The cyber threat landscape is constantly evolving as threat actors and cyber security providers try to outsmart each other. In 2022, well-known attack methods remained popular and new techniques grew in frequency as perpetrators responded to developing defence mechanisms.
There were also a number of motivational factors influencing cyber attacks globally in 2022. For example, multiple high-profile incidents highlighted the value of data, whilst other high-impact attacks demonstrated the role cyber can play in political conflict.
Supply chain attacks
Much of the legislative reform implemented in 2022 aimed to address the risks posed by an organisation's supply chain. This was likely in response to an increase in supply chain attacks in 2021, and a growing body of research revealing a lack of preparedness amongst organisations. A report by software platform Anchore indicated that in 2022, attacks originating from the supply chain increased by 62%.1
The way in which businesses operate today makes it extremely difficult, if not impossible, to avoid interacting with and relying on other companies, facilities and services. Whilst software providers are an obvious example, the link does not have to be technological. An integral part of a manufacturer's supply chain could be the third-party company it engages to deliver its products to retailers. Each third-party provider has its own third-party providers, creating a vast interaction of interlinking supply chains.
In engaging third-party providers that are essential to a business, organisations often fail to inquire about the level of cyber maturity of these providers or assume that these providers have cyber security measures in place, which may not be the case. It is likely that a provider will have adequate security measures in place at the highest level, but lack robust systems further down the supply chain. Smaller companies often do not appreciate their links to large organisations several levels removed, or lack the resources to put strong measures in place.
This explains why supply chain attacks are so appealing to threat actors. A threat actor who can successfully infiltrate one weak link in a supply chain has the ability to compromise the entire chain. After all, a chain is only as strong as its weakest link.
Companies of varying sizes were exposed in this manner in 2022. The exploitation of a vulnerability affecting Apache Log4j, an extremely popular open-source logging library in the Java ecosystem, created a large attack surface which the US Cybersecurity and Infrastructure Security Agency labelled as an "endemic vulnerability" that will linger for years. In April, an incident on GitHub revealed a supply chain attack in which threat actors stole user authentication tokens issued to third-party integrators and leveraged them to download data from GitHub’s customers, raising concerns regarding reliance on external repositories.
Supply chain attacks are also appealing as they are diverse in nature. A threat actor can use various attack methods (such as brute force, malware and vulnerabilities) to attack numerous suppliers (such as hardware, configurations, and open-source code) and achieve various different outcomes (access to personal information, business data, financial information, software and processes).
In 2023 and beyond, supply chain attacks will likely continue to be popular. This is a systemic cyber risk which the insurance industry will continue to grapple with.
Cyber warfare
Geopolitical tensions, particularly the Russian invasion of Ukraine, strongly influenced cyber threats in 2022.
Shortly before the invasion, it is believed that Russian state-sponsored threat actors launched a broad cyber campaign that intended to create disorder and overwhelm Ukrainian defences, targeting government agencies and critical infrastructure. It is also believed that Russia was responsible for a hack on American satellite company Viasat, shortly before Russia physically invaded Ukraine. The effect of the attack was that the Ukrainian military, which relied on Viasat’s services for command and control of the country’s armed forces, was unable to communicate.
This "hybrid" war strategy seemingly adopted by Russia is one of the first real-world examples of how cyber attacks can be deployed to support physical attacks. It also reiterates one of the major trends from 2021, being the importance of critical infrastructure assets and the potentially fatal consequences an attack on these assets can have on national security.
This increase in cyber warfare also led to a dramatic increase in hacktivism, from newly-formed pro-Ukrainian and pro-Russian cyber legions to well-established groups such as Anonymous. Often using DDoS attacks, these groups aimed to cause disruption and use cyber attacks to send politically motivated messages. For example, our timeline shows that during the televising of a speech by Vladimir Putin, Anonymous hacked Russian TV channels to air uncensored footage of the war in Ukraine and display a message stating that the country has "blood on [its] hands".
Similar types of attacks and hybrid strategies were also seen in other conflicts globally, including the Israeli-Palestinian conflict and the China-Taiwan conflict. It is evident that the cyber realm is now a battlefield of its own during times of war, and these tactics will increasingly form an integral part of the defence strategies of certain countries.
Distributed denial-of-service (DDoS) attacks
DDoS attacks are a prime example of the role cyber can play in political conflict. These attacks increased in popularity as a method to cause disruption and send political messages during the Russia-Ukraine conflict. In fact, it is believed that observed DDoS attacks focusing on Russian targets increased by 236% between February and March 2022.2 Further reports at the end of 2022 recorded that throughout the year, 21.5 million DDoS attacks were aimed at roughly 600 Russian organisations and DDoS attacks accounted for approximately 80% of all cyber attacks on Russian entities that year.
However, it was not just pro-Ukrainian attackers deploying DDoS attacks. Russian-aligned hacktivist group Killnet gained notoriety during the first month of the Russia-Ukraine conflict when it began a widespread campaign of DDoS attacks. Whilst the attacks were described as unsophisticated, their targets included multiple hospitals, government websites and other critical infrastructure assets of NATO countries.
