Verizon data breach report: State-sponsored attacks surge

Espionage campaigns seek data that furthers national interests, such as military or classified information, economy-boosting plans, insider information or trade secrets, and technical resources such as source code.
Written by Larry Dignan, Contributor

An annual survey by Verizon's security unit found that 19 percent of data breach attacks were connected to state-sponsored organizations, a sign that corporate espionage may be ramping up.

The Data Breach Investigations Report (DBIR) draws on attack data contributed by 19 global organizations, including forensics firms and reporting agencies. Overall, the report covers 47,000 reported security incidents and 621 confirmed data breaches. Over nine years, the DBIR has documented 1.1 billion compromised records and 2,500 data breaches.

Regarding state-sponsored attacks, Mark Spitler, a senior security analyst at Verizon, said that the report "found quite a few" of them. Verizon attributed attacks to state sponsors based on known tactics, indicators of what the attackers were examining, and malware signatures. Cooperation and data sharing among participants also helped put the spotlight on state-sponsored attacks.

On state-sponsored attacks, Verizon said in its report:

State-affiliated groups rise to the number two spot for the 2012 dataset, and there are several plausible explanations for this. On one hand, we saw a dip in financially motivated cases against small organizations in our dataset, and that dip allows other trends to become more pronounced. Another factor is the larger set of data sharing partners in this report that widens the population of incidents we can analyze. Furthermore, our own investigations comprised more espionage cases than any previous year, and this was bolstered by increased efforts to collect, share, and correlate IOCs that greatly improve the ability to uncover targeted attacks. So, it may be true that espionage activity is up, but it’s also true that better sharing and improved detection capabilities result in more detection. Threat actors engaged in espionage campaigns leave a completely different footprint than those motivated by direct financial gain. They seek data that furthers national interests, such as military or classified information, economy-boosting plans, insider information or trade secrets, and technical resources such as source code. They will generally not target payment systems and information, and according to our data, they aren’t even targeting certain industries that have topped the charts for financially motivated attackers (e.g., Retail and Food Services).
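The passage above makes two points a security operations team can put into practice: attribution and detection rest on correlating indicators of compromise (IOCs) against internal telemetry, and the more partners share indicators, the more targeted activity becomes visible. The following script is an added illustration, not code from Verizon or the DBIR. It correlates constructed IOC feeds from three hypothetical sharing partners (domains and SHA-256 file hashes) against a handful of constructed proxy log lines, records which partner contributed each matching indicator, and counts how many internal hosts are flagged as each partner's feed is added. All hostnames, domains and hashes are placeholders.

```python
# Added example (not from the DBIR or Verizon): correlating IOCs shared by
# several partners against proxy log lines, and counting how many internal
# hosts become visible as each partner's feed is added to the index.
import re
from collections import OrderedDict

# Constructed placeholder hashes; not real malware samples.
HASH_1 = "1" * 64
HASH_2 = "2" * 64

# Constructed IOC feeds from three hypothetical sharing partners. Note that
# partner_a and partner_c both report the same domain, as real feeds overlap.
PARTNER_FEEDS = OrderedDict([
    ("partner_a", {"domain": {"update-check.example-bad.net"}, "sha256": {HASH_1}}),
    ("partner_b", {"domain": {"cdn-static.example-bad.org"}, "sha256": set()}),
    ("partner_c", {"domain": {"update-check.example-bad.net", "mail-relay.example-bad.biz"},
                   "sha256": {HASH_2}}),
])

# Constructed proxy log lines: timestamp, source host, destination domain,
# SHA-256 of any downloaded file ("-" when nothing was downloaded).
PROXY_LOG = f"""\
2012-11-03T09:12:01Z host-eng-14 update-check.example-bad.net -
2012-11-03T09:12:07Z host-eng-14 www.example.com -
2012-11-03T09:15:44Z host-fin-02 cdn-static.example-bad.org -
2012-11-03T10:01:13Z host-eng-03 mail-relay.example-bad.biz -
2012-11-03T10:05:59Z host-hr-07 intranet.example.com {HASH_2}
2012-11-03T10:07:30Z host-eng-14 update-check.example-bad.net -
2012-11-03T10:09:02Z host-eng-09 downloads.example.com {HASH_1}
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<domain>\S+) (?P<sha256>\S+)$")


def parse_log(text):
    """Parse the constructed proxy log into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_index(feeds):
    """Invert the feeds into {(ioc_type, value): {partners that reported it}}."""
    index = {}
    for partner, iocs in feeds.items():
        for ioc_type, values in iocs.items():
            for value in values:
                index.setdefault((ioc_type, value), set()).add(partner)
    return index


def correlate(events, feeds):
    """Return one hit per event/IOC match, naming the partners that contributed the IOC."""
    index = build_index(feeds)
    hits = []
    for ev in events:
        for ioc_type in ("domain", "sha256"):
            key = (ioc_type, ev[ioc_type])
            if key in index:
                hits.append({"ts": ev["ts"], "host": ev["host"], "ioc_type": ioc_type,
                             "value": ev[ioc_type], "sources": sorted(index[key])})
    return hits


def hosts_flagged(events, feeds):
    """Distinct internal hosts with at least one IOC match."""
    return sorted({h["host"] for h in correlate(events, feeds)})


def detections_as_feeds_added(events, feeds):
    """Cumulative count of flagged hosts as each partner's feed is added, in feed order."""
    counts = []
    subset = OrderedDict()
    for partner, iocs in feeds.items():
        subset[partner] = iocs
        counts.append(len(hosts_flagged(events, subset)))
    return counts


if __name__ == "__main__":
    events = parse_log(PROXY_LOG)
    for hit in correlate(events, PARTNER_FEEDS):
        print(f"{hit['ts']} {hit['host']} {hit['ioc_type']}={hit['value']} "
              f"via {','.join(hit['sources'])}")
    print("flagged hosts as feeds are added:", detections_as_feeds_added(events, PARTNER_FEEDS))
```

With the constructed data, partner_a's feed alone flags two hosts, adding partner_b flags a third, and partner_c's feed brings the total to five, which is the "better sharing means more detection" effect the report describes. Keeping the contributing partner on each hit matters for the attribution side too: an indicator corroborated by several independent sources carries more weight than one seen in a single feed.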

The high-level takeaways:

  • 37 percent of breaches hit financial organizations;
  • 24 percent of breaches happened in retail and restaurants;
  • 20 percent of network intrusions involved manufacturing, transportation and utilities;
  • 38 percent of breaches were aimed at large companies;
  • 92 percent of breaches were perpetrated by outsiders;
  • 19 percent were attributed to state-affiliated actors;
  • And finally, weak defenses make things a bit easy for the bad guys.

The DBIR also cautioned that a single set of best practices can't be applied to every industry. Verizon wrote:

Any attempt to enforce a one-size-fits-all approach to securing our assets may result in leaving some organizations under-protected from targeted attacks while others potentially over-spend on defending against simpler opportunistic attacks. For example, small retailers and restaurants in the Americas should be focusing on the basics because attackers are leveraging poorly configured remote administration services to pull payment data from point of sale systems. But the basics won’t be enough for the finance and insurance industry, which sees its ATMs targeted by skimming campaigns. And when we peel back that physical attack layer, we see a much higher proportion of attacks in its web applications than all other sectors. When we focus on manufacturing, engineering, consulting, and IT service firms, we see a whole different set of attacks exploiting human weaknesses through targeted social attacks to get multi-functional malware on internal systems.
