Threat Actors Deviate From Common Tactics in Global Cyberattacks, Mandiant Observes

April 21, 2023 - Mandiant observed threat actors favoring the financial, professional services, high tech and healthcare industries in 2022, according to its newly released M-Trends 2023 report. The report aimed to provide organizations with insight into the attacks observed on the “frontlines of incident response.”

Healthcare accounted for 9 percent of Mandiant investigations in 2022, remaining an attractive target for financially motivated threat actors. A quarter of Mandiant’s response efforts in 2022 were devoted to government organizations due to the conflict in Ukraine.

“The large majority of our investigations involve attackers motivated by money or espionage; however, a growing number of our engagements involve attackers who are more motivated by notoriety and bragging rights,” the report noted. “Many of these investigations still involved extortion, data theft, financial loss, and reputational damage, but financial gain wasn’t necessarily the motivating factor.”

On a positive note, the global median dwell time, or the time it takes to detect an attack, dropped from 21 days in 2022 to 16 days in 2021, signifying a significant improvement in incident response efforts.

Even as detection times improve, Mandiant observed threat actors increasingly deviating from tried-and-true tactics and techniques to target victims in new ways.

“In 2022, Mandiant investigated a series of high-profile intrusions that were successful and impactful to the targeted organizations despite significant deviations from common threat actor behaviors, underscoring the threat posed to organizations by persistent adversaries willing to eschew the unspoken rules of engagement,” the report noted.

For example, Mandiant experts observed threat actors bullying and threatening victims, utilizing clever social engineering schemes, and issuing bribes to carry out account takeovers. The report specifically detailed the tactics of UNC3661 (Lapsus) and UNC3944, two threat clusters that have been known to carry out sophisticated attacks without relying on new tools, zero-days, or custom malware.

Lapsus was the focus of an April 2022 threat brief by the Health Sector Cybersecurity Coordination Center (HC3), which noted the group’s unique strategy of using bribery and non-ransomware extortion.

“It is important organizations understand the potential ramifications of this new, more outspoken threat, and adjust both protections and expectations accordingly,” Mandiant advised.

Both Lapsus and UNC3944 have succeeded by targeting credentials rather than endpoints, signifying a deviation from typical threat actor techniques.

“As organizations prepare and work to position their security teams and infrastructure, keeping an eye toward protecting against unsophisticated yet persistent attackers should be part of their design goals,” Mandiant continued.

The M-Trends 2023 report also provided organizations with a red team case study and additional data about cyberattack trends in the past year. The firm advised organizations to consider tabletop exercises, improvements to vulnerability and exposure management, and other tactics to defend against today’s top cyber threats.