Other geopolitical conflicts also saw DDoS attacks employed to send political messages. For example, a DDoS attack occurred on the Taiwan presidential office's website and several other government websites in August 2022. It is believed that these attacks coincided with the visit of US House Speaker Nancy Pelosi, following threats from the Chinese government to take action to respond to Ms Pelosi's trip. Reports also showed some websites and television screens at government facilities defaced with messages criticising Ms Pelosi's visit in an effort to spread disinformation.
DDoS attacks were frequent in 2022, and not just in cyber warfare. The volume of DDoS attacks targeting financial firms increased 22% year-on-year as of November, with reports that financial services in Europe were most affected, experiencing a 73% increase in attacks.3 Whilst attacks on financial services can be politically motivated, threat actors also use DDoS as an extortion technique, demanding money in order for the traffic to cease.
In 2022, numerous bank websites and apps experienced significant downtime due to DDoS attacks, creating an extreme amount of disruption and customer dissatisfaction. The ability of threat actors to leverage this for significant ransom payments has seen an increase in a DDoS-for-hire model, where anyone with access to the internet and the dark web can be given access to a botnet to carry out an attack for as little as $10 per hour.4
The rise in the DDoS-for-hire industry will be one to watch in 2023.
Large-scale data breaches
Whilst data breaches were prevalent throughout 2022, they experienced a sharp increase in frequency and scale in Q3 2022. According to a report by Surfshark, a total of 108.9 million accounts were breached globally in Q3 2022, a 70% increase compared to the previous quarter.
In Australia, Q4 2022 saw major data breaches that targeted some of Australia's most prominent critical infrastructure organisations, affected millions of Australians and fuelled legislative reform. Although ranked 16th in the world by total data breach count, Australia had the highest "data breach density" globally in Q4 2022, which was 24 times more than the global average. In October and November 2022, on average, 7,387 user counts were leaked per 100,000 Australians.
These attacks shone a spotlight on the sheer value of data available online. As they say, data is the new currency. In many of these large-scale data breaches, threat actors moved away from the encryption of files to a data theft-only approach. Ransomware-as-a-Service gang LockBit, for example, issued guidelines for affiliates including that file encryption was not to be used against certain industries, such as healthcare. Many threat actors are no longer bothering with the technicalities of encryption or using the disruption of services as a bargaining tool. The many ways in which the data itself can provide financial gain is often sufficient.
When a threat actor compromises an organisation's network and exfiltrates data, they have several options. Firstly, they can demand a ransom from the organisation to prevent the release of the data. This, however, is usually not their main motivator. By exfiltrating personal and sensitive data, the threat actor uses the information of the organisation's customers and employees to extort each of those individuals. Alternatively, and often in addition to these methods, the threat actor will also sell the data to allow others to use the information for their financial gain, including by extortion, scams, credential theft and identity theft.
Data will continue to be currency, power and opportunity for threat actors.
Ransomware
A summary of 2022 cyber trends would not be complete without ransomware. The Australian Cyber Security Centre identified that in the 2021-22 financial year, ransomware was the most destructive cyber crime.
As organisations have become more cyber aware, extortion methods have become multifaceted. Ransomware no longer involves simply locking down data and demanding money for its release. Labelled by cyber security company Mandiant as "extortion accelerators", threat actors now engage in a number of practices to more effectively extract payment from victims. Such tactics include:
- exfiltrating and stealing the data
- threatening to publish the data
- publishing parts of the stolen data on name-and-shame websites to prove possession of the data
- carrying out DDoS attacks on the victim's network during ransom negotiations
- disclosing the breach, subsequent details of the incident and any negotiations to media outlets
- amplifying stories of victims in the media to increase public pressure
- notifying business partners and other stakeholders to increase pressure to pay the ransom.
These multifaceted attacks often have the effect of:
- requiring more involvement from various employees, including an organisation's IT department, legal, public relations and management functions
- preventing customers from accessing websites
- preventing employees from accessing software required for day-to-day business operations
- increasing the risk of regulatory fines for data breaches
- creating relationship friction with key stakeholders
- reputational damage and customer loss.
What these effects have in common is that they all cost the business money and pose a risk to its reputation. In a study by GetApp, only 11% of ransomware victims said that the ransom payment itself was the most consequential aspect of the attack. The ongoing reputational damage and financial loss that the threat actors then used to gain leverage to demand higher payouts proved far more impactful.
The changing face of ransomware will be one to watch and prepare for in 2023 and beyond.
This article is part of CyberSight 360 2022/23.
Our team of legal experts in Australian privacy regulation has developed Lander & Rogers PrivacyComply—an innovative, automated privacy impact assessment tool. Designed to help organisations efficiently navigate privacy obligations, Lander & Rogers PrivacyComply offers a smart, fast, and cyber-safe way to manage privacy risk.
1 Anchore 2022 Software Supply Chain Security Report.
2 ASERT Team. DDos Threat Landscape - Russia 23 March 2022.
3 Martin, Andrew. Denial-of-Service Attacks Rise, Raising Concerns for Banks. Insurance Journal. 1 February, 2023.
4 Nesbo, Elliot. What is DDoS-for-Hire and Why is it a Problem? MUO. 26 November, 2021.
Photo by Philipp Katzenberger on Unsplash.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.
