ENISA Threat Landscape 2022 report confirms geopolitical conflicts led to cyberwarfare, hacktivism during reporting period

The European Union Agency for Cybersecurity (ENISA) released Wednesday its ENISA Threat Landscape 2022 (ETL) report, covering the state of the cybersecurity threat landscape for the reporting period from July 2021 up to July 2022. The ETL report finds that with the geopolitical context giving rise to cyberwarfare and hacktivism, alarming cyber operations and malignant cyberattacks have altered the trends of the 10th edition of the report.

During the reporting period, the ETL report disclosed that the prime threats identified include ransomware, malware, social engineering threats, threats against data, threats against availability: denial of service, threats against availability: internet threats, disinformation–misinformation, and supply-chain attacks. For each of the identified threats, attack techniques, notable incidents and trends are proposed alongside mitigation measures. 

Commenting on the ETL report, Juhan Lepassaar, executive director at the EU Agency for Cybersecurity, said in a statement that “Today’s global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens.”

Data published in the ETL report revealed that 60 percent of affected organizations may have paid ransom demands, while malware accounted for 66 disclosures of zero-day vulnerabilities observed in 2021. Phishing remains a popular technique of social engineering, but the report sees newer forms of phishing arising such as spear-phishing, whaling, smishing and vishing. 

Additionally, threats against data are increasing in proportion to the total amount of data produced. When it comes to threats against availability, the largest distributed denial of service (DDoS) attack ever was launched in Europe in July this year, while internet threats covered destruction of infrastructure, outages and rerouting of internet traffic. On disinformation and misinformation, the ETL report identified escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service. Supply chain targeting revealed that third-party incidents account for 17 percent of the intrusions in 2021 compared to less than 1 percent in 2020.

With over 10 terabytes of data stolen monthly, ransomware still fares as one of the prime threats in the new report, with phishing now identified as the most common initial vector of such attacks, the ETL report said. The other threats to rank highest alongside ransomware are attacks against availability, also called distributed denial of service (DDoS) attacks.

However, the geopolitical situation, particularly the Russian invasion of Ukraine, has acted as a game changer over the reporting period for the global cyber domain. “While we still observe an increase of the number of threats, we also see a wider range of vectors emerge such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge having more damaging impact,” the report disclosed.

Assessing the impact of geopolitics on the cybersecurity threat landscape, the ETL report said that the Russia-Ukraine conflict reshaped the threat landscape during the reporting period. Some of the interesting changes were significant increases in hacktivist activity, cyber actors conducting operations in concert with kinetic military action, the mobilization of hacktivists, cybercrime, and aid by nation-state groups during the conflict.

Furthermore, geopolitics continues to have a stronger impact on cyber operations. Destructive attacks are a prominent component of the operations of state actors. During the Russia-Ukraine conflict, cyber actors were observed conducting operations in concert with kinetic military action. “A new wave of hacktivism has been observed especially since the Russia-Ukraine crisis began. Disinformation is a tool in cyberwarfare. It was used even before the ‘physical’ war started as a preparatory activity for Russia’s invasion of Ukraine,” the ETL report adds.

The Russia-Ukraine crisis has defined a new era for cyberwarfare and hacktivism, its role, and its impact on conflicts. States and other cyber operations will very likely adapt to this new state of affairs and take advantage of the novelties and challenges brought about by this war. However, this new paradigm brought by the war has implications for international norms in cyberspace and, more specifically, for state sponsorship of cyberattacks and against targeting critical civilian infrastructure.

Hackers are increasing their capabilities, with resourceful hackers utilizing zero-day exploits to achieve their operational and strategic goals, the ETL report identified. “The more organisations increase the maturity of their defences and cybersecurity programmes, the more they increase the cost for adversaries, driving them to develop and/or buy 0-day exploits, since defence in depth strategies reduce the availability of exploitable vulnerabilities.”

It also discloses that continuous ‘retirements’ and the rebranding of ransomware groups are being used to avoid law enforcement and sanctions. The hacker-as-a-service business model is gaining traction, growing since 2021. Additionally, threat groups have an increased interest and exhibit an increasing capability in supply chain attacks and attacks against managed services providers (MSPs).

Ransomware and attacks against availability rank the highest during the reporting period. The report also identifies a significant rise in attacks against availability, particularly DDoS, with the ongoing war being the main reason behind such attacks. Phishing is once again the most common vector for initial access. Advances in sophistication of phishing, user fatigue and targeted, context-based phishing have led to this rise. New lures in social engineering threats are focusing on the Ukraine-Russia conflict in a similar manner to what happened during the COVID situation.

The ETL report revealed that malware is on the rise again after the decrease that was noticed and linked to the COVID-19 pandemic. Extortion techniques are further evolving with the popular use of leak sites. DDoS are getting larger and more complex, are moving towards mobile networks and IoT and are being used in the context of cyberwarfare.

Novel, hybrid and emerging threats are marking the threat landscape with high impact, the report finds. The Pegasus case triggered media coverage and governmental actions, which were then also reflected in other cases concerning surveillance and the targeting of civil society.

“Consent phishing: attackers use consent phishing to send users links that, if clicked, will grant the attacker access and permissions to applications and services. Data compromise is increasing year on year. The central role of data in our society produced a sharp increase in the amount of data collected and in the importance of proper data analysis. The price we pay for such importance is a continuous and unstoppable increase in data compromises,” the ETL report adds.

Machine learning (ML) models are at the core of modern distributed systems and are increasingly becoming the target of attacks. It also points to AI-enabled disinformation and deepfakes, with the proliferation of bots modeling personas disrupting the ‘notice-and-comment’ rulemaking process, and interaction of the community, by flooding government agencies with fake comments.

The ETL report also assesses that state-sponsored, cybercrime, hacker-for-hire actors and hacktivists remain the prominent threat actors during the reporting period of July 2021 to July 2022. Based on the analysis of the proximity of cyber threats in relation to the EU, the number of incidents remains high over the reporting period in the ‘NEAR’ category. The category includes affected networks, systems, controlled and assured within EU borders, while also covering the affected population within the borders of the EU.

Added last year, the threat distribution across sectors is an important aspect of the report as it gives context to the threats identified. This analysis shows that no sector is spared. It also reveals that nearly 50 percent of threats target three categories: public administration and governments at 24 percent, digital service providers at 13 percent, and the general public at 12 percent, while the other half is shared by all other sectors of the economy.

The ETL report said that in 2021-22, while the COVID-19 pandemic still had an important impact on DDoS, the Russia-Ukraine cyberwarfare monopolized and influenced the shape of DDoS like never before. DDoS threats are finally becoming the fifth dimension of warfare, after battles in the air, sea, land and even space. The threats and levels of extortion exploded, moving DDoS towards being a state-sponsored attack. In this context, cloud computing is increasingly being used as a threat vector for DDoS attacks on the one side, and as a primary target of the attacks on the other side.

While cybercrime, specifically ransomware, is becoming a heated geopolitical issue, the ETL report expects the West to continue trying to limit safe havens for cyber criminals. Other countries (e.g. Russia) will be leveraging the cybercrime underground for diplomatic advantage and as proxy actors achieving their strategic objectives (state-ignored and state-encouraged activity regarding state responsibility).

“We estimate that the association between cybercrime groups and state actors will certainly continue for the foreseeable future with a strong focus on plausible deniability. In the short-term future, we expect several ransomware incidents in the critical infrastructure to cause concerns and grasp media attention as potential cyberwar and retaliatory actions,” it adds.
