NETSCOUT Threat Intelligence Report — Powered by ATLAS Dawn of the Terrorbit Era

Findings from 2H 2018

The Terrorbit Era

We saw the growth of internet-scale campaigns that use a vast array of devices related solely by internet connectivity
to strike strategic targets.

Key Findings

When it comes to the global threat landscape, the second half of 2018 revealed the equivalent of attacks on steroids, as attackers bulked up existing tactics, rapidly evolved new ones, and applied smart business techniques to vastly accelerate their growth rate.

APT Groups

Innovative new TTPs combined custom tools and commodity crimeware, including the use of Chrome extensions to enable persistence in the STOLEN PENCIL campaign crimeware.

Map of Asia with Russia, Iran, North Korea and China highlighted.

Many new groups discovered while activity from key actors such as China, Russia, Iran, and North Korea shows no sign of ebbing.


An image of an infected computer bot.


Business practices such as the affiliate model drove rapid global expansion for Danabot crimeware campaign.


A wifi-enabled smart light bulb graphic.

5 Minutes To Attack

IoT devices are under attack 5 minutes after being plugged in and targeted by specific exploits within 24 hours.

DDoS Attacks

Global Attack Numbers


Global Max DDoS Attack


APT Groups

ASERT tracked approximately 35 APT groups worldwide. Activity from these groups is accelerating as they continually add additional facets of cyber espionage to their toolkit, including new targeting and new methods.

Stolen Pencil Campaign

Massive credential theft across four universities, targeting victims in biomedical research. Campaign notable for the use of Chrome extensions to enable persistence.

A graphic showing a pocket protector with a skull.

Accelerate Activity

A green paint blob background.

APT Groups Tracked in 2H 2018

Nation-state APT group activity was discovered at an accelerating rate as groups also evolved and expanded their capabilities.

Top Global Targets

  1. Academia
  2. Government
  3. Finance
  4. Telecommunications
A white target.

APT Malware Analysis

Analysis of APT malware samples found combinations of custom tools and crimeware as well as misuse of legitimate software such as lojax.

Zero-Day Attacks

An electrical cord and plug, pointing upwards.

New APT capabilities include a few observed zero-day attacks, the use of legitimate bootkit software, and at least one instance of a browser plugin.


For crimeware actors, the key word is more: more groups, more efficient attack monetization, more businesslike methods, and certainly more and better tools.

IoT Devices

Once plugged into the internet, IoT devices are attacked within 5 Minutes and targeted by specific exploits in 24 Hours

Increased Sophistication

A graphic of a brain, wired like a computer processor.

Increased sophistication and efficiency at monetizing malicious attacks. Modular, persistent crimeware that provides a better ROI than a simple smash-and-grab method.

Best Business Practices

A blue paint blob background. An image of an infected computer bot.

DanaBot campaign increased distribution efficiency and cut labor costs by using an affiliate model that encourages specialization among threat actors and substantially increases the pool of potential victims across the world.

Lifetime of Infections

The overall lifetime of crimeware infections sometimes lasts years, long after infrastructure goes offline.

Cyber Threat Actors

A wifi-enabled smart light bulb graphic.

Cyber threat actors learned from IoT malware, pivoting to add Linux servers to their targets.


The DDoS sector continues to reflect the indefatigable efforts of a busy and ever-more organized community, from state actors trying to influence geopolitical processes to an increasingly businesslike DDoS service-for-hire sector. We see a skyrocketing diversification of attack avenues, methods, and techniques, wiping away traditional expectations around both DDoS attack mechanisms and defense practices.

Attack Size and Numbers Grow

a bar graph and arrow, increasing as it moves to the right.

The number of global attacks increased 26 percent. Global max DDoS attack size increased 19 percent.

Mid-range Attacks Explode

100-200 Gbps


200-300 Gbps


Consulates + Embassies

a graphic of an embassy building.

186 percent increase in attacks for sub-vertical containing consulates and embassies, indicative of increase in politically motivated attacks.

Cloud Service Providers

a cloud with an up arrow.



Max Attack Size


for sub vertical containing cloud service providers.

Passenger Air Transportation

a graphic of an airplane.

More than 15,000 percent increase in size of attacks targeted at scheduled passenger air transportation.

Carpet Bombing

Increasing accessibility of attack vectors that were once the province of sophisticated attackers, such as the large increase in carpet bombing DDoS attacks observed in 2018.

An angry animated vacuum.

Hacker "stephenkings"

A magnifying glass inspecting a skull.

After posting research on MedusaHTTP DDoS, a botnet from a hacker known as stevenkings, the ASERT team was able to assist the FBI during an investigation that ultimately led to charges being filed.

The Takeaway

In the second half of 2018, we saw threat actors building crimeware that’s cheaper and easier to deploy—and more persistent once installed. At the same time, many groups applied business best practices that further extend the reach of attacks, while making it even easier for customers to access and leverage malicious software and DDoS attack tools.

The ASERT team continues to monitor the threat landscape and report on new actors, malware under develoment, and increasingly sophisticated techniques deployed. For a detailed summary of the latest trends, download the updated NETSCOUT Threat Intelligence Report for the second half of 2018.

Click here to access past reports

Subscribe to the ASERT Blog