When it comes to cybersecurity you can almost write a “What’s Ahead in Cyber” article without any research, because the pivotal issues remain the same. The central characters in this digital drama of Good versus Evil are humans and as a result there will continue to be cybersecurity issues in the coming years.
You don’t need to be an expert to know that last year was a bad one whether we’re talking about data compromise, privacy shortfalls or malicious hacker activity. And you don’t need a crystal ball to predict that 2022 will be worse.
There are mitigating factors that may prove me wrong, and I welcome them. Artificial intelligence has been deployed with increasing success in cybersecurity programs, and it catches things early that, unnoticed, would have been far more detrimental. Institutional awareness of cyber hygiene has never been greater, which is fantastic. But awareness and adherence are too often like ships passing in the night when it comes to the implementation of cybersecurity protocols in the workplace. Humans go off course all the time, and cyber is a very human problem.
But enough gloom and doom. Let’s take a look at some trends in cybersecurity that made waves last year, because they will likely be around when I do my “What’s Ahead in Cyber” article for 2023.
By far the most sensational byword of 2021 was “killware,” a blanket term for any cyber activity intended to do real-world physical harm. While killware had something of a science fiction air to it, U.S. Department of Homeland Security Secretary Alejandro Mayorkas declared it to be a greater threat than ransomware.
Mayorkas wasn’t speaking hypothetically. In January 2021, a threat actor breached a water treatment plant in Oldsmar, Florida and, using remote access tools (the term RAT is so appropriate), increased the amount of sodium hydroxide (aka lye) in the water to lethal levels. The attack was noticed and stopped by a plant operator, but had the potential to poison over 15,000 people.
While the Oldsmar killware incident was fortunately a one-off in 2021, it shed light on a widespread and poorly protected target for threat actors and led to a joint advisory from the FBI, NSA, CISA and the EPA. As pointed out in a recent op-ed in the Washington Post, the United States has somewhere in the range of 70,000 drinking water and wastewater systems, many of which have limited budgets and few if any personnel to mount an effective cyber defense.
The potential number of targets and damage posed by killware is sobering, and we’re nowhere near where we need to be to protect everything that is currently vulnerable.
In no way does this eclipse the threat posed by ransomware. While killware is a new and threatening concept, it describes an old situation which includes existing threats. For instance, ransomware is killware if it is pointed at crucial targets such as hospitals, utilities or emergency services even if the intent is profit and not manslaughter.
Ransomware went mainstream in 2021, with increasingly sophisticated cyber crime gangs hitting bigger and higher-profile targets.
The examples are too many to count, but among the most notable was the July 2 Kaseya supply chain breach, where Russian-speaking ransomware affiliates compromised a US-based virtual systems administrator and disrupted as many as 1500 businesses and organizations worldwide. This gave rise to yet another diplomatic headache for President Biden, who rebuked Vladimir Putin, asking him to do more about cybercrime originating from Russia.
The crossover with killware commenced when hackers targeted critical infrastructure using ransomware. The Colonial Pipeline attack affected a primary supply of fuel to the eastern seaboard of the U.S. The disruption occurred in May, and was thought to be the work of the Darkside cybercrime gang. Brazilian meat processing giant JBS was hit a month later.
Another trend we can expect to see more of this year in ransomware is huge amounts of money changing hands–sometimes twice. Colonial Pipeline paid a $4.4 million ransom for what was a relatively useless decryptor tool (they simply restored their systems from a backup), and JBS paid the equivalent of $11 million. Perhaps even bigger news was the FBI clawing back the Colonial Pipeline ransom and other similar stories about the recapture of supposedly untrackable crypto.
The takeaway for ransomware gangs was straightforward. Attacks on critical infrastructure can net massive paydays, which means we’ll keep seeing bigger attacks and larger ransoms paid to threat actors in 2022. While some ransomware gangs have stated publicly that they would avoid infrastructural targets, their actions say otherwise. We can expect to see the FBI take some of the ill-gotten gains back, and in general just more ransomware-related chaos.
The takeaway for ransomware targets was murkier, revolving around a discussion of what qualifies as critical infrastructure. When two agricultural collectives in Iowa and Minnesota were disrupted by ransomware, one pleaded with the gang responsible to make them whole again because of their connection to the agricultural supply chain, which they argued made them critical. The gang begged to differ and communications broke down quickly.
