How to Outsmart Stealthy E-Crime and Nation-State Threats

COMMENTARY

Throughout the past year, we've seen a sharp uptick in cross-domain threats. This activity spans multiple domains within an organization's IT architecture, including identity, cloud, and endpoint. These attacks leave minimal footprints in each domain, like separate puzzle pieces, making them harder to detect. 

While cross-domain intrusions vary in complexity, my team and I are increasingly observing attacks that leverage stolen credentials to breach cloud environments and move laterally across endpoints. This activity is fueled by sophisticated phishing techniques and the proliferation of infostealers. Once adversaries obtain or steal credentials, they can gain direct access to poorly configured cloud environments and bypass heavily defended endpoints. With this access, they often deploy remote monitoring and management (RMM) tools instead of malware, making these attacks particularly hard to detect and disrupt. 

Scattered Spider: A Master of Cross-Domain Tradecraft

One of the most proficient adversaries in cross-domain attacks is the prolific e-crime group Scattered Spider. Throughout 2023 and 2024, Scattered Spider demonstrated sophisticated cross-domain tradecraft within targeted cloud environments, frequently using spear-phishing, policy modification, and access to password managers. 

In May 2024, CrowdStrike observed Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) instance via a cloud service VM management agent. The adversary compromised existing credentials through a phishing campaign to authenticate to the cloud control plane. Once inside, they established persistence.  

This attack spanned three operational domains: email, cloud management, and within the VM itself. As a result, the detectable footprint in any single domain was minimal and difficult to identify with traditional signature-based detection methods. Identifying this attack relied on extensive threat intelligence and prior knowledge of Scattered Spider's tactics. By correlating telemetry from the cloud control plane with detections within the virtual machine, threat hunters were able to recognize and stop the intrusion in progress. 

A Massive Insider Scheme: DPRK's Famous Chollima

North Korea-nexus adversary Famous Chollima presented a unique challenge to threat hunters with a highly sophisticated attack campaign expanding beyond technology boundaries. In this massive insider threat scheme, malicious actors obtained contract or full-time positions using falsified or stolen identity documents to bypass background checks. Their résumés often listed employment at prominent companies, with no gaps, making them appear legitimate.  

In April 2024, CrowdStrike responded to the first of several incidents where Famous Chollima targeted more than 30 US-based companies, including those in the aerospace, defense, retail, and technology sectors. Leveraging data from a single incident, threat hunters developed a scalable plan to hunt this emerging insider threat and identified over 30 additional affected customers within two days. 

In many cases, the adversary attempted to exfiltrate data and install RMM tools using company network credentials to facilitate unauthorized access. CrowdStrike threat hunters searched for RMM tools paired with suspicious network connections to uncover additional data and identify suspicious behaviors. By mid-2024, the US Department of Justice indicted several individuals involved in this scheme, which likely enabled North Korean nationals to raise funds for the DPRK government and its weapons programs. CrowdStrike's coordinated efforts with law enforcement and the intelligence community were instrumental in bringing these malicious activities to light and disrupting the massive threat. 

Putting the Puzzle Pieces Together: Stopping Cross-Domain Attacks

Countering sophisticated cross-domain threats requires constant awareness of behavioral and operational shifts, making intelligence-driven hunting essential. Stopping these novel attacks takes a multipronged approach involving people, process, and technology. For organizations to protect against these attacks they should adopt the following approaches:  

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough. As these stealthy threats operate across identity, cloud, and endpoint, they require a blend of advanced technology, the irreplaceable insights of human expertise, and cutting-edge telemetry to inform proactive decision making. Threat hunters and intelligence analysts, working in tandem with cutting-edge tools, are essential for identifying, understanding, and neutralizing these ever-evolving dangers before they can cause harm. 

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!