Cybercriminals and state-sponsored threat actors alike have been targeting English-speaking economies with resource-rich businesses to plunder
According to one cybersecurity firm’s own data on cyber extortion, ransomware, the democratization of cybercrime tools and other Big Game Hunting trends in 2023 and the first quarters of 2024, most of the victims were in the predominantly English-speaking countries that dominate the world economy.
According to Charl van der Walt, Head of Security Research, Orange Cyberdefense, this is not because those geographies are being “targeted” but rather because, in an indiscriminate “harvest” of victims, most suitable victims are concentrated in the big, English-speaking economies and the industries they support.
Let CybersecAsia.net share what other cyber landscape insights this seasoned cyber researcher has to reveal to readers…
CybersecAsia: What new provocations and motivations (e.g., democratization of hacktivism facilitated by technology, collapses of moral barriers, extraordinary geopolitical tensions, etc.) are trending up in the war between cybercriminals and the world at large?
Charl van der Walt (CW): These are some of the notable observations:
- Re-victimization: This is a trend that has emerged over the past few years that has been exacerbated by the major increase in victim count in 2023. Merely being in a list of data leak sources posted on a Dedicated Leak Site exposes organizations to multiple forms of harm. The re-victimization cycle amplifies consequences like reputational damage, increased risk of data loss, financial burden, and psychological impact. The reposting of victims on Dedicated Leak Sites is especially noticeable during police takedowns or when threat groups are disbanded.
- An emerging pattern of victim profiles: While analysts and media will use the term “Big Game Hunting” to describe targeted and sophisticated attacks against large, high-value targets, we believe the term “harvest” more aptly describes the wanton and indiscriminate patterns we observe in our data. With very few exceptions, the simple global economic reality is that most victims are from the predominantly English-speaking countries that dominate the world economy.
- Collapse of “moral barriers”: Traditionally, the majority of threat actors have been politically astute, practicing a kind of “anti-targeting” that sees them deliberately avoiding victims that could elicit a particularly powerful political blow-back. For instance, threat actors largely avoided targets in the healthcare domain through the COVID-19 crisis. However, our data reveals that the healthcare and social services sector saw the largest growth in victims of any industry, recording an increase of 160% in the past 12 months. This presents a worrying trend which is, perhaps naively, unexpected. Historically, threat actors had shown some degree of “moral restraint”, publicly committing not to target specific sectors including healthcare, education, and the government sector. Now, data shows that they could be shedding the “moral restraint” that they have adhered to in the past.
- Geopolitics and hacktivism: Geopolitical tensions are expected to increase the vulnerability of the Asia Pacific region and its susceptible sectors. Hacktivism is becoming more political, potentially influencing societal perception, discourse, and policy. Countries like Australia, Indonesia, the Philippines, and Singapore are likely to be affected by these broader geopolitical trends.
CybersecAsia: Based on your research, is there a correlation between economic size and exposure to cybercrime? What about the role of multivariate factors in play, such as inter- and intra-regional geopolitical trends, extra-regional cyber warfare agendas, hidden economic trends, etc.?
CW: There is indeed a correlation. However, one should make a distinction between “targeting”, which speaks to the attacker’s intent, and “impacted victims”, which is more generally shaped by attributes of the victim.
The attacker’s intent will often be shaped by diverse factors like geopolitical trends and cyber warfare agendas, and will thus determine which organizations get victimized. However, in general, we see most victims of cybercrime in the larger economies where there are more potential victims to be hacked. In other words, there will generally be more victims in larger, more modern economies simply because there are more victims to be had there, and not because those geographies are specifically being “targeted”.
Our hypothesis is that economic size, language, and business “culture” are the primary factors shaping the regional demographics of our victim dataset. These are some of the key trends we have observed in 2023 data:
- The number of victims encountered by Orange Cyberdefense in South-east Asia has increased 36% YoY.
- Distributions of industries and threat actors have mirrored global patterns. We anticipate that the problem will accelerate in regions like Singapore, where English is the primary business language.
- In our data, Australia had by far the most victims in the region, with a growth of 62% YoY.
- China appears to be somewhat immune to the specific “double extortion” form of cyber extortion threats. Unlike in many other nations, the victim numbers have remained largely constant and low since 2022. We believe that the reasons for this have to do with language, culture, and politics rather than a more robust technical security posture. Other cybercrimes may be more common in China but would be harder to observe and may not be publicly reported.
CybersecAsia: Do you think generative AI is exerting a multiplier effect to the existing motivations of cybercriminals and state-sponsored threat actors? If so, in what ways, and what new areas of impact and reach do you foresee as GenAI/AGI develop alongside quantum computing innovation? (e.g., enabling more attacks in languages other than English)
CW: The security industry has recently been fretting over the ostensibly cataclysmic impact that generative AI may have, or is already having, on existing cyber threats. We anticipate that GenAI tools will enable certain attackers to produce credible phishing emails and websites more quickly and easily; this includes the deployment of deepfakes as a means of initial access. There is also a concern that GenAI will allow the threat ecosystem to globalize, by providing the language and cultural tools needed to reach across the language and cultural barriers that have, until now, potentially shielded some economies from greater impacts.
While we have not seen any short-term impact on the volume of cybercrime, we also anticipate that GenAI will enable more diverse actors to target a more diverse set of victims, especially in regions where language could have been a barrier to extortion threat actors.
Finally, the adoption of GenAI technologies by businesses (e.g., as intuitive chatbots) will pose new vulnerabilities, expand the attack surface, and enable cyber compromises.
CybersecAsia: Using your imagination, if the recent CrowdStrike IT outage were actually used as a template by state-sponsored threat actors to create a devastating concurrent global cyber-extortion/ransomware/DDoS attack at around the time of the US presidential election, what do you envision the success rate and collateral damage would be? How can the world prepare for this possible contingency?
CW: While the CrowdStrike incident was one of the worst of its kind in decades, its direct impact on global stability was limited. Such attacks are highly escalatory and would surely elicit a political, economic or even kinetic counterattack of similar magnitude.
As such, this kind of disruptive widespread operation may not be a suitable template for adversaries as it comes with similarly strong disincentives. The prevailing modus operandi for major international threat actors therefore remains: to sow uncertainty, distrust, dissent, and discord among and within their western adversaries.
Some of the technical techniques that serve to support the goals above include disinformation and misinformation, Denial of Service, hack-and-leak campaigns, and perhaps other criminal and disruptive attacks via proxy actors: these are the threats that we should expect and plan to defend against.
With so many diverse tools in the adversaries’ toolbox, we must recognize that the ultimate goal is not a technical outcome, but rather to shape or create a narrative: it is about shaping perceptions and beliefs to ultimately coerce us into thinking and behaving in a manner that better suits the adversary’s goals.
What the world needs to prepare for is not only to thwart these myriad technical threats, but rather how to maintain influence and control over the narrative. How do we continue to cement facts, truth and shared values in our societies in the face of these threats and compromises?
CybersecAsia thanks Charl van der Walt for sharing his professional cyber insights with readers.