Hackers have become more likely to use compromised accounts.


More than a third (37%) of successful cyber attacks on Russian companies in 2024 began with the compromise of employee credentials. In 2023, such attacks accounted for 19% of incidents. The figures come from experts at the Solar 4RAYS Cyber Threat Research Center of the Solar Group of companies, whose data Izvestia reviewed on March 13.
Last year, attackers actively used the Valid Accounts technique (use of compromised legitimate accounts) as well as External Remote Services, which also involves using legitimate credentials to access company infrastructure, said Gennady Sazonov, an expert at the Solar 4RAYS Cyber Threat Research Center at Solar Group.
"In attacks where these techniques were used for initial access, we observed, for example, the brute-forcing of an FTP server account followed by a malware download. In one of the cases, the attackers connected via RDP (remote access) using a privileged account, which was later used to scan the network and steal credentials. After that, the hackers encrypted part of the infrastructure and demanded a ransom. Stealing confidential information or financial gain are the two main goals of using these techniques," he added.
The experts noted that attackers most often exploit web application vulnerabilities to get past the external IT perimeter, but over the year the proportion of such incidents decreased from 56% to 46%. The entry points are often vulnerable corporate portals exposed to the public internet, web applications that have gone unmanaged for a long time, and services running on outdated software. The share of phishing attacks also decreased over the year, from 19% to 11%. Attacks through contractors accounted for 6%.
Among the attackers' goals were cyber espionage (58% of cyber incidents) and hacktivism and hooliganism (10%). Some attacks were financially motivated, such as extortion using ransomware and cryptocurrency mining.
Earlier, on February 21, it was reported that the average duration of a cyberattack on Russian companies in 2024 was 51 minutes, which is 21% less than in 2023. This follows from the data of the Informzashita company. Experts attribute this negative trend to the proliferation of stealers, the development of hacker service platforms, and the use of artificial intelligence by attackers.