
Trellix Detects Leading Threat Actor Countries Behind Nation-State Activity


More cyber threat groups linked to China actively target nation-states than operatives from any other country worldwide.

That news comes via a new report from Trellix, an extended detection and response (XDR) provider.

80% of Threat Groups Tracked to China

Advanced persistent threat (APT) groups tied to China generate nearly 80% of all activity detected by Trellix. Indeed, risks to critical infrastructures such as telecommunications, energy and manufacturing by notable APT groups serve as a “warning to public and private organizations to deploy modern protections to stay ahead of rapidly evolving threats,” Trellix’s head of threat intelligence John Fokker said.

What Trellix Learned About China APT Groups

Insights for the 2023 version of Trellix’s CyberThreat Report were gleaned from a global network of researchers who analyzed more than 30 million detections of malicious samples daily. The analysis combines telemetry collected from one billion sensors with data from open and closed-source intelligence. The report covers the first quarter of the year.

Key findings include:

  • APT groups linked to China, including Mustang Panda and UNC4191, are the most active in targeting nation-states, generating 79% of all activity detected. Trellix predicts APT groups will continue cyber espionage and disruptive cyberattacks in tandem with physical military activity.
  • Motivations for ransomware are still financial, reflected in the insurance (20%) and financial services (17%) sectors having the most detections of potential attacks.
  • The most common leak site victims are US-based (48%) mid-sized businesses with 51-200 employees (32%) and $10 million to $50 million in revenue (38%).
  • Despite attempts in 2022 to make it harder for threat actors to abuse the tool, Cobalt Strike grows as a tool favored by cybercriminals and ransomware actors. Trellix detected Cobalt Strike in 35% of nation-state activity and 28% of ransomware incidents, almost double from Q4 2022.
  • Many critical vulnerabilities consist of bypasses to patches for older CVEs, supply chain bugs utilizing outdated libraries, or long-patched vulnerabilities that were never properly addressed.
  • Though more sophisticated attacks involving multi-factor authentication, proxy penetration, and API execution continue, the dominant attack technique uses valid accounts. Rogue access to legitimate accounts in remote-work environments remains significant.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.