Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.

Cyber criminals seek stolen credentials

The HRCP report highlights the significant threat from stolen credentials for these groups—a theme that also plays a key role in the 2024 X-Force Threat Intelligence Index—as the threat from malicious actors stealing and using valid credentials for initial access into networks of interest surged throughout 2023. This threat underscores the necessity of implementing multifactor authentication to protect vulnerable accounts from hacking or takeover.

Credential-based attacks and threats to user identities are far from new, but their effectiveness positions them as a preferred tactic of choice for cyber criminals and state-sponsored actors alike. In fact, in 2020 and 2021, X-Force published details of ITG18 operations (overlaps with Charming Kitten, Phosphorous and TA453) against individuals that leaned on the exploitation of identity. Among other techniques, ITG18 threat actors would validate stolen credentials by copying and pasting stolen victim usernames and passwords into a wide variety of websites, highlighting some of the painstaking techniques used to target members of civil society.

Download the report

High-risk targets on the hook with a rise in phishing attacks

The HRCP report also urges vigilance against phishing – another common technique used against high-risk members of civil society that X-Force often observes in its incident response engagements.  According to X-Force, phishing played a prominent role in the 2024 X-Force Threat Intelligence Index—tying with the use of stolen credentials as the top technique used by threat actors for initial access.

Most recently, X-Force uncovered  ITG05 (overlaps with APT28, Fancy Bear and Forest Blizzard) operations targeting NGOs through phishing lures, emphasizing that this too is a technique threat actors lean on regularly to advance their objectives. Leveraging robust employee training, phishing security software and multifactor authentication can help to protect organizations from phishing attacks.

Ensure security fundamentals are solid

As governments seek to enhance both their cybersecurity posture and that of key members of civil society, it’s essential not to overlook the criticality of security fundamentals. This includes mitigating the risk of commonly exploited initial access vectors such as valid credential use and phishing. With multiple elections taking place globally in 2024, there is the potential for increased targeting of members of civil society, making it even more imperative to emphasize cybersecurity best practices.

To help governments, critical infrastructure and organizations enhance their cyber preparedness, the X-Force Cyber Range has opened a new location in Washington DC to assist federal government entities and private sector organizations prepare to face a cyber crisis event. Click here to learn more about this capability or to book a tour.

For more information about threat intelligence on the latest tactics, techniques and procedures threat actors are using, schedule a discovery session with the X-Force team.

More from X-Force

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today