As we move towards the end of 2022, now is the time to take a look back at the major trends from the last eleven months and identify what might happen from a cyber threat perspective in 2023. 2022 will likely be remembered for several reasons; notably the Russian invasion of Ukraine, the world recovering from the worst of the COVID pandemic, and of course, a global financial crisis. All of these events have had a major effect on cyber threats, with malicious attackers continuing to give network defenders plenty to think about. Take a look below for 5 of our predictions for the coming year.

Lockbit will continue to lead the pack

Lockbit are currently the world’s most prolific ransomware group, which can be determined by looking at the activity levels on various groups’ data leak sites. While this does not provide a representation of every ransomware attack that occurs—as a posting on a data leak site will only indicate a company that has not paid a ransom—it does give an overall picture of the ransomware landscape and the most active groups. As determined by Digital Shadows (now ReliaQuest) analysis of ransomware activity over the last 6 months, Lockbit scored over three times as many data leak site entries as the second highest entry, which was the Basta News website. 

Ransomware group data leak site activity: 30 Apr-30 Sep 2022

It is common to have an outlier in this fashion—similar positions were previously taken by the likes of Conti and REvil. With those particular groups, their demise was typically brought about by internal conflicts—such as the compromise of Conti’s infrastructure and other divisions—or as a result of law enforcement scrutiny. For Lockbit, who have been the most active group since early 2021, it is possible that the current war between Russia and Ukraine may take law enforcement focus away from cybercrime as many western law enforcement agencies are likely more preoccupied with stopping Russian nation state sponsored activity.

The war in Eastern Europe also has had a crippling effect on relations between the United States and Russia, with the United States—in addition to several other western countries—providing significant monetary, military, and geopolitical support to Ukraine. Any collaboration between law enforcement in the United States and Russia—which was believed to have been instrumental in the January 2022 arrests of several members of the REvil organization—has also likely ceased. With many of Lockbit’s membership and hierarchy likely based in Russia or other Commonwealth of Independent States (CIS) countries, the opportunities for targeting Lockbit’s members and infrastructure will likely be limited. As a result, the group are likely to have free rein to continue targeting western based companies; anything that damages US and European interests is likely to be viewed favorably—and likely left alone—by the Russian government.

Top 20 sectors targeted by Lockbit 01 Jan – 31 Oct 2022 (Source Digital Shadows (now ReliaQuest))

It is also realistically possible that the LockBit group will continue to evade law enforcement scrutiny given their operating model, with the group known to prioritize targeting small to medium sized businesses (SMEs). This is different than most ransomware groups that instead prioritize highly impactful or high profile targets, such as critical national infrastructure (CNI).

For many groups, law enforcement attention has followed an impactful attack against a sensitive target. This was the case for the “Darkside” ransomware group after it targeted oil pipeline provider Colonial Pipeline, and for Darkside’s successor group “BlackMatter”, which targeted NEW Cooperative Inc, a US based food & beverages company; both groups subsequently went underground following the attacks. By having a consistent approach to their selection of targets, LockBit may in turn generate a more sustainable business model. This in turn is more likely to avoid additional law enforcement scrutiny that places additional pressure on the group’s operations.

Rise of data leak sites: many cyber extortion groups may pivot to solely conducting data exfiltration

One of the biggest trends from 2021—which continued in 2022—was an expansion of the numbers of double extortion attacks, which originally started in 2019. This tactic refers to when ransomware operators exfiltrate data before encryption, and then threaten to publish the data on a publicly available data leak site as an additional layer of extortion. This has the double pronged effect of crippling an organization, whilst also resulting in the significant impact that accompanies a data breach.

With many companies improving their incident response and ability to restore services through the use of backups, it is possible that the intentional breach of data is actually the more impactful side of a double extortion attack; according to research from 2022, the average cost of a data breach was USD 4.35 million.  Some cybercriminal groups have likely taken notice of this impact, moving to solely use data exfiltration as a medium for extortion.

In 2022, Digital Shadows (now ReliaQuest) identified 11 new data leak extortion groups establishing data leak sites, with two identified in Q1, five in Q2, and four in Q3 2022. As the content is hosted on the dark web, there is little companies can do to retrieve or remove content. Hosting content on this portion of the internet does however come with challenges for the extortion groups, with internet speeds capped and only individuals with dedicated software—such as The Onion Router (Tor)—capable of accessing breached data. Despite this, the risk does remain significant, and the affected company is prone to reputational, financial, and regulatory risk that follows a data breach.

