World’s fastest hackers? Russian nation-state ‘bears’

'It's not a matter of if, but when' (James Yeager, vice president of CrowdStrike, talks cybersecurity defense with WTOP's J.J. Green)

Criminal hackers working on behalf of the Russian government are the fastest — by far — among all nation-state actors at breaking into computer networks and reaching other connected systems, a new threat report has found.

“Bears,” as they are called in CrowdStrike’s 2019 Global Threat Report, registered average “breakout times” of 18 minutes and 49 seconds.

James Yeager, vice president of public sector and health care at the firm, defines breakout time as “the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network.”

Crowdstrike’s report said North Korean hackers, called “Chollimas,” are the second-fastest, with an average breakout time of 2 hours, 20 minutes and 14 seconds. Chinese nation-state actors, known as “pandas,” were clocked at 4 hours, 0 minutes and 26 seconds. “Kittens” are Iranian nation-state actors, who average 5 hours, 9 minutes and 4 seconds. 

A separate group of hackers called eCrime actors, or “spiders,” averaged 9 hours, 42 minutes and 23 seconds. But the report noted some eCrime actors are just as fast as highly skilled nation-state actors.

CrowdStrike based their ratings on more than 30,000 breach attempts that were thwarted in 2018. The report analyzes comprehensive threat data from various proprietary platforms, including the CrowdStrike Threat Graph™, a large, scalable, cloud-based graph database that processes 1 trillion events a week across 176 countries.

The hackers are principally engaged in an activity called “big game hunting.” Yeager said that’s “the practice of combining targeted, intrusion-style tactics for the deployment of ransomware across large enterprises.”

In addition to big game hunting, CrowdStrike identified a trend of increased collaboration between highly sophisticated eCrime threat actors. The report said, “The use of geo-targeting to support multiple eCrime families was observed through a variety of tactics.”

The industries at the top of the target list for malware-free intrusions include media, technology and academia, highlighting the need to aggressively strengthen their defenses against more sophisticated, modern attacks.

To defend against such aggressive actors, Yeager recommended what he calls the 1-10-60 strategy.

“You need to be able to detect an intrusion in 60 seconds or less, [and] perform a full investigation within 10 minutes or less. And, within an hour, you need to be able to fully remediate the intrusion and kick the bad guys out of your environment,” Yeager said.

SIGN UP TODAY for J.J. Green’s new national security newsletter, “Inside the SCIF.” The weekly email delivers unique insight into the intelligence, national security, military, law enforcement and foreign policy communities.

J.J. Green

JJ Green is WTOP's National Security Correspondent. He reports daily on security, intelligence, foreign policy, terrorism and cyber developments, and provides regular on-air and online analysis. He is also the host of two podcasts: Target USA and Colors: A Dialogue on Race in America.

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up