Kaspersky Security Bulletin – Securelist (https://securelist.com)

What your SOC will be facing in 2023
https://securelist.com/soc-socc-predictions-2023/108512/
Mon, 23 Jan 2023 10:00:08 +0000

As the role of cybersecurity in large businesses increases remarkably year over year, the importance of Security Operations Centers (SOCs) is becoming paramount. This year’s Kaspersky Security Bulletin ends with tailored predictions for SOCs – from external and internal points of view. The first part of this report is devoted to the most current threats any SOC is likely to face in 2023. Based on our extensive Managed Detection and Response (MDR) experience and the dynamics we have seen over the years, we provide insights into the trends set to shape the threat landscape for enterprises this year. The second part is devoted to SOC trends from an internal point of view. Here we analyze challenges that managers will face regarding personnel, budgets and functions. They are closely intertwined with the threats looming over corporations in 2023, as only an effectively organized team can safeguard business against rapidly evolving malware and attack methods.

Part 1. What threats security operations centers will face in 2023

Ransomware will increasingly destroy data instead of encrypting it

Cyberspace reflects the global agenda, and geopolitical turbulence influences the attack surface. That’s why in 2023 we can expect the echoes of cyberwarfare to continue reverberating. The most common attack scenarios here are: attacks on employees (social engineering), attacks on IT infrastructure (DDoS), as well as attacks on critical infrastructure. Another interesting trend that started in 2022 and will continue in 2023 is that ransomware now not only encrypts companies’ data, but destroys it in certain cases. This threat looms large over organizations that are subject to politically motivated attacks, which look destined to be on the rise in the coming year.

Public-facing applications will continue to be exploited for initial access

Largely due to some notorious critical vulnerabilities in Exchange, in 2021 and 2022 we observed significant growth in successful initial compromise through the network perimeter, with the share of this type of initial access doubling in 2022 against 2021. Penetration from the perimeter requires less preparation than phishing, and rather old vulnerabilities are still exposed; we expect this tendency to continue in 2023.

Share of exploits in public applications, dynamics in 2021–2022, worldwide statistics

More supply chain attacks via telecom

Year after year here at the Kaspersky SOC we observe attackers' interest in IT and telecom companies. According to the Kaspersky MDR report, in 2021 the telecom industry for the first time saw high severity incidents prevail over medium and low ones in terms of expected number: on average 79 high severity incidents per 10k systems monitored versus 42 incidents of medium severity and 28 of low severity (see this report for more details). In 2022 we continued to observe cybercriminal interest in telecom companies, although the share of high severity incidents was lower (roughly 12 per 10k computers versus 60 of medium and 22 of low severity). We encountered scenarios in which intruders attacked telecom companies in order to further target their customers. In 2023 we expect an increase in the number of supply chain attacks via telecom providers, which usually offer additional managed services.

Number of incidents in telecom companies per 10K systems in 2021 and 2022, worldwide statistics

More reoccurring targeted attacks by state-sponsored actors

Kaspersky has provided MDR since 2016. During this time, we have observed targeted attacks (TA) across various industries – from automotive to government. Many organizations are threatened by targeted attacks, especially large businesses and non-profits. Note that even in cases with no signs of a live targeted attack, we were still able to find artefacts from previous targeted attacks.

This means there is a looming threat of reoccurring attacks in 2023: if a company was compromised once, and the attack was successfully remediated, attackers are highly likely to try hacking that organization again. Even after an unsuccessful attack, the organization is likely to be attacked again, as it remains a long-term goal of the threat actor. This is especially noticeable in government organizations, which tend to be attacked by state-sponsored actors.

Number of incidents in government organizations per 10K systems in 2021 and 2022, worldwide statistics

International conflicts are traditionally accompanied by information warfare where mass media inevitably play an important role. In recent years we have observed steady growth in attacks on this sector, and statistics for 2022 support this trend, with mass media one of the prime targets for attackers, along with government organizations.

Number of incidents in mass media companies per 10K systems in 2021 and 2022, worldwide statistics

In 2023, these two sectors will most likely remain among the most frequently attacked, with the share of high severity incidents probably increasing.

To effectively guard against targeted attacks, it is necessary to implement active threat hunting in combination with MDR.

Part 2. What challenges will SOCs face internally: processes and efficiency

SOCs will be forced to raise requirements, while experiencing staff shortages

Looking at the internal challenges, we first need to consider human resources issues. The future of SOC development lies in intensive, not extensive, growth, meaning the value every team member (even unskilled ones) brings to the SOC is increasing. Developing the skills of the SOC team is a proven way to counter the increasing number of threats every SOC will be facing in 2023. That means incident response training, and all forms of SOC exercises, such as TTX, purple teaming, and adversary attack simulations, should be a significant part of the 2023 SOC strategy. This gives the SOC a goal: to enhance the SOC team, architecture, and operations for better performance. For a mature SOC, it is just a question of time; for others, a lack of experience and vision in terms of SOC development is usually the obstacle. Commonly, the second case can be solved with a SOC review by external experts, who can identify gaps with fresh eyes and avoid the bias that prevents the internal team from seeing the bigger picture.

Another trend, related to the lack of skilled and experienced personnel that will persist in 2023, is the need for well-defined SOC processes. Therefore we predict an increasing role for SOC process development and related services.

Bigger budgets alongside efficiency as the cornerstone of SOC processes

The growing threat landscape is pushing cybersecurity and SOC budgets skywards. This trend will focus attention on budget spending, prompting “Why? What was the effect? What value does it bring?”-type questions for SOC managers.

With a mature approach, this circumstance should lead SOCs to implement “SOC efficiency management.” As part of this practice, companies will evaluate breach costs and map them to SOC performance in reducing such losses. Combined with analysis of prevented incidents, this can allow SOCs to evaluate the value they bring in monetary terms. But prior to implementing this approach, SOCs will need to deploy efficient metrics and their analysis, as well as established SOC governance processes.

Building full-scale threat intelligence and threat hunting

The growth of cyberattacks and threats will translate into high demand for predicting attacks and attacker techniques, thus increasing the value of cyberthreat intelligence (CTI). From what we have observed so far in our daily practice, many SOCs’ CTI activities boil down to managing IOC feeds. This approach is ineffective against zero-day and APT attacks. Current trends have already shifted towards establishing full-scale CTI capabilities within companies, and most SOCs now have a dedicated CTI unit. That trend will grow and mature in 2023.

Cases of successful attacks going unnoticed for a long time are still common – and will remain so in 2023 due to the continuous growth of targeted attacks. The Assume Breach paradigm will stay with us in 2023 as well, which means that threat hunting has a good chance of becoming a trend.

So, we believe that threat hunting will form a vital part of any SOC development strategy. Although current thinking places it at the bottom of the list of must-have SOC technologies, in most cases this can be explained by a poor understanding of how to conduct threat hunting or a chaotic approach to delivery. But since threat hunting is part of SOC detection capabilities, which will be challenged by evolving threats, more companies will consider conducting threat hunting on a regular basis with clear goals and an understanding of how to reach them continuously.

These are our predictions for SOC specialists for 2023. Watch this space in 12 months’ time to see which of them came true.

What threatens corporations in 2023: media blackmail, fake leaks and cloud attacks
https://securelist.com/corporate-threat-predictions-2023/108456/
Wed, 18 Jan 2023 08:00:45 +0000

Kaspersky detects an average of 400,000 malicious files every day. These add up to 144 million annually. The threat landscape is constantly updated through new malware and spyware, advanced phishing methods, and new social engineering techniques. The media routinely report incidents and leaks of data that end up publicly accessible on the dark web. Hacker attacks constantly hurt individuals, corporations, and entire countries, and not just financially. In certain cases, cyberattacks may threaten human lives, for example if they target critical infrastructure.

Last year, the cybersecurity of corporations and government agencies was more significant than ever before, and will become even more so in 2023. As part of the Kaspersky Security Bulletin, the DFI (Digital Footprint Intelligence) and DFIR (Digital Forensics and Incident Response) teams have come up with an overview of threats that will be relevant to the segment in question.

More personal data leaks; corporate email at risk

The trend for personal data leaks grew rapidly in 2022 and will continue into 2023. Last year saw a number of high-profile cases, such as Medibank, Uber, and WhatsApp. The leaks affected various organizations and amounts of data. For example, last September, an attacker offered for sale a database containing 105 million records with information about Indonesian citizens. The compromised data included full name, place and date of birth, gender, as well as national identification number. The perpetrator valued the data, seemingly taken from the General Elections Commission of Indonesia, at US$5,000 and put it up for sale on the dark web.

A post on the dark web that offers Indonesian data for sale and was found with the help of Digital Footprint Intelligence

We often see people use work email addresses to register with third-party sites and services, which can be hacked and exposed in a data leak, putting the security of the company that owns the email domain at risk. The attack surface of its infrastructure grows with the number of potentially vulnerable objects. When sensitive data becomes publicly accessible, it may attract the interest of cybercriminals and trigger discussions of potential attacks on the organization on dark web sites (forums, instant messaging channels, onion resources, etc.). In addition, the likelihood of the data being used for phishing and social engineering increases.

Media blackmail: businesses to learn they were hacked from hackers’ public posts with a countdown to publication

Ransomware operators set up blogs where they post about new successful hacks of businesses and publish the data they stole. The number of posts in those blogs grew in 2022, both in open sources and on the dark web. Whereas we were seeing 200 to 300 posts in each of the first ten months of 2021, the number peaked at more than 500 monthly at the end of 2021 and the first half of 2022[1].

Changes in the number of ransomware blog posts in 2021–2022, worldwide

Extortionists used to try to settle matters with victim businesses in private, without attracting the attention of the broader public. Cybercriminals used to strive to keep a low profile until they got what they wanted, while the hack victims preferred to avoid reputational damage or any other consequences of the attack. These days, hackers post about the security breach in their blogs instead of contacting the victim, set a countdown timer to the publication of the leaked data, and wait for the victim’s reaction. This pattern helps cybercriminals win regardless of whether the victim pays up or not. Data is often auctioned, with the closing bid sometimes exceeding the demanded ransom.

Example: a post about the hack of the Australian company Medibank, found with the help of Digital Footprint Intelligence

We expect that in 2023, cybercriminals will try to reach out to victim businesses ever less often, while the number of blog posts and mentions of victims’ names in the news will increase.

Example of a countdown to the publication of leaked data as seen in the LockBit ransomware blog

Enjoying the fun part: cybercriminals to post fake hack reports more often

These days, hardly a day goes by without a new leak being reported. The number of fake reports grows along with that. We believe that in 2023, cybercriminals will more frequently allege that they have hacked a company, as an ego trip and a reputation boost. A leak report that appears in public sources can be used as a media manipulation tool and hurt the target business regardless of whether the hack happened or not. It is key to identify these messages in a timely manner and initiate a response process similar to that for information security incidents. This includes monitoring of dark and deep web sites for leak or compromise reports.

The major attack vectors, such as vulnerabilities in publicly used applications, compromised credentials, and emailed malicious links and attachments, will be joined by activities and tools relating to cloud and virtualization technology. Businesses increasingly transfer their information infrastructures to the cloud, often using partner services for that. They place little focus on information security when migrating to the cloud: this is not even a task they assign to the virtualization service provider. An incident catches the company with insufficient data for investigation, as the cloud provider neither gathers nor logs system events. This essentially makes investigating the incident a difficult task.

Cybercriminals will tap dark web sites more often in 2023 to purchase access to previously compromised organizations. Our investigations have revealed a clear trend: the number of attacks utilizing pre-compromised accounts posted on dark web sites is on the rise. What is dangerous about that trend is that the preliminary phase of the attack, that is the account being compromised, can go unnoticed. The victim company will not learn about the attack until it is faced with major damage, such as their services suffering interruptions or ransomware encrypting their data.

Digitalization brings increased cybersecurity risks with it. If a corporation is to secure the loyalty of its customers and partners, it must ensure business continuity and robust protection of its critical assets, corporate data and the entire IT infrastructure to counter growing threats. Large businesses and government organizations often employ multilevel security, but even that is not a guarantee against compromise. Therefore, timely, adequate incident response and investigation are essential to both remedying the consequences and fixing the root cause, as well as to preventing similar incidents from happening again.

The malware-as-a-service model will continue to gain popularity in 2023, with blackmailer teams among others. Cybercriminals try to optimize their work efforts by scaling their operations and outsourcing certain activities just as a legitimate business would. For instance, LockBit — you can read about its evolution here — has been expanding its services like a software development company. The cybercriminals recently went so far as to announce a bug bounty program. Malware-as-a-service (MaaS) is lowering the entry threshold for wannabe cybercriminals: anyone can launch a ransomware attack by renting a fitting malware tool.

Meanwhile, the number of popular and well-known ransomware tools will decline, and attacks will grow in similarity. Companies might view this as a positive: a great number of ransomware tools will utilize similar MaaS techniques and tactics, so a smaller number of these will need to be considered for SOC response. That said, attackers’ tools will grow in complexity, rendering automated systems insufficient as a means of complete security.

The year 2023 will be a complicated one from an information security perspective, because the threat landscape is evolving rapidly. This sets a pace for businesses, which are forced to adapt. On the brighter side, researchers have the advanced tools to curb the growing threats.

These were our predictions for the year 2023. A year from now, we shall see which ones materialized and which ones did not.


[1] The statistics contain data on sites that are covered by the Digital Footprint Intelligence monitoring system

Reassessing cyberwarfare. Lessons learned in 2022
https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/
Wed, 14 Dec 2022 10:00:18 +0000

At this point, it has become cliché to say that nothing in 2022 turned out the way we expected. We left the COVID-19 crisis behind hoping for a long-awaited return to normality and were immediately plunged into the chaos and uncertainty of a twentieth-century-style military conflict that posed serious risks of spreading over the continent. While the broader geopolitical analysis of the war in Ukraine and its consequences are best left to experts, a number of cyberevents have taken place during the conflict, and our assessment is that they are very significant.

In this report, we propose to go over the various activities that were observed in cyberspace in relation to the conflict in Ukraine, understand their meaning in the context of the current conflict, and study their impact on the cybersecurity field as a whole.

Timeline of significant cyber-events predating Feb 24th

In the modern world, it has become very difficult to launch any kind of military campaign without intelligence support in the field. Most intelligence is gathered from various sources through methods such as HUMINT (human intelligence, gathered from persons located in the future conflict area), SIGINT (signals intelligence, gathered through the interception of signals), GEOINT (geospatial intelligence, such as maps from satellites), or ELINT (electronic intelligence, excluding text or voice), and so on.

For instance, according to the New York Times, in 2003, the United States made plans for a huge cyberattack to freeze billions of dollars in Saddam Hussein’s bank accounts and cripple his government before the invasion of Iraq. However, the plan was not approved because the government feared collateral damage. Instead, a more limited plan to cripple Iraq’s military and government communication systems was carried out during the early hours of the war in 2003. This operation included blowing up cellphone towers and communication grids as well as jamming and cyberattacks against Iraq’s telephone networks. According to the same article, another such attack took place in the late 1990s when the American military attacked a Serbian telecommunications network. Inadvertently, this also affected the Intelsat communications system for days, proving that the risk of collateral damage during cyberwarfare is pretty high.

The lessons learned from these events may allow predicting kinetic conflicts by monitoring new cyberattacks in potential areas of conflict. For instance, in late 2013 and January 2014, we observed higher-than-normal activity in Ukraine by the Turla APT group, as well as a spike in the number of BlackEnergy APT sightings. Similarly, at the beginning of February 2022, we noticed a huge spike in the amount of activity related to Gamaredon C&C servers. This activity reached hitherto-unseen levels, suggesting massive preparations for a major SIGINT gathering effort.

As shown by these cases, during modern conflicts, we can expect to see significant signs and spikes in cyberwarfare relating to both collection of intelligence and destructive attacks in the days and weeks preceding military attacks. Of course, we should note that the opposite is also possible: for instance, starting in June 2016, but most notably since September 2016 all the way to December 2016, the Turla group intensified their satellite-based C&C registrations tenfold compared to its 2015 average. This indicated unusually high activity by the Turla group, which signaled a never-before-seen mobilization of the group’s resources. At the same time, there was no ensuing military conflict that we know of.

Key insights

  • Today’s military campaigns follow gathering of supporting intelligence in the field; this includes SIGINT and ELINT among others
  • Significant military campaigns, such as the 2003 invasion of Iraq, have been complemented by powerful cyberattacks designed to disable the enemy’s communication networks
  • In February 2022, we noticed a huge spike in activity related to Gamaredon C&C servers; a similar spike was observed in Turla and BlackEnergy APT activity in late 2013 and early 2014
  • We can expect to see significant signs and spikes in cyberwarfare in the days and weeks preceding military conflicts

Day one

On the very first day of the conflict (February 24, 2022), a massive wave of indiscriminate pseudo-ransomware and wiper attacks hit Ukrainian entities. We were not able to determine any form of consistency when it came to the targeting, which led us to believe that the main objective of these attacks may have been to cause chaos and confusion — as opposed to achieving precise tactical goals. Conversely, the tools leveraged in this phase were just as varied in nature:

  • Ransomware (IsaacRansom);
  • Fake ransomware (WhisperGate);
  • Wipers (HermeticWiper, CaddyWiper, DoubleZero, IsaacWiper);
  • ICS/OT wipers (AcidRain, Industroyer2).

Some of them were particularly sophisticated. As far as we know, HermeticWiper remains the most advanced wiper software discovered in the wild. Industroyer2 was discovered in the network of a Ukrainian energy provider, and it is very unlikely that the attacker would have been able to develop it without access to the same ICS equipment as used by the victim. That said, a number of those tools are very crude from a software engineering perspective and appear to have been developed hurriedly.

With the notable exception of AcidRain (see below), we believe that these various destructive attacks were both random and uncoordinated – and, we argue, of limited impact in the grand scheme of the war. Our assessment of the threat landscape in Ukraine in the first months of the war can be found on SecureList.

The volume of wiper and ransomware attacks quickly subsided after the initial wave, but a limited number of notable incidents were still reported. The Prestige ransomware affected companies in the transportation and logistics industries in Ukraine and Poland last October. One month later, a new strain named RansomBoggs again hit Ukrainian targets – both malware families were attributed to Sandworm. Other “ideologically motivated” groups involved in the original wave of attacks appear to be inactive now.

Key insights

  • Low-level destructive capabilities can be bootstrapped in a matter of days.
  • Based on the uncoordinated nature of these destructive attacks, we assess that some threat actors appear to be capable of recruiting isolated groups of hackers on short notice, to perform destabilizing tasks. We can only speculate as to whether those groups are internal resources reassigned to low-level cyberattacks or external entities that can be mobilized when the need arises.
  • While the impact of these destructive cyber-attacks paled in comparison to the effects of the kinetic attacks taking place at the same time, it should be noted that this capability could in theory be directed against any country outside of the context of an armed conflict and under the pretense of traditional cybercrime activity.

The Viasat “cyberevent”

On the 24th of February, Europeans who relied on the ViaSat-owned “KA-SAT” satellite faced major Internet access disruptions. This so-called “cyber-event” started around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of the “special military operation” in Ukraine. As could be read from government requests for proposals, the Ukrainian government and military are notable consumers of KA-SAT access, and were reportedly affected by the event. But the disruptions also had major consequences elsewhere, such as interrupting the operation of wind turbines in Germany.

ViaSat quickly suspected that the disruptions could be the result of a cyberattack. It directly affected satellite modem firmware, but was still not fully understood as of mid-March. Kaspersky experts ran their own investigations and notably uncovered a likely intrusion path through a remote access point in a management network, while analyzing modem internals and a wiper implant that was likely involved. The “AcidRain” wiper was first described later in March, when ViaSat also published an official analysis of the cyberattack. The latter confirmed that a threat actor got in through a remote-management network by exploiting a poorly configured VPN, and ultimately delivered destructive payloads, affecting tens of thousands of KA-SAT modems. On May 10, the European Union attributed those malicious activities to the Russian Federation.

A lot of technical details about this attack are still unknown and may later be shared away from government eyes. Yet it is one of the most sophisticated attacks revealed to date in connection to the conflict in Ukraine. The malicious activities were likely conducted by a skilled and well-prepared threat actor, within an accurate timeframe which cannot be fortuitous. While the sabotage has likely failed to disrupt the Ukrainian defense badly enough, it had multiple effects beyond the battlefield: stimulating the US Senate to require a state of play on satellite cybersecurity, accelerating SpaceX Starlink deployment (and later, unexpected bills), as well as questioning the rules for dual-use infrastructure during armed conflicts.

Key insights

  • The ViaSat sabotage once again demonstrates that cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.
  • As it has been suspected for years, advanced threat actors likely preposition themselves in various strategic infrastructural assets in preparation for future disruptive actions.
  • Cyberattacks against common communication infrastructures are highly likely during armed conflict, as belligerents might consider these to be of dual use. Due to the interlinked nature of the Internet, a cyberattack against this kind of infrastructure will likely have side-effects for parties that are not involved in the armed conflict. Protection and continuity planning are of utmost importance for this communications infrastructure.
  • The cyberattack raises concerns about the cybersecurity of commercial satellite systems, which may support various applications, from selfie geolocation to military communications. While protective measures against kinetic combat in space are frequently discussed by military forces, and more datacenters are expecting to fly soon … ground-station management systems and operators still seem to be highly exposed to common cyberthreats.

Taking sides: professional ransomware groups, hacktivists, and DDoS attacks

As has always been the case, wartime has a very specific impact on the information landscape. It is especially true in 2022, now that humanity commands the most potent information spreading tools ever created: social networks and their well-documented amplification effect. Most real-world events related to the war (accounts of skirmishes, death tolls, prisoner of war testimonies) are shared and refuted online with varying degrees of good faith. Traditional news outlets are also affected by the broader context of information warfare.

DDoS attacks and, to a lesser extent, defacement of random websites have always been regarded as low-sophistication and low-impact attacks by the security community. DDoS attacks, in particular, require generating heavy network traffic that attackers typically cannot sustain for very long periods of time. As soon as the attack stops, the target website becomes available again. Barring temporary loss of revenue for e-commerce websites, the only value provided by DDoS attacks or defacement is the humiliation of the victim. Since non-specialized journalists may not know the difference between the various types of security incidents, their subsequent reporting shapes a perception of incompetence and inadequate security that may erode users’ confidence. The asymmetric nature of cyberattacks plays a key role in supporting a David vs. Goliath imagery, whereby symbolic wins in the cyberfield help convince ground troops that similar achievements are attainable on the real-life battlefield.

According to Kaspersky DDoS Protection, in the first 11 months of 2022 the service registered about 1.65 times as many attacks as in the whole of 2021. While this growth may not seem too significant, the protected resources were under attack 64 times longer in total than in 2021. In 2021 the average attack lasted ~28 minutes; in 2022 it lasted 18.5 hours, which is almost 40 times longer. The longest attack lasted 2 days in 2021 and 28 days (or 2486505 seconds) in 2022.

Total duration of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

Since the start of the war, a number of (self-identified) hacktivist groups have emerged and started conducting activities to support either side. For instance, a stunt organized by the infamous collective Anonymous involved causing a traffic jam in Moscow by sending dozens of taxis to the same location.

Kaspersky DDoS protection also reflects this trend. Massive DDoS attacks were spread unevenly over the year with the most heated times being in spring and early summer.

Number of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

Attacks peaked in February to early March, reflecting the growth of hacktivism, which had died down by autumn. Currently we see the regular, expected dynamics of attacks, though their quality has changed. In May-June we detected extremely long attacks. Their length has since stabilized; nevertheless, while typical attacks used to last a few minutes, they now last for hours.

On February 25, 2022, the infamous Conti ransomware group announced their “full support of Russian government”. The statement included a bold phrase: “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy“. The group followed up rather quickly with another post, clarifying their position in the conflict: “As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression“.

Two days later, a Ukrainian security researcher leaked a large batch of internal private messages between Conti group members, covering over one year of activity starting in January 2021. This dump delivered a significant blow to the group, which saw its inner activities exposed to the public, including Bitcoin wallet addresses related to many millions of US dollars received in ransom. At the same time, another cybercriminal group called “CoomingProject”, specializing in data leaks, announced they would support the Russian Government if they saw attacks against Russia.

Other groups, such as Lockbit, preferred to stay neutral, claiming their “pentesters” were an international community, including Russians and Ukrainians, and that it was “all business”, in a very apolitical manner.

On February 26, Mykhailo Fedorov, the Vice Prime Minister and Minister of Digital Transformation of Ukraine, announced the creation of a Telegram channel to “continue the fight on the cyber front”. The initial Telegram channel had a typo in the name (itarmyofurraine) so a second one was created.

IT ARMY of Ukraine Telegram channel

The channel operators constantly give tasks to the subscribers, such as DDoS’ing various business corporations, banks, or government websites:

List of DDoS targets posted by IT ARMY of Ukraine

Within a short time, the IT Army of Ukraine, composed of volunteers coordinating via Twitter and Telegram, reportedly defaced or otherwise DDoSed over 800 websites, including high-profile entities such as the Moscow Stock Exchange[1].

Parallel activity has also been observed by other groups, which have taken sides as the conflict was spilling over into neighboring countries. For instance, the Belarusian Cyber-Partisans claimed they had disrupted the operations of the Belarusian Railway by switching it to manual control. Their goal was to slow the movement of Russian military forces through the country.

Belarusian Cyber-Partisans post

A limited and by far not exhaustive list of the ransomware or hacktivist groups that expressed their opinion about the conflict in Ukraine includes:

Open UA support             | Open RU support           | Neutral
----------------------------+---------------------------+-------------------
RaidForums                  | Conti ransomware          | Lockbit ransomware
Anonymous collective        | CoomingProject ransomware | ALPHV ransomware
IT ARMY of Ukraine          | Stormous ransomware       |
Belarusian Cyber-Partisans  | KILLNET                   |
AgainstTheWest              |                           |
NB65                        |                           |
Squad303                    |                           |
Kelvinsecurity + …          |                           |

Among the openly pro-Russian groups, Killnet, which was originally established as a response to the “IT Army of Ukraine”, is probably the most active. In late April, they attacked Romanian Government websites in response to statements by Marcel Ciolacu, president of the Romanian Chamber of Deputies, after he promised Ukrainian authorities “maximum assistance”. On May 15, Killnet published a video on their Telegram channel declaring war on ten nations: the United States, the United Kingdom, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine. Following these activities, the international hacking collective known as “Anonymous” declared cyber war against Killnet on May 23.

Killnet continued its activities throughout 2022, preceding their attacks with an announcement on their Telegram channel. In October, the group started attacking organizations in Japan, which they later stopped due to a lack of funds. It later attacked a US airport and governmental websites and businesses, often without significant success. On November 23, Killnet briefly took down the website of the European Union. Killnet also repeatedly targeted websites in Latvia, Lithuania, Norway, Italy, and Estonia. While Killnet’s methods are not sophisticated, they continually make headlines and drive attention to the group’s activities and stance.

Key insights

  • The conflict in Ukraine has created a breeding ground for new cyberwarfare activity by various parties, including cybercriminals and hacktivists, who rushed to support their favorite sides.
  • We can expect the involvement of hacktivist groups in all major geopolitical conflicts from now on.
  • The cyberwarfare activities are spilling over into neighboring countries and affecting a large number of entities, including governmental institutions and private companies.
  • Some groups, such as the IT Army of Ukraine, have been officially backed by governments, and their Telegram channels include hundreds of thousands of subscribers.
  • The majority of attacks have relatively low complexity.
  • Most of the time, attacks conducted by these groups have a very limited impact on operations but may erroneously be reported as serious incidents and cause reputational damage.
  • These activities may originate from genuine “grassroots” hacktivists, groups encouraged or supported by one of the belligerents, or from the belligerents themselves – and telling which is which may well prove impossible.

Hack and leak

On the more sophisticated end of attacks attempting to hijack media attention, hack-and-leak operations have been on the rise since the beginning of the conflict. The concept is simple: breaching an organization and publishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple defacement, since not all machines contain internal data worth releasing. Hack-and-leak operations therefore require more precise targeting and will, in most cases, also demand more skill from attackers, as the information they are looking for is, more often than not, buried deep within the victim’s network.

An example of such a campaign is the “doxing” of Ukrainian soldiers. Western entities were also targeted, such as the Polish government or many prominent pro-Brexit figures in the UK. In the latter cases, internal emails were published, leading to scrutiny by investigative journalists. In theory, these data leaks are subject to manipulation. The attackers have all the time they need to edit any released document or could just as well inject entirely forged ones.

It is important to note that it is absolutely unnecessary for the attacker to go to such lengths for the data leak to be damaging. The public availability of the data is proof itself that a serious security incident took place, and the legitimate, original content may already contain incriminating information.

Key insights

  • In our 2023 APT predictions, we foresee that hack-and-leak operations will be on the rise next year, as they are very efficient against entities that already have high media exposure and corruption levels (e.g., politicians).
  • Information warfare is not internal to a conflict, but instead directed at all onlookers. We expect that the vast majority of such attacks will not be directed at the belligerents, but rather at entities who are perceived as being too supportive (or not supportive enough) of either side.
  • Whether it is hack-and-leak operations or DDoS, cyberattacks emerge as a non-kinetic means of diplomatic signaling between states.

Poisoned open-source repositories, weaponizing open-source software

Open-source software has many benefits. Firstly, it is often free to use, which means that businesses and individuals can save money on software costs. However, since anyone can contribute to the code and make improvements, this can also be abused and, in turn, open security trapdoors. On the other hand, since the code can be publicly examined for potential security vulnerabilities, it also means that, given enough scrutiny, the risks of using open-source software can be mitigated to an acceptable level.

Back in March, RIAEvangelist, the developer behind the popular npm package “node-ipc”, published modified versions of the software that contained special functionality which activated if the running system had a Russian or Belarusian IP address. On such systems, the code would overwrite all files with a heart emoji, additionally dropping a message file, WITH-LOVE-FROM-AMERICA.txt, that originated in another module created by the same developer. The node-ipc package is quite popular, with over 800,000 users worldwide. As is often the case with open-source software, the effect of deploying these modified “node-ipc” versions was not restricted to direct users; other open-source packages, for instance “Vue.js”, which automatically include the latest node-ipc version, amplified the effect.

Packages aimed at the Russian market did not always lead to the destruction of files; some of them contained hidden functionality such as adding a Ukrainian flag to a section of the website or software, or political statements in support of the country. In certain cases the functionality of the package was removed and replaced with political notifications. It is worth noting that not all packages hid this functionality: some authors announced it in the package description.

One of the projects encourages users to spread a file that, once opened, starts hitting various pages of the listed servers via JavaScript to overload the websites

Other repositories and software modules found on GitHub included those specifically created to DDoS Russian governmental, banking and media sites, network scanners specifically for gathering data about Russian infrastructure and activity and bots aimed at mass reporting of Telegram channels.

Key insights

  • As the conflict drags on, popular open-source packages can be used as a protest or attack platform by developers or hackers alike.
  • The impact from such attacks can extend further than the open-source software itself, propagating to other packages that automatically rely on the trojanized code.
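The propagation effect described above (a downstream package whose floating version range automatically pulls the latest, poisoned release of a dependency) can be audited for in a dependency tree. The following is an added example, not code from the Securelist post or from the node-ipc or Vue.js projects; it assumes a simplified name-to-manifest map in place of a real lockfile, handles only exact, caret, tilde and wildcard ranges, and uses constructed package names and affected version numbers.

```javascript
// Added example (not from the Securelist post): which top-level dependencies
// can transitively pull an affected release of a watched package?
// Assumptions: manifests are a name -> { version, dependencies } map (a
// simplified package.json view); ranges are exact, ^, ~ or *; the affected
// version numbers below are constructed placeholders, not advisory values.

const WATCHED_PACKAGE = "node-ipc";                 // package named in the text
const AFFECTED_VERSIONS = ["9.9.1", "9.9.2"];       // constructed, illustrative only

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lower bound (inclusive) and upper bound (exclusive) implied by a range,
// following npm's caret/tilde rules, including the 0.x special cases.
function rangeBounds(range) {
  const r = range.trim();
  if (r === "*" || r === "latest" || r === "") return { lower: null, upper: null };
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = op ? r.slice(1) : r;
  const [maj, min, pat] = parseVersion(base);
  if (!op) return { lower: base, upper: null, exact: true };
  let upper;
  if (op === "~" || (maj === 0 && min > 0)) upper = `${maj}.${min + 1}.0`;
  else if (maj === 0 && min === 0) upper = `0.0.${pat + 1}`;
  else upper = `${maj + 1}.0.0`;
  return { lower: base, upper };
}

// Would `npm install` be allowed to resolve `range` to `version`?
function rangeAdmits(range, version) {
  const b = rangeBounds(range);
  if (b.exact) return compareVersions(version, b.lower) === 0;
  if (b.lower !== null && compareVersions(version, b.lower) < 0) return false;
  if (b.upper !== null && compareVersions(version, b.upper) >= 0) return false;
  return true;
}

// One record per dependency path from a root dependency down to the watched
// package, listing which affected versions the last hop's range admits.
function findExposures(manifests, rootDeps) {
  const results = [];
  function walk(name, range, path, seen) {
    if (seen.has(name)) return;                    // guard against cycles
    if (name === WATCHED_PACKAGE) {
      const admitted = AFFECTED_VERSIONS.filter(v => rangeAdmits(range, v));
      results.push({ path: [...path, name], range, admitted });
      return;
    }
    const manifest = manifests[name];
    if (!manifest) return;                         // unknown package: nothing to inspect
    const next = new Set(seen).add(name);
    for (const [dep, depRange] of Object.entries(manifest.dependencies || {})) {
      walk(dep, depRange, [...path, name], next);
    }
  }
  for (const [dep, range] of Object.entries(rootDeps)) walk(dep, range, [], new Set());
  return results;
}

// Sorted names of root dependencies with at least one exposed path.
function exposedRootDependencies(manifests, rootDeps) {
  const exposed = new Set();
  for (const r of findExposures(manifests, rootDeps)) {
    if (r.admitted.length > 0) exposed.add(r.path[0]);
  }
  return [...exposed].sort();
}

// Constructed sample tree (hypothetical package names): build-tool-a floats on
// ^9.9.0 and would auto-install the newest 9.9.x; build-tool-b pins an exact,
// unaffected version; util-c reaches build-tool-a only through plugin-d.
const SAMPLE_MANIFESTS = {
  "build-tool-a": { version: "4.0.0", dependencies: { "node-ipc": "^9.9.0" } },
  "build-tool-b": { version: "2.1.0", dependencies: { "node-ipc": "9.9.0" } },
  "util-c":       { version: "1.0.0", dependencies: { "plugin-d": "~1.2.0" } },
  "plugin-d":     { version: "1.2.5", dependencies: { "build-tool-a": "^4.0.0" } },
};
const SAMPLE_ROOT_DEPS = { "build-tool-a": "^4.0.0", "build-tool-b": "^2.0.0", "util-c": "*" };

function printReport(manifests, rootDeps) {
  for (const r of findExposures(manifests, rootDeps)) {
    const status = r.admitted.length ? `EXPOSED (admits ${r.admitted.join(", ")})` : "pinned, not exposed";
    console.log(`${r.path.join(" -> ")} [${r.range}]: ${status}`);
  }
}

printReport(SAMPLE_MANIFESTS, SAMPLE_ROOT_DEPS);
```

On the sample tree, both build-tool-a and util-c are reported as exposed (the latter via plugin-d), while build-tool-b's exact pin is not; the same walk applied to a real lockfile's resolved versions tells you which floating ranges to pin.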

Fragmentation

During the past years, most notably after 2014, this process began to expand to the IT Security world, with nation states passing laws banning each other’s products, services, and companies.

Following the start of the conflict in Ukraine in February 2022, we have seen a lot of western companies exiting the Russian market and leaving their users in a difficult position when it comes to receiving security updates or support. At the same time, some western nations have pushed laws banning the use of Russian software and services due to a potential risk of these being used to launch attacks.

Obviously, one cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies, and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have “silly” security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Should the conflict continue to escalate, organizations based in countries where the political situation does not require addressing the above issues should still consider the future risk factors that may affect everyone:

  • The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
  • The communication breakdowns between IS developers and researchers located on opposite sides of the new “iron curtain” or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
  • Decreasing CTI quality: unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.

Government attempts to consolidate information about incidents, threats, and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reason.

Key insights

  • Geopolitics are playing an important role, and the process of fragmentation is likely going to expand.
  • Security updates are probably the top issue when vendors end support for products or leave the market.
  • Replacing established global leaders with local products might open the doors to cybercriminals exploiting zero-day vulnerabilities.

Did a cyberwar happen?

Ever since the beginning of the conflict, the cybersecurity community has debated whether or not what was going on in Ukraine qualifies as “cyberwar”. One indisputable fact, as documented throughout this report, is that significant cyberactivity did take place in conjunction with the start of the conflict in Ukraine. This may be the only criterion we need.

On the other hand, many observers had envisioned that in the case of a conflict, devastating preemptive cyberattacks would cripple the “special operation” party. With the notable exception of the Viasat incident, whose actual impact remains hard to evaluate, this simply did not take place. The conflict instead revealed an absence of coordination between cyber- and kinetic forces, and in many ways downgraded cyberoffense to a subordinate role. Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Later, when the conflict escalated this November and the Ukrainian infrastructure (energy networks in particular) got explicitly targeted, it is very telling that the Russian military’s tool of choice for the job was missiles, not wipers[2].

If you subscribe to the definition of cyberwar as any kinetic conflict supported through cyber-means, regardless of their tactical or strategic value, then a cyberwar did happen in February 2022. Otherwise, you may be more satisfied with Ciaran Martin‘s qualification of “cyberharassment”[3].

Key insights

  • There is a fundamental impracticality to cyberattacks; an impracticality that can only be justified when stealth matters. When it does not, physical destruction of computers appears to be easier, cheaper, and more reliable.
  • Unless very significant cyberattacks have failed to reach public awareness, at the time of writing this, the relevance of cyberattacks in the context of open war has been vastly overestimated by our community.

Conclusion

The conflict in Ukraine will have a lasting effect on the cybersecurity industry and landscape as a whole. Whether the term “cyberwar” applies or not, there is no denying that the conflict will forever change everyone’s expectations about cyberactivity conducted in wartime, when a major power is involved. Unfortunately, there is a chance that established practice will become the de facto norm.

Before the war broke out, several ongoing multiparty processes (UN’s OEWG and GGE) attempted to establish a consensus on acceptable and responsible behavior in cyberspace. Given the extreme geopolitical tensions we are currently experiencing, it is doubtful that these already difficult discussions will bear fruit in the near future.

A promising initiative in the meantime is the ICRC’s “digital emblem” project: a proposed solution to clearly identify machines used for medical or humanitarian purposes, in the hopes that attackers will refrain from damaging them. Just like the real-life red cross and red crescent emblems cannot stop bullets, digital emblems will not prevent cyberattacks on a technical level – but they will at least make it obvious to everyone that medical infrastructure is not a legitimate target.

As it seems more and more likely that the conflict will drag on for years, and with the death toll already being high… we hope that everyone can at least agree on that.

[1] The point of this section is not to evaluate the accuracy of those numbers, which are self-reported in many cases, but to study how these cyberattacks are used to shape narratives.

[2] This report does not make the assumption that the Russian military would use, could use, or has ever used wiper malware. US-CERT however went on the record on this exact subject. So did a number of industry peers.

[3] We recognize that information about ongoing cyberattacks and their impact isn’t exactly forthcoming. This assessment may be revised at a later date, when more data becomes available.

Kaspersky Security Bulletin 2022. Statistics https://securelist.com/ksb-2022-statistics/108129/ https://securelist.com/ksb-2022-statistics/108129/#comments Thu, 01 Dec 2022 11:00:36 +0000 https://kasperskycontenthub.com/securelist/?p=108129

All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2021 to October 2022, inclusive.

Figures of the year

  • During the year, 15.37% of internet user computers worldwide experienced at least one Malware-class attack.
  • Kaspersky solutions blocked 505,879,385 attacks launched from online resources across the globe.
  • 101,612,333 unique malicious URLs triggered Web Anti-Virus components.
  • Our Web Anti-Virus blocked 109,183,489 unique malicious objects.
  • Ransomware attacks were defeated on the computers of 271,215 unique users.
  • During the reporting period, miners attacked 1,392,398 unique users.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 376,742 users.


Privacy predictions 2023 https://securelist.com/privacy-predictions-2023/108068/ https://securelist.com/privacy-predictions-2023/108068/#respond Mon, 28 Nov 2022 08:00:47 +0000 https://kasperskycontenthub.com/securelist/?p=108068

Our last edition of privacy predictions focused on a few important trends where business and government interests intersect, with regulators becoming more active in a wide array of privacy issues. Indeed, we saw regulatory activity around the globe. In the US, for example, the FTC has requested public comments on the “prevalence of commercial surveillance and data security practices that harm consumers” to inform future legislation. In the EU, lawmakers are working on the Data Act, meant to further protect sensitive data, as well as a comprehensive AI legal strategy that might put a curb on a range of invasive machine-learning technologies and require greater accountability and transparency.

On the other hand, we saw the overturning of Roe v. Wade and the subsequent controversy surrounding female reproductive health data in the US, as well as investigations into companies selling fine-grained commercial data and facial recognition services to law enforcement. This showed how consumer data collection can directly impact the relationships between citizens and governments.

We think the geopolitical and economic events of 2022, as well as new technological trends, will be the major factors influencing the privacy landscape in 2023. Here we take a look at the most important developments that, in our opinion, will affect online privacy in 2023.

  1. Internet balkanization will lead to a more diverse (and localized) behavior-tracking market and to checks on cross-border data transfer.

    As we know, most web pages are crawling with invisible trackers, collecting behavioral data that is further aggregated and used primarily for targeted advertising. While there are many different companies in the business of behavioral ads, Meta, Amazon, and Google are the unquestionable leaders. However, these are all US companies, and in many regions, authorities are becoming increasingly wary of sharing data with foreign companies. This may be due to an incompatibility of legal frameworks: for example, in July 2022, European authorities issued multiple rulings stating use of Google Analytics may be in violation of GDPR.

    Moreover, the use of commercial data by law enforcement (and potentially intelligence bodies) makes governments suspicious of foreign data-driven enterprises. Some countries, such as Turkey, already have strict data localization legislation.

    These factors will probably lead to a more diverse and fragmented data market, with the emergence and re-emergence of local web tracking and mobile app tracking companies, especially on government and educational websites. While some countries, such as France, Russia, or South Korea, already have a developed web tracking ecosystem with strong players, more countries may follow suit and show a preference for local players.

    This might have various implications for privacy. While big tech companies may spend more on security than smaller players, even they have their share of data breaches. A smaller entity might be less interesting for hackers, but also faces less scrutiny from regulatory bodies.

  2. Smartphones will replace more paper documents.

    Using smartphones or other smart devices to pay via NFC (e.g., Apple Pay, Samsung Pay) or QR code (e.g., Swish in Sweden, SBPay in Russia or WeChat in China) is rapidly growing and will probably render the classic plastic debit and credit card obsolete, especially where cashless payments already dominate. COVID-19, however, showed that smartphones can also be used as proof of vaccination or current COVID-negative health status, as many countries used dedicated apps or QR codes, for example, to provide access to public facilities for vaccinated citizens.

    Why stop there? Smartphones can also be used as IDs. A digitized version of an ID card, passport or driver license can be used instead of the old-fashioned plastic and paper. In fact, several US states are already using or plan to use digital IDs and driver licenses stored in Apple Wallet.

    Having your ID stored on a phone brings both convenience and risks. On the one hand, a properly implemented system would, for example, allow you to verify at a store that you are of legal age to buy alcohol without showing the cashier the whole document with other details like your name or street address. Also, digitized IDs can significantly speed up KYC procedures, for example, to apply for a loan online from a smartphone.

    On the other hand, using a smartphone to store an increasing amount of personal data creates a single point of failure, raising serious security concerns. This places serious demands on security of mobile devices and privacy-preserving ways of storing the data.

  3. Companies will fight the human factor in cybersecurity to curb insider threat and social engineering to protect user data.

    As companies deploy increasingly comprehensive cybersecurity measures moving from endpoint protection to XDR (eXtended Detection & Response) and even proactive threat hunting, people remain the weakest link. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches. Also, a lot of damage can be done by a disgruntled employee or a person who joined the company for nefarious purposes. The FBI has even warned recently that deep fakes can be used by those seeking remote jobs to confuse the employer, probably with the goal of gaining access to internal IT systems.

    We expect fewer data leaks caused by misconfiguration of S3 buckets or Elasticsearch instances, and more breaches caused by exploiting the human factor. To mitigate these threats, companies might invest in data leak prevention solutions as well as more thorough user education to raise cybersecurity awareness.

  4. We will hear more concerns about metaverse privacy – but with smartphones and IoT, aren’t we already in a metaverse?

    While skeptics and enthusiasts keep fighting over whether a metaverse is a gamechanger or just a fad, tech companies and content creators continue to polish the technology. Meta has recently announced Meta Quest Pro, and an Apple headset is rumored to appear in 2023. Some, however, raise concerns over metaverse privacy. While smartphones with their multiple sensors from accelerometers to cameras can feel quite intrusive, a VR headset is in a league of its own. For example, one of the latest VR headsets features four front-facing cameras, three cameras on each controller and several cameras to track eyes and facial expressions. This means that in a nightmare scenario such devices would not only have a very deep insight into your activity in the metaverse services provided by the platform, they may be very effective, for example, in reading your emotional reaction to ads and making inferences about you from the interior of your home — from what colors you like to how many pets and children you have.

    While this sounds scary (which is why Meta addresses these concerns in a separate blog post), the fears might actually be exaggerated. The amount of data we generate just by using cashless payments and carrying a mobile phone around during the day is enough to make the most sensitive inferences. Smart home devices, smart cities with ubiquitous video surveillance, cars equipped with multiple cameras and further adoption of IoT, as well as continuous digitalization of services will make personal privacy, at least in cities, a thing of the past. So, while a metaverse promises to bring offline experiences to the online world, the online world is already taking hold of the physical realm.

  5. Desperate to stop data leaks, people will insure against them.

    Privacy experts are eagerly giving advice on how to secure your accounts and minimize your digital footprint. However, living a convenient modern life comes with a cost to privacy, whether you like it or not: for example, ordering food deliveries or using a ride-hailing service will generate, at the very least, sensitive geodata. And as the data leaves your device, you have little control over it, and it is up to the company to store it securely. However, we see that due to misconfigurations, hacker attacks and malicious insiders, data might leak and appear for sale on the dark web or even on the open web for everyone to see.

    Companies take measures to protect the data, as breaches cause reputation damage, regulatory scrutiny and, depending on local legislation, heavy fines. In countries like the US, people use class action lawsuits to receive compensation for damages. However, privacy awareness is growing, and people might start to take preventive measures. One way to do that might be to insure yourself against data breaches. While there are already services that recoup losses in case of identity theft, we could expect a larger range of insurance offers in the future.

We have looked at several factors that, in our opinion, will most prominently affect the way data flows, and possibly leaks, between countries, businesses and individuals. As the digital world continues to permeate the physical realm, we expect even more interesting developments in the future.

Consumer cyberthreats: predictions for 2023 https://securelist.com/consumer-threats-2023/108112/ https://securelist.com/consumer-threats-2023/108112/#respond Mon, 28 Nov 2022 08:00:24 +0000 https://kasperskycontenthub.com/securelist/?p=108112

The consumer threat landscape constantly changes. Although the main types of threats (phishing, scams, malware, etc.) remain the same, the lures that fraudsters use vary greatly depending on the time of year, current major events, news, etc. This year, we have seen spikes in cybercriminal activity aimed at users amid the shopping and back-to-school seasons, big pop culture events such as the Grammys and the Oscars, movie premieres, new smartphone announcements, game releases, etc. The list can go on, as cybercriminals are quick to adapt to new social, political, economic, and cultural trends, coming up with new fraudulent schemes to benefit from the situation.

Below, we present a number of key ideas about what the consumer-oriented threat landscape will look like in 2023, and describe how users could be lured into cybertraps with fake content and third-party apps.

Games and streaming services

Users will face more gaming subscription fraud. Sony’s PlayStation Plus is starting to compete with Microsoft’s subscription service, GamePass, and offers to play subscription games not only on consoles, but also on the PC, to increase the market share. The larger the subscription base, the greater the number of fraudulent key-selling schemes and attempts at stealing accounts. These schemes can be very similar to the streaming scams that we have been observing for the past several years.

Gaming console shortage to be exploited. The shortage of consoles, relieved slightly in 2022, could start to increase again already in 2023, spurred by the release of the PS VR 2 by Sony. The headset, which requires a PS5 to function, will be a convincing reason for many to buy the console. A further factor is expected to be the release of “pro” console versions, rumors about which began to circulate in the middle of 2022, and which may trigger more demand than can be satisfied. Fake presale offers, generous “giveaways” and “discounts”, as well as online store clones that sell hard-to-find consoles—we expect all these types of fraud to exploit the console shortage.

In-game virtual currencies will be in demand among cybercriminals. Most modern games have introduced monetization: the sale of in-game items and boosters, as well as the use of in-game currencies. Games that include these features are cybercriminals’ primary targets as they process money directly. In-game items and money are some of the prime goals for attackers stealing players’ accounts. This summer for instance, cyberthieves stole 2 million dollars’ worth of items from an account that they hacked. To get a hold of in-game valuables, scammers may also trick their victims into a fraudulent in-game deal. In the coming year, we expect new schemes relating to resale or theft of virtual currencies and items to emerge.

Cybercriminals will capitalize on long-awaited titles. This year, we have already seen an attacker claim to leak several dozen gameplay videos from GTA 6. Chances are that in 2023, we will see more attacks relating to games slated for release in that year: Diablo IV, Alan Wake 2, and Stalker 2. Besides possible leaks, we expect to see the increase in scams that target these games, as well as in Trojans disguised as those games.

Streaming will remain cybercriminals’ bottomless source of income. Every year, streaming services produce more and more exclusive content that gets released on select platforms. A growing number of TV shows are becoming not just a source of entertainment, but a cultural phenomenon that influences fashion and trends in general. 2023 promises a wealth of new releases. We expect cybercriminals to use these anticipated titles along with streaming service names when distributing Trojans, creating phishing pages and implementing scams.

The talked-about movies and shows that could be exploited by cybercriminals include the new seasons of Euphoria and The Mandalorian; the long-awaited show starring Lily Rose Depp and The Weeknd, “The Idol”; the Barbie movie; and the post-apocalyptic drama series based on the video game “The Last of Us”. The list of potential bait films to be exploited can go on and on, since fraudsters are quick to adapt to consumer tastes. If they see that users are looking for the latest episode of a popular show, they will simply find their way to benefit from that interest.

Social media and the metaverse

New social media will bring more privacy risks. We would like to believe that the near future will see a new revolutionary phenomenon in the world of social networks. Perhaps this will happen not yet in VR, but rather in AR. As soon as a new trendy app appears, so do risks for its users. Cybercriminals can start distributing fake, trojanized applications to infect victims’ phones for further malicious purposes. Further dangers are associated with data and money theft, as well as phishing pages aimed at hijacking accounts on the new social media. Privacy will most probably be a major concern too, as many startups neglect to configure their applications in accordance with privacy protection best practices. This attitude may lead to a high risk of personal data compromise and cyberbullying on the new social media, however trendy and convenient it may be.

Exploitation of the metaverse. Right now, we are only taking the first steps toward complete immersion in virtual reality, already using metaverses for entertainment while testing industrial and business applications of this new technology. Although there are only a few metaverse platforms so far, they have already revealed risks that future users will face. As the metaverse experience is global and does not fit neatly within regional data protection laws such as the GDPR, this might create complex conflicts between the data breach notification requirements of different regulations.

Virtual abuse and sexual assault will spill over into metaverses. We have already seen cases of avatar rape and abuse, despite efforts to build protection mechanisms into metaverses. As there are no specific regulations or moderation rules, this scary trend is likely to follow us into 2023.

New source of sensitive personal data for cybercriminals

Data from mental health apps will be used in accurately targeted social engineering attacks. Taking care of your mental health is no longer just some kind of whim or trend, but an absolutely necessary activity. And while we have become accustomed to the fact that the Internet knows almost everything about us, we are yet to realize that our virtual portrait can now be enriched with sensitive data about our mental state. As usage of mental health apps increases, the risk of this sensitive data being accidentally leaked or obtained by a third party through a hacked account will also grow. Armed with details on the victim’s mental state, the attacker is likely to launch an extremely precise social engineering attack. Now, imagine that the target is a key employee of a company. We are likely to see stories of targeted attacks involving data on the mental health of corporate executives. If you add to this the data, such as facial expressions and eye movement, that sensors in VR headsets collect, a leak of that data may prove disastrous.

Education platforms and the learning process

Online education platforms will attract more cybercrime. Since online education has proven to be no less efficient than offline classes in the post-pandemic period, we expect investment in online education platforms and learning management systems (LMS) to increase significantly. The trend is not new, but the relevance of the concomitant threats will grow along with the growth in digitalization: trojanized files and phishing pages mimicking online educational platforms and videoconferencing services, as well as LMS credential theft, are all set to grow in 2023.

A greater number of innovative technologies embedded in the learning process. These can be the use of virtual and augmented reality, voice interfaces, process automation (including robotization of communication), machine analysis of user actions, and AI-assisted testing and grading.

Gamification of education. In 2023, we will see greater use of gamification technologies in online learning to achieve functional goals: user acquisition and engagement, holding attention, personalized learning, inclusivity, and reducing resistance to learning. This will expose students to additional risks, the likes of which have plagued the gaming industry, among them trolls, phishing, and bullying on platforms built for communication, competition, and teamwork.

ICS cyberthreats in 2023 – what to expect (https://securelist.com/ics-cyberthreats-in-2023/108011/, Tue, 22 Nov 2022)

Cybersecurity incidents were plentiful in 2022, causing many problems for industrial infrastructure owners and operators. However, luckily, we did not see any sudden or catastrophic changes in the overall threat landscape – none that were difficult to handle, despite many colorful headlines in the media.

As we see it, the coming year looks to be much more complicated. Many people may be surprised by unexpected twists and turns, though we should already be examining these eventualities today. Below we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision.

As we analyze the events of 2022, we must acknowledge that we have entered an era where the most significant changes in the threat landscape for industrial enterprises and OT infrastructures are mostly determined by geopolitical trends and the related macroeconomic factors.

Cybercriminals are naturally cosmopolitan; however, they do pay close attention to political and economic trends as they chase easy profits and ensure their personal safety.

APT activity, which is traditionally ascribed to the intelligence agencies of various governments, always occurs in line with developments in foreign policy and the changing goalposts inside countries and intergovernmental blocs.

Developments in the APT world

Internal and external political changes will deliver new directions for APT activity.

Changes in attack geography

Attack geography will inevitably change as existing tactical and strategic alliances transform and new ones emerge. As alliances shift, we see cybersecurity tensions arise between countries where such tensions had never existed. Yesterday’s allies become today’s targets.

Changes in industry focus

We are going to see APT activity shift its focus to specific industries very soon, because the evolving geopolitical realities are closely intertwined with economic changes. Therefore, we should soon see attacks targeting the following sectors of the real economy:

  • Agriculture, manufacturing of fertilizers, agricultural machinery and food products – all as a result of upcoming food crises and shifting food markets;
  • Logistics and transport (including transportation of energy resources) due to the on-going changes in global logistics chains;
  • The energy sector, mining and processing of mineral resources, non-ferrous and ferrous metallurgy, chemical industry, shipbuilding, instrument and machine-tool manufacturing, as the availability of these companies’ products and technologies is part of the foundation for the economic security of both individual countries and political alliances;
  • The alternative energy sector, specifically where it is on the geopolitical agenda;
  • High-tech, pharmaceuticals and medical equipment producers, since these are integral for ensuring technological independence.

Continuing attacks on traditional targets

Naturally, we will still see APT attacks on traditional targets, with the main APT attack focus definitely including:

  • enterprises in the military-industrial complex, where geopolitical tensions, confrontations escalating to red-alert status and the rising possibility of military conflict are the main drivers for the attackers;
  • the government sector – we expect attacks to focus on information gathering regarding government initiatives and projects related to the growth of industrial sectors of the economy;
  • critical infrastructure – attacks aiming to gain a foothold for future use, and sometimes, for instance when conflicts between specific countries are in the “hot” phase, the goal may even be to inflict immediate and direct damage.

Other changes in the threat landscape

Other important changes in the threat landscape which we already see and which we believe will increasingly contribute to the overall picture include the following:

  • A rising number of hacktivists “working” to internal and external political agendas. These attacks will garner more results – quantity will begin to morph into quality.
  • A growing risk of volunteer ideologically and politically motivated insiders, as well as insiders working with criminal (primarily ransomware) and APT groups – both at enterprises and among technology developers and vendors.
  • Ransomware attacks on critical infrastructure will become more likely, either under the auspices of hostile countries or against countries unable to respond effectively to attacks, whether by striking back at the adversary’s infrastructure or by conducting a full-blown investigation leading to a court case.
  • Cybercriminals’ hands will be untied as communications between law enforcement agencies from different countries degrade and international cooperation in cybersecurity grinds to a halt, enabling threat actors to freely attack targets in ‘hostile’ countries. This applies to all types of cyberthreats and is a danger for enterprises in all sectors and for all types of OT infrastructure.
  • Criminal credential harvesting campaigns will increase in response to the growing demand for initial access to enterprise systems.

Risk factors due to geopolitical ebb and flow

The current situation forces industrial organizations into making an extremely complicated choice – which products and from which vendors should they be using and why.

On the one hand, we are seeing failing trust relationships in supply chains for both products and services (including OEM), which in turn increases the risks in using many of the products companies are used to:

  • It becomes more difficult to deploy security updates when vendors end support for products or leave the market.
  • The same applies to the degrading quality of security solutions when regular updates cease because security vendors leave the market.
  • We cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have ‘silly’ security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Organizations based in countries where the political situation does not require addressing the above issues should still consider the risk factors which affect everyone:

  • The quality of threat detection decreases as information security (IS) developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
  • The communication breakdowns between IS developers and researchers located on opposite sides of the new ‘iron curtain’ or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
  • Decreasing CTI quality: unfounded, politically motivated cyberthreat attribution, exaggerated threats, and lower standards of evidence for statements, due to political pressure and to attempts to exploit the government’s political narrative for additional profit.
  • Government attempts to consolidate information about incidents, threats and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reason.

    And at the same time, this results in an increased risk of confidential data leaks (example: PoC of an RCE published by mistake in a national vulnerability database). This issue could be addressed by building broad cybersecurity capacity in the public sector to ensure that responsible treatment of sensitive cybersecurity information and efficient coordinated vulnerability disclosure can always be guaranteed.

  • Additional IS risks due to the growing role of governments in the operations of industrial enterprises, including connections to government clouds and services, which may sometimes be less protected than some of the best private ones.

Additional technical and technological risk factors

  • Digitalization in the race for higher efficiency, namely IIoT and SmartXXX technologies (including predictive maintenance systems and digital twins), leads to significantly increased attack surfaces. This is confirmed by the attack statistics on CMMS (Computerized Maintenance Management Systems).

    Top 10 countries ranked by the percentage of CMMS attacked in H1 2022:

    It is significant that in this Top 10 ranking by the percentage of attacked CMMS in H1 2022 we see the traditionally ‘secure’ countries which are not seen in rankings based on the overall percentage of OT computers attacked in the country or based on the percentage of attacked OT computers by sector.

  • Rising energy prices and the resulting rises in hardware prices will, on the one hand, force many enterprises to abandon plans to deploy on-premise infrastructure in favor of cloud services from third-party vendors (which increases IS risks). On the other hand, this will negatively impact the budgets allocated for IT/OT security.
  • The deployment of various unmanned vehicles and units (trucks, drones, agricultural equipment and so forth), which can be abused as either targets or tools for attacks.

Most noteworthy techniques and tactics in future attacks

Let’s not indulge in any fantastic suppositions about tactics and techniques used by the most advanced attackers, such as APTs connected to intelligence agencies in leading countries, as we can then be waylaid by unexpected twists and turns. Let’s also not discuss the tactics and techniques used by the numerous threat actors at the other end of the spectrum – the least qualified ones, since it is unlikely that they will come up with something interesting or new, and the security solutions already in place at most organizations can effectively block their attacks.

Let’s focus instead on the middle of the spectrum: the techniques and tactics used by the more active APT groups, whose activity is usually considered to be in line with the interests of countries in the Middle East and the Far East, as well as those used by more advanced cybercriminals, such as ransomware gangs.

Based on our experience of investigating such attacks and the related incidents, we believe that ICS cybersecurity specialists need to focus on the following tactics and techniques:

  • Phishing pages and scripts embedded on legitimate sites.
  • The use of Trojanized “cracked” distribution packages, “patches” and key generators for commonly used and specialist software (this will be stimulated by rising license costs and the departure of vendors from certain markets due to political pressure).
  • Phishing emails about current events with especially dramatic subjects, including events the root causes of which are political in nature.
  • Documents stolen in previous attacks on related or partner organizations being used as bait in phishing emails.
  • The distribution of phishing emails disguised as legitimate work correspondence via compromised mailboxes.
  • N-day vulnerabilities: these will be closed even more slowly as security updates for some solutions become less accessible.
  • Exploiting foolish configuration errors (such as failing to change default passwords) and zero-day vulnerabilities in products from ‘new’ vendors, including local ones. Mass rollouts of such products are inevitable, despite the serious doubts about the developers’ security maturity.

For instance, recommendations such as “enter password xyz in the password field” can be found in installation instructions and user manuals in a surprising number of products from small ‘local’ vendors. Furthermore, you will rarely find information about vulnerabilities inherited from common components and OEM technologies on such vendors’ websites.

  • Exploiting inherent security flaws in cloud services from ‘local’ service providers and government information systems (see above).
  • Exploiting configuration errors in security solutions. This includes the possibility of disabling an antivirus product without entering an administrator password (antivirus is almost useless if an attacker can easily disable it). Another instance would be the weak security of the IS solution centralized management systems. In this case, IS solutions are not only easy to bypass, but they can also be used to move laterally – for instance to deliver malware or to gain access to ‘isolated’ network segments and to bypass access control rules.
  • Using popular cloud services as C&C: even after an attack is identified, the victim might still be unable to block it because important business processes could depend on the cloud.
  • Exploiting vulnerabilities in legitimate software, for instance, using DLL Hijacking and BYOVD (Bring Your Own Vulnerable Driver) to bypass endpoint security solutions.
  • Distributing malware via removable media to overcome air gaps, in those instances where air gaps actually do exist.

Some final thoughts

When writing about potential future issues, we did not aim to describe a full set of potential threats. Instead, we attempted to convey the global character of upcoming developments and to encourage our readers to assess those issues (including similar ones not mentioned specifically in this paper) which are most relevant to their organization.

We included only those developments and described only those risks which we believe to be most widespread and generally applicable to many organizations in many countries. Therefore, we kept the predictions less specific on purpose.

Only you can determine which threats are relevant for you. Naturally, if you need some assistance with this rather complicated task, we are always ready to help.

Our predictions are the sum of the opinions of our entire team based on our collective experience in researching vulnerabilities and attacks and investigating incidents, as well as our personal vision of the main vectors driving changes in the threat landscape. We will be very glad if any of our negative predictions do not come true in 2023.

We are always happy to discuss our ideas and we welcome your questions at ics-cert@kaspersky.com.

Policy trends: where are we today on regulation in cyberspace? (https://securelist.com/policy-trends-2023/108008/, Tue, 22 Nov 2022)

This is the first edition of our policy analysis and observations of trends in the regulation of cyberspace, and cybersecurity, within the Kaspersky Security Bulletin.

This year so far has been very challenging: increased tensions in international relations have had a huge impact on both cyberspace and cybersecurity. Further to this, we share below our key observations regarding the trends we believe have been the highlights of this year and have the potential to shape the future of cyberspace in the year ahead.

#1 Fragmentation shifting to polarization: governments and multistakeholder communities are all the more divided — and have formed into groups based on like-mindedness

The previously observed and discussed fragmentation of cyberspace on the whole — and the internet in particular (also referred to as the “splinternet” or the balkanization of the internet) — is taking on a new form. In the past we observed the first signs of governments’ diverging views on how cyberspace and cybersecurity should be regulated. Although by no means all governments stepped into this arena, the few countries that did managed to establish initial laws with extraterritorial effect (such as the EU’s GDPR, which established extraterritorial requirements for many organizations outside the EU) that produced a far larger impact beyond their national borders.

The year 2022, however, has overhauled the existing fragmentation: it does still exist, but only among the emerging alliances of the like-minded, covering not only governments but also non-state actors. The war in Ukraine has further deepened polarization between different groups of states and communities. The biggest challenge stems from the IT security community (which traditionally sticks together and is supposed to act as “neutral firefighters” in cyberspace) splitting into separate closed groups as well. For example, the global Forum of Incident Response and Security Teams (FIRST) suspended all member organizations originating from Russia or Belarus, thereby undermining the fundamental principle of trust in cybersecurity. Such a decision also prevents further threat information exchange between those in charge of responding to cyberincidents. Perhaps naturally, this has triggered talk among those left out regarding launching their own alternative communities.

The growing polarization in cyberspace poses a security risk for many of us, given the borderless nature of the threats and incidents we face. Even when the initial intention of threat actors is to target a particular organization, this can easily spill over to many others in ICT supply chains, going far beyond the initial target (as already occurred with, for example, WannaCry). Will organizations from different jurisdictions be able to exchange threat information with each other, and will they be able to cooperate across borders for incident response? Some of them will, but overall more and more barriers are emerging to this, creating security risks.

#2 Tech localization and “digital sovereignty” is no longer just about data

Globalization is still with us in 2022, but it’s becoming less popular: there’s a move toward buying local or domestic products because it could be safer. Unfortunately, cyberspace and the tech sector have already become one more arena for economic and geostrategic competition among states, while vaguely-defined (most likely intentionally so) concepts about “digital sovereignty”, “data sovereignty”, “strategic autonomy”, etc. are discussed more in different communities — from decision-makers to the media. Though initially perceived as attempts by governments to regulate and protect data (after the first data localization laws appeared), this now has the potential to affect far more areas, including microchip and other hardware manufacturing and software development. In some critical sectors of cybermature jurisdictions this already exists: mostly domestic companies are preferred for procurement. But could it expand further into the consumer market?

If so, in a global context, widespread application of data localization rules in particular would most likely create challenges for cybersecurity (i.e., for better and more effective threat intelligence to fight cyberthreats). The less visibility there is into the cyberthreat landscape, the lower the chances of developing effective detection tools or producing high-quality threat intelligence. These risks will increase if more and more countries impose data localization rules on their markets.

Thus, a dilemma could arise where attempts to provide more cybersecurity through strengthening data security, on the one hand, may actually lead to weaker cybersecurity (from less visibility and threat intelligence), on the other. The solution could lie in developing smart regulation approaches as well as defining clear security criteria for vendors to be trusted enough for cyberthreat-related data processing.

#3 Do cyberdiplomacy and international cybersecurity still exist? If so, they’ve taken a back seat this year

Kaspersky has been actively involved in many multistakeholder initiatives to advance cyberdiplomacy, including at the UN and regional levels. Subjectively speaking, 2022 has seen the discussion of cyberdiplomacy and international cybersecurity become less widespread and less profound. What does this mean? The war in Ukraine and ongoing tensions in international relations have placed on the agenda issues about security in its conventional sense, where cyber is just one of its aspects. What will happen next is hard to predict, but if military action continues, cyberdiplomacy will most likely stay firmly in the back seat; however, it’s to be hoped that it won’t disappear completely.

#4 Full-blown cyberwar hasn’t occurred, and this is of course good news. But we seem to be facing a more complex challenge — hybrid operations

Cyber Armageddon hasn’t occurred. Though many experts predicted it, it hasn’t materialized in the current war in Ukraine. This is good news, for sure. At the same time, unfortunately, the unfolding events have shown that cyberweapons are being used in the conflict to create hybrid warfare, where actions take place both in the digital realm (including with data manipulation and misinformation operations) and on the ground. The challenge is that the international community hasn’t developed clear responses to deal with this, and most likely any technological and technical solutions will be insufficient.

#5 Liability of digital products: a new area in future regulatory efforts

Safety and security labels don’t exist yet for software. And where a vulnerability may create security or safety risks, users may wonder whom to reach out to for liability issues. So far, different vertical legislative approaches do provide solutions for consumers, such as personal data protection laws for cases where personal data has been affected. The financial and banking sector is well-regulated too. But what about a mass-market photo-editing app that can be exploited by stalkerware? Should the developer be responsible? Some jurisdictions apparently already have the answer. The EU — as a norm-setter — has been among the first to propose a game-changing draft law titled the Cyber Resilience Act, with proposed fines as high as those in the GDPR. And in the U.S. there have been some first attempts to define baseline criteria for cybersecurity labeling of consumer software, as discussed in a separate blog post. Most likely, next year and beyond, other governments will find the regulation of software development liability a good idea, and we could well see even further fragmentation as a result of the different approaches taken among states.

Crimeware and financial cyberthreats in 2023 (https://securelist.com/crimeware-financial-cyberthreats-2023/108005/, Tue, 22 Nov 2022)

A look back on the year 2022 and what to expect in 2023

Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers who target financial organizations. The predictions, based on our extensive experience, help individuals and businesses improve their cybersecurity and prevent the vast range of possible risks.

As the financial threat landscape has been dramatically evolving over the past few years, with the expansion of such activities as ransomware or cryptofraud, we believe it is no longer sufficient to look at the threats to traditional financial institutions (like banks), but rather assess financial threats as a whole. The cybercriminal market has been developing extensively, with the overwhelming majority of cybercriminals pursuing one goal — financial profit, no matter the source. However, the way they do it varies from year to year, and understanding the changes in their tactics and tools can help organizations improve their security.

This year, we have decided to adjust our predictions accordingly, expanding them to encompass crimeware developments and financial cyberthreats as a whole.

This report assesses how accurately we predicted the developments in the financial threat landscape in 2022 and ponders what to expect in 2023.

Analysis of forecasts for 2022

  • Rise and consolidation of information stealers. Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, they might even be used as bulk collectors for targeted and more complex attacks.

    Yes. While we haven’t seen exponential growth in the use of stealers, their advancement and evolution have been very noticeable. In 2022, we uncovered some new malicious families actively sold on dark markets, such as Rhadamanthys, BlueFox, and Parrot, stealing sensitive information from the victims’ devices. One of the most striking new stealers has been OnionPoison. Unlike common stealers, this malware gathered data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks. Previously discovered stealers have not been left behind. This year we observed updates of the AcridRain and Raccoon stealers, and the remarkable evolution of the RedLine stealer, making it a self-spreading threat that attacks gamers via YouTube. Also of note in 2022 are campaigns impersonating well-known software brands like Notepad++. The trend remains solid, and these types of campaigns impact a large number of users, hitting the target brand’s bottom line. Moreover, the ransomware gang RansomEXX also abuses open source software by recompiling it to load malicious shellcode; Notepad++ was also used in one of their attacks.

    While there are still top-level threats that are not distributed openly, the vast majority of stealers have become cheaper and more accessible to average cybercriminals, making this threat likely to evolve even further in the coming year.

  • Cryptocurrency targeted attacks. The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist. And not only cybercrime groups, but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

    Despite these uncovered campaigns, attackers were still more likely to hunt for cryptocurrency using phishing, offering dubious cryptocurrency exchange platforms, and launching cryptojacking to illicitly mint cryptocurrency. Previously, mining was mostly a threat for general users, but today miners are stealing power from large businesses and critical infrastructures. Even big ransomware operators, for example, AstraLocker, are shutting down their operations to switch to cryptojacking.

  • More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks, and more. In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

    Yes. In 2022, we observed many other cryptocurrency-related threats potentially costing users millions of dollars. Since the start of 2022, cybercriminals have stolen $3 billion from DeFi protocols, with 125 crypto hacks in total. According to the latest data on DeFi, every hour 15 newly deployed scams against smart contracts are detected. At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. The lack of state-of-the-art security for smart contracts leads to attacks on these platforms and, based on how the business model works, the potential theft of a lot of money.

  • Targeted ransomware — more targeted and more regional. With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small, regionally derived groups focused on local The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks.

    Yes. We’ve observed a rise in the number of targeted and regional ransomware attacks. One of the reasons why ransomware attacks have become more regional is the decrease in collaboration between ransomware groups. In the past, many actors would join forces to attack and encrypt as many organizations around the world as possible. But thanks to international efforts, such as No More Ransom, to crack down on their work, global attacks have become much rarer.

    Interestingly, this trend was also influenced by geopolitical conflict, which we did not anticipate last year. Many ransomware groups took sides in the conflict between Russia and Ukraine, focusing their activities on destructive attacks or limiting the range of their targets by geography. The most significant reaction of all was likely by the Conti ransomware group, who announced that it would retaliate with full capabilities against any “enemy’s” critical infrastructure if Russia became a target of cyberattacks. On the other side, Kaspersky discovered Freeud, a wiper under the guise of ransomware whose creators proclaimed support for Ukraine.

  • Access broker specialists — professionalize access to compromised networks. Instead of major efforts to compromise access to a corporate or public entity, we can expect Ransomware-as-a-Service operators to seek to buy access to another cybercriminal group that already has access to the target, focusing their activity on ransomware deployment.

    Yes. Attackers have indeed resorted to buying initial access to compromised services more often than hacking it themselves. This has become a real stand-alone business in the dark web (Malware-as-a-Service, MaaS). This year we detected a malicious spam campaign targeting organizations that grew tenfold in a month; it spread Emotet malware, which is used by Conti ransomware affiliates to gain initial access. Once access is obtained, the organization is placed into a pool of potential ransomware targets. This growth in the Emotet campaign suggests that Access-as-a-Service continues to be actively used by cybercriminal groups, and the trend of hiring access broker specialists is likely to continue in 2023.

  • Mobile banking Trojans on the rise. As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

    Yes. Security remains the biggest problem for users who want to make regular mobile payments. As predicted, the number of mobile banking Trojan detections increased considerably in 2022 worldwide compared to the previous year, reaching more than 55,000 attacks in the second quarter of 2022 alone. With the rising number of attacks, cybercriminals have evolved new banking Trojans targeting mobile users. In 2022, Kaspersky researchers have so far discovered more than 190 applications distributing the Harly Trojan with more than 4.8 million downloads. While these apps were available in official stores and disguised as legitimate apps, the fraudsters behind them subscribed unsuspecting users to unwanted paid services.

  • Rise of threat to online payment systems. Amid the pandemic, many companies went digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

    No. This year, we have not observed a lot of new fintech players that went big and which could become new targets for cybercriminals.

  • With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals. Thanks to online payment systems and fintech applications, large amounts of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

    No. Mobile malware techniques haven’t changed much in the course of 2022.

  • Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats to organizations. In a previous post, we wrote that users rely on corporate laptops to play video games, watch movies, and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphics cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

    Yes. The level of cybersecurity after the pandemic and the initial adoption of remote work by organizations en masse has become better. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network. Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans. If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

  • ATM and PoS malware to return with a vengeance. During the pandemic, some locations saw PoS (point of sale) and ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

    Yes. As predicted, with the lifting of COVID-19 restrictions, attackers have stepped up their activities again in 2022. In the first eight months of the year, the number of unique devices affected by ATM/PoS malware grew by 19% as compared to the same period in 2020, and by nearly 4% compared to 2021. Kaspersky researchers have also discovered cybercriminals creating and deploying new never-seen-before tools targeting ATM and PoS devices. For instance, the Prilex threat group, famous for stealing millions of dollars from banks, has evolved substantially. Specifically, Prilex has upgraded its tools from a simple memory scraper to an advanced and complex malware that now targets modular PoS terminals and is the first malware able to clone credit card transactions, even those protected by CHIP and PIN.

    Perhaps one of the biggest shifts is PoS malware becoming a service sold on the dark web, which means it is now available to other cybercriminals, and the risk of losing money is increasing for businesses worldwide.

Forecasts for 2023

Led by gaming and other entertainment sectors, Web3 continues to gain traction and so will threats for it

With the increasing popularity of cryptocurrencies, the number of crypto scams has also increased. However, we believe that users are now much more aware of crypto and will not fall for primitive scams, such as a video featuring an Elon Musk deepfake promising huge returns in a dodgy cryptocurrency investment scheme that went viral. Cybercriminals will continue to try to steal money through fake ICOs and NFTs along with other cryptocurrency-based financial theft (like exploitation of vulnerable smart contracts), but will make them more advanced and widespread.

Malware loaders to become the hottest goods on the underground market

Many actors have their own malware, but that alone is not enough. Entire samples used to consist solely of ransomware, but the more diverse the modules in a piece of ransomware, the better it will evade detection. As a result, attackers are now paying much more attention to downloaders and droppers, which can avoid detection. This has become a major commodity in the MaaS industry, and there are even already favorites among cybercriminals on the dark web — the Matanbuchus downloader, for example. All in all, stealth execution and bypassing EDRs is what malicious loader developers are going to focus on in 2023.

More new “Red Team” penetration testing frameworks deployed by cybercriminals

At the same time as vendors create and improve penetration testing frameworks to protect companies, crimeware actors are expected to use them much more actively for illegal activities. The most remarkable example of this trend starting to spread globally is Cobalt Strike. The tool is so powerful that threat groups have added it to their arsenal, already using it in a wide variety of attacks and cyberespionage campaigns. In 2022, the news hit the headlines that another pentester toolkit dubbed Brute Ratel C4 had been hacked, and is now being distributed on hacker forums. We predict that, along with the development of new penetration tools, cybercriminals will increasingly use them for their own malicious purposes — and Brute Ratel C4 and Cobalt Strike are just the beginning of this trend.

Ransomware negotiations and payments begin to rely less on Bitcoin as a transfer of value

As sanctions continue to be issued, the markets become more regulated, and technologies improve at tracking the flow and sources of Bitcoin, cybercrooks will rotate away from this cryptocurrency toward other forms of value transfer.

Ransomware groups following less financial interest, but more destructive activity

Perhaps a surprising prediction in a report about future financial threats, yet ransomware has been one of the biggest threats in recent years, inflicting massive financial damage on organizations. As the geopolitical agenda increasingly occupies the attention not only of the public but also of cybercriminals, we expect ransomware groups to make demands for some form of political action, instead of demands for ransom money. One such example is Freeud, a brand-new ransomware with wiper capabilities.

Advanced threat predictions for 2023 https://securelist.com/advanced-threat-predictions-for-2023/107939/ https://securelist.com/advanced-threat-predictions-for-2023/107939/#respond Mon, 14 Nov 2022 08:00:24 +0000 https://kasperskycontenthub.com/securelist/?p=107939

It is fair to say that since last year’s predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be prepared for cybersecurity incidents. A useful exercise in that regard is to try to foresee the future trends and significant events that might be coming in the near future.

We polled our experts from the GReAT team and have gathered a small number of key insights about what APT actors are likely to focus on in 2023. But first, let’s examine how they fared with the predictions for 2022.

What we predicted in 2022

Mobile devices exposed to wide attacks

Although 2022 did not feature any mobile intrusion story on the scale of the Pegasus scandal, a number of 0-days have still been exploited in the wild by threat actors. Last June, Google’s TAG team released a blog post documenting attacks on Italian and Kazakh users that they attribute to RCS Lab, an Italian offensive software vendor. In another publication, Google also followed up on the activities of a similar vendor named Cytrox that had leveraged four 0-day vulnerabilities in a 2021 campaign.

The cyber-offense ecosystem still appears to be shaken by the sudden demise of NSO Group; at the same time, these activities indicate to us that we’ve only seen the tip of the iceberg when it comes to commercial-grade mobile surveillance tooling. It’s also likely that the remaining actors will make every effort to reduce their public exposure from now on, limiting our visibility into their activities.

From a different angle, reporting from The Intercept revealed mobile surveillance capabilities available to Iran for the purposes of domestic investigations that leverage direct access to (and cooperation of) local telecommunication companies. Looking back at past leaks of private companies providing such services, such as in the case of Hacking Team, we learned that many states all over the world were buying these capabilities, whether to complement their in-house technologies or as a stand-alone solution they couldn’t develop. This reveals a likely blind spot for defenders and endpoint vendors: in a number of cases, perhaps even the majority, attackers have no need for 0-days and malware deployment to gain access to the information they need. This story also raises questions about whether attackers who have breached telecommunication companies would also be able to leverage these legal interception systems.

Verdict: some incidents, but no major event ❌

Private sector supporting an influx of new APT players

The previous discussion covered a number of private companies that have filled the void left by NSO and have made a business of providing offensive software to their customers. In 2022, the GReAT team tracked several threat actors leveraging SilentBreak’s toolset as well as a commercial Android spyware we named MagicKarakurt. One question mark here is that it’s difficult to tell whether we’re seeing new APT actors being bootstrapped by commercial toolsets, or established ones updating their TTPs.

BruteRatel, an attack tool comparable to CobaltStrike, remains on our radar when it comes to APT adoption. A recent leak has put it in the hands of cybercrime actors and it is very likely that by the end of the year we will see it involved in APT cases too.

A worrying trend we did not explicitly mention is underlined by a Meta report published shortly after last year’s predictions. In the report, they describe the emergence of a “surveillance-for-hire” sector composed of companies all around the world that provide cyber-offensive services for (hopefully) law-enforcement customers. In practice, Facebook found that not only criminals or terrorists were targeted by such groups, but journalists, dissidents and human rights activists as well. Our own research confirms that mercenary threat actors such as DeathStalker were very active in 2022.

Source: Meta

Verdict: prediction fulfilled ✅

More supply chain attacks

Following the SolarWinds incident, we foresaw that attackers would notice the enormous potential of the supply chain attack vector. In 2022, we spotted malicious Python packages distributed through the PyPI archive (CheckPoint also detected 10 of them). As Cisco Talos notes, Python is not alone in this: NPM, NuGet or RubyGems are all potential candidates for such attacks and all it would take for a catastrophic event would be the compromise of a single developer’s credentials. Doubling down on developer-specific threats, IBM presented noteworthy research at this year’s edition of BlackHat, evidencing how source code management or continuous integration systems could be leveraged by attackers.
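One practical defence against the scenario just described (a malicious release pushed with a single developer's stolen credentials, or a look-alike package slipped into a dependency list) is to pin exact versions together with artifact hashes, which pip supports through its --require-hashes mode. The script below is an added example, not code from the Securelist post and not pip's own implementation; it reimplements that check on its own so the logic is visible, and every package name, artifact and digest in it is constructed for the demo:

```python
"""Verify downloaded Python package artifacts against pinned SHA-256 hashes.

Added illustrative example; it is not Kaspersky's code and not pip's own
implementation. It reimplements the idea behind pip's --require-hashes mode:
a dependency that was republished, replaced upstream or substituted by a
look-alike fails verification instead of being installed. Every package
name, artifact and digest below is constructed for the demo.
"""
import hashlib
import re
from dataclasses import dataclass

# A pinned line looks like:  examplepkg==1.0.0 --hash=sha256:<64 hex chars>
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==(\S+)\s+(.*)$")
_HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    hashes: frozenset  # acceptable sha256 digests (hex), e.g. wheel + sdist


def parse_requirements(text: str) -> dict:
    """Parse pinned requirement lines into {package name: Pin}.

    Lines without an exact version or without any --hash are rejected:
    one unpinned line would defeat the purpose of hash checking."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        name, version, opts = m.groups()
        hashes = frozenset(_HASH_OPT.findall(opts))
        if not hashes:
            raise ValueError(f"no --hash given for {name}")
        pins[name.lower()] = Pin(name.lower(), version, hashes)
    return pins


def verify_artifact(pin: Pin, artifact: bytes) -> bool:
    """True only if the artifact's SHA-256 is one of the pinned digests."""
    return hashlib.sha256(artifact).hexdigest() in pin.hashes


def verify_all(pins: dict, downloaded: dict) -> dict:
    """Check each downloaded artifact ({name: bytes}) against its pin.

    Returns {name: 'ok' | 'hash-mismatch' | 'not-pinned'}. Artifacts with no
    pin are reported too, so an unexpected extra dependency cannot slip in."""
    report = {}
    for name, data in downloaded.items():
        pin = pins.get(name.lower())
        if pin is None:
            report[name] = "not-pinned"
        elif verify_artifact(pin, data):
            report[name] = "ok"
        else:
            report[name] = "hash-mismatch"
    return report


# Constructed demo data: a "good" wheel and a republished one with extra bytes.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel contents of examplepkg 1.0.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# republished with an extra payload"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()

# Hypothetical lockfile; the package name and digest are constructed.
DEMO_REQUIREMENTS = f"examplepkg==1.0.0 --hash=sha256:{GOOD_DIGEST}\n"


def demo() -> dict:
    """Run the check against the tampered wheel plus an unpinned extra."""
    pins = parse_requirements(DEMO_REQUIREMENTS)
    return verify_all(pins, {"examplepkg": TAMPERED_WHEEL, "otherpkg": b"x"})


if __name__ == "__main__":
    print(demo())  # {'examplepkg': 'hash-mismatch', 'otherpkg': 'not-pinned'}
```

The check only helps if the lockfile itself is reviewed when it changes: a hash update in a pull request is exactly the point at which a republished package would be noticed.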

Another aspect of supply chain security is the reliance on open-source software components that may contain vulnerabilities: this was the root cause of a Zimbra 0-day massively exploited in the wild this year.

When it comes to stealthy malware pushed to customers in the form of a software update however, we are not aware of any significant event in 2022, so we’ll only count this prediction as partially accomplished.

Verdict: prediction partially fulfilled 🆗 (more cases, no major event)

Continued exploitation of remote work

The reasoning behind this prediction is that we expected that in 2022, companies would still be lagging behind the transformative effects the COVID-19 crisis had on work organization. In many cases, this led to a rushed deployment of remote access means for employees, in the form of appliances that could be misconfigured, or hadn’t received much security attention until now.

A massive number of vulnerabilities were patched in such devices this year (firewalls, routers, VPN software…) – whether or not each of these vulnerabilities was exploited in the wild before being discovered, they affect devices that are not typically updated in a timely fashion and become prime targets for hackers immediately after vulnerability details are published. Such discoveries usually lead to massive and indiscriminate exploitation, and compromised machines are sold on dark markets to secondary buyers for the purposes of ransomware deployment.

Our own telemetry also confirms that RDP brute-force attacks have remained predominant throughout 2022.
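A minimal detector for the RDP brute-force pattern mentioned above, written as an added example rather than Kaspersky's telemetry logic or code from the post. It assumes failed-logon events (Windows Security Event ID 4625) have been exported as one JSON object per line; the field names are those of the Windows event, the thresholds are arbitrary starting points, and every log record is constructed:

```python
"""Flag RDP brute-force activity in exported Windows Security log records.

Added example, not code from the Securelist post and not Kaspersky's telemetry
logic. It expects failed-logon events (Event ID 4625) exported as one JSON
object per line, as many log shippers produce; TargetUserName, IpAddress,
LogonType and SubStatus are the field names Windows uses in that event. A
source address that accumulates THRESHOLD or more failures inside
WINDOW_SECONDS is reported together with the accounts it tried. All log
records are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Logon types seen for RDP: 10 = RemoteInteractive; when Network Level
# Authentication is on, failed pre-authentication attempts arrive as type 3.
RDP_LOGON_TYPES = {"3", "10"}
WINDOW_SECONDS = 300
THRESHOLD = 5


def parse_event(line: str) -> dict:
    """Decode one JSON-per-line record into the fields the detector needs."""
    rec = json.loads(line)
    return {
        "ts": datetime.fromisoformat(rec["TimeCreated"]).astimezone(timezone.utc),
        "event_id": int(rec["EventID"]),
        "user": rec.get("TargetUserName", ""),
        "ip": rec.get("IpAddress", "-"),
        "logon_type": str(rec.get("LogonType", "")),
        # 0xC000006A = wrong password, 0xC0000064 = account does not exist;
        # kept so an analyst can tell password spraying from account guessing.
        "substatus": rec.get("SubStatus", ""),
    }


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD) -> dict:
    """Sliding-window count of RDP logon failures per source IP.

    Returns {ip: {"failures": n, "users": [...]}} for every source whose
    failure count reached the threshold within one window. Records must be
    in chronological order, as they are in an exported log."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> distinct target accounts
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()               # expire failures older than the window
        if len(q) >= threshold:
            alerts[ev["ip"]] = {"failures": len(q),
                                "users": sorted(users[ev["ip"]])}
    return alerts


def _rec(ts, user, ip, logon_type, event_id=4625):
    """Build one constructed log line in the expected JSON shape."""
    return json.dumps({"TimeCreated": ts, "EventID": event_id,
                       "TargetUserName": user, "IpAddress": ip,
                       "LogonType": logon_type, "SubStatus": "0xC000006A"})


# Constructed sample: six failures from one address against three accounts in
# under two minutes, two typos from an office workstation, then one success.
SAMPLE_LOG = [
    _rec("2023-01-10T08:00:00+00:00", "administrator", "203.0.113.7", 3),
    _rec("2023-01-10T08:00:20+00:00", "administrator", "203.0.113.7", 3),
    _rec("2023-01-10T08:00:40+00:00", "admin", "203.0.113.7", 3),
    _rec("2023-01-10T08:01:00+00:00", "admin", "203.0.113.7", 3),
    _rec("2023-01-10T08:01:20+00:00", "backup", "203.0.113.7", 3),
    _rec("2023-01-10T08:01:40+00:00", "backup", "203.0.113.7", 3),
    _rec("2023-01-10T08:05:00+00:00", "jsmith", "10.0.0.15", 10),
    _rec("2023-01-10T08:05:30+00:00", "jsmith", "10.0.0.15", 10),
    _rec("2023-01-10T08:06:00+00:00", "jsmith", "10.0.0.15", 10, event_id=4624),
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

Real exports often nest these fields (for example under an event_data object) and use different casing, so the parser is the part to adapt; the per-source sliding window and the list of accounts tried carry over unchanged, and the account list is what separates a single user mistyping a password from a spray across many names.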

Verdict: prediction fulfilled ✅

Increase in APT intrusions in the META region, especially Africa

At the end of last year, we expected the rise of Africa to be one of the major geopolitical events of the year in light of the ever-increasing investment and relationships with China and the Middle East.

We have indeed seen an increase in the number of persistent, sophisticated attacks targeting various states in META and specifically Africa. Starting from the most recent publication about Metador targeting telecommunication companies, HotCousin expanding its operations to this region, the numerous campaigns deploying various IIS backdoors, DeathStalker and Lazarus attacking multiple industries there and a mysterious SSP-library backdoor discovered on governmental and non-profit entities, we saw quite a few new threats active in the region over the last year.

Statistically speaking, we released information about an increase of backdoor infections on the continent. While such raw statistics are difficult to interpret and are not necessarily linked to strong APT activity, it could correlate to the increase in APT attacks we’ve seen in the region in 2022.

One glaring example is Iran, which faced a series of spectacular hacks and sabotages. Its atomic energy agency, live television and steel industry have been targeted, among others.

Verdict: prediction fulfilled ✅

Explosion of attacks against cloud security and outsourced services

One of the major cyber-incidents of 2022 took place early this year: the Okta hack. Okta was breached through one of its service providers, Sitel, itself compromised via the insecure VPN gateway of a recently acquired company. Fortunately for them, the hacker appears to have been a lone 16-year-old. Unfortunately for us, it demonstrates how easy it must be for sophisticated attackers to penetrate (and, in all likelihood, remain undetected) major platforms. Okta is a widely used authentication services provider, and it is safe to assume that a hacker controlling their network would be able to infect any of their customers.

In related news, CISA released an advisory in May warning managed service providers that they saw an increase of malicious activity targeting their sector. Beyond this, we also saw reports of important data leaks related to misconfigured AWS S3 buckets, although those are nothing new. Overall, we count this prediction as having turned out to be accurate.

Verdict: prediction fulfilled ✅

The return of low-level attacks: bootkits are ‘hot’ again

In line with our predictions, we released two blog posts in 2022 introducing sophisticated low-level bootkits. The first one, in January, was MoonBounce; the other was CosmicStrand in July 2022. In both cases, we described new UEFI firmware bootkits that managed to propagate malicious components from the deepest layers of the machine up to Windows’ user-land. Amn Pardaz also released a report about a malicious program called iLOBleed, which affects a management module present on HP servers and should be counted in the same category. Such highly sophisticated implants remain rare, and witnessing three separate cases in a single year is significant.

Worthy of mention is Binarly’s excellent work on firmware vulnerability research with 22 high-severity vulnerabilities discovered in low-level components for 2022, indicating an enormous attack surface remains. As Gartner once put it: “There are two types of companies – those who have experienced a firmware attack, and those who have experienced a firmware attack but don’t know it.”

Verdict: prediction fulfilled ✅

States clarify their acceptable cyber-offense practices

The rise of hacker indictments as part of states’ retorsion measures led us to believe that each of them would be forced to clarify their vision of what acceptable behavior in cyberspace is. Indeed, since most states admit to having their own cyber-offense program, there is a need to clarify why their own activities are tolerable while those of their adversaries deserve legal action. We therefore expected various parties to release a sort of taxonomy indicating which types of ends would justify the means.

Shortly after the release of our predictions (yet still in 2021), the UK released its Integrated Review of Security, Defence, Development and Foreign Policy in which it describes its vision of what a “responsible democratic cyber power” should be. No other country followed suit. With many key “cyber powers” engaged one way or another in the Ukrainian conflict, cyber-diplomacy has unfortunately taken a back seat and we are seeing less transparency (as well as fewer calls for transparency) in the cyber realm. In the end, our assessment that the world was moving towards a clarification of cyber-policies didn’t come to pass.

Verdict: very limited fulfillment of the prediction ❌

APT predictions for 2023

And now, we turn our attention to the future. Here are the developments we think we could be seeing in 2023.

The rise of destructive attacks

2022 bore witness to brutal geopolitical shifts that will echo for years to come. History shows that such tensions always translate to increased cyber-activities – sometimes for the purpose of intelligence gathering, sometimes as a means of diplomatic signaling. With the antagonism between the West and the East having reached the maximum possible level short of open conflict, we unfortunately expect 2023 will feature cyberattacks of unprecedented gravity.

Specifically, we foresee that a record number of disruptive and destructive cyberattacks will be observed next year, affecting both the government sector and key industries. One caveat is that in all likelihood, a proportion of them will not be easily traceable to cyber-incidents and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations in order to provide plausible deniability for their real authors.

In addition, we also fear that a limited number of high-profile cyberattacks against civilian infrastructure (energy grid or public broadcasting for instance) will take place. A last point of concern is the safety of underwater cables and fiber distribution hubs in such a context, as they are particularly difficult to protect from physical destruction.

Mail servers become priority targets

In the past years, we have seen vulnerability researchers increasingly focus on email software. The reason is simple: mail servers represent huge software stacks that must support many protocols and have to be internet-facing to operate properly. The market leaders, Microsoft Exchange and Zimbra, have both faced critical vulnerabilities (pre-authentication RCEs) that were exploited, sometimes massively, by attackers before a patch was available.

We believe that research into mail software vulnerabilities is only getting started. Mail servers have the double misfortune of harboring key intelligence of interest to APT actors and having the biggest attack surface imaginable. 2023 will very likely be a year of 0-days for all major email software. We encourage system administrators to immediately set up monitoring for these machines, due to the unlikelihood that patching (even in a timely fashion) will be sufficient to protect them.
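One low-cost monitor for the mail servers discussed above is a file-integrity baseline of the directories the server exposes over HTTP, since a new or altered server-side script there is a common post-exploitation artefact and shows up whether or not the vulnerability used to plant it is known yet. The script below is an added example, not part of the post and not tied to any specific product; the directory layout, file names and script-extension list are assumptions constructed for the demo:

```python
"""Baseline-and-diff check for a mail server's web-facing directories.

Added example, not code from the Securelist post and not tied to any product.
A new or altered server-side script under the paths a mail server exposes
over HTTP is a common post-exploitation artefact, and it shows up whether or
not the vulnerability that got the attacker there is known yet. This script
hashes a directory tree into a manifest and later compares the live tree
against it. The directory layout, file names and script-extension list are
assumptions constructed for the demo; real paths depend on the product.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions the web server may execute; assumed list, extend per product.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php"}


def _digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """{relative POSIX path: sha256} for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): _digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two manifests.

    'suspicious' lists added or modified files with an executable extension;
    those are the ones to triage first. Removed files are reported as well,
    since attackers also delete or replace legitimate pages."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified
                        if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the baseline; keep it off the monitored host in practice."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "app").mkdir(parents=True)
        (root / "static").mkdir()
        (root / "app" / "login.aspx").write_text("<%-- shipped page --%>")
        (root / "static" / "logo.png").write_bytes(b"\x89PNG constructed")
        manifest_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), manifest_file)

        # Later: an unexpected script appears, a shipped page is edited,
        # and a static asset disappears.
        (root / "app" / "health.aspx").write_text("<%-- unexpected file --%>")
        (root / "app" / "login.aspx").write_text("<%-- edited page --%>")
        (root / "static" / "logo.png").unlink()
        return compare(load_manifest(manifest_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Re-baseline immediately after every patch or upgrade, because a vendor update legitimately changes many of these files; between upgrades, any entry in the suspicious list deserves a look the same day it appears.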

The next WannaCry

Statistically, some of the largest and the most impactful cyber epidemics occur every 6-7 years. The last incident of the sort was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.

Fortunately, vulnerabilities that enable the creation of worms are few and far between, and need to meet a number of conditions to be suitable (reliability of the exploit, stability of the target machine, etc.). It is extremely difficult to predict when such a bug will be discovered next, but we will take a wild guess and mark it up for next year. One potential reason increasing the likelihood of such an event is the fact that the most sophisticated actors in the world likely possess at least one suitable exploit of the sort, and current tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak (see below) could take place.

APT targeting turns toward satellite technologies, producers and operators

It is nearly 40 years since the US’s Strategic Defense Initiative (nicknamed “Star Wars”) contemplated extending military capabilities to include space technologies. While such things may have seemed a little far-fetched in 1983, there have been several instances where countries have successfully interfered with satellites orbiting the earth.

Both China and Russia have used ground-based missiles to destroy their own satellites. There have also been claims that China has launched a satellite with a grappling arm that could be used to interfere with orbiting equipment and that Russia may have developed the same technology. We have already seen the hijacking of satellite communications by an APT threat actor.

If the Viasat incident is any indication, it is likely that APT threat actors will increasingly turn their attention to the manipulation of, and interference with, satellite technologies in the future, making the security of such technologies ever more important.

Hack-and-leak is the new black (and bleak)

There is still much debate regarding whether “cyberwar” indeed took place in the context of the Ukrainian crisis. It is however clear that a new form of hybrid conflict is currently unfolding, involving (among many things) hack-and-leak operations.

This modus operandi involves breaching a target and releasing internal documents and emails publicly. Ransomware groups have resorted to this tactic as a way to apply pressure on victims, but APTs may leverage it for purely disruptive ends. In the past, we’ve seen APT actors leak data about competing threat groups, or create websites disseminating personal information. While it is difficult to assess their effectiveness from the sidelines, there’s no doubt they’re part of the landscape now and that 2023 will involve a high number of cases.

More APT groups will move from CobaltStrike to other alternatives

CobaltStrike, released in 2012, is a threat emulation tool designed to help red teams understand the methods an attacker can use to penetrate a network. Unfortunately, along with the Metasploit Framework, it has since become a tool of choice for cybercriminal groups and APT threat actors alike. However, we believe that a number of threat actors will begin to use other alternatives.

One of these alternatives is Brute Ratel C4, a commercial attack simulation tool that is especially dangerous since it has been designed to avoid detection by antivirus and EDR protection. Another is the open-source offensive tool Sliver.

In addition to off-the-shelf products abused by threat actors, there are other tools that are likely to be included in APT toolsets. One of these, Manjusaka, is advertised as an imitation of the Cobalt Strike framework. The implants of this tool are written in the Rust language for Windows and Linux. A fully functional version of the C&C written in Golang is freely available and can easily generate new implants with custom configurations. Another is Ninja, a tool that provides a large set of commands, which allows attackers to control remote systems, avoid detection and penetrate deep inside a target network.

Overall, we suspect that CobaltStrike is receiving too much attention from defenders (especially when it comes to the infrastructure), and that APTs will make attempts to diversify their toolsets in order to remain undetected.

SIGINT-delivered malware

It has been almost 10 years since the Snowden revelations shed light on the FoxAcid/Quantum hacking system used by the NSA. They involve leveraging “partnerships with US telecoms companies” to place servers in key positions of the internet backbone, allowing them to perform man-on-the-side attacks. This is one of the most potent attack vectors imaginable, as they allow victims to be infected without any interaction. In 2022, we saw another threat actor replicate this technique in China, and there is little doubt in our minds that many groups have worked tirelessly to acquire this capability. While deploying it at scale requires political and technological power available to few, it is likely that by now, Quantum-like tools would be implemented on the local level (i.e., at country level, by relying on national ISPs).

Such attacks are extremely hard to spot, but we predict that their becoming more widespread will lead to more discoveries in 2023.

Drone hacking!

Despite the flashy title, we’re not talking about hacks of unmanned aircraft used for surveillance or even military support (although that could happen too). This final prediction concerns itself with the other way around: the use of commercial-grade drones to enable proximity hacking.

Year after year, drones available to the general public gain additional range and capabilities. It wouldn’t take too much work to mount one of them with a rogue Wi-Fi access point or an IMSI catcher; or sufficient tooling that would allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords. Another attack scenario would be using drones to drop malicious USB keys in restricted areas, in the hope that a passer-by would pick them up and plug them into a machine. All in all, we believe this to be a promising attack vector, likely to be used by bold attackers or specialists already adept at mixing physical- and cyber-intrusion.

See you next year to see how we fared!
