This past year has been one of victory – for cybercriminals. The first nine months of 2021 saw 40% more cyberattacks than the same period in 2020, according to data from Check Point Software Technologies Ltd. And next year, things look to get even more challenging, with new and more comprehensive types of attacks, especially by state-level actors. Here is a look at what 2021 has brought, and what we can expect in 2022:
By Shmulik Yehezkel, Chief Critical Cyber Operations Officer at CYE
The Year of the Supply Chain Attack
Supply chain attacks were up more than sixfold in the first nine months of the year alone, according to a report from software supply chain management company Sonatype. These attacks, including the high-profile SolarWinds incident of late 2020 whose fallout continues to expand, are extremely dangerous because once a hacker gains access to a significant software supplier, they can also sometimes reach the data and code of their subscribers and customers. This provides multiple routes to new targets, including those that were once considered well-protected. Another advantage for attackers is deniability, as they can use the supply-chain company as a proxy for another target.
Attackers’ Deniability Has Grown
As cyberattacks grew increasingly severe in 2021, they also became harder to trace back to the parties carrying them out. Ironically, this is because we have seen that more hackers–including state-backed bad actors – use open-source tools that are publicly available – from what we at CYE have seen, mainly on GitHub. This helps cover their tracks, providing them a wide range of deniability, and making it more difficult to target them with counterattacks or other forms of retaliation. The anonymous nature of the attacks also allows those who carry them out to avoid dealing with the fallout, like being seen as responsible for causing financial damage or human death or injury.
Reliance on Publicly-available Attack Tools Increased
Although it may sound surprising, most of the cyberattacks we have seen during the past year were not highly technically sophisticated; this is true for both simple cybercriminals and state-level actors. Time and again, we saw them using publicly-available tools to take advantage of known vulnerabilities; as this not only saves them time and money but allows them the cover of deniability. In addition, as much as we do see growing usage of the much-feared zero-day attacks, these are still mainly limited to high-level state actors and superpowers.
On the horizon: The Increased Use of the “Hub” Attack
Going into the next year, we expect the continued growth of supply chain attacks, mainly with commercially-available tools. But hackers will also take things to the next level with what we are calling attacks on “hub-companies.” Hub companies are those with extensive digital connections to suppliers as well as customers. These companies can be average-seeming organizations, as well as insurance companies, credit clearing companies, and SaaS providers. These companies provide links to potentially more valuable suppliers and large customers. In addition to directly getting into the networks of these higher-value targets, like banks or weapons companies, hackers can find in the hub company valuable intelligence and information, like how a supplier interacts with a vendor, for creating effective phishing campaigns. This emerging hub attack is on track to become a preferred method of attack, simply because it is an efficient way to carry out attacks with far-reaching consequences, and provides easier avenues to bigger more well-protected targets.
The Emergence of “CN-All”
We also see change on the horizon for nation-state-backed attacks. These attacks have been on the rise in their number and in their success rates over the last year. But going forward, they will become more ambitious.
Today, the industry classifies attacks into categories: CNE, for computer network exploitation or espionage, CNI, for computer network influence, and CNA for computer network attack; this upcoming year, we are going to see more and more state-level actors carrying out what we call CN-ALL attacks. In this type of attack, state-level actors will combine all of the cyber warfare elements–espionage, influence, and disabling systems. These attacks will be particularly challenging because they require response simultaneously on several fronts. CISOs need to be prepared to deal with the technical aspects of recovering data and accessing backup systems, while also dealing with law-enforcement and legal teams, addressing the media, and, when needed, informing regulatory officials.
In addition, as we saw with the attack last December on Israeli insurance firm Shirbit, widely attributed to Iran, not all the consequences are clear at once. CN-ALL attacks will be about the attacker choosing when, where, and why to execute each phase of the attack. The consequence is that CISOs will have to keep in mind that even when an attack has been found, mitigated, and foiled, it might not be the end of it. In the Shirbit example, the initial part of the attack was the hackers demanding ransom and shutting down the company’s systems, making it unable to renew or issue policies and severely cutting into its business revenue. But later, it emerged that the attackers then actually sold customer data online, and, some experts say, had an overall goal of humiliating Israel and ruining its reputation as a technology powerhouse. This mix of financial and political goals, or disguising political motives as financial ones, is something we will, unfortunately, see more of this coming year.
No One is Immune
The growth in these types of attacks will require companies to rely on cybersecurity teams made up of professionals with hands-on experience in cyber warfare at the state level, in places like the government, military, and intelligence services, who really understand and have experienced interactions with state-backed hacking groups. We call them ACTs – Advanced Cyber Talents. On a more boring note, because the stakes of attacks are getting bigger, it remains more important than ever to make sure all employees understand the value of strong passwords, learn how to recognize phishing attempts, and use multi-factor authentication. While sloppiness in these areas has long allowed bad actors to reach sensitive and valuable data, now, with the growth of hub and CN-All attacks, this human factor can also result not only in severe damage to their organization but potentially to thousands of others. In addition, from now on, every company, regardless of size, domain, or region of activity, should be aware that it might be a potential target for cybercrime, as well as state-level cyberattacks with a variety of purposes and goals. No one is immune.
About the Author
After more than 25 years in the military and the Israeli defense special forces, Shmulik joined the CYE team as Chief Critical Cyber Operations Officer & CISO. Shmulik leads the Critical Cyber Operation division (C2OPS). The C2OPS division is responsible for CYE operative operations and is composed of four main centers: data forensics and incident response (DFIR), threat hunting & computer threat intelligence (CTI), advanced cyber architecture & engineering, and the VIP security center. Shmulik is a software engineer and cyber security professional with extensive strategic and hands-on experience. Shmulik brings years’ worth of experience leading cyber operations, cyber R&D, information security, and risk management in the Israel Defense Forces, the Ministry of Defense, and the Office of the Prime Minister of Israel.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.