New identified data extortion sites Q1 – Q3 2022

There is also the possibility for some groups to redirect from ransomware activity even further and instead go in the opposite direction by conducting attacks that outright destroy affected data. The aim of this activity is to ensure that victims are completely unable to restore data if they fail to pay a ransom. Taking this approach allows the group to speed up the process of an attack, given destructive malware is less complicated than ransomware. It also gives incident responders less chance to respond to the attack by attempting to restore files via backups.

It is debatable whether this makes the likelihood of a successful ransom payment more or less likely; some companies may be encouraged to pay over the increased risk, while others may either be dissuaded from negotiating further or otherwise impacted to a point where they can no longer continue operations—and therefore, there is no point in paying a ransom. While destructive malware may become more commonplace amongst extortion groups in 2023, it is likely that it will be used less commonly than traditional ransomware or single extortion groups stealing data for ransom purposes. 

The motivations of nation-state, cybercriminal, and hacktivist actors will be increasingly difficult to distinguish

Attributing cyber-attacks to the responsible threat actors is an incredibly difficult task. While cybercriminals are often upfront with their intentions and in claiming responsibility for an attack, mapping real world identities can often be incredibly challenging. This is made even more difficult by groups frequently taking extended periods offline before coming back with a rebranded operation, often via a new name. Several of the most successful ransomware groups have taken this approach, including “Darkside” who changed to “BlackMatter”, “DoppelPaymer” into “Grief”, and recently “Conti”, who have reportedly moved to support several different ransomware operations.

Within the context of the Ukraine war, a handful of cybercriminal groups have conducted attacks in support of Russia’s operations. The “FreeCivilian” data extortion group have conducted several attacks that have resulted in the deliberate breaching of data taken from Ukrainian government websites. While the individual(s) running this operation have claimed to be an independent cybercriminal, there are several similarities with defacement activity that was attributed to advanced persistent threat (APT) groups associated with Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, more commonly known as the “GRU”; it is possible that FreeCivilian is instead operated by GRU members. This assists the group’s operators in masking the real motivation of their activity and provides plausible deniability.

It is also possible that the Russian state could utilize ransomware or other destructive forms of malware, either directly through their own phony cybercriminal group, or through existing ransomware groups. The spectrum of state responsibility is complicated and can often be motivated by several factors. Some cybercriminal groups will be willing volunteers to assist in Russia’s fight with Ukraine—and by proxy, western countries—while others may be motivated by other factors, like money or leniency towards crimes they have been convicted of; as Russia has openly recruited criminals for private military contractors, it is feasible that cybercriminals could be recruited to work for the Russian state in a similar fashion.

The spectrum of state responsibility (Source: Atlantic Council)

The coordination of this activity also exists on a wide spectrum. Some cybercriminal and hacktivist activity may be directly coordinated via state policy—for example, North Korea’s “HolyGhost” ransomware group—while other activity may simply be encouraged. With threat actors deliberately attempting to obfuscate their identity and motivations—often by masquerading as a separate entity—determining where activity sits on this spectrum is incredibly difficult.

A key for analysts is to remain flexible and not compartmentalize cyber threats. Threat groups often represent a combination of nation-state, hacktivist, and cybercriminal elements.

Many hands make light work: Resurgence of hacktivism is likely to continue amid a collectivized effort

One of the main trends for cyber threats in 2022 was the resurgence of hacktivism. Hacktivism is highly influenced by geopolitical and political conditions and is not often a proactive ideology. Hacktivism is highly open to fluctuation and has typically been viewed as a declining type of attack since 2017; this coincided with the decline in Anonymous associated activity. Pertinent events that cause global attention, as seen with the Russian invasion of Ukraine, are likely to galvanize hacktivists en masse. Hacktivism has historically taken the form of denial-of-service attacks, defacement attacks, and data leaks.

Hacktivist activity in the Russia-Ukraine war has been used on both sides of the conflict. In Ukraine, the “IT Army of Ukraine” amassed thousands of willing volunteers to take the fight to Russia online. This was coordinated centrally by Ukraine’s Vice Prime Minister and Minister for Digital Transformation, Mykhailo Fedorov (see Figure 8). This group have had great success in conducting denial of service (DoS) and defacement-based activity. In October 2022, the IT Army of Ukraine were reported as having targeted Russian company FTNET, stealing 240GB of data and posting it online. Influence operations (IO) have also been utilized as a weapon during the conflict, by targeting Russian telecommunications providers, utilities, and private companies.

