Cybercrime 2023 and 2024 - what was and what is coming?
The year 2023 is finally over and a 2024 full of new and familiar cyber threats lies ahead of us. By looking back at the old year, we want to try to recognize threats early in the new year so that we are not unprepared to enter the ring against hacker groups and spies. In the following blog post, we look at what both cyber criminals and state hackers learned in 2023 and draw conclusions about attack patterns in the new year.
Cybercrime: Ransomware is still the supreme discipline
The business of extortion remains the biggest threat to business and administration in the area of cybercrime. This view was shared at the end of 2023 by authorities such as the German Federal Office for Information Security (BSI) as well as specialists from relevant security vendors. The LockBit group, now an old acquaintance in the business, was also the most active of the ransomware franchises in 2023. Achieving this title for the second time in a row is a dangerous distinction. As in the Wild West, the proverbial bounty, i.e. the pressure from the authorities, is growing on the group's operators and the concept of "too big to stay afloat" could finally take hold for LockBit and its operators and developers this year.
However, the ransomware scene also went through some changes in terms of tactics and techniques in 2023 - which will reverberate into 2024. On the one hand, a decline in encryption was measured while the number of attacks increased. This means that ransomware attackers are moving away from the current state of the art, "double extortion" (data encryption combined with data theft and the threat of a leak), to simply stealing data without damaging the victim through encryption. There are two reasons for this trend: Firstly, potential victims' backup strategies are now so sophisticated that it is usually possible to restore encrypted files. Backups in multiple versions at different locations, online and offline, have become the standard protection against ransomware. Secondly, skipping encryption lets attackers carry out a quick attack. The time and computational effort required to encrypt entire corporate networks carries a higher risk with a dwindling return on investment. Accordingly, we will also see less encryption and more data theft in 2024.
A real game changer in the ransomware scene was the adoption of a tactic usually reserved for highly equipped hacker groups with state support: the mass exploitation of zero-day vulnerabilities in supply chain products. In particular, the Cl0p group was able to compromise several file transfer solutions, namely Fortra GoAnywhere and MOVEit File Transfer, at hundreds of organizations, exfiltrating data and encrypting systems. Given the opportunity, other groups would certainly make use of such a lucrative method, which is why patch management for critical systems is more important than ever as a defense measure.
State actors: geopolitical tensions in cyberspace
The war in Ukraine enters its third year in a month's time with the same level of brutality and the associated suffering for soldiers and the civilian population. At the same time, the conflict between pro-Russian and pro-Western hacker groups is raging in cyberspace. Although this type of trial of strength is far less bloody, it is similarly bitter and the fronts are also hardened. In 2023, both pro-Russian and Ukrainian state hackers changed their tactics. The latter were able to switch from the defensive to the offensive several times and inflict considerable damage on Russian critical infrastructure, including banks and tax offices, using wiper malware - a tactic that was still being used extensively by Russia in 2022. Pro-Russian hackers, often based directly in the FSB and GRU intelligence services, switched in 2023 from initial "shock and awe" wiper attacks against Ukrainian targets back to the actual core business: espionage operations against important targets in Ukraine and NATO countries. Just this week Microsoft announced that the email accounts of its executives had been compromised for several months by the Russian APT "Midnight Blizzard" (aka "Cozy Bear" and "Nobelium"). The success of such long-running espionage operations will surely spur Russian intelligence services on to further operations in 2024.
Meanwhile, a storm is brewing in the Pacific region, particularly in the Taiwan Strait. Chinese claims to Taiwan are growing louder, military maneuvers are increasing, and Chinese hackers were not idle in 2023. For example, the "Volt Typhoon" group was able to create its own botnet from end-of-life Cisco routers to covertly route global internet traffic and conceal Chinese operations. The same actor also attracted attention in 2023 by compromising the power grids of various US military bases (including in Guam). At the same time, the hacker group "Storm-0558" managed to gain access to the email accounts of high-ranking US officials, including the Secretary of Commerce, by stealing a Microsoft key. The attackers were able to read emails and download entire mailboxes. The scandal caused by the discovery raised the question of what other secrets of Western vendors are already in the hands of intelligence services. With increasing tension in the Pacific region in 2024, Chinese hackers will also become conspicuous with increasingly brazen actions.
So things remain exciting in cyber security for companies and public administration. Complion security experts will continue to support IT security managers in their tasks this year, both with a weekly analysis of the current threat situation in the Cyber Security Competence Center (CSCC) - a service provided by VOICE CIO Service GmbH - and in IT security projects. If you are also interested in our cyber security portfolio, look here: https://complion.de/was-machen-wir/cybersecurity
Author: Tobias Philipsen