2022 has been a watershed year for cybersecurity, but what’s next?
By Jana Dekanovska, Strategic Threat Advisor at CrowdStrike
2022 has been a pivotal year for cybersecurity with adversaries increasingly turning their gaze to Australia’s critical infrastructure and essential industries. Just when organisations were starting to catch up, new and novel threats emerged. In September we saw another attack on ride sharing and food delivery giant, Uber, just months after the company revealed it had suffered a ransomware attack in 2016.
Sophisticated, highly targeted and premeditated intrusion campaigns are being carried out against some of the world’s largest companies. CrowdStrike’s OverWatch team uncovered a highly sophisticated Chinese state-sponsored adversary, Aquatic Panda, carrying out a long-term targeted intrusion campaign against a global technology and manufacturing company. China-linked adversaries such as Aquatic Panda continue to be the most active groups conducting cyber attacks for economic, diplomatic and political purposes.
In fact, China-linked adversaries were the most frequently observed targeting entities in Australia and New Zealand. Continued geopolitical tensions between Canberra and Beijing and the AUKUS security pact further fuelled this activity in 2022. Adversaries attributed to the Democratic People’s Republic of Korea were also prolific, maintaining a dual focus on financial gain and economic espionage driven by domestic circumstances and ongoing international sanctions that restrict the country’s access to global markets.
Nor is Australia immune to financially motivated cyber attacks. Bitwise Spider dominated the eCrime scene throughout 2022 and continues to operate the most professionally run ransomware-as-a-service operation, accumulating the highest number of victims to date. In June 2022, Bitwise Spider released a new update to its program, introducing novel features and techniques, and reaffirmed its focus on what we have named the triple extortion model: ransomware, DDoS attacks and data leaks all at the same time.
This activity is consistent with the criminal behaviour CrowdStrike Intelligence has tracked over the course of 2022, in which adversaries move away from using ransomware alone and adopt the triple extortion strategy.
Governments are adapting to the onslaught of attacks from nation states and criminal groups through legislative measures such as the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 which passed in April this year, and more recently Labor’s plan to overhaul Australia’s cybersecurity strategy. But more needs to be done to keep pace with the continued evolution of cybercrime in Australia and the Asia Pacific region more broadly.
THE GRADUAL DEATH OF RANSOMWARE
Headline stories of cyber attacks in which threat actors demonstrate new levels of determination and expertise through consistent and successful exploitation of organisations are becoming routine. These attacks are made possible by the continued evolution and innovation of their tradecraft.
One example we have seen over the last year is China-linked adversaries moving away from relying on phishing and spear phishing as their primary methods for gaining access to organisations, instead leveraging zero-day and old vulnerabilities to access public-facing assets that have not been patched.
Beyond nation state adversaries, financially motivated criminals have been seen moving away from relying solely on ransomware to adopting the triple extortion model. It has become one of the latest strategies in cyber criminals’ arsenals to maximise pressure on the victim and increase the likelihood of a ransom being paid. With good, regularly maintained data backups to restore systems in the event of a ransomware attack, data encryption is no longer enough to extort a ransom from a victim.
As organisations improve their cybersecurity posture by working with security companies such as CrowdStrike, threat adversaries are clearly becoming frustrated because their old ways are not working. We have seen eCrime adversaries leveraging stolen personally identifiable information and cold calling company employees to threaten physical violence unless the ransom is paid. This shows that cyber intrusions are increasingly human-led and, in the worst case, that adversaries will resort to a variety of tactics, including physical violence, to coerce victims into meeting their demands.
This activity is consistent with CrowdStrike’s most recent Falcon OverWatch Threat Hunting Report, which observed that human-led cyber attacks against organisations in Asia Pacific and Japan grew at a far faster rate than attacks against their peers elsewhere, with an attack occurring approximately every seven minutes, down from eight minutes in 2021. Globally, 71 percent of all threat detections were human-driven, an increase from 64 percent in 2021, as reported by CrowdStrike in February 2022.
Another key, but unexpected, trend we observed this year was the rise of ideologically motivated cyber attacks around the world. eCrime adversaries from Russia, Ukraine and the US were seen shifting their motivations from financial gain to ideologies as a direct consequence of the war in Ukraine. In the APJ region, we saw a similar pattern of behaviour with Chinese hacktivists conducting attacks against Taiwanese government websites ahead of US House of Representatives Speaker Nancy Pelosi’s arrival in Taipei. Similarly, we saw hackers claiming to be affiliated with Anonymous deface a Chinese government website in support of Taiwan and Pelosi’s visit.
In light of these activities we can expect adversaries to continue to experiment with their newly found appetite for conducting ideologically motivated attacks, selecting targets on an ad hoc basis to react to political conflicts and controversial issues as they emerge.
FUTURE CYBER THREATS AND HOW BUSINESSES CAN SET THEMSELVES UP TO STAY SAFE
Based on changing adversary behaviour observed in 2022, we can expect to see a greater shift towards targeted intrusions in the year ahead. Targeted intrusions will continue to be a threat, particularly to Australian businesses and government agencies, in 2023 as foreign, state-sponsored adversaries undertake intelligence gathering and cyber espionage and sometimes pursue financial objectives. Moreover, the rise of ideologically motivated cyber attacks will see hacktivists replicate the level of sophistication and professionalism of eCrime actors in their campaigns, but in much greater volumes. Adversaries now operate much like any other large organisation and are constantly finding new and innovative ways to exploit existing vulnerabilities within an organisation.
Because of this, human threat hunting is key to identifying changing behaviours and preventing attacks. Having access to the latest adversarial intelligence and real-time visibility of misconfigurations and vulnerabilities on a network will enable organisations to anticipate threats and respond immediately to cyber attacks.
Today’s adversaries do not only exploit organisations for financial gain; they are ideologically motivated and far more sophisticated than the typical hacker portrayed as someone operating from his mother’s old sofa bed on his home-built computer.