“The Year of the Entrepreneurial Adversary”: Hackers Set New Records for Speed and Sophistication in 2024

CrowdStrike Forecasts an Era of Lightning-Fast Attacks and AI-Enhanced Social Engineering


Cybersecurity company CrowdStrike has released its Global Threat Report 2025, documenting a major leap in the behavior of cybercriminals and state-sponsored groups. Specialists call 2024 “the year of the entrepreneurial adversary” — attackers operate like mature business structures, innovating, building resilient access supply chains, and actively using artificial intelligence.


Breakout Time at Historic Low
The key metric — breakout time (the period from initial intrusion to the start of lateral movement across the network) — fell to an all-time low: an average of 48 minutes versus 62 minutes the year before. The absolute record: 51 seconds, leaving defenders virtually no time to respond.


In 79% of detected cases, attackers avoided malicious files altogether, using legitimate administration tools and “hands-on-keyboard” actions. This approach lets them blend in with normal user activity and evade EDR. Remote monitoring and management (RMM) tools, including Microsoft Quick Assist and TeamViewer, are used especially often.
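The two points above, breakout time and malware-free use of RMM tools, are the kind of thing a detection engineer would want to measure from endpoint telemetry rather than read as a statistic. The following is an added example, not code from the report or the post: it walks a constructed, Sysmon-style timeline of process and logon events, flags RMM tool launches on hosts where no helpdesk work is expected, and computes breakout time as the gap between the first event of the intrusion and the first remote logon from an already-compromised host to a new one. The executable names beyond Quick Assist and TeamViewer, the approved-host list and the timeline itself are assumptions made for illustration.

```python
"""Breakout-time measurement and RMM-tool detection over a constructed timeline.

Added example (not from the CrowdStrike report or the forum post). All events
below are constructed; only Quick Assist and TeamViewer come from the text, the
remaining watch-list entries and the approved-host set are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Hypothetical watch-list of RMM executables (assumed, except the first two).
RMM_BINARIES = {
    "quickassist.exe": "Microsoft Quick Assist",
    "teamviewer.exe": "TeamViewer",
    "anydesk.exe": "AnyDesk",
}

# Hosts where launching an RMM tool is expected (assumed helpdesk workstation).
APPROVED_RMM_HOSTS = {"helpdesk-01"}

# Windows logon types that indicate a remote session: 3 = network, 10 = RDP.
REMOTE_LOGON_TYPES = {3, 10}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str              # "process" or "logon"
    image: str = ""        # full image path for process events
    logon_type: int = 0    # Windows logon type for logon events
    src_host: str = ""     # originating host for remote logons


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_rmm_launches(events: List[Event]) -> List[str]:
    """Report RMM tool launches on hosts not on the approved list."""
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind != "process":
            continue
        tool = RMM_BINARIES.get(image_name(e.image))
        if tool and e.host not in APPROVED_RMM_HOSTS:
            findings.append(
                f"{e.ts:%H:%M:%S} {e.host} {e.user}: {tool} launched on a non-helpdesk host"
            )
    return findings


def breakout_time(events: List[Event]) -> Optional[timedelta]:
    """Time from the first intrusion event to the first lateral movement.

    Lateral movement is taken to be a remote logon whose source is a host
    already in the intrusion set and whose target is a host outside it.
    Returns None when no such logon exists in the timeline.
    """
    ordered = sorted(events, key=lambda x: x.ts)
    if not ordered:
        return None
    first_ts = ordered[0].ts
    compromised: Set[str] = {ordered[0].host}
    for e in ordered:
        if (e.kind == "logon" and e.logon_type in REMOTE_LOGON_TYPES
                and e.src_host in compromised and e.host not in compromised):
            return e.ts - first_ts
    return None


# Constructed timeline: interactive session on ws-07, Quick Assist launch,
# a legitimate TeamViewer launch on the helpdesk host, then a network logon
# from ws-07 to the file server fs-02 (41 minutes after the first event).
TIMELINE = [
    Event(datetime(2024, 9, 3, 10, 0, 0), "ws-07", "jdoe", "process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(datetime(2024, 9, 3, 10, 3, 20), "ws-07", "jdoe", "process",
          image=r"C:\Windows\System32\QuickAssist.exe"),
    Event(datetime(2024, 9, 3, 10, 10, 40), "helpdesk-01", "tsupport", "process",
          image=r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    Event(datetime(2024, 9, 3, 10, 41, 0), "fs-02", "jdoe", "logon",
          logon_type=3, src_host="ws-07"),
    Event(datetime(2024, 9, 3, 10, 45, 0), "fs-02", "jdoe", "process",
          image=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for line in flag_rmm_launches(TIMELINE):
        print("RMM:", line)
    bt = breakout_time(TIMELINE)
    print("breakout time:", bt)
```

On the constructed timeline the detector reports a single Quick Assist launch on ws-07 and a breakout time of 41 minutes; the TeamViewer launch on the approved helpdesk host is intentionally not reported, which is the usual trade-off when tuning RMM detections against legitimate support activity.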


Vishing and Social Engineering Surge
The year saw a 442% surge in vishing attacks in the second half of 2024 compared to the first. Groups like CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER relied on phone calls as the initial vector, often combined with “spam bombing” — mass complaint email floods serving as a pretext for a “support call.” In some cases, these schemes ended with backdoor installation and deployment of Black Basta ransomware.


Attacks via help desk social engineering are also spreading — where adversaries pose as company staff to convince operators to reset passwords or disable MFA. This tactic, used notably by SCATTERED SPIDER, has become a key method for compromising cloud accounts and SaaS applications.


Generative AI Becomes a Cybercrime Tool
2024 marked a turning point in cybercriminal and state-operator use of generative AI (GenAI). LLM models were used to:


  • Create fake profiles and images (e.g., by North Korea’s FAMOUS CHOLLIMA)
  • Generate phishing emails and websites with a 54% higher click-through rate than human-written ones
  • Produce deepfakes for BEC schemes — one case netted $25.6 million
  • Write malicious scripts and tools
  • Create “decoy” websites in NITRO SPIDER campaigns

A new phenomenon emerged — LLMJacking: stealing access to corporate cloud AI services for resale or use in other attacks.


Rise in Chinese-Linked Attacks
Chinese-attributed attacks rose 150% overall, and 200–300% in finance, media, manufacturing, and engineering sectors. New specialized groups were identified: LIMINAL PANDA, LOCKSMITH PANDA, OPERATOR PANDA, VAULT PANDA, and ENVOY PANDA, each with niche focuses from telecommunications and finance to diplomatic targets. These operators actively use ORB networks — hundreds or thousands of compromised devices to mask traffic — and share previously unique tools like the KEYPLUG malware.


FAMOUS CHOLLIMA’s “Laptop Farms”
FAMOUS CHOLLIMA expanded campaigns involving fake IT workers who secure jobs in foreign companies, obtain corporate devices, and send them to “laptop farms” for backdoor installation. CrowdStrike recorded 304 incidents involving them, 40% tied to insider threats.


Cloud and Credential Attacks
Cloud breaches increased by 26%, with 35% starting from the compromise of valid accounts. Attackers often avoid changing passwords to prevent raising suspicion. Credential theft via infostealers (Stealc, Vidar) and abuse of trusted intercompany connections were common.


Exploit Chaining and Legitimate Feature Abuse
Many attacks combined exploit chaining and misuse of legitimate software features. For example, OPERATOR PANDA used a chain of Cisco IOS vulnerabilities to target telecoms and consulting firms in the U.S.


CrowdStrike’s Outlook
CrowdStrike predicts continued acceleration of attack speed and broader AI use, particularly in social engineering and cloud environments. Experts recommend prioritizing identity protection, implementing proactive patch management, strengthening cloud account controls, and deploying AI-driven threat hunting tools.
 
Top Bottom