In cases like Kaseya or SolarWinds (the target of a 2020 mega breach that compromised several Federal agencies and many of the largest companies in the world) one might argue that the sheer number of businesses and organizations affected by an outage makes them critical. No matter the size and reach of a company, we can expect to see more businesses and organizations identifying themselves as “critical infrastructure” in 2022. The goal will be twofold: forbearance from cybercrime syndicates and better engagement from law enforcement agencies.
If you find the whole “honor among thieves” idea ironic, you’re not alone. We can expect plenty of critical infrastructure to be targeted in the year to come.
Ransomware gangs will continue to recruit new affiliates with ransomware-as-a-service (RaaS) offerings. We can also expect more “double extortion” where not only is a victim locked out of their data unless a ransom is paid, they’re also charged to not have that data exposed on the darkweb.
Cybersecurity organization Group-IB reported a 935 percent increase in organizations with data leaks to dark websites from 2020 to 2021. A similar report from Unit 42 found a five-fold increase in average ransom demands with companies paying roughly 80 percent more than the previous year.
We will continue to see ransomware operators utilizing “triple extortion,” where the vendors, partners and suppliers of a targeted organization are hit with these double extortion-style tactics. With all this afoot, 2022 is going to get pricey for businesses and organizations of all stripe.
The ransomware business will continue to grow on the right side of the law as well, with more consultants and cybersecurity firms offering to communicate with ransomware gangs as a proxy. These mitigation services will continue to be controversial. Consultants and legal ransomware facilitators have and will continue to argue the merits of their services, citing the greater likelihood of data recovery and lower ransom payouts. Critics and law enforcement point out that assisting with payments only serves to increase the profitability of a now-rampant form of cybercrime that will only continue to grow.
Businesses will continue to be stuck in the middle.
Putting aside the ethical considerations, companies will increasingly decide that it makes sense to pay for access to their own data. The logistical hurdles of negotiation, cryptocurrency acquisition and ransom settlements can make them desperate for any assistance. As a result, we can expect ransomware attacks to skyrocket alongside the increasing interaction with hackers as a service model.
Ransom and ransom-related services will be siloed under the cost of doing business, and may even become tax deductible. Stay tuned.
Another issue that is guaranteed to cause headaches for IT departments, businesses, organizations and individuals alike is a security vulnerability that was discovered over the holidays in a near-ubiquitous software logging tool called Log4J.
The upshot: millions of servers, applications and websites using the tool (ranging from Apple to the NASA Ingenuity Mars Probe) can be quickly and easily compromised if the security patches (there are several) are not implemented in a timely way.
Threat actors spent December and the New Year scanning potential targets, with the earliest reports being for relatively low-level cyber crimes including cryptojacking as well as ransomware attacks. Expect more advanced attacks originating from more sophisticated hacking combines, both state-sponsored teams and cybercrime syndicates–as the vulnerability is better understood.
The common thread, whether we’re talking about petty crime or complex state-sponsored operations, is poor cyber hygiene and cyber-sloppy humans.
SolarWinds was actually protected by the password “solarwinds123,” and the password was publicly accessible from 2018 through 2019. The Oldsmar water supply attack was made possible by an outdated version of a remote desktop application that was protected by one password shared by all the plant’s employees. There was no firewall or added security. The Colonial Pipeline hack most likely started with an employee clicking on a phishing email with a malicious link.
The list goes on, but the prediction remains the same: Cybercrime and hacking will continue to grow exponentially as long as would-be targets leave the door open for threat actors.
Some basic steps you and your organization can take: nurture a culture of privacy and security from the mailroom to the board room, constantly educate your employees as to the threats they face and the red flags they need to be on the lookout for, keep your software updated, frequently backup your data, use a password manager (or at a minimum don’t share or reuse passwords and don’t think “123456” is going to hold a hacker at bay), check and double-check emails for anything suspicious before clicking links, and for heaven’s sake have a plan ready to go in the event something goes wrong. There’s no way to be 100 percent protected from threat actors, but it is possible for individuals and organizations to make themselves harder to hit. Finally, if you do get hit and are willing to share your experience for the benefit of others, I would love to have you as a guest on my podcast, What the Hack with Adam Levin.