In November, Ukraine’s president revealed that the nation’s IT defenses fended off more than 1,300 Russian cyberattacks, including attacks on satellite communications infrastructure.
The onslaught of cyberattacks highlights one of the shifts in advanced persistent threat (APT) attacks seen in the past year: In 2022, geopolitical tensions ratcheted up, and along with them, cyber operations became the go-to strategy for national governments. While Russia and other nations have used cyberattacks to support military actions in the past, the ongoing war represents the most sustained cyber operation to date and one that will undoubtedly continue in the coming year, experts say.
Military conflict will join cybercrime as a driving force behind APT groups in the coming year, John Lambert, corporate vice president and distinguished engineer at Microsoft’s Threat Intelligence Center, said in the company’s Digital Defense Report 2022 released last month.
“The war in Ukraine has provided an all-too-poignant example of how cyberattacks evolve to impact the world in parallel with military conflict on the ground,” he said. “Power systems, telecommunication systems, media, and other critical infrastructure all became targets of both physical attacks and cyberattacks.”
While the increased use of APT attacks by Russia is the most visible change that occurred in the past year, APTs are evolving. More are moving onto critical infrastructure, adopting dual-use tools and living-off-the-land techniques, and targeting the software supply chain to gain access to targeted companies.
Cybercriminals are using increasingly sophisticated tools, but APT techniques are often attributed to nation-state operations, meaning that companies need to become more aware of the techniques used by advanced actors and how they may be motivated by geopolitical concerns, says Adam Meyers, senior vice president of intelligence for cybersecurity services firm CrowdStrike.
“You don’t have one uniform threat — it changes by business vertical and geo-location,” he says. “You — and this has been our mantra for many years — don’t have a malware problem, you have an adversary problem, and if you think about who these adversaries are, what they’re after, and how they operate, then you can be in a much better place to defend against them.”
Critical Infrastructure, Satellites Increasingly Targeted
In 2021, the attack on oil-and-gas distributor Colonial Pipeline highlighted the impact that cybersecurity weakness could have on the US economy. Similarly, this year’s attack on the Viasat satellite communication system — likely by Russia — showed that APT threat actors have continued to focus on disrupting critical infrastructure through cyberattacks. The trend has gained momentum over the past year, with Microsoft warning that the number of nation-state notifications (NSNs) the company issued as alerts to customers more than doubled, with 40% of the attacks targeting critical infrastructure, compared to 20% in the prior year.
Critical infrastructure is not just a target of nation-state actors. Cybercriminals focused on ransomware are also targeting critical infrastructure companies, as well as pursuing a hack-and-leak strategy, Kaspersky said in its recently published APT predictions.
“We believe that in 2023 we will see a record number of disruptive and destructive cyberattacks, affecting government, industry, and critical civilian infrastructure — perhaps energy grids or public broadcasting, for example,” says David Emm, principal security researcher at Kaspersky. “This year, it became clear just how vulnerable physical infrastructure can be, so it is possible we might see targeting of underwater cables and fibre distribution hubs.”
Not Just Cobalt Strike
Cobalt Strike has become a popular tool among APT groups, because it provides attackers — and when used for its legitimate purposes, red teams and penetration testers — post-exploitation capabilities, covert communications channels, and the ability to collaborate. The red-team tool has “crop[ped] up in a myriad of campaigns from state-sponsored APTs to politically motivated threat groups,” says Leandro Velasco, a security researcher with cybersecurity firm Trellix.
Yet, as defenders have increasingly focused on detecting both Cobalt Strike and the popular Metasploit Framework, threat actors have moved toward alternatives, including the commercial attack simulation tool Brute Ratel C4 and the open source tool Sliver.
“Brute Ratel C4 … is particularly dangerous since it has been designed to avoid detection by antivirus and EDR protection,” Kaspersky’s Emm says. Other up-and-coming tools include Manjusaka, which has implants written in Rust for both Windows and Linux, and Ninja, a remote exploitation and control package for post-exploitation, he says.
Identity Under Attack
Following the coronavirus pandemic, remote work — and the cloud services to support such work — have increased in importance, leading attackers to target those services with identity attacks. Microsoft, for example, saw 921 attacks every second, a 74% increase in volume over the past year, the company said in its report.
In fact, identity has become a critical component of securing the infrastructure and business, while at the same time becoming a major target of APT groups. Every breach and compromise investigated by CrowdStrike in the past year has had an identity component, CrowdStrike’s Meyers says.
“We used to say trust, but verify, but the new mantra is verify and then trust,” he says. “These attackers have started targeting that soft underbelly of identity … that is a complex part of the system.”
IT Supply Chains Under Attack
The attack on SolarWinds and the widely exploited vulnerability in Log4J2 demonstrated the opportunities that vulnerabilities in the software supply chain offer to attackers, and companies should expect APT groups to create their own vulnerabilities through attacks on the software supply chain.
While there has been no major event yet, attackers have targeted Python ecosystems with dependency confusion attacks against open source repositories and phishing attacks targeting Python developers. Overall, the number of attacks targeting developers and companies increased by more than 650% over the past year.
In addition, APT actors are finding the weak points in vendor and supplier relationships and exploiting them. In January, for example, the Iran-linked DEV-0198 group compromised an Israeli cloud provider by using a compromised credential from a third-party logistics company, according to Microsoft’s report.
“This past year of activity demonstrates that threat actors … are getting to know the landscape of an organization’s trusted relationships better than the organizations themselves,” the report said. “This increased threat emphasizes the need for organizations to understand and harden the borders and entry points of their digital estates.”
To harden their defenses against APT groups and advanced attacks, companies should continuously verify their cybersecurity hygiene, develop and deploy incident response strategies, and integrate actionable threat intelligence feeds into their processes, says Trellix’s Velasco. To make identity attacks more difficult, multifactor authentication should be routine, he says.
“In 2023, simple security planning will not be enough to deter or prevent attackers,” Velasco says. “System defenders need to implement a more proactive defensive approach.”