Cyber Threats 2022: Ransomware Programs, Deepfakes, Cyber Outsourcing

Mandiant has released its Threat Trends Report for 2022. Analysts say Russia, Iran, China and North Korea will pose the greatest threat to global cyberspace next year.

“The outlook for threats in 2022 looks bleak,” the authors write. “Those behind the ransomware are becoming more aggressive, turning these once relatively simple attacks into more complex and lucrative multi-faceted ransomware operations.” There are major anti-criminal efforts in the United States and abroad, but they have not affected the ransomware-as-a-service business model. At the same time, harsh government measures can have negative consequences for the victim organizations themselves.

“Ransomware is not going anywhere, and neither are espionage and information attacks. In 2022, we will continue to monitor regional and international activities carried out by the Big Four: Russia, Iran, China and North Korea. The wider adoption of deepfake technology will only exacerbate threats,” the report says.

New ransomware tactics

The ransomware market has expanded significantly over the past decade and will continue to grow. The business is too lucrative, so only coordinated action by governments and technological innovation can fundamentally change the profitability of attacks. So far, attempts to prosecute cybercriminals have not been successful: under the ransomware-as-a-service business model, criminals simply register on a different platform and continue their activities. Most operate from regions that are not subject to US law. “We expect an increase in ransomware attacks outside the United States. We also expect an increase in ransomware incidents in critical industries that will have to pay to avoid serious consequences for the health and well-being of civilians.”

Ransomware operations began with encryption alone (classic ransomware), locking victims’ files, and then added the threat of exposing stolen sensitive data. Criminals are expected to adopt further tactics in 2022, such as trying to recruit insiders at their victims or adjusting their approach to counter the victims’ negotiation strategies.

More conflicts between attackers

Ransomware-as-a-service operations regularly involve multiple actors, each of whom carries out a specific element of the attack for a fee or a share of the proceeds. Conflict between these participants is expected to grow in 2022, which could ultimately have unpleasant consequences for the victims. Conflicts can arise when victims refuse to pay, when a participant feels they are not being paid enough, or when law enforcement blocks attackers from collecting a ransom. In some situations, the stolen data may be published by an aggrieved participant.

Between the devil and the deep sea

US companies, and businesses operating in the US, are not allowed to pay ransoms to sanctioned entities. However, this approach, aimed at cutting off the financing of ransomware, can have negative consequences for the victim companies.

Threats to cyber-physical systems from unskilled attackers

In 2022, attackers will continue to explore the operational technology (OT) space and will increasingly use ransomware in attacks on the devices used to monitor or control industrial equipment.

Attacks on critical OT environments can cause serious disruption and even threaten lives, thereby increasing the pressure on organizations to pay a ransom. The problem is compounded by the fact that many of these OT devices were built with no security considerations, and the number of vulnerabilities discovered in them has risen significantly of late. A prime example is the Log4j vulnerability, which can be exploited even by inexperienced attackers.

More Public Incidents in Asia Pacific and Japan (APJ)

Historically, incidents in the APJ region have gone largely unreported, but this may change in 2022 as extortion becomes more prevalent. Previously, attackers wanted to remain undetected for as long as possible, hoping to retain access to the victim’s networks, while victims in turn tried to avoid reputational, financial and other consequences. Now, criminals threaten to release sensitive data to speed up ransom payment. Organizations in the APJ region must be prepared to combat this type of ransomware, but unfortunately many lack relevant experience or do not take the threat seriously.

The Big Four Threats

Analysts say Russia will maintain its aggressive stance, focusing on NATO, Eastern Europe, Ukraine, Afghanistan and the energy sector. For example, the US government attributed the SolarWinds attack to the group UNC2452. The attackers compromised the software vendor SolarWinds and then distributed a malicious update for its Orion product. “UNC2452’s manipulation of authentication methods in hybrid cloud / on-premises environments shows new tactics, leading us to believe that the level of complexity and scale of Russian operations will expand,” the report says.

In its region, Iran will use cyber tools much more aggressively than before. It has demonstrated its ability and willingness to deploy destructive malware, so it is expected to take advantage of every opportunity presented to it. Iran’s targets will continue to be Israel and other countries in the Middle East.

China will continue to act very aggressively, supporting the Belt and Road Initiative with cyber espionage. Now that the Ministry of State Security (MSS) and the People’s Liberation Army (PLA) have completed most of their reorganization, their operations will become much more focused. China has shown a willingness to scale its operations and to take steps it had not previously been willing to take.

North Korea, with its geographic, international and financial problems, is prepared to go all in. It is expected to expand its cyber capabilities in 2022 to make up for its lack of other instruments of power. North Korea’s cyber apparatus will continue to support the ruling regime by funding its nuclear ambitions and gathering strategic intelligence.

With the Taliban’s rise to power and the withdrawal of US troops from Afghanistan, cyber espionage against the country will continue. The situation may also encourage pro-Islamist extremists to expand their propaganda activities and information sabotage.

Deepfakes

During 2020 and 2021, Mandiant monitored posts and advertisements for deepfake technology on Russian- and English-language crime forums. On these forums, attackers advertised deepfake videos and images and trained other users to create their own media files. Deepfake audio has already facilitated fraud schemes such as Business Email Compromise (BEC). Open-source reporting shows how attackers use deepfakes to bypass Multi-Factor Authentication (MFA) controls and Know Your Customer (KYC) identity verification measures. As deepfake technology becomes more accessible in 2022 and beyond, criminals are expected to integrate it into their operations more often, making social engineering more convincing and tailoring content to specific targets.

Cyber outsourcing increases risks

The outsourcing of malicious operations contributes to both the frequency and the sophistication of cyber threats, and this is unlikely to slow down in 2022. The blurring of distinctions between government-sponsored and criminal operations in terms of both tools and talent, the maturation of legitimate and illegitimate markets for third-party tools and services, and the growing specialization and commodification of cyber capabilities are all making sophisticated capabilities accessible to a wide range of criminals. For defenders, this means an increase in overall cyber risk as the quantity, quality and adaptability of malicious operations grow.

Cloud as a bottleneck

Companies will continue to rely more and more on third-party cloud providers for their core business needs. The share of cloud-related cases among Mandiant’s incident investigations has grown significantly over the past few years, and it is expected to keep growing as enterprise cloud adoption continues.

More IoT devices, more vulnerabilities, more attacks

Since all of these devices are connected to each other, the overall attack surface will keep expanding. Unfortunately, security received little attention in the design of foundational “Internet of Things” devices, so in the coming years the situation will only get worse. When fixes for newly discovered vulnerabilities are released, the user is responsible for updating their devices; most users will never know that an update is needed, and those who do often won’t care. There have been no coordinated security initiatives for IoT devices. Technologies like Secure Boot help, but they are implemented only by large organizations and in new products. Companies like Microsoft and Amazon are developing platforms that will enable smaller companies to build more secure IoT devices. These are steps in the right direction, but it will take several years before a secure IoT landscape is in place.

A detailed report can be ordered from the MIT Technology Review website.
