In addition to the core financial motives, geopolitical and state-sponsored intelligence and espionage agendas may make 2023 a year of extremes
Combining telemetry collected from endpoint protection installations, threat actor leak sites and data gathered from open- and closed-source intelligence reports from the final quarter of 2022, a cyber threat report has curated four findings that could reflect 2023 cyber activity.
Offering evidence of malicious activity linked to ransomware and state-sponsored advanced persistent threat (APT) actors, trends in email threats, and the malicious use of legitimate security tools, among other trends, the report noted a rise in grey zone conflicts and hacktivism.
Key findings include:
- LockBit 3.0 most aggressive with ransom demands: While no longer the most active ransomware group according to Trellix telemetry (Cuba and Hive ransomware families generated more detections in Q4), the LockBit leak site reported the most victims. This threat group uses a variety of techniques to execute its campaigns, including exploiting vulnerabilities found as far back as 2018.
- China led in state-sponsored cyber activity: APT actors linked to China, including Mustang Panda and UNC4191, were the most active in the quarter, generating a combined 71% of detected nation-state backed activity. Actors tied to China, North Korea, Russia, and Iran were ranked the most active APT actors in public reports.
- Critical infrastructure sectors were heavy targets: Sectors across critical infrastructure were most impacted by cyber threats in the study. Trellix observed 69% of detected malicious activity linked to state-sponsored APT actors targeting transportation and shipping, followed by energy, oil, and gas. In the telemetry data, finance and healthcare were also among the top sectors targeted by ransomware actors; telecom, government, and finance were among the top sectors targeted via malicious email.
- Fake CEO Emails led to Business Email Compromise: The telemetry showed that 78% of business email compromise (BEC) tactics involved impersonation of CEOs using common CEO phrases, resulting in a 64% increase from Q3. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing (vishing) scheme; 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.
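The BEC finding above combines three observable signals: an executive's name in the display field, a sender on a free webmail domain, and a short "CEO phrase" or a request for the recipient's phone number. The following heuristic triage script is an added example, not part of the Trellix report or its tooling; the executive roster, the webmail domain list, the lure phrases and both sample messages are constructed for illustration, and the weights are arbitrary assumptions a mail-security team would tune against its own traffic.

```python
"""Heuristic triage for CEO-impersonation BEC emails (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive roster: display names an impersonator would mimic,
# mapped to the only address each executive legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}

# Free webmail providers (illustrative list): a sender here needs no infrastructure.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

# Short CEO-style lures plus the phone-number pretext used to set up vishing.
LURE_PHRASES = (
    "are you available",
    "need this done today",
    "confirm your direct phone number",
    "send me your cell number",
)

# Assumed weights; score >= 5 needs more than a phrase match alone.
WEIGHTS = {"exec_name_spoofed": 3, "external_sender": 1,
           "free_webmail": 2, "lure_phrase": 2}


def _plain_text(msg):
    """Collect text/plain bodies from single-part or multipart messages."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw, corporate_domain="example-corp.test"):
    """Return the triggered signals, a weighted score and a verdict for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    name = display.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = _plain_text(msg).lower()

    signals = {
        # Known executive's name on an address that is not that executive's.
        "exec_name_spoofed": name in EXECUTIVES and addr != EXECUTIVES[name],
        # Sender is outside the organisation's own domain.
        "external_sender": domain != corporate_domain,
        # Sender uses a free webmail provider.
        "free_webmail": domain in FREE_MAIL_DOMAINS,
        # Body carries a CEO-style lure or the phone-number request.
        "lure_phrase": any(phrase in body for phrase in LURE_PHRASES),
    }
    score = sum(WEIGHTS[k] for k, hit in signals.items() if hit)
    return {"from": addr, "signals": signals, "score": score,
            "verdict": "likely BEC" if score >= 5 else "low"}


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example-corp.test
Subject: Quick favour

Are you available? I'm in meetings all day. Please confirm your direct phone
number so I can call you about an urgent matter.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.test>
To: accounts@example-corp.test
Subject: Board deck

Attached is the Q4 board deck for review before Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample))
```

The roster lookup is the load-bearing check: a free-webmail sender or an urgent phrase on its own is common in legitimate mail, but an executive's display name paired with an address that is not the one on file is rarely benign, which is why it carries the largest weight.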
According to John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center, which released the report: “Q4 saw malicious actors push the limits of attack vectors. Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organizations need to make the most effective security out of scarce resources.”