CCB report highlights cyber threat landscape in 2023, as hacktivist and state-sponsored attacks rise

The Centre for Cybersecurity Belgium (CCB) disclosed that the global cyber threat landscape in 2023 continued to be characterized by cyberattacks carried out by various threat actors, including hacktivist groups, ransomware groups, and state-sponsored hacking groups. While cybercriminals primarily focus on financial gain, there is a strong correlation between geopolitics and the cyberattacks conducted by hacktivists and state-sponsored attackers.

In 2023, Belgian organizations were primarily targeted by ransomware and DDoS (distributed denial-of-service) attacks. However, they also experienced other types of cyber incidents, such as data leaks, CEO fraud, and the discovery of threat leads on the dark web and on specialized forums advertising stolen data and compromised Belgian IPs used in cyber operations.

The agency is working towards enhancing resilience through various means, such as national and international collaboration, public-private partnerships, information sharing, capacity building and training, awareness raising, research, AI-driven detection and response, quantum-ready cryptography, national cybersecurity exercises, and more. While these actions are crucial and beneficial, they alone are not sufficient. Despite these measures, cybercrime and online fraud continue to increase. It appears that these measures are often too broad in scope and do not always result in tangible actions and outcomes unless they are translated into smaller, more specific projects and services.

The CCB report, released on Thursday, found that the Ukraine-Russia conflict, which started in 2022, reactivated hacktivism and showed that hacktivist groups can represent an important capability and a way to attract attention in support of physical and ideological activities during a conflict. It said that their favorite modus operandi consisted of disruptive DDoS attacks, web defacements, and hack-and-leak operations.

The pro-Russia hacktivist groups targeted not only Ukraine but also many other countries in Europe, including Belgium. Their targets were mostly government and military entities, but also organizations in the energy, transportation (ports and airports), logistics, banking, telecommunication, and even healthcare sectors.

The attacks were conducted in retaliation for the military, financial, humanitarian, or political support offered by European countries to Ukraine and consistently mirrored Russian strategic objectives. Apart from the hacktivist activity related to the Ukraine-Russia conflict, hacktivism has also been on the rise in other regions of the world, as these groups continue to respond to changing political and societal issues and to conflicts occurring worldwide. Political issues and social tensions, as well as ongoing conflicts in different regions, influenced hacktivist activity in 2023.

According to the CCB report, cybercriminal activity has been impacted by macroeconomic changes, leading to notable advancements in capabilities and tactics. Additionally, there has been an expansion in the range of targets, including governmental bodies, public institutions, and critical sector organizations. 

Ransomware attacks continue to pose a significant threat to organizations, particularly critical infrastructures, in Europe and the U.S. These malicious activities primarily target sectors such as manufacturing, software and IT, healthcare, education, business and consulting services, law, finance, and banking. Additionally, there has been a notable rise in ransomware attacks against municipalities and public sector institutions in European countries, including Belgium, since the onset of the war in Ukraine.

The CCB report said that geopolitics remains the most important driver of APT (advanced persistent threat) campaign development, whose prime goal continues to be cyber espionage (exfiltration and collection of sensitive data). APT attacks were mostly conducted by state-sponsored hacking groups and had a significant impact on the targeted infrastructure. 

Throughout the year, cybersecurity companies and national authorities reported multiple cyber espionage campaigns targeting mainly the governmental environment, but also some strategic sectors. State-sponsored hacking groups such as APT 28 (Fancy Bear), APT 29 (Cozy Bear), Emissary Panda, APT 33, Charming Kitten, and the Lazarus Group, to name just some of them, continued to be globally active.

There were also reports of intense activity against different European targets from new groups, such as Storm-0978, which Microsoft reported conducting a phishing campaign against the North Atlantic Treaty Organisation (NATO) Summit this year, and Storm-0558, a threat actor also tracked by Microsoft, which primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access. The state-sponsored threat actors were also observed developing and deploying new tools and capabilities against their targets in order to maintain persistence, avoid detection, and complete their objectives.

The CCB report also addressed critical vulnerabilities that have shaped the cyber threat landscape between January and September 2023. It identified five of the most critical vulnerabilities that were also exploited by cyber threat actors last year. These include CVE-2023-0669, a zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) tool, which has been actively exploited by threat actors, including ransomware groups. The vulnerability enables remote code execution (RCE), which can result in compromised systems, data breaches, and financial extortion. The Clop ransomware group targeted approximately 490,000 individuals, compromising their personal information through this vulnerability.

The CVE-2023-2868 vulnerability in the Barracuda Email Security Gateway devices permits user inputs to be executed as a system command, which grants attackers the ability to remotely manipulate system commands with significant privileges. The flaw was exploited in wide campaigns, from October 2022 until May 2023, by a highly skilled threat actor, tracked by Mandiant as UNC4841. Almost a third of the identified affected organizations were government agencies across all regions. 

The CCB report also lists CVE-2023-34362, a critical zero-day vulnerability in MOVEit Transfer, a file transfer solution. The vulnerability, which could lead to escalated privileges and unauthorized access to the environment, was mass-exploited by the Cl0p ransomware group to steal data from organizations. The operators behind Cl0p ransomware claimed to have gained access to information from ‘hundreds’ of companies that use the MOVEit software and started to list the victims on their Data Leak Site (DLS).

Another vulnerability that was highly exploited by cyber threat actors was CVE-2023-23397, a critical elevation of privilege vulnerability in all supported versions of the Microsoft Outlook email client for Windows. This flaw allows attackers to bypass authentication measures, facilitating unauthorized access to confidential data and enabling user impersonation within organizations. 

Lastly, the CCB report included CVE-2023-38831, a security flaw in the WinRAR archiver tool for Windows that allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The vulnerability has been widely exploited to achieve remote code execution by both cybercriminal organizations and state-sponsored threat actors, such as APT 28, Sandworm, DarkPink, and APT40.
