CrowdStrike 'Global Threat Report': Cloud intrusions up 75%

Cloud environment intrusions increased by 75% in 2023, according to CrowdStrike's '2024 Global Threat Report.'

Published Wednesday, CrowdStrike's 'Global Threat Report' is the security firm's annual report dedicated to emerging and continuing trends in the cyberthreat landscape. As per usual, the report spends a significant amount of time on financially motivated cybercrime -- eCrime, per CrowdStrike. But this year, it also gives significant real estate to ongoing geopolitical crises, such as the Israel and Hamas conflict.

Attacks involving the cloud saw a significant boost year over year. Cloud environment intrusions increased by 75% last year compared with 2022. Cloud-conscious cases, in which threat actors intentionally compromise cloud workloads, increased by 110%. In addition, 84% of cloud-conscious intrusions attributed to threat actors were focused on financially motivated cybercrime.

CrowdStrike attributed a significant portion of this activity -- 29% -- to Scattered Spider, a prolific ransomware actor credited with a number of high-profile attacks, such as those against Okta as well as gaming giants Caesars Entertainment and MGM Resorts.

"Throughout 2023, SCATTERED SPIDER demonstrated progressive and sophisticated tradecraft within targeted cloud environments to maintain persistence, obtain credentials, move laterally and exfiltrate data," the report read.

CrowdStrike also touched on data extortion attacks, which involve the theft of data but do not use ransomware to encrypt victim data. According to the company, the method continued to be a more attractive and easier monetization route for threat actors, "as evidenced by the 76% increase in the number of victims named on BGH [big game hunting] dedicated leak sites (DLSs) between 2022 and 2023."

Other notable data points in the report include the following:

• There was a 73% increase in hands-on attacks, or interactive intrusions, in the second half of 2023 compared with the second half of 2022.
• The average breakout time -- the amount of time between an initial intrusion and lateral movement -- decreased from 79 minutes in 2022 to 62 in 2023.
• Malware-free activity, such as identity-based attacks, represented 75% of detections in 2023 -- an increase from 71% the previous year.

On the geopolitical front, the security firm dedicated a portion of the report to the ongoing Israel-Hamas conflict that began on Oct. 7 of last year. Similar to Google's research released last week, CrowdStrike observed Iranian actors targeting Israeli entities. On the Hamas side, the firm said that although CrowdStrike "tracks multiple adversaries associated with the Hamas militant group," no activity attributed to said adversaries has been observed related to the ongoing conflict.

"This is likely due to unavailable resources or the degradation of internet and electricity-distribution infrastructure in the conflict zone," the report read.

TechTarget Editorial asked Adam Meyers, CrowdStrike's senior vice president of counter adversary operations, about Israel's cyber activities during a group press call last week. "[Israel] cut the power and the internet to Gaza. So you can't really do a cyberattack if the lights are off," he said.

Looking ahead, CrowdStrike's predictions include a number involving global elections in 2024. The firm observed that 55 countries representing more than 42% of the global population will participate in presidential, parliamentary or general elections this year, including India, the U.S., Russia, Mexico and others. Other high-profile elections will occur in countries "involved in, or proximal to, major geopolitical conflicts," including Iran, Taiwan, Belarus, and the aforementioned Russia and India.

The firm said information operations and simple "hacktivism" -- historically common with election activity -- will likely continue this year.

"The most common malicious activities targeting elections have historically involved information operations likely conducted by state-nexus entities against citizens of countries that hold specific geopolitical interest to the threat actor and simple, short-lived hacktivism -- including DDoS attacks and website defacements -- against state and local government entities," CrowdStrike said. "This trend is highly likely to continue in 2024."

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.