Mandiant Inc., a subsidiary of Google Cloud, unveils its M-Trends 2023 report, now in its 14th year. The report offers up-to-date data and expert insights into the evolving threat landscape, drawing on Mandiant’s frontline investigations and remediation efforts for significant cyber-attacks across the globe.
The new report reveals the progress organisations globally have made in strengthening defences against increasingly sophisticated adversaries.
Jurgen Kutscher, VP, Mandiant Consulting at Google Cloud, said: “M-Trends 2023 makes it clear that, while our industry is getting better at cyber security, we are combating ever evolving and increasingly sophisticated adversaries.
“Several trends we saw in 2021 continued in 2022, such as an increasing number of new malware families as well as rising cyber espionage from nation-state-backed actors.
“As a result, organisations must remain diligent and continue to enhance their cyber security posture with modern cyber defence capabilities.
“Ongoing validation of cyber resilience against these latest threats and testing of overall response capabilities are equally critical,” said Kutscher.
Global Median Dwell Time – Declines to Just Over Two Weeks
According to the M-Trends 2023 report, the global median dwell time – the median number of days an attacker is present in a target’s environment before being detected – continued to drop year-over-year, falling to 16 days in 2022.
This is the shortest median global dwell time recorded in any M-Trends report to date, down from 21 days in 2021.
Additionally, Mandiant observed a trend of increased external entity notifications for historic or ongoing compromise, with organisations in the Americas receiving notifications in 55% of incidents, up from 40% last year – the highest percentage in the past six years.
Similarly, organisations in Europe, the Middle East, and Africa (EMEA) received external entity alerts in 74% of investigations in 2022, compared to 62% in 2021.
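The report’s headline metric is easy to misread, so it is worth seeing how it is derived. The dwell time of one intrusion is the number of days between the earliest evidence of attacker activity and the date the victim detected it; the global figure is the median of those per-incident values, not the mean, which keeps a handful of multi-month intrusions from swamping the result. The following Python is an added example, not code or data from the M-Trends report: the incident records are constructed for illustration, and the field names (`first_evidence`, `detected`, `notified_externally`) are assumptions. It computes the median dwell time overall and split by whether the victim learned of the intrusion from an external party, and the external-notification rate per region, the two statistics the paragraphs above report.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """One investigated intrusion. first_evidence is the earliest attacker
    activity found during the investigation; detected is the day the victim
    became aware of it; notified_externally is True when a third party (vendor,
    law enforcement, partner) told the victim rather than its own detection."""
    ident: str
    first_evidence: date
    detected: date
    region: str
    notified_externally: bool


# Constructed sample records for illustration only; these are not Mandiant data.
INCIDENTS = [
    Incident("INC-001", date(2022, 1, 3), date(2022, 1, 19), "Americas", True),
    Incident("INC-002", date(2022, 2, 10), date(2022, 2, 13), "Americas", False),
    Incident("INC-003", date(2022, 3, 1), date(2022, 4, 30), "EMEA", True),
    Incident("INC-004", date(2022, 5, 15), date(2022, 5, 15), "EMEA", False),
    Incident("INC-005", date(2022, 6, 1), date(2022, 6, 22), "APAC", True),
    Incident("INC-006", date(2022, 7, 4), date(2022, 7, 12), "APAC", False),
    Incident("INC-007", date(2022, 8, 20), date(2022, 11, 28), "Americas", True),
    Incident("INC-008", date(2022, 9, 9), date(2022, 9, 21), "EMEA", True),
]


def dwell_days(incident: Incident) -> int:
    """Days the attacker was present before detection; same-day detection is 0."""
    days = (incident.detected - incident.first_evidence).days
    if days < 0:
        # Detection cannot precede the first evidence of compromise; this is a
        # data-entry error, so refuse it rather than silently skewing the median.
        raise ValueError(f"{incident.ident}: detection date precedes first evidence")
    return days


def median_dwell(incidents) -> float:
    """Median dwell time in days across the given incidents."""
    if not incidents:
        raise ValueError("median dwell time is undefined for zero incidents")
    return float(median(dwell_days(i) for i in incidents))


def mean_dwell(incidents) -> float:
    """Mean dwell time, shown only to illustrate how outliers distort it."""
    return float(mean(dwell_days(i) for i in incidents))


def median_dwell_by_source(incidents) -> dict:
    """Median dwell split by how the victim learned of the intrusion."""
    external = [i for i in incidents if i.notified_externally]
    internal = [i for i in incidents if not i.notified_externally]
    return {"external": median_dwell(external), "internal": median_dwell(internal)}


def external_notification_rate(incidents, region=None) -> float:
    """Percentage of incidents (optionally within one region) in which the
    victim was notified by an external party, rounded to one decimal."""
    subset = [i for i in incidents if region is None or i.region == region]
    if not subset:
        return 0.0
    return round(100.0 * sum(i.notified_externally for i in subset) / len(subset), 1)


if __name__ == "__main__":
    print(f"global median dwell: {median_dwell(INCIDENTS):.1f} days")
    print(f"global mean dwell:   {mean_dwell(INCIDENTS):.1f} days")
    print("by notification source:", median_dwell_by_source(INCIDENTS))
    for region in ("Americas", "EMEA", "APAC"):
        print(f"{region}: {external_notification_rate(INCIDENTS, region)}% externally notified")
```

On this constructed set the median is 14 days while the mean is 27.5, pulled up by the single 100-day intrusion; that gap is why M-Trends reports a median. The split by notification source is also worth tracking in your own incident data: externally notified intrusions typically carry longer dwell times, because the victim did not detect them at all until someone else did.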
Furthermore, Mandiant experts noted a decrease in the percentage of investigations involving ransomware: only 18% of investigations in 2022 involved ransomware, down from 23% in 2021, the smallest share of Mandiant investigations related to ransomware since prior to 2020.
Sandra Joyce, VP, Mandiant Intelligence at Google Cloud, said: “While we don’t have data that suggests there is a single cause for the slight drop in ransomware-related attacks that we observed, there have been multiple shifts in the operating environment that have likely contributed to these lower figures.
“These factors include, but are not limited to: ongoing government and law enforcement disruption efforts targeting ransomware services and individuals, which at minimum require actors to retool or develop new partnerships; the conflict in Ukraine; actors needing to adjust their initial access operations to a world where macros may often be disabled by default; as well as organisations potentially getting better at detecting and preventing or recovering from ransomware events at faster rates,” she said.
Malware Families Increase Globally, Cyber Espionage
Mandiant identified extensive cyber espionage and information operations leading up to and since Russia’s invasion of Ukraine on February 24, 2022.
Most notably, Mandiant saw activity by UNC2589 and APT28 prior to the invasion of Ukraine, and observed more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years.
In 2022, Mandiant began tracking 588 new malware families, revealing how adversaries are continuing to expand their toolsets.
Of the newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%). These categories of malware remain consistent over the years and backdoors continue to represent a little over one third of the newly tracked malware families.
Consistent with previous years, the most prevalent malware family detected in Mandiant investigations was BEACON, a versatile multi-function backdoor.
In 2022, BEACON was identified in 15% of all intrusions investigated by Mandiant, making it the most frequently encountered malware across regions.
BEACON has been utilised by various threat groups monitored by Mandiant, including nation-state-backed groups associated with China, Russia, and Iran, as well as financial threat groups and over 700 UNC (uncategorised) groups.
The wide prevalence of BEACON can be attributed to its widespread availability, combined with its high level of customisability and user-friendly features, as highlighted in the report.
Charles Carmakal, CTO, Mandiant Consulting at Google Cloud, said: “Mandiant has investigated several intrusions carried out by newer adversaries that are becoming increasingly savvy and effective.
“They leverage data from underground cybercrime markets, conduct convincing social engineering schemes over voice calls and text messages, and even attempt to bribe employees to obtain access to networks.
“These groups pose a significant risk to organisations, even those with robust security programs, as these techniques are challenging to defend against.
“As organisations continue to build their security teams, infrastructure, and capabilities, protecting against these threat actors should be part of their design goals,” said Carmakal.
Additional takeaways from M-Trends 2023 Report include:
- Infection vector: For the third year in a row, exploits remained the most leveraged initial infection vector used by adversaries, at 32%. While this was a decrease from the 37% of intrusions identified in 2021, exploits remained a critical tool for adversaries to use against their targets. Phishing returned as the second most utilised vector, representing 22% of intrusions, compared to 12% in 2021.
- Target industries impacted: Response efforts for government-related organisations captured 25% of all investigations, compared to 9% in 2021. This primarily reflects Mandiant’s investigative support of cyber threat activity which targeted Ukraine. The next four most targeted industries in 2022 are consistent with what Mandiant experts observed in 2021, with business & professional services, financial, high tech, and healthcare industries being favoured by adversaries. These industries remain attractive targets for both financially and espionage motivated actors.
- Credential theft: Mandiant investigations uncovered an increased prevalence of both widespread information stealer malware and credential purchasing in 2022 when compared to previous years. In many cases, investigations identified that credentials were likely stolen outside of the organisation’s environment and then used against the organisation, potentially due to reused passwords or use of personal accounts on corporate devices.
- Data theft: Mandiant experts identified that in 40% of intrusions in 2022, adversaries prioritised data theft. Mandiant defenders observed threat actors attempting to steal, or successfully completing, data theft operations more often in 2022 compared to previous years.
- North Korea’s use of crypto: Alongside traditional intelligence collection missions and disruptive attacks, in 2022 Democratic People’s Republic of Korea operators showed more interest in stealing—and using—cryptocurrency. These operations have been highly lucrative and will likely continue unabated throughout 2023. For more on how North Korean threat actors are using cybercrime as a way to fund their espionage operations, see Mandiant’s APT43 report.
M-Trends – Primary Aim
The primary aim of M-Trends is to equip security professionals with valuable insights into the latest attacker activity observed directly on the frontlines.
These insights are supported by actionable intelligence to enhance organisations’ security postures in the face of an ever-evolving threat landscape. To fulfil this objective, Mandiant provides in-depth analysis of prominent threat actors and their evolving tactics, techniques, and procedures.
In order to further facilitate this objective, Mandiant has mapped an additional 150 Mandiant techniques to the updated MITRE ATT&CK® framework, resulting in a total of 2,300+ Mandiant techniques and associated findings aligned with the ATT&CK framework.
With Mandiant’s cutting-edge expertise and comprehensive analysis, the M-Trends 2023 Report empowers organisations to proactively identify potential cybersecurity risks, safeguard their critical assets and stay one step ahead in the ongoing battle against cyber threats.