the penetration tool: by exploiting it the attacker bypasses security detection and authentication and proceeds directly to malicious activity.
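As an added example (not from the Antiy report), the following Python script reads a KEV-style catalog extract, keeps only the entries CISA flags as used in ransomware campaigns, checks them against a local software inventory, and reports which remediation due dates have already passed. The JSON field names are the ones CISA's KEV feed actually uses; the four catalog entries and the inventory are constructed for this example (their dates and the "Unknown" entry are illustrative, not copied from the live catalog), and the vendor/product matching heuristic is my own.

```python
"""Added example: prioritize KEV entries flagged for ransomware use against an inventory.

The field names (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) are those of CISA's published KEV JSON feed.
The entries and the inventory below are CONSTRUCTED for this example; the
dates are illustrative and the fourth entry only exists to show the
'Unknown' branch. Nothing here is a claim about the live catalog.
"""
import json
import re
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut", "product": "MF/NG",
         "dateAdded": "2023-04-21", "dueDate": "2023-05-12", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-36933", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "dateAdded": "2023-12-01", "dueDate": "2023-12-22", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: (vendor, product) as an asset database might export it.
SAMPLE_INVENTORY = [
    ("Progress Software", "MOVEit Transfer 2023.0"),
    ("Citrix", "NetScaler Gateway 13.1"),
    ("Microsoft", "Windows Server 2019"),
]

STOPWORDS = {"and", "or", "for"}


def load_kev(text: str) -> list:
    """Parse the KEV feed (or an extract of it) into a list of entry dicts."""
    return json.loads(text)["vulnerabilities"]


def ransomware_used(entries: list) -> list:
    """Entries CISA marks as used in ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def _tokens(s: str) -> set:
    return {t for t in re.split(r"[^a-z0-9]+", s.lower()) if len(t) > 1 and t not in STOPWORDS}


def match_inventory(entries: list, inventory: list) -> list:
    """CVE IDs whose vendor string occurs in an inventory vendor name and whose
    product shares at least one token with the inventory product name.
    Deliberately loose: a triage list to review, not a vulnerability scan."""
    hits = []
    for e in entries:
        vendor = e["vendorProject"].lower()
        ptoks = _tokens(e["product"])
        if any(vendor in iv.lower() and ptoks & _tokens(ip) for iv, ip in inventory):
            hits.append(e["cveID"])
    return hits


def overdue(entries: list, today_iso: str) -> list:
    """CVE IDs whose KEV remediation due date is earlier than today (ISO date string)."""
    today = date.fromisoformat(today_iso)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    hot = ransomware_used(entries)
    exposed = match_inventory(hot, SAMPLE_INVENTORY)
    print("ransomware-used KEV entries:", [e["cveID"] for e in hot])
    print("matching this inventory:", exposed)
    print("already past due date:", overdue([e for e in hot if e["cveID"] in exposed], "2023-12-25"))
```

Run against the real feed by replacing SAMPLE_KEV_JSON with the downloaded catalog; the point of the exercise is that the "Known" flag plus the due date gives a patch queue ordered by demonstrated extortion use rather than by CVSS alone.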
In early 2023, security researchers identified two vulnerabilities in the print management software PaperCut [22], CVE-2023-27350 and CVE-2023-27351. Multiple ransomware groups, including Clop, LockBit and Bloody, exploited them to compromise PaperCut installations and, through that foothold, drop ransomware on the downstream organizations running them. In May of the same year, the Clop group launched large-scale extortion attacks using CVE-2023-34362 [23] in the file transfer software MOVEit Transfer. The attack turned numerous MOVEit users into Clop victims: the attackers made full use of the flaw to break through the target systems' defenses, carried out "steal and encrypt" operations, and published the names of 658 victimized enterprises. In October, the LockBit group used the Citrix vulnerability CVE-2023-4966 [24], known as Citrix Bleed, and named Boeing among its victims. The proof-of-concept (PoC) exploit code for CVE-2023-4966 used in this incident appeared on GitHub on October 26, and the attackers announced their successful intrusion into Boeing on October 27; attacks tend to follow closely after PoC code is made public. Citrix had released the fix on October 10, but Boeing and others had not yet applied it. This shows that attackers are far more efficient and responsive in using vulnerability resources than defenders are. This series of events highlights the damage vulnerabilities do in supply chain attacks and large-scale extortion campaigns, and vulnerability weaponization has become an effective way for extortion groups to break through defenses.
Because attackers are adept at open-source intelligence such as cyberspace mapping engines, and have long been accumulating the exposed surfaces of important information targets, the appearance of PoC code triggers a rush of attackers matching it against penetrable targets. In vulnerability terms, the earlier 0day / 1day / Nday framing is keyed mostly to the release or disclosure of the vulnerability, but the moment the PoC code is disclosed is the point that requires the highest attention: the difficulty of exploitation drops instantly, and the peak of attacks follows quickly. Antiy CERT calls such attacks "1Exp" attacks. Since RaaS plus targeted extortion is itself a "crowdfunded crime" model, it produces a large number of attackers who each focus on different target resources or hold targeted intelligence, and any of them can turn the window of opportunity into actual gain as soon as it is discovered.
3.2.1.4 Ransomware attacks form a chain of "targeted extortion + theft + exposure + sale"
As the analysis of the Boeing ransomware incident shows, the current RaaS model is no longer only about providing technical infrastructure. The operator also pressures victims through publicity and hype, exposure and theft of data, auctions, and reporting the victim to regulators, manufacturing hot news and building a "brand effect" that snowballs into the notoriety of the extortion group. Targeted extortion aims at high-value targets, and RaaS affiliates raise their penetration capability by every available means, including purchasing 0day vulnerabilities, developing advanced malware, and buying insiders and intelligence, so as to improve the landing rate of the ransomware payload. This combination of targeting plus RaaS forms a chain operation of "targeted extortion + theft + exposure + sale" that coerces victims into paying ransom for profit [25].
3.2.2 Mining Trojans use kernel-level tools and SHC-compiled scripts to improve concealment and hinder detection
3.2.2.1 Kernel-level tools make mining Trojans harder to detect
In 2023, Antiy CERT observed kernel-level rootkit tools in use by mining Trojans such as yayaya Miner [26], TeamTNT [27] and "8220" [28]. Kernel-level rootkits are favored because they lurk at the lowest layer of the system and provide deeper invisibility and control. They reach directly into the operating system core by loading a malicious kernel module, reaching a state that traditional security software cannot observe. They effectively hide malicious processes and files and, given their degree of control over the system, persist across reboots so that mining activity is not interrupted. As mining Trojan operators keep pursuing profit, Trojans combined with rootkit techniques will grow more complex; attackers are no longer satisfied with consuming the victim's computing resources but are more likely to penetrate deeper into the network and threaten other hosts in it.
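As an added example (not from the Antiy report), the following Python script shows the classic userland cross-check for processes that a kernel rootkit hides from /proc: a rootkit that hooks the directory-listing path drops its PIDs from a listing of /proc, but the kernel still answers kill(pid, 0) for the hidden task and /proc/<pid>/status can usually still be opened directly, so the two views are compared. The script is Linux-specific, the PID probe range is my own choice, and a rootkit that hooks every one of these paths can of course defeat it.

```python
"""Added example: detect processes hidden from the /proc listing (Linux).

Listing /proc goes through getdents/readdir, which is what most LKM rootkits
hook. Probing every PID with kill(pid, 0) and opening /proc/<pid>/status
directly take other paths; a thread-group leader that answers the probe but
is missing from the listing is hidden. This is the unhide-style check.
"""
import os


def listed_pids() -> set:
    """PIDs visible through a directory listing of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid: int = 65536) -> set:
    """PIDs that answer kill(pid, 0); EPERM means the PID exists but is not ours.
    max_pid is a pragmatic cap; read /proc/sys/kernel/pid_max for the full range."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def read_tgid(pid: int):
    """Thread-group id from /proc/<pid>/status, or None if the entry is unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden(listed: set, probed: set, tgid_of=read_tgid):
    """Split PIDs that answer signals but are absent from the listing into
    `hidden` (thread-group leaders that should have been listed) and
    `no_entry` (no readable /proc entry at all: a race with process exit, or a
    task hidden from /proc entirely). Ordinary threads (Tgid != pid) are
    expected to be absent from the listing and are ignored."""
    hidden, no_entry = set(), set()
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid is None:
            no_entry.add(pid)
        elif tgid == pid:
            hidden.add(pid)
    return hidden, no_entry


if __name__ == "__main__":
    # Take the listing on both sides of the probe to reduce exit/spawn races.
    before = listed_pids()
    probed = probed_pids()
    after = listed_pids()
    hidden, no_entry = find_hidden(before | after, probed)
    print("hidden thread-group leaders:", sorted(hidden))
    print("answer signals but have no /proc entry:", sorted(no_entry))
```

Anything in the `hidden` set deserves a look at /proc/<pid>/exe and /proc/<pid>/maps before the rootkit notices the inspection; a non-empty `no_entry` set that survives a re-run is equally suspicious.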
3.2.2.2 SHC-compiled scripts make mining Trojans more covert
In 2023, Antiy CERT combed through the mining Trojans it monitored and found that their operators had begun using various obfuscation and encryption techniques to hide malware from security detection. Among these, compiling scripts with the Shell Script Compiler (shc) has become increasingly popular, and shc has become a new tool of choice for raising the invisibility of mining scripts. shc turns a shell script into a binary executable that carries the script in encrypted form, which effectively hides the script source and makes it hard for analysts to read the code directly. Beyond hindering source analysis, this also defeats signature-based detection, because each build uses a new key and so the resulting binary has a different hash. In 2023, Antiy CERT analyzed mining Trojans such as Hoze [29], Yayaya Miner and Diicot [30], all of which launched their initial attacks with shc-compiled scripts, easing the spread of the mining Trojans and raising the risk of infection for users' systems.
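As an added example (not from the Antiy report), the following Python script is a static triage check for shc-compiled binaries. shc does not translate the script into C: it embeds the script in the output ELF, RC4-encrypted under a random per-build key, and at run time the stub decrypts it and hands it to the interpreter fixed at compile time. The marker string used here is an error message from the shc runtime stub as I know it; treat it as an assumption and confirm it with `strings` on a build of the shc version you are dealing with. The sample binary is constructed and not a runnable executable.

```python
"""Added example: static triage of ELF files for shc-compiled shell scripts.

shc hides the script from static reading, not from execution: the stub must
hand the plaintext to the interpreter, so the interpreter path survives in the
binary and the runtime stub's own strings survive too. SHC_ARGV_MARKER is an
ASSUMPTION taken from the shc runtime stub source; verify it against your build.
"""
import sys

ELF_MAGIC = b"\x7fELF"
SHC_ARGV_MARKER = b"neither argv[0] nor $_ works"   # assumption: shc runtime stub error text
# Interpreter paths the stub may carry; reported for context only.
SHELLS = (b"/bin/bash", b"/bin/sh", b"/bin/dash", b"/bin/zsh", b"/bin/ksh")


def shc_indicators(data: bytes) -> dict:
    """Return what in the bytes points at shc and a coarse verdict."""
    is_elf = data.startswith(ELF_MAGIC)
    has_marker = SHC_ARGV_MARKER in data
    interpreter = next((s.decode() for s in SHELLS if s + b"\x00" in data), None)
    if is_elf and has_marker:
        verdict = "shc"
    elif has_marker:
        verdict = "marker-only"      # not an ELF but carries the string; look closer
    else:
        verdict = "none"
    return {"elf": is_elf, "marker": has_marker, "interpreter": interpreter, "verdict": verdict}


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return {"path": path, **shc_indicators(f.read())}


def build_sample_binary() -> bytes:
    """CONSTRUCTED stand-in for an shc output: ELF magic plus the kind of strings
    a real build leaves in its read-only data, followed by opaque bytes standing in
    for the encrypted script. It is not an executable."""
    return (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
            + b"/bin/bash\x00-c\x00E: " + SHC_ARGV_MARKER + b".\x00"
            + bytes(range(256)))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(scan_file(path))
    if len(sys.argv) == 1:
        print(shc_indicators(build_sample_binary()))
```

Because the stub has to pass the decrypted script to the shell, dynamic recovery is straightforward: running the sample under `strace -f` in a sandbox, or placing a logging wrapper at the interpreter path it names, exposes the plaintext script that the per-build encryption hides from static tools.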
3.2.3 Frequent black-industry threat activity using remote-access Trojans
In 2023, threats from black-industry (cybercrime) gangs were characterized by constantly changing methods and rapid turnover of resources. Take "SwimSnake", the most active black-industry gang of 2023: its phishing and fraud campaigns against users in China were large in scale and long-lasting, and caused real economic losses to enterprises. Such gangs spread many variants of malicious programs, update their evasion techniques quickly, change infrastructure frequently, and attack targets across a wide range of industries. In terms of technique, they mainly load malicious payloads by "white plus black" (a legitimate signed program sideloading a malicious DLL), execute shellcode in memory, decrypt the payload file in memory, and finally deploy a remote-access Trojan (RAT) payload. Antiy CERT refers collectively to black-industry gangs with these characteristics as "SwimSnake".
3.2.3.1 Spreading malicious files through multiple channels to deliver remote-access Trojans
The SwimSnake gang spreads malicious files through instant messaging software, malicious promotion in search engines, and phishing emails. When spreading through instant messaging software such as WeChat and WeChat Work, the attacker delivers malicious files disguised as documents to the target user. When spreading through search engines, the gang disguises the malicious file as the installation package of commonly used software, sets up a phishing download site, and promotes it through paid search placement, so that users download and run the disguised file by mistake. When spreading through phishing email, the gang sends emails whose subjects and bodies concern "invoices" and "summonses", with links in the body to phishing sites imitating tax authorities and invoicing services, and hosts the malicious files on those sites.
Compared with the latter two channels, spreading malicious files through instant messaging software takes more labor and time. The gang therefore creates groups in overseas social networking software through "agents", recruits large numbers of "distributors" paid per result, teaches them a variety of phishing techniques, and then has the distributors push malicious files to attack targets across industries through online promotion, online chat and local push, inducing the target users to run them. The gang thus establishes a three-tier structure with itself upstream, the "agents" in the middle and the "distributors" downstream, achieving large-scale spread of malicious documents and forming an operating model in which remote-access Trojans are delivered through instant messaging software [31].
3.2.3.2 Using open-source remote-access Trojans and frequently updating evasion techniques
Black-industry gangs frequently update their evasion ("kill-free") techniques and confront security products continuously, using "white plus black" loading of malicious payloads, in-memory shellcode execution, in-memory payload decryption and so on, with the white program, the encryption and decryption methods and the key-encrypted payload all swapped regularly. To bypass conventional detection, the gang usually stores the prepared shellcode in a text file; its loader reads the text and executes the shellcode in memory, the shellcode performs multiple layers of decryption, and finally the RAT payload is loaded in memory. This mode increases the stealth of RAT execution and presents security products with new challenges.
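As an added example (not from the Antiy report), the following Python script triages a directory for the staging layout described above: an EXE, a DLL beside it, and a non-executable "carrier" file whose content is really a shellcode-sized blob, stored raw or as hex or base64 text. The file names in the constructed sample directory (vendor_update.exe, vendor_core.dll, config.txt) are hypothetical, the "shellcode" is random bytes, and the size and entropy thresholds are my own choices.

```python
"""Added example: triage a directory for the 'white plus black' loader layout.

The carrier check decodes one text layer (hex or base64) before measuring
entropy, because shellcode kept 'in a text file' is usually encoded, and a
hex dump of random bytes has only 4 bits/byte of entropy. Measuring after
decoding also filters plain prose, which is valid base64 but decodes to
low-entropy bytes.
"""
import base64
import math
import os
import tempfile
from collections import Counter

CARRIER_EXT = {".txt", ".dat", ".log", ".ini", ".bin", ".db"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_layer(data: bytes):
    """Strip one text encoding layer: ('hex', bytes), ('base64', bytes) or (None, data)."""
    compact = b"".join(data.split())
    try:
        return "hex", bytes.fromhex(compact.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        pass
    try:
        return "base64", base64.b64decode(compact, validate=True)
    except (ValueError, UnicodeDecodeError):
        pass
    return None, data


def classify_carrier(data: bytes, min_size: int = 2048, min_entropy: float = 7.0):
    """Describe the file if it is (or decodes to) a shellcode-sized high-entropy blob, else None."""
    if len(data) < min_size:
        return None
    encoding, blob = decode_layer(data)
    if len(blob) < min_size:
        return None
    entropy = shannon_entropy(blob)
    if entropy < min_entropy:
        return None
    return f"{encoding or 'raw'} (entropy {entropy:.2f})"


def triage_dir(path: str) -> dict:
    """Report EXE/DLL pairs and suspicious carrier files found in one directory."""
    names = sorted(os.listdir(path))
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    carriers = []
    for name in names:
        if os.path.splitext(name)[1].lower() not in CARRIER_EXT:
            continue
        with open(os.path.join(path, name), "rb") as f:
            kind = classify_carrier(f.read(1 << 20))   # the first MiB is enough to judge
        if kind:
            carriers.append((name, kind))
    return {"exes": exes, "dlls": dlls, "carriers": carriers,
            "suspicious": bool(exes and dlls and carriers)}


def build_sample_dir() -> str:
    """CONSTRUCTED staging directory with the suspicious layout; the 'shellcode' is random bytes."""
    d = tempfile.mkdtemp(prefix="white_black_")
    for name in ("vendor_update.exe", "vendor_core.dll"):   # hypothetical names
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)                  # PE header stub, not a real program
    with open(os.path.join(d, "config.txt"), "w") as f:
        f.write(os.urandom(4096).hex())                     # shellcode-sized blob stored as hex text
    return d


def build_clean_dir() -> str:
    """CONSTRUCTED control directory: ordinary prose in a text file, no EXE/DLL pair."""
    d = tempfile.mkdtemp(prefix="clean_")
    with open(os.path.join(d, "readme.txt"), "w") as f:
        f.write("Release notes for the installer.\n" * 200)
    return d


if __name__ == "__main__":
    print(triage_dir(build_sample_dir()))
    print(triage_dir(build_clean_dir()))
```

In a real hunt the EXE's signature and the DLL's export names (whether the DLL is one the signed program actually imports) are the next things to check; the entropy test alone is only meant to pull candidate directories out of a large filesystem.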
For the RAT itself, the gang takes mature open-source RAT code for secondary development; the families observed include Gh0st and its variants, Winos, AsyncRAT, DcRAT and SiMayRAT. These RATs consist of a controlled end (the implant) and a control end. The implant embedded in the victim host collects various information about the host, including basic system information, window information and installed security products, and sends it to the C2 server as an online (check-in) packet to establish communication with the control end; the communication content is usually encrypted and decrypted with a custom algorithm. The RATs can also receive remote control commands and execute the corresponding functions, and usually support extending their functionality by downloading and executing plug-ins. Through the control end program the attacker can view the implant's online information, monitor its screen, manage the files on the host and remotely control it.
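As an added example (not from the Antiy report), the following Python parser decodes the classic Gh0st RAT frame, the wire format that many of the Gh0st-derived families above inherit: a 5-byte magic ("Gh0st" in the original source), a little-endian uint32 total frame length including the header, a little-endian uint32 length of the uncompressed body, then the body compressed with zlib. Variants re-brand the magic and sometimes wrap the body in a custom cipher, so the accepted magics are a parameter. The check-in payload and the alternative magic "Level" are constructed for the example, not captured from real traffic.

```python
"""Added example: parser and stream scanner for classic Gh0st RAT framing.

Frame = magic(5) + total_len(uint32 LE, header included) + plain_len(uint32 LE)
        + zlib(body). Gh0st variants keep the structure and change the magic.
The sample check-in body is CONSTRUCTED; the "Level" magic is hypothetical.
"""
import struct
import zlib

HEADER_LEN = 13  # 5-byte magic + two uint32 lengths


def build_frame(payload: bytes, magic: bytes = b"Gh0st") -> bytes:
    """Encode a body the way the classic Gh0st client does (used here to fabricate test traffic)."""
    if len(magic) != 5:
        raise ValueError("Gh0st magic is 5 bytes")
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_frame(buf: bytes, magics=(b"Gh0st",)):
    """Decode one frame at the start of buf; None if it is not a well-formed frame."""
    if len(buf) < HEADER_LEN or buf[:5] not in magics:
        return None
    total_len, plain_len = struct.unpack("<II", buf[5:HEADER_LEN])
    if total_len < HEADER_LEN or total_len > len(buf):
        return None  # truncated frame or bogus length field
    try:
        body = zlib.decompress(buf[HEADER_LEN:total_len])
    except zlib.error:
        return None
    if len(body) != plain_len:
        return None  # length field disagrees with the inflated body
    return {"magic": buf[:5], "total_len": total_len, "payload": body}


def scan_stream(data: bytes, magics=(b"Gh0st",)) -> list:
    """Walk a reassembled TCP stream and return every well-formed frame in it."""
    frames, i = [], 0
    while i <= len(data) - HEADER_LEN:
        frame = parse_frame(data[i:], magics)
        if frame is None:
            i += 1
        else:
            frames.append(frame)
            i += frame["total_len"]
    return frames


# Constructed check-in body: a command byte followed by host details, roughly
# the kind of system information the implant reports when it comes online.
SAMPLE_CHECKIN = b"\x65" + b"WIN-LAB01|192.0.2.10|Windows 10|AVProductName"

if __name__ == "__main__":
    stream = b"\x00\x01junk" + build_frame(SAMPLE_CHECKIN) + build_frame(b"\x01heartbeat", b"Level")
    for f in scan_stream(stream, magics=(b"Gh0st", b"Level")):
        print(f["magic"], f["total_len"], f["payload"])
```

The double length check (declared total length versus the inflated body length) is what makes this usable as a detection signature rather than a magic-string grep: random data that happens to start with the magic almost never inflates to the declared size. For a variant that adds a custom cipher on top, the zlib step would have to be replaced by that family's decryption routine.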
3.2.3.3 Using remote control of instant messaging software and impersonation to defraud target users
In the 2023 attacks, the gang combined social engineering with fraud routines: once the RAT is in place, the gang mainly takes control of the instant messaging software on the victim host, such as WeChat and WeChat Work, to carry out follow-on attacks. Black-industry gangs screen and classify victims by industry, identity, position and other factors, and apply different follow-on methods to different types of target user groups [32].
Since the gang's main purpose is economic gain, people in finance-related industries and companies' financial staff are its key targets. For such targets, the gang remotely controls the victim host through the RAT, identifies a leader from the remarks in the victim's WeChat address book, deletes that leader's real WeChat account, adds a fake WeChat account with the same profile picture and name as the leader, and uses the fake account to gradually induce the victim to transfer money, completing the fraud. An attacker can also use the chat history to learn more about the victim and the victim's contacts, making the impersonation more convincing.
For e-commerce customer service, corporate customer service and store contacts, the gangs mainly add the victim's WeChat or WeChat Work contacts to a pre-created group and then remove the victim's own account once the contacts have been added. Since most of the contacts of such people are their customers, the gang dresses up the group it created and conducts centralized fraud against the users in it. It lowers the users' guard by sending red envelopes or small sums of money to the group, then induces them to join further groups or add the WeChat of a so-called receptionist, screening layer by layer, and finally induces the selected targets to transfer funds.
3.3 The Trend of Threat Generalization
In 2013, Antiy used the term "Malware / Other" to describe the spread of security threats to new areas such as smart devices and the Internet of Things, and "generalization" has been an important threat trend in Antiy's research ever since. Generalization means that attackers' targets are no longer limited to traditional smart devices such as mobile phones and computers: new areas empowered by smart technology, such as the smart home, the industrial Internet of Things and critical infrastructure, are also targets that attackers actively exploit.
According to the Guidelines for the Construction of a New Infrastructure Standard System for the Internet of Things (2023 Edition) [33], a new IoT infrastructure standard system is to be basically established by 2025, with more than 30 new national and industry standards formulated and participation in the formulation of more than 10 international standards, providing strong support for IoT development. The state has also issued a number of policies encouraging the application of IoT technology to promote the intelligent, refined and networked transformation of production, daily life and social management.
However, the rapid development of IoT also implies security risks that cannot be underestimated. Compared with 2022, malware attacks on IoT devices worldwide grew rapidly, particularly in the manufacturing sector, which relies heavily on IoT and OT systems. The further convergence of IT and OT improves operational efficiency but also brings a series of severe security problems: vulnerability management becomes harder, supply chain risk rises, and the attack surface expands.
In addition, the number of IoT devices grows year by year; IP cameras are integrated with IoT technology, and wireless access points are ubiquitous in organizations and enterprises. Defects in management and use, such as unchanged initial passwords, Telnet remote login enabled by default, management interfaces exposed to the Internet, no vulnerability management after deployment, and patches not applied in time or not available at all, allow attackers to build IoT botnets from such devices to launch DDoS attacks or other malicious activity. For example, in November 2023 the InfectedSlurs botnet infected routers and video recorders that still used default credentials, using two vulnerabilities that allowed remote code execution. Compared with traditional botnets, IoT botnets can generate traffic peaks of 1-2 Tbps and are larger in device count.
The rapid development of AI technology has brought positive impacts to society, but the growing threat of AI-driven cybercrime also needs watching. AI's ability to learn and optimize means it can analyse individual characteristics, preferences and behavioural patterns from large amounts of data to target social engineering attacks, learn from the outcome of each attack, continuously optimize the attack strategy, and raise the odds of deceiving the victim. With deepfake technology, AI can also create highly realistic audio and video of a person to spread rumors, damage reputations and even commit crimes by impersonating others. In August 2023, for example, attackers impersonated employees of the software development company Retool and used deepfake technology to trick a victim into providing multi-factor authentication (MFA) codes under the pretext of an account problem, which ultimately led to the disclosure of account information of 27 of the company's customers.
Against increasing global threats, critical infrastructure faces cyber attacks from many directions and has become a key target. In cyber warfare, attacks on such facilities cause large-scale paralysis of power, networks, medical systems and so on, seriously affecting the normal operation of society. For example, in December 2023 the Italian cloud service provider Westpole was hit by a LockBit 3.0 ransomware attack that took down more than 1,300 public administration services in as many as 540 cities and forced some cities to fall back to manual operations. The digital transformation of critical infrastructure also raises its risk of attack. Many organizations have defensive shortcomings in high-priority areas such as defense-in-depth construction, exposed-surface management, remote access management, host system security, vulnerability response and employee security awareness, all of which attackers can exploit. Attackers also commonly infiltrate the upstream software and hardware supply chain to gain an advantage in advance; penetration of one link brings security risk to the key system and to the whole. Insufficient defense investment, low defensive capability, exposed defensive surfaces and defense that fails to cover the whole life cycle all give attackers their openings. In a complex and volatile international situation, the risks facing China's critical infrastructure are escalating sharply, and we need to prepare for high winds and even fierce waves.
Currently, the generalization of security threats has become the norm. As in the annual reports of past years, a new chart of "network security threat generalization and distribution" shows the situation of threat generalization in 2023.
3.4 Network security risks are fully translated into data and business risks
Today, data is one of an organization's most important assets. Large-scale data storage provides the soil for the growth of AI, and AI lets the world glimpse massive data turning quantitative change into qualitative change; the value of data assets has risen as never before. But the bright side has its shadow: the high-value data assets held by some organizations are targeted by attackers, ransomware attacks carry the risk of data leakage, the impact of data breaches triggered by high-risk vulnerabilities cannot be underestimated, and data breaches triggered by political factors can even affect the international situation.
3.4.1 Data breach losses hit a record high
In the digital age where everything is connected, the digital economy has risen rapidly, making data an important asset and strategic resource, and the risks surrounding it keep rising. According to relevant statistics, the global average cost of a data breach reached 4.45 million US dollars in 2023, a record high [34]. Organizations suffering serious data leakage are increasingly in critical information infrastructure and in the middle and upper reaches of industrial chains, and healthcare has been the industry with the highest data breach cost for 12 consecutive years. The data held by these organizations carries a degree of "credibility" and is relatively complete, authentic, large in volume and rich in type, so it is considered high value. Studies find that 83% of breaches are financially motivated [35], so such high-value data is all the more coveted by attackers. As attack methods keep evolving and vulnerabilities are weaponized, the cost of attacking organizations holding high-value data falls, and data theft will increasingly be aimed at them.
3.4.2 Data breach risks associated with ransomware attacks
The overlap between ransomware targets and data leakage targets is very high: the organizations that get extorted usually hold high-value data, and extorting them tends to yield higher returns. Ransomware attacks have evolved to selectively attack critical systems, data or information after in-depth target analysis and reconnaissance, forcing victims to choose between paying a high ransom and suffering the damage of a critical data breach. Whether or not the ransom is paid, the right to dispose of the stolen data remains with the attacker, so the data breach risk persists. Ransomware attacks are generally for economic gain, and the victim's high-value data gives the extortionist a "side business", so wherever there is ransomware there is data leakage risk.
To compel the victim to pay, some extortion groups publish a sample of the leaked documents in advance, threatening or inducing the victim to meet their demands and using this as leverage. MSI, the Taiwan-based computer component manufacturer, was attacked by the Money Message ransomware gang, which claimed to have stolen source code from MSI's corporate network and posted on its site the CTMS and ERP databases together with screenshots containing software source code, private keys and BIOS firmware files, threatening to release the stolen files within five days unless its ransom demand was met. In the end MSI refused the demand, and the leak imposed a heavy cost on MSI, Intel and other companies.
3.4.3 Exploitation of vulnerabilities remains the main entry point for data theft
The MOVEit breach, one of the highest-profile breaches of 2023, began a wave of cyber attacks and data breaches after MOVEit Transfer was found to contain multiple high-risk vulnerabilities (CVE-2023-34362, CVE-2023-36932, CVE-2023-36933, CVE-2023-36934). Using them, attackers could view, modify and delete database contents, escalate privileges and execute code. Hacking groups began exploiting the MOVEit vulnerability in May; by September, statistics showed that the Cl0p extortion group alone had used it to attack more than 2,000 organizations, affecting more than 60 million individuals. The list of MOVEit victims keeps growing, while Cl0p has temporarily abandoned the use of ransomware in favor of stealing sensitive data only and threatening to leak it unless a ransom is paid [37]. As of December 20, the number of organizations attacked had grown to 2,611, as shown in Figure 35.

Although most of the victims are in Europe and the US, the incident also sounds an alarm for the domestic cybersecurity field. The Cl0p extortion group has repeatedly used high-risk vulnerabilities to steal data and extort money, and its "demonstration effect" may attract other hacking groups to follow suit. High-value data has led ransomware groups to temporarily set aside encryption and extort directly with the data; the impact of attacks on data systems cannot be underestimated, data security needs to be taken seriously in every sector, and preventive measures must be timely and effective.
3.4.4 Data breaches triggered by political factors threaten national security and affect the international situation
Geopolitical turmoil in 2023 led to heated exchanges between hacker groups and individuals from different camps, which also produced a large number of data breaches. For example, the NATO military archive leak exposed drawings, technical parameters and other information on large numbers of aircraft, missiles, drones, warships and other military facilities. XVigil, the AI digital risk platform of the cybersecurity firm CloudSEK, found [38] that multiple hacking groups had orchestrated cyber attacks on India because of its long-standing support for Israel. The motivation behind these attacks is mainly political, and the resulting breaches have seriously affected the security of countries, organizations and individuals.
The leak of classified documents related to the Russia-Ukraine conflict directly affected the course of that conflict. The leaked documents concerned intelligence on the conflict, detailing the deployment and status of Ukrainian and Russian forces and, in particular, exposing potential weaknesses in Ukraine's air defenses, which posed an intelligence threat to Ukraine's planned spring counter-offensive. Other documents dealt with defense and security issues in the Middle East and the Indo-Pacific and exposed US spying on allies such as South Korea, Israel and Ukraine, which may trigger a new crisis of confidence [39]. Foreign media called it the largest US leak since the "PRISM" disclosures of 2013 [40].
In the Israel-Palestine conflict and the Russia-Ukraine conflict, the deep involvement of national intelligence agencies and hacker organizations has formed a peripheral "cyber battlefield", and data leakage triggered by political factors threatens national security and affects regional and international situations. In a complex and changeable international situation, our country also faces data security challenges and needs to be well prepared for them.
4.Summary of 2023 Threat Trends
Looking back at the key threats of 2023: the overall situation of Advanced Persistent Threat (APT) activity remains critical; the targeted ransomware-as-a-service (RaaS) model is maturing and intensifying ransomware attacks; profit-driven black-industry threats such as mining, remote control and data theft are becoming more hidden and complicated; and the attack surface created by the generalization of threats keeps spreading and expanding. Threats never sleep, and attacks with political, economic and military intent pose more pointed and deeper challenges to the governance of China's cyberspace security.
Whether launched by ultra-high-capability, high-capability or general-capability state/regional actors, or by cyber-terrorist organizations, cybercriminal gangs, hacker groups, black-industry organizations or amateur hackers, network attacks are likely to penetrate existing defense systems, and attackers resort to "false flag" tactics. They exhaust every kind of attack method (even directly recruiting insiders), launching offline and online attacks on the organization's staff who interact with the Internet frequently and deeply, such as human resources, finance, operations and maintenance, and customer service, and use social engineering to exploit lapses in staff security awareness to break through the organization's defensive line. Defense in depth and resource allocation should therefore not be distributed uniformly by topology and asset distribution alone, but should be targeted and focused.
As noted above, because attackers are adept at open-source intelligence such as cyberspace mapping engines and have long accumulated the exposed surfaces of important targets, the appearance of PoC code triggers a rush of attackers matching it against penetrable targets; Antiy CERT calls such attacks "1Exp" attacks. Since RaaS plus targeted extortion is itself a "crowdfunded crime" model, it yields a large number of attackers who each focus on different target resources or hold targeted intelligence, and any of them can turn the window of opportunity into actual gain as soon as it is discovered.
Because network devices and network security devices are easily reachable resources, security products themselves are easily overlooked as attack entry points. These key threats make plain that a security product (device), or a product (device) with some security capability, is not in itself absolutely secure: its whole design applies security capability to external objects or traffic, without truly treating itself as a target the attacker may strike and hardening itself accordingly. At the same time, because these products (devices) have security functions, they tend in real deployments to give users the cognitive illusion that "the product itself is safe", which makes them all the easier to turn into the attacker's breakthrough point.
Unified identity authentication, privilege management and access control are the cornerstone of the security and compliance system; unified identity authentication in particular brings convenience while supporting security. In the Boeing case, however, the attackers readily stole the relevant credentials and identities and used them to attack and move laterally. Because this behavior was not generic probing and scanning but targeted implantation and delivery using bound credentials, the attack was entirely invisible on Boeing's side. This shows that, without effective fine-grained perception and agile closed-loop operational capability, once the identity and privilege mechanism is broken it becomes cover for the attacker, letting the attacker move unimpeded through the whole compliance system.
Attackers at different levels constantly learn from and improve their techniques and tactics, and gradually incorporate legitimate tools into their arsenals in addition to using commercial tools, self-research tools and open-source tools. In some similar targeted blackmail or APT-level targeted attacks, based on the sorting of attack equipment lists, a large proportion of malware is no longer in the traditional sense, They are tools or scripts written for normal network management applications, many of which are well-known open source tools and commercial products that often carry the digital signature of the publisher. This combination uses multiple sources of executor attacks, which Antiy CERT calls hybrid executor attacks. This makes the attack move from the penetration to the host based on immunity in the early stage, and further to the hybrid attack which can break the dual security system of anti-virus engine + trusted authentication. Protection against this attack, a simple combination of anti-virus engine + trusted verification, is obviously insufficient granularity.
In essence, that attack must rely on the host side to deliver, load, run the payload and finally achieve the effect by using various way to penetrate the boundary defense measures and establish the persistent access, In that case of blackmail, Boeing’s defense system was almost insensitive, indicate that its host-side security products and operational capability are extremely inadequate, and this problem is even more serious at home: In the context of digital development, Insufficient understanding of the inevitable trend of “returning the cornerstone of security to the host system side,” and the security requirements of the host side are still understood as compliant host anti-virus software or protection software. And are more likely to choose products at a lower price than with a more efficient ability. In addition, because that work on the host side is more complex and delicate, and involve more relations with the information and use departments, the defense is not willing to invest the main security cost and management resources on the host side. All this makes it increasingly difficult for the last line of security to resist directed attacks.
5.A Look at the Threat in 2024
6.Defense and governance thinking
6.1 A deeper focus on how attacks operate and on the laws of society helps re-understand defense
The study of cyber attacks should not be divorced from geopolitical security and the economic and social soil, and should pay close attention to the motives and operating modes of the various kinds of attack. Taking extortion attacks as an example, from the perspective of criminal profit, obtaining a high ransom corresponds to a higher criminal cost for the gangs, including purchasing 0-day vulnerabilities, developing high-level malware, and buying corporate insiders and intelligence. From the other side, the attackers create the predicament that "if the ransom is not paid, the victim suffers a combined loss far higher than the ransom."
Cyber security confrontation and protection have already become a competition between economic operating mechanisms. On the defensive side, in terms of budget input, we usually take the proportion of network security within the informatization budget as the yardstick, which has long made network security a dependent, supporting and suppressed item. Whether the consequences of cyber security risk should instead be the primary measure of security investment is something we also need to think about.
From the opposite direction, let us consider what the benchmark for network security investment should be. We believe that in planning and budgeting, network security must be an independent budget with an independent evaluation frame, rather than simply a component of informatization. The reasonable measure of security investment is the value of the assets it operates and protects and the risk loss that security incidents would cause, not the IT investment. The traditional idea of planning security investment as a limited proportion of informatization has become an obstacle to building security capability. The logical error lies in misdefining the object that network security protects: security capability guarantees not the value of IT fixed-asset investment but the value of business and data assets. For infrastructure and government-enterprise institutions that depend heavily on their information systems, network security guarantees the full value of the institution; where the institution is an enterprise, that value is its business value and revenue. Judging the rationality of security investment against this value is the true yardstick, rather than a cost yardstick tied only to informatization spend. For centrally administered enterprises and key infrastructure sectors, it is also necessary to assess how far the corresponding security risks extend from the enterprise's risk chain to national security, the safety of social governance and the risks to individual citizens. LockBit's ransom rules show that the attacker understands this rule better than the defender does, a fact we must pay attention to.
6.2 The correct perception of threat is the basis for effective defense improvement
At present, cyberspace threats against critical information infrastructure and important network information systems are no longer merely technical events and technical risks; against the complex international security situation and geo-security background, they have the nature of intelligence operations or cyber-warfare activity. We need to see through surface phenomena such as "website tampering," "data leakage," "extortion paralysis" and "phishing emails" and recognize threats using scientific and engineering methods, in order to better support threat analysis and further improve protection capability. Traditional protection methods are only the basic work of establishing a network defense system: effective against general attacks, but not enough against threat actors of super-high capability. To cope with "systematic attacks," the defense system for critical information infrastructure must be aligned to defend against high-capability adversaries and establish a "systematic defense" that withstands the repeated tests of attackers and reconnaissance.
In addition, protection against extortion attacks often remains at the stage of the original ransomware. Many people do not realize that extortion attacks now consist of persistent targeted intrusion, data theft, encryption and disabling of data systems, extortion, mining the stolen data for secondary value, selling the data and reporting the victim to regulators. The theft and publication of data constitutes a chain of value infringement and has formed an extremely large criminal industry. In such a context, the risk of being extorted is no longer simply the consequence of data loss and business suspension, but a chain of risks in which all stolen data may be trafficked and made public.
In its mode of operation, a targeted extortion attack is a highly customized process, similar to an APT attack, up to the moment the encrypt-and-destroy action is triggered. The attacker or professional attack operation team has a firm will to attack, high attack capability, sufficient exploitable vulnerabilities, and a large amount of vulnerability intelligence and attack-entry resources; there may also be an insider. This is why RaaS-based targeted extortion attacks often succeed against large organizations with strong IT operational capability and substantial defense investment.
At the same time, the reliability of a complex system cannot depend on no problem ever occurring at any node; given the scale of modern information systems, and especially when operating against high-level threat actors, single-point failures are inevitable. The need to match a systematic attack with systematic defense is the most basic understanding that there is no silver bullet in defense. Host system protection, which serves as the last line of defense against extortion, and backup and recovery, which serves as the last response, are each single points in the defense system. In responding to a high-level targeted attack, each is responsible, within its own capability, for detecting and blocking the attack, reducing its success rate, raising the attacker's cost and reducing the risk loss. A single point cannot fight a systematic attack.
We must seriously point out that it is an extremely backward and one-sided security view to equate the threat of targeted extortion attacks with the threat of early non-targeted, widely spread ransomware, and to regard anti-extortion as merely a single-point contest of encrypt-and-destroy versus backup recovery. Relying on data backup and recovery to deal with extortion attacks without a complete protection system and operating mechanism is like facing an opposing team with only a goalkeeper.
6.3 An objective view of the adversary situation is the premise of network security defense
In recent years, China's overall level of network security protection has made great progress, but in the face of high-level cyberspace threats the ability to deploy effective defense is still insufficient. One reason is that the capability system, operational intent, equipment and support system of ultra-high-capability threat actors are not well understood, and analysis and deduction are not deep enough; there is a lack of worst-case deduction of important factors such as the attacking behaviors that would be imposed on the relevant scenarios and their potential consequences. This leads to deviation in the direction of construction and lag in construction thinking.
Network security protection is not wishful thinking or closed-door planning and implementation, but systematic and rigorous work that must face up to threats, confront adversaries and superimpose the elements of adversary and threat on the defense system. It is a great struggle for the future of the country and the well-being of the people. We should fully recognize the severity of the adversary situation faced by cyber security, and thoroughly implement the holistic national security concept against the background of great-power competition and geopolitical security struggle. Constructing the adversary scenario should be an important step in security planning: "the enemy within" should be taken as the basic scenario, and the countermeasure scenarios and conditions analyzed pertinently. The interaction between target value, the threat actor's actions and the consequences should be studied comprehensively, and the opponent's intentions and purposes understood deeply. Truly based on the organizational structure, support system, attack equipment, operational means, operational system and action characteristics of high-capability cyber threat actors, these should be superimposed on specific defense scenarios for deduction and analysis, improving the understanding of the laws of defense and forming standards for effective defense-oriented capability building and practical testing. We should always adhere to the principle that objective consideration of the adversary situation is the prerequisite for security work, not be afraid to recognize the long-term, continuous and arduous complexity of that situation, and not be confused by the low visibility of the adversary in cyberspace.
We should not be misled by outdated perceptions and wrong concepts, should persist in despising the adversary strategically while taking it seriously tactically, and should base cyber security defense on the correct adversary scenario, so as to build a dynamic, comprehensive and effective defense capability.
In terms of the damage caused by targeted extortion attacks, we must change the cognitive paradigm of security risk and value. Targeted extortion attacks combine data theft, disabling of systems and business, data trafficking and data exposure. The biggest risk is not only that systems and business are paralyzed and cannot be recovered, but also that the core assets of the attacked enterprise, such as user information, key data, documents, materials and code, are sold off and exposed to the public, with still larger ripple effects. Judging from long-term reality in the security field at home and abroad, the motivation of many government and enterprise institutions to improve security does not come from their own initiative to raise their protection level; many believe the most likely security risk is not an attack but a penalty for failing to meet compliance standards. The field of security protection has therefore formed a low-bar operating logic of "invest for compliance, comply for exemption." Regarding the consequences of targeted extortion attacks, IT decision-makers must judge the extreme risks and judge the value of network security by the loss those extreme risks would cause. Avoiding extreme situations such as long-term business interruption, completely unrecoverable data, stolen data assets being bought by competitors, or serious depreciation due to exposure is a risk that IT decision-makers and every institution must address.
Protection against this kind of targeted attack cannot rely on a single point to break out of encirclement; it must proceed from overall protection, insist on moving the gateway forward and deploying forward, build depth and run a closed loop, and finally, through the protection system, achieve the practical results of perceiving, interfering with, blocking and exposing the targeted attacker's kill chain.
Beyond compliance requirements and the existing installed base, as the cases represented by targeted extortion show, analysis of the elements of security investment also needs to consider: the overall value of business and data assets; the maximum risk loss an attack could cause; the probability of encountering an attacker and the attack cost the attacker's capability can bear. These factors are the effective measure of the rationality of security investment. Relying solely on the government and enterprise institutions themselves often means knowing oneself without knowing the enemy, making a high-quality assessment difficult and calling for the empowerment of public goods.
6.4 High-quality technical analysis is an important strategic support capability
In-depth, systematic threat analysis capability has long been a strength of the domestic network security industry. Through the long-term threat analysis struggle (including analysis of virus samples in the late 1980s, of major worm events from the beginning of this century, and of series of APT events from around 2010), China's cyber security industry has produced a large number of high-quality analysis results, promoted technological innovation, product development and continuous operation, and effectively supported decision-making in the relevant public security fields. A large number of engineers with a high analytical level have been accumulated, and from the industry perspective more and more security enterprises can carry out effective threat analysis.
However, attention should be paid to the following. 1. In the past few years, high-quality analysis results have declined: analysis work tends to chase quick results on early vulnerability disclosures and hot events, while unwillingness to track deep threats continuously over a long period and at high cost is quite common. 2. Many network security enterprises regard maintaining and improving analysis capability as a high labor cost and are unwilling to expand analysis teams and improve the system. 3. In user units and management departments, some hold the biased view that "the analysis report is the vendor's soft advertising." This ignores how important such analysis is for judging threats accurately, tracing threat actors and judging the key direction of defense.
What we must be vigilant about is that, under the effect of this negative feedback, analysis capability, the strength of our industry, will continue to degrade.
6.5 Reconstruct the defense foundation of the security level of host system
The host system is the bearer of the value of business and data assets, and also the ultimate target of the attacker. Host protection has a long history: terminal anti-virus software began to spread in the mid-to-late 1980s, yet today, in actual analysis, evidence collection and disk imaging, host security has instead become one of the weakest links. With asset value constantly migrating to cloud hosts (workloads) and intervention becoming ubiquitous, the value of traditional security links such as firewalls is dramatically weakened, and the widespread use of encrypted traffic further weakens the visibility of traffic-side security capability. Both force the foundation of security back to the host system: security boundaries are built on top of each host system, and these fine-grained security boundaries are organized into a defense.
In the host security defense system, a large number of security functions such as host environment shaping, malware scanning and removal, active monitoring, media control and host firewall are integrated as building blocks for flexible deployment on demand. Against attack modes such as phishing delivery, vulnerability exploitation and malicious media insertion, a micro defense-in-depth comprising host boundary protection, object detection, behavior control and sensitive data protection can be formed on the host side, effectively building the defense foundation at the security level of the host system.
6.6 Continuous closed-loop operation centered on executor governance
For a very long period, past and future, the main paradigm of cyberspace confrontation is operational warfare. Operation is the process of transforming data into instructions through execution entry points, and the conditions operation depends on are the key opportunity for defense. Meanwhile, we must recognize that the basic mode in which an information system completes its functions and tasks, running on a host of executors with computing power, will not change; the operating mode of the information system relying on data input and output will not change; and the objective fact that threat actors continue to write and produce malicious executors will not change. The executor is not only the attack target but also the "weaponized" attack equipment and the carrier of the defense mechanism. Every object that has the ability to be executed and the opportunity to be converted into instructions falls within the scope of the executor, and the executor is the smallest governable unit at the system I/O level.
Most attack tactics rely on executors to complete, and attackers' intrusions into the trust chain, such as certificate theft, whitelisting abuse and supply-chain contamination, are increasingly common. A large number of hybrid executor attacks break the traditional defensive detection paradigm of "threat detection plus trusted signature." Attackers pay more attention to exploiting execution objects that already exist in the environment (such as system shells) and use a large number of legitimate open-source and commercial tools as the paths and tools for attack. This open-source and commercial software is widely used in government and business organizations, and some of it carries the reputation of legitimate or even well-known vendors. This requires us to narrow the granularity of identification of execution objects down to at least every active and newly added object, minimize execution entry points and maximize control of the system. These tasks require not only strong common capabilities but also that each critical infrastructure and important information system establish its own executor governance baseline and closed-loop operating mechanism. Of course, this work cannot be separated from host security protection software that is effective at executor governance.
Defense and governance work centered on the execution object is of great value to the basic capability of network security. In the identification step, the supporting relationship between the executor's behavior and the business can be grasped, the executor and the privileges it requires understood, and its capability and its correspondence to vulnerabilities and exposed surfaces grasped. In the shaping and protection steps, the objects of the executor's resource access, connections, creation, writing and execution can be identified, the purpose of its behavior judged, and violations refused and stopped. In the detection step, noteworthy and unknown executors can be selected based on the distribution of executors and behavior monitoring. In the response step, based on the executor's potential and activation capability, channels can be established and the attack source traced.
Executor governance is a continuous process in which network security operators ensure security by identifying and controlling executors. In this continuous process, not only the basic protection of detecting, defending against and removing malicious executors and controlling the network access of non-malicious executors, but also the closed loop of identifying, shaping, detecting, defending and responding should be established. On the basis of the closed loop of process operation, the static distribution of executors and the composition of business applications should be fully grasped, a reputation list established, and the execution actions of executors identified and controlled according to the baseline. After the baseline is established, all executors should be identified, the supporting relationship between executors' behaviors and the business fully grasped, and quantitative indicators such as reputation, behavior and business-impact indicators established. Guided by these indicators, supporting control rule bases, baseline bases and model bases should be set up for different scenarios, with continuous operation to keep pace with the times and improve efficiency. This keeps the initiative in defense, presents the attacker with an uncertain and unpredictable defense, increases the difficulty of bypassing it, controls attack activity and reduces the risk of collapse.
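As an added example of the identify, baseline and detect steps described here, and of why the signed, well-known tool of the hybrid executor attack discussed earlier still has to be judged against a baseline, the following is illustrative code written for this edition, not Antiy's product logic. The baseline entries, hash placeholders, vendor names, paths and events are all constructed and hypothetical; the behaviour classes ("net_out", "write_system", "spawn_shell") are a simplification of the resource-access, connection, writing and execution objects listed above.

```python
"""Executor governance: judge each execution event against a per-executor baseline.

Added example, not Antiy's code. Hashes are placeholders, vendor names,
paths and events are constructed; the policy is a simplified illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class BaselineEntry:
    """What the organization knows about one executor (identify and shaping steps)."""
    signer: str                # expected signer subject; "" means it is expected to be unsigned
    reputation: str            # "business" (supports a business function) or "admin-tool" (dual-use)
    paths: FrozenSet[str]      # locations it is allowed to run from
    parents: FrozenSet[str]    # processes allowed to launch it
    behaviors: FrozenSet[str]  # behaviour classes it needs: net_out, write_system, spawn_shell


@dataclass(frozen=True)
class ExecEvent:
    """One execution observed by the host agent (detect step)."""
    sha256: str
    path: str
    signer: str
    signature_valid: bool
    parent: str
    behaviors: FrozenSet[str]


# Constructed baseline; the hash strings are placeholders, not real digests.
BASELINE: Dict[str, BaselineEntry] = {
    "HASH-ERP-CLIENT": BaselineEntry(
        signer="Example ERP Vendor", reputation="business",
        paths=frozenset({r"C:\Program Files\ERP\erpclient.exe"}),
        parents=frozenset({"explorer.exe"}),
        behaviors=frozenset({"net_out"})),
    "HASH-REMOTE-ADMIN": BaselineEntry(
        signer="Example Remote Admin Vendor", reputation="admin-tool",
        paths=frozenset({r"C:\Program Files\RemoteAdmin\radmin.exe"}),
        parents=frozenset({"services.exe"}),
        behaviors=frozenset({"net_out", "spawn_shell"})),
}


def evaluate(event: ExecEvent, baseline: Dict[str, BaselineEntry]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is allow, alert, block or hold-unknown."""
    entry = baseline.get(event.sha256)
    if entry is None:
        # Identify step: a never-seen executor goes to the review queue; it is not trusted by default.
        return "hold-unknown", ["hash not in executor baseline"]
    reasons: List[str] = []
    # A valid signature is checked, but it is only one indicator among several.
    if not event.signature_valid or event.signer != entry.signer:
        reasons.append(f"signer mismatch or invalid signature: {event.signer!r}")
    if event.path not in entry.paths:
        reasons.append(f"unexpected path: {event.path}")
    if event.parent not in entry.parents:
        reasons.append(f"unexpected parent: {event.parent}")
    extra = event.behaviors - entry.behaviors
    if extra:
        reasons.append("behaviour outside baseline: " + ", ".join(sorted(extra)))
    if not reasons:
        return "allow", []
    # Policy: a dual-use admin tool off its baseline is treated as attacker tooling and blocked;
    # a business executor is blocked only when its behaviour deviates, otherwise alerted for review.
    if entry.reputation == "admin-tool" or extra:
        return "block", reasons
    return "alert", reasons


# Constructed events. The second one is the hybrid-executor case: a legitimately signed
# remote-administration tool, but dropped into a download directory and launched by a word processor.
EVENTS = [
    ExecEvent("HASH-ERP-CLIENT", r"C:\Program Files\ERP\erpclient.exe", "Example ERP Vendor", True,
              "explorer.exe", frozenset({"net_out"})),
    ExecEvent("HASH-REMOTE-ADMIN", r"C:\Users\alice\Downloads\radmin.exe", "Example Remote Admin Vendor", True,
              "winword.exe", frozenset({"net_out"})),
    ExecEvent("HASH-NEVER-SEEN", r"C:\Windows\Temp\svc.exe", "", False, "cmd.exe", frozenset({"net_out"})),
    ExecEvent("HASH-ERP-CLIENT", r"C:\Program Files\ERP\erpclient.exe", "Example ERP Vendor", True,
              "explorer.exe", frozenset({"net_out", "write_system"})),
]


def run(events: List[ExecEvent], baseline: Dict[str, BaselineEntry]) -> List[str]:
    """Verdict for each event, in order."""
    return [evaluate(e, baseline)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        verdict, reasons = evaluate(e, baseline=BASELINE)
        print(verdict, e.sha256, reasons)
```

The second event is the one a pure "anti-virus engine plus trusted signature" check lets through: the binary is clean and correctly signed. It is caught only because the baseline records where that executor belongs and what is allowed to launch it. The fourth event shows the behaviour indicator working on a fully trusted business executor, and the third shows that unknown executors are held for the identification step rather than passed on the absence of a detection.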
6.7 Stick to a dynamic, integrated defense system rather than always swinging
The constant occurrence of major security threats is likely to raise doubts about whether the most important task is to prevent extortion attacks or APT attacks. In terms of level, the leading attack phase of a few extortion attacks has approached the APT level of high-level cyberspace threat actors, and extortion attacks bring more direct and faster economic losses and more visible effects on an organization's reputation than APT attacks. Targeted extortion is indeed a combination of APT capability and extortion behavior. From another point of view, however, since the extortion organization must profit within a relatively short period, it lacks the critical willpower of an APT attacker to break through the central target, and will not show the APT attacker's strategic patience in long-term dormancy, persistence and covert operation. Therefore, every government and enterprise institution, with its assets and personnel exposed, is bound to face the judgment of multiple attack organizations at the same time and is likely to encounter the attack of the highest intensity or level; it must make its assumptions based on the value of its comprehensive business assets in the context of complex social security and geo-security.
It must be pointed out, however, that for a large number of institutions the issue is not choosing between focusing on APT attacks or extortion attacks, but that the defensive fundamentals have not been completed. Responding to all kinds of complex combined attacks at the defense level, and flexibly adjusting resources, personnel and strategic investment, presupposes that the basic construction of defensive capability has been completed and a dynamic, comprehensive and effective closed-loop defense system basically formed. Only then can targeted defense be implemented in response to changes in the threat. It can be said that if the defense system can effectively defend against APT attacks, it can also effectively defend against targeted extortion attacks.
Facing the threat challenge, it is important to take the adversary seriously tactically and to strengthen confidence strategically. We should firmly believe that, although preventing targeted extortion attacks is very difficult, there are still systematic methods and practical measures. Against systematic attacks it is necessary to move the gateway forward, deploy forward, and form depth and closed-loop operation, increasing the ability to detect the attacker's fire and push it outward and reducing the possibility of the attacker reaching the core. Improving the manageability of networks and assets is the basis of the work: actively shaping and reinforcing the security environment, strengthening constraint and management of exposed and attackable surfaces, and strengthening control of upstream entry points of the supply chain. Launch comprehensive log audit, analysis and monitoring operations. Build defense in depth from the topology to the system side, build layers of defense against attacker reconnaissance, delivery, vulnerability exploitation, code execution, persistence, lateral movement and other behaviors, and in particular build host-system-side protection, taking it as the last line of defense and the cornerstone of defense, and build fine-grained governance capability around the identification and control of executors. Finally, based on the defense system, achieve the practical results of perceiving, interfering with and blocking the targeted attack kill chain.
Appendix I: References
[1] Antiy. Attacking Weapons in A2PT and Quasi-APT Incidents. China Internet Conference [R/OL]. (2015-07-23)
[2] http://www.china-cia.org.cn/AQLMWebManage/Resources/Kindle/attached/file/20230411/20230411080655_1326.pdf
[3] Kaspersky. Operation Triangulation [R/OL]. (2023-06-01)
https://securelist.com/trng-2023/
[4] FSB. The FSB of Russia has uncovered an intelligence operation by US special services using Apple mobile devices [N/OL]. (2023-06-01)
http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439739%40fsbMessage.html
[5] Kaspersky. Operation Triangulation: The last (hardware) mystery [R/OL]. (2023-12-27)
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
[6] Antiy. Quantum System Breakdown on Apple Cell Phones: Historical Sample Analysis of the Equation Group's Attacks on the iOS System [R/OL]. (2023-06-09)
https://www.antiy.com/response/EQUATION_iOS_Malware_Analysis.html
[7] Wuhan Earthquake Monitoring Center Attacked from the Internet: the "Behind the Scenes" US Mystery Reconnaissance System to Be Exposed [N/OL]. (2023-08-14)
https://3w.huanqiu.com/a/5e93e2/4E7OihgjqWJ
[8] Kaspersky. Updated MATA attacks industrial companies in Eastern Europe [R/OL]. (2023-10-18)
https://securelist.com/updated-mata-attacks-industrial-companies-in-eastern-europe/110829/
[9] 360. Lazarus Group Attacks Linux Platform with Dacls RAT [R/OL]. (2019-12-17)
https://blog.netlab.360.com/dacls-the-dual-platform-rat/
[10] Kaspersky. MATA: Multi-platform targeted malware framework [R/OL]. (2020-07-22)
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
[11] Unit42. When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors [R/OL]. (2022-07-05)
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
[12] Vitali Kremez. Let's Learn: Progression of APT28/Sofacy Golang Zebrocy Loader 'Project2.Go': Wmic & Hex Decode [R/OL]. (2018-12-30)
[13] Unit42. Sofacy Group's Parallel Attacks [R/OL]. (2018-06-06)
https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
[14] RiskIQ. Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers [R/OL]. (2021-07-30)
https://community.riskiq.com/article/541a465f/description
[15] Infosecurity Magazine. Pro-Palestine APT Group Uses Novel Downloader in New Campaign [N/OL].
https://www.infosecurity-magazine.com/news/propalestine-APT-group-novel/
[16] Intezer. WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel [R/OL].
https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/
[17] Antiy. 2019 Cybersecurity Threats Review and Outlook [R/OL]. (2020-01-08)
https://www.antiy.cn/research/notice&report/research_report/2019_annualreport.html
[18] Antiy. 2020 Cybersecurity Threats Review and Outlook [R/OL]. (2021-01-07)
https://www.antiy.cn/research/notice&report/research_report/2020_annualreport.html
[19] Antiy. Cyber Security Threats Review and Outlook in 2021 [R/OL]. (2022-01-28)
https://www.antiy.cn/research/notice&report/research_report/2021_annualreport.html
[20] Secureworks. GOLD MELODY: Profile of an Initial Access Broker [R/OL]. (2023-09-21)
https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker
[21] CISA. Known Exploited Vulnerabilities Catalog [R/OL]. (2023-12-25)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[22] PaperCut. Security post-incident report from April 2023 [R/OL]. (2023-11-15)
https://www.papercut.com/blog/news/security-post-incident-report-april-2023/
[23] BlackFog. What we know about the MOVEit exploit and ransomware attacks [R/OL]. (2023-11-21)
https://www.blackfog.com/what-we-know-about-the-moveit-exploit/
[24] CISA. #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE-2023-4966 Citrix Bleed Vulnerability [R/OL]. (2023-11-21)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
[25] Antiy. Analysis and Review of the Boeing Extortion Attack: Threat Trend Analysis and Defense Thinking on Targeted Extortion [R/OL]. (2023-12-30)
https://www.antiy.cn/research/notice&report/research_report/BoeingReport.html
[26] Antiy. Yayaya Miner Mining Trojan Analysis [R/OL]. (2023-05-11)
https://www.antiy.cn/research/notice&report/research_report/20230511.html
[27] Antiy. Analysis of Typical Mining Families, Series II: The TeamTNT Mining Organization [R/OL]. (2022-12-07)
https://www.antiy.cn/research/notice&report/research_report/20221207.html
[28] Antiy. Analysis of "8220" Mining Organization Activity [R/OL]. (2022-04-28)
https://www.antiy.cn/research/notice&report/research_report/20220428.html
[29] Antiy. Active Hoze Mining Trojan Analysis [R/OL]. (2023-02-28)
https://www.antiy.cn/research/notice&report/research_report/20230228.html
[30] Antiy. Analysis of Recent Attacks by the Diicot Mining Organization [R/OL]. (2023-06-29)
https://www.antiy.cn/research/notice&report/research_report/Diicott_Analysis.html
[31] Antiy. Analysis of the Activities of the "SwimSnakes" Cybercrime Group Spreading Malware via WeChat [R/OL]. (2023-08-22)
[32] Antiy. Special Analysis Report on the "SwimSnakes" Cybercrime Group [R/OL]. (2023-10-12)
[33] Standardization Administration of China. Guidelines for the Construction of a New Infrastructure Standard System for the Internet of Things (2023 Edition) (Exposure Draft) [R/OL]. (2023-08-21)
https://www.sac.gov.cn/xw/zqyj/art/2023/art_2c41928c029c4304b66006747a8886fb.html
[34] Statista. Average cost of a data breach worldwide from 2014 to 2023 [R/OL]. (2023-10-10)
https://www.statista.com/statistics/987474/global-average-cost-data-breach/
[35] Verizon. 2023 Data Breach Investigations Report [R/OL]. (2023-09-29)
https://www.verizon.com/business/resources/reports/dbir/
[36] Security Internal Reference (secrss). Well-known Taiwanese company Micro-Star (MSI) suspected of suffering an extortion attack, with a huge ransom of RMB 27.5 million demanded [R/OL]. (2023-04-07)
https://www.secrss.com/articles/53509?app=1
[37] KonBriefing. MOVEit hack victim list [R/OL]. (2023-12-20)
https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html
[38] Hackernews.israel’s Hamas conflict sets off cyber warfare [R / OL]. (2023-10-12)
Https: / / hackernews.cc / archives / 46119
[39] The “leakage gate” continues to ferment: The US-entrapped ally confidence crisis, the Russia-Ukraine conflict is affected [R / OL]. (2023-04-12)
Https: / / m.thepaper.cn / newsDetail _ forward _ 22665834? From =
[40] Bright International. us Media: Suspected US Secret Documents Involved in Russia-Ukraine Conflict and US Surveillance of Other Countries [R / OL]. (2023-04-11)
Https: / / world.gmw.cn / 2023-04 / 11 / content _ 36488867.htm
Appendix II: About Antiy
Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has established technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale automated threat analysis.
Antiy has developed the IEP (Intelligent Endpoint Protection System) security product family for PCs, servers and other system environments, as well as the UWP (Unified Workload Protect) security products for cloud hosts, containers and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP), among others. Based on its threat intelligence and threat detection capabilities, Antiy has established a closed-loop product system for threat countermeasures, achieving perception, retardation, blocking and presentation of advanced threats through products such as the Persistent Threat Detection System (PTD), the Persistent Threat Analysis System (PTA), the Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and the SCS Code Security Detection System to help customers shift their security capabilities left in the DevOps process. At the same time, it has developed four major kinds of security services: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.
Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.
Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their detection-capability partner. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, and has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and has been granted 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.
Antiy is an important enterprise node in China’s emergency response system and has provided early warning and comprehensive emergency response for major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellshock” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis of dozens of advanced cyberspace threat actors (APT groups), such as “Equation”, “White Elephant”, “Lotus” and “Greenspot”, and their attack activities, helping customers build effective protection on the basis of an accurate assessment of the adversary.