Intelligent CIO Africa Issue 02 | Page 44

INTELLIGENT BRANDS // Enterprise Security

Rise of the Nigerian threat group SilverTerrier

Palo Alto Networks' Unit 42 gives a detailed growth analysis of the Nigerian threat actor group and their modus operandi, bringing them onto the global front stage.
In July 2014, Palo Alto Networks Unit 42 released its first threat intelligence report on Nigerian cyber actors. This report documented the observed evolution from traditional 419-style email scams to the use of commodity malware for financial gain.
Applying advanced analytics across more than 8,400 samples resulted in the identification of over 500 domains supporting malware activity and roughly 100 unique actors or groups, which continue to be tracked under the code name SilverTerrier.
The data showed that the ability of these actors to distribute malware has grown steadily over the past two years to its current rate of 5,000 – 8,000 attacks per month. Moreover, using email as the primary means of distribution, the majority of these attacks were focused against the high technology, higher education and manufacturing industries.
While these attacks originate from actors with varying degrees of technical expertise, all of the actors continue to rely on commodity malware tools, which require minimal infrastructure to set up and can be acquired on underground forums at nominal cost.
Through analysis, it has become clear that Nigerian cyber actors have demonstrated significant growth in size, scope and capability over the past two years. They have learned how to apply simple malware tools with precision in order to create substantial losses, ranging from tens of thousands up to millions of dollars, for victim organisations. They have broadened their scope well beyond targeting unsuspecting individuals.
In 2008, the Federal Bureau of Investigation released its annual Internet Crime Report listing Nigeria as third in the world for conducting cybercriminal activity. While the country's position on the list has fluctuated over the years, it once again claimed the number three position in last year's report.
Since 2014, Nigerian actors have been linked to various popular malware tools, including Zeus, DarkComet and others. All of these tools have something in common: they are commodity malware tools that require minimal infrastructure to set up and can be purchased at nominal cost on underground forums. Traditionally, this fact has been used to justify assessments suggesting that these actors lack the technical aptitude required for more advanced tools.
But research suggests that these tools may be chosen intentionally to support easy scalability among a distributed actor network, similar to an organised crime model.
In May 2016, they demonstrated the added ability to surge distribution efforts by launching nearly 19,000 attacks in one month. While the malware itself can be distributed at scale and in far greater numbers than observed above, the benefits of doing so are often diminished for these actors.
As a basic principle, there is generally a correlation between the amount of malware distributed and the time it takes for antivirus vendors to identify and block it. Thus, these Nigerian actors have refined their attack methods over time from sending malware in bulk across the internet to a more focused, deliberate and targeted approach. Specifically, the data showed that 86% of the malware samples analysed were observed in 20 or fewer attacks against Palo Alto Networks customers.
Using AutoFocus contextual threat intelligence, combined with advanced analytic practices, Unit 42 is currently tracking roughly 100 Nigerian cyber actors responsible for operating the infrastructure associated with the five identified malware families. These actors were predominantly identified using domain registration details, which, in many cases, enabled Unit 42 to link these actors directly to their social media profiles.
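The attribution approach described above, pivoting on shared domain registration details to group malware-support domains into likely actor clusters, as an added illustration that is not Unit 42's own tooling. The WHOIS-style records, domains and contact values are constructed, and the proxy-email filter is an assumed caveat: privacy-protected registrations share a proxy contact across unrelated domains and would otherwise falsely link everything.

```python
from collections import defaultdict

# Constructed WHOIS-style registration records (all values invented).
RECORDS = [
    {"domain": "lure-one.example",   "email": "regone@mail.example",   "phone": "+1-000-0001"},
    {"domain": "lure-two.example",   "email": "regone@mail.example",   "phone": ""},
    {"domain": "lure-three.example", "email": "other@mail.example",    "phone": "+1-000-0001"},
    {"domain": "lure-four.example",  "email": "REGTWO@mail.example",   "phone": "+1-000-0002"},
    {"domain": "lure-five.example",  "email": "regtwo@mail.example",   "phone": ""},
    {"domain": "lure-six.example",   "email": "privacy@proxy.example", "phone": ""},
    {"domain": "lure-seven.example", "email": "privacy@proxy.example", "phone": ""},
]

# Assumed list of privacy-proxy contact values that must never be used as a pivot.
PROXY_VALUES = frozenset({"privacy@proxy.example"})


def cluster_by_registrant(records, keys=("email", "phone"), proxy_values=PROXY_VALUES):
    """Union domains that share any registrant attribute; return sorted clusters."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (attribute, normalised value) -> first domain carrying it
    for r in records:
        for key in keys:
            value = (r.get(key) or "").strip().lower()
            if not value or value in proxy_values:
                continue  # empty or privacy-protected: no pivot possible
            tag = (key, value)
            if tag in first_seen:
                ra, rb = find(first_seen[tag]), find(r["domain"])
                if ra != rb:
                    parent[rb] = ra  # same registrant detail: merge clusters
            else:
                first_seen[tag] = r["domain"]

    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["domain"])].append(r["domain"])
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for cluster in cluster_by_registrant(RECORDS):
        print(cluster)
```

Each resulting cluster is a set of domains tied together by a shared email or phone number; the two proxy-registered domains stay separate, while case differences in email addresses are still matched.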
Performing this practice on a large scale has produced tremendous insights into the size, scope, motivations and interactions of these actors.
At any point in time, many of these actors are engaged in multiple categories of scams, ranging from their traditional 419 emails, to fake websites, to the most recent malware initiatives. Thus, in order to account for the range of their activities, it becomes necessary to discuss the domains that SilverTerrier actors are building to support their activities. These domains can be grouped into
44 INTELLIGENTCIO www.intelligentcio.com