2021 - Annual Bulletin

C3 TOP – Threat Observatory Platform

Threat Agent activities

Behind every cyber-attack there is an actor with a specific intent. However, for many events, the identity and general motivation are unknown. On the other hand, some groups have been well known for years and their criminal activities and techniques are documented and monitored. Typically, they conduct targeted attacks against specific organisations, using relatively sophisticated tools and attack procedures.

Some of them are considered as State-sponsored, but the actual link with various countries stays often subject of controversies and should be considered with prudence.

During 2021, a significant decrease in the activity of the identifiable threat groups was observed, estimated at a decrease in the order of 50 % compared to the previous year.

As during previous year, the attribution rate of events is very low. This means that most of the ongoing attacks are not attributable.

During the first quarter, a new malware group, codenamed Hafnium, emerged and it massively targeted Microsoft Exchange servers. Attacks caused major impacts and disruptions worldwide. The exploitation of Microsoft Exchange allowed HAFNIUM to install web shells for persistent access to systems and then to move laterally, using compromised credentials to authenticate.

During December 2021, a variety of groups, including some state-sponsored, exploited Log4Shell vulnerabilities as an access vector to enable ransomware operations and other criminal activities.

According to the attribution found in the MISP records, the following groups were particularly active during the year:

HAFNIUM: this group is apparently operating from China. As documented by several security or IT organisations including Microsoft, it conducted a mass attack on Microsoft's Exchange software, which allowed to take control of many corporate servers, stealing e-mails, calendars, and any other sensitive information. The mass attack started in late February and early March. Thousands of companies fell victim. Many more were affected in the days following Microsoft's distribution of an emergency patch due to companies not updating their systems in time. The campaign was identified as a potential espionage mission due to the nature of the information stolen. Hafnium is believed to be affiliated with the Chinese State;

External transfer pathway and infrastructures

The transfer of the malicious artefacts or payloads is done through a number of different types of technical procedures and infrastructures.

Also, during 2021, it was confirmed that the most frequently used strategy is associated with scams that use email or similar approaches to reach potential victims.

Phishing is the most common strategy, but there has also been an increase in malspam and smishing events. In most of these cases, the pathway is a human to human or machine to human infrastructure.

Recorded phishing events recorded by the monitoring system have increased significantly over 2021, with an increase of about 69 %.

During 2021, the monitoring system recorded an increase in Domain Name Server (DNS) hijacking. DNS hijacking is a type of attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To carry out the attack, the perpetrators install malware on users' computers, take control of routers, or intercept or violate DNS communication.

DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or phishing (displaying fake versions of sites users access and stealing data or credentials).

The attribution rates are significantly better than for threat actors, even if still fairly low. Attribution means that it was possible to identify the external transfer pathway for a given event.

Infrastructures represent the type of systems being used for supporting attacks. Some are meant to compromise or help compromise, the targeted system, others are more focused on helping to maintain the foothold in it. Indeed, once access to a system device has been gained, a communication channel is maintained through the use of command and control (C2) infrastructures. The specific mechanisms vary greatly between attacks, but C2 generally consists of one or more covert communication channels between devices in a victim organization and a platform that the attacker controls. These communication channels are supporting the malicious activities. They are used to issue instructions to the compromised devices, download additional malicious payloads, and pipe stolen data back to the cyber-actor.

The monitoring system revealed an increase in the number of cases of DGA (Domain Generation Algorithms) and the use of malicious networks.

On the contrary, it recorded a significant decrease in the use of IoT and malicious websites.


The monitoring system showed a substantial prevalence of the use of Malware especially associated with IoT systems.

During 2021, there was a significant increase (+ 136% increase) in events using malware and in delivery of payloads by email (+82% increase).

It should also be highlighted a significant increase in stealers of credentials and environmental information.

In contrast, the monitoring system recorded a decrease in the number of ransomware attacks along with the use of Trojan tools.

Compared to the other dimensions of the interpretation model, this dimension is confirmed as having the highest attribution rate.

Points of access

The most common access point reported by monitoring system is e-mail, which isn’t too surprising as it’s an effective ingress vector for several types of attacks. It’s often exploiting users’ weaknesses, be they voluntary (negligence) or involuntary (lack of knowledge about a specific threat.

As already highlighted in previous chapters, phishing activities have increased significantly. However, it’s important to keep in mind that the attribution rate is rather low. Most of the attacks’ point of access is not known.

In any case, it should be noted that a number of high-profile vulnerabilities were exploited during 2021. Of these, the vulnerabilities associated with the following systems should be noted for the number of endpoints potentially affected:

With regard to component and system vulnerabilities, the monitoring system identified the following:

It is extremely important to highlight that some events exploited vulnerabilities already identified in 2020:

IT Target

Information on the attacked IT target is not sufficiently described by the analysed events.

Type of Impact

Information on the type of consequences for the victim is mainly related to ransom demands, although fewer events were recorded in 2021 than in the previous year.

Type of Victim

During 2021 the monitoring system recorded a significant decrease in the exposure of airlines and public utilities. Attacks on banks, critical infrastructures and financial institution are still in evidence.