Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques. We then leverage that information to help our customers defend their systems against those adversaries. The adversaries that Netskope Threat Labs tracks generally fall into two categories, based on their motivations.
The primary objective of criminal adversary groups is financial gain, and their toolset typically includes information stealers and ransomware. Extortion has been an extremely profitable business for cybercriminals for the past several years, with an estimated $457 million in ransom payments made in 2022. Most criminal adversaries have diversified their operations to use both ransomware and infostealers to increase the odds of a victim paying up. If encrypting their systems with ransomware wasn’t enough to convince them to pay, perhaps the public release of sensitive information stolen from the organization would help. Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.
Geopolitical adversary groups are motivated by geopolitical issues. They are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. For example, Russian adversary groups launched cyberattacks against Ukraine that coincided with their invasion of that country. Geopolitical groups typically engage in cyber operations against other nation-states, and such operations have become a critical component of modern international relations. The lines between geopolitical and criminal adversaries sometimes blur, with some geopolitical groups also engaging in financially motivated activities. For example, the current North Korean regime funds development of its missile program via cybercrime. The specific cyber-operations undertaken by geopolitical adversaries vary, including cyber-espionage against government and non-government organizations and sabotaging critical infrastructure to destabilize an adversary. Geopolitical adversaries also engage in information warfare, spreading propaganda, manipulating public opinion, and influencing popular elections.
Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same exact tooling or even share infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. For these reasons, adversary attributions are fuzzy and subject to change and evolve as new information comes to light. In the remainder of this report, we present stats about the adversary activities observed on the Netskope Security Cloud platform and the groups most likely responsible for those activities.