Twitter post encouraging hacktivist actors to assist Ukraine

In Russia, the “Killnet” hacktivist group have also generated significant support in conducting attacks in support of Russia, targeting both Ukraine and several NATO and aligned countries. Like with the IT Army of Ukraine, Killnet organized and coordinated its followers through a dedicated Telegram channel. This coordination of hacktivist entities through a collectivized effort is one of the main developments that have taken place in the last year; pooling resources and crowdfunding for further personnel can greatly assist hacktivist actors in achieving their goal. It’s likely that future hacktivist activity will be coordinated in a similar fashion, with a single figure or authority using social media as a conduit to coordinate activity and generate external support.

Disinformation campaigns will be the weapon of choice for threat actors targeting the 2022 US midterm elections

The run up to the US midterm elections in November will likely face a series of influence and disinformation operations, as opposed to destructive attacks. The 2020 US election saw significant levels of IO, aimed at discrediting the electoral process. This included denigrating mail in ballots and highlighting reported electoral irregularities. 

With Russian and US relations collapsing in 2022, it’s likely that similar efforts will be directed towards the upcoming election. This will almost certainly focus on sowing criticism over the US’ involvement in the ongoing Russia-Ukraine conflict—a viewpoint held by a portion of the US’ elected officials—and the international community’s position on sanctions targeting Russia. Themes that will be discussed will likely surround the decision to continue providing economic and military aid for Ukraine, in addition to spreading propaganda over reported Russian successes and justifications for starting the conflict, including attributing the blame to Ukraine, the US, and NATO. It is realistically possible that any attempts at undermining the 2022 midterm elections could also have an impact on US policy making in 2023.

The method of distributing disinformation campaigns will continue to be achieved through the use of social media, including establishing accounts to spread IO messages, memes, and also amplify dissenting opinions on the future of the war; a recent example of this was several Russian media outlets offering praise towards entrepreneur Elon Musk and an alternate approach he established to end the war. The November elections could also see a return of the infamous “Internet Research Agency” troll farm, a Russian organization known to be tasked with spreading pro-Russian propaganda.

It’s realistically possible that deepfakes will be deployed as part of disinformation campaigns targeting the US elections; in March 2022, a deepfake video depicted Ukrainian President Volodymyr Zelensky reportedly confirming Ukraine’s surrender to Russia. While the use of deepfakes is likely to become increasingly commonplace in social engineering campaigns of the future, at this time they are easily identifiable by social media companies before they have a possibility to cause a great effect.

IO is also not likely to be limited to Russia. Divisive political material is also likely to emanate from Chinese state sponsored threat actors, who will have their own objectives in promoting an agenda favorable to Beijing; on 24 Oct 2022, 13 Chinese operatives were indicted for conducting influence operations against the US. This could again involve the US role in the war in Eastern Europe, but is also likely to focus on issues related to the COVID-19 pandemic, and US involvement in Taiwan’s independence movement, something of great significance to China. Iranian actors may also have an interest in spreading disinformation at this time, most likely motivated by raising sanctions impacting Iran, stifling criticism of Tehran’s handling of ongoing civil rights protests, and renewing the Joint Comprehensive Plan of Action (JCPOA), also known as the Iranian nuclear deal.

Charting course with cyber threat intelligence

Our CEO Brian Murphy has frequently called cyber security the greatest challenge of our lifetime. Staying ahead of the numerous cyber threats facing businesses can often seem like an impossible task. Threat actors are agile and resourceful, unhindered by their ethics, any regulation, or geography. On the other hand, businesses must consider resource and personality constraints, and ensure that management approves of changes that could be made and that any changes are implemented in a safe manner. And even if you get the right controls in place, that doesn’t guarantee safety, far from it.

The best possible method of understanding cyber risk—and of course tackling it—is through a robust intelligence service. This can assist in identifying trends and the common techniques and methods used by cyber threat actors, ultimately providing the best methods of steering your ship round the various threats on the way.

You can get a comprehensive look at the data that we used to build this blog with a free demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Additionally, you can get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.