New Group-IB Cybersecurity Report for 2022 analyzes cyberattacks, forecasts changes in threat landscape

The Threat Intelligence Unit from Group-IB presented its Cybersecurity Report for 2022 which studied the current trends in threats and projections for the future. The report analyzes cyberattacks, examines how the cybercrime industry functions, and forecasts upcoming changes in the threat landscape for various sectors of the global economy, to build cybersecurity strategies with relevant threats in mind.

Titled ‘Hi-Tech Crime Trends 2022/2023,’ the report identified a surge of activity from threat groups and state-sponsored hackers due to the Russia-Ukraine dispute, ransomware continuing to be a top global danger, and hackers utilizing Telegram instead of command and control (C&C) servers. It said that since February last year, at least 12 hacktivist communities have attacked government resources and commercial companies. “Some hackers left their groups and conducted attacks alone. At least 19 state-sponsored groups from Ukraine, Russia, China, Belarus, North Korea, and Iran carried out attacks in relation to the conflict,” it added.

The Group-IB report, released on Tuesday, also said that state-sponsored groups from countries that are not directly involved in the conflict conducted cyber espionage against neighboring countries in search of military secrets. “BlackEnergy resumed its attacks after a lull. The threat actors are notorious for disrupting Ukraine’s energy infrastructure. Wiper malware became popular during the conflict: seven new wipers targeting Ukrainian companies and infrastructure were discovered in 2022,” it added. 

The number of websites where threat actors publish stolen data (dedicated leak sites or DLSs) grew by 83 percent, reaching 44, Group-IB reported. “Data belonging to 2,886 victim organizations was published. Lockbit, Conti, and Hive have been the most active ransomware groups. Every day, data belonging to at least eight companies worldwide appears on DLSs, which accounts for only 10% of all ransomware victims.”

The report assessed that despite key threat actor forums banning posts that recruit affiliates, the ransomware-as-a-service (RaaS) market continues to evolve. Group-IB discovered 20 new public affiliate RaaS programs. Most ransomware attacks target US companies, with the manufacturing and real estate sectors being breached most often.

Group-IB observed that ransomware groups are becoming increasingly similar to IT startups, with their own corporate structures, departments, incentive programs, and days off. Additionally, threat actors are using zero-day vulnerabilities and supply-chain attacks to infect victims.

The report also identified that the sale of access to corporate networks more than doubled. Between the second half of 2021 and the first half of 2022, 380 access brokers were identified, 327 of which are new. They published over 2,300 advertisements on underground forums. The average price for access halved as compared to the period between the second half of 2020 and the first half of 2021. “Threat actors mainly sold VPN and RDP access. Novelli, orangecake, Pirat-Networks, SubComandanteVPN, and zirochka were the key initial access brokers (IABs). Their offers accounted for 25% of the entire access market,” it added.

Group-IB revealed that hackers are finding new post-exploitation frameworks, as they look for new methods and tools every year. “This year, Group-IB analysts noticed that hackers were especially interested in the frameworks Mythic, Viper, Merlin, and Sliver. A new tool called Brute Ratel C4 is replacing Cobalt Strike, which is vulnerable to exploits. Some state-sponsored groups have already used Brute Ratel C4. The new tool is still relatively unknown, which means that it is more difficult to detect,” the report added.

Group-IB specialists discovered 19 new state-sponsored groups that specialize in cyber espionage. Special services continue attacking critical infrastructure, mainly for sabotage and destruction purposes. 

“In 2022, China started publicly reporting attacks by state-sponsored hackers against its infrastructure. This could be a result of Chinese companies being barred from the US market due to espionage concerns,” the report said. “Threat groups within given countries started uniting to attack other countries. For instance, the Iranian hacktivists HomeLandJustice, the cyber espionage group OilRig and the destruction-oriented Hexane attacked Albania together.”

The report said that at least ten groups connected with special services attacked critical infrastructure in the energy sector during the reporting period, with 80 ransomware attacks against energy companies detected. It added that threat actors are using RDP access as an initial vector for penetrating corporate networks. 

“The biggest threats to electrical energy systems are a new version of Industroyer malware and a recently discovered framework called PIPEDREAM (INCONTROLLER),” Group-IB reported. “Industroyer2 was used in attacks against Ukraine, while PIPEDREAM has not yet been deployed in the wild. To erase all traces of their activity, hackers use wiper malware called CaddyWiper. Many attacks against energy entities were a result of exploiting vulnerabilities, including in network equipment (routers),” it added.

Group-IB identified that 12 state-sponsored groups, most of which are funded by China, were active in the telecommunications sector over the reporting period. “29 ransomware attacks against telecom companies were detected over the reporting period, which is 15% less than in the previous period (H2 2020 – H1 2021),” it added.

The report also added that as part of the Russia-Ukraine conflict, threat actors carried out more and more DDoS attacks against telecom companies.

“In H2 2021 – H1 2022, the number of attacks against manufacturing companies grew by 19%, with 295 incidents detected in total,” Group-IB reported. “Air-gapped networks do not ensure complete protection from state-sponsored hackers. For instance, a Chinese hacker tool called Daxin successfully functioned in such networks for over 10 years without being noticed.”

The group APT41, which is sponsored by China, continued attacking the technology and manufacturing sectors, Group-IB reported. “A campaign called CuckooBees, as part of which companies in North America, Europe, and Asia had been spied on since 2019, was attributed to the group. Another pro-China group, Tropic Trooper, used a new Trojan called ‘xPack’ to attack a manufacturing company in Taiwan and remained in the company’s network for 175 days.”

Group-IB specialists discovered 13 new phishing frameworks. “As in the previous period, the authors of phishing tools tend to be located in the same region as the banks and other organizations that they target. In H2 2021 – H1 2022, this trend affected Latin America in addition to Europe. Attacks involving a specific framework often continue even if its developer is arrested. Many threat actors created their own phishing kits based on the source code of phishing panels U-Admin and Reliable,” it added.

The report predicts that the RaaS industry will continue to grow. Hacker groups Lockbit, Hive, and BlackCat will remain the top players in the ransomware industry and further improve their malware and infiltration techniques, with the US remaining the country where most companies are attacked. “Threat actors will more often use authentication data obtained from stealers to gain initial access. Manufacturing will remain the most often targeted sector. Ransomware groups will continue to develop their internal capabilities by creating research units dedicated to finding zero-day vulnerabilities,” it added. 

The Group-IB report expects political tension to lead to more attacks. Politically motivated hackers will continue carrying out attacks as long as the conflict between Russia and Ukraine lasts. Financially motivated threat actors might masquerade as hacktivists or nation-state groups, and will be highly active. This could lead to far-reaching DDoS attacks and substantial leaks of sensitive information, as well as major financial thefts. 

“Since the summer of 2022, hackers have been using a new tool: Brute Ratel C4 (BRc4). The reason is the need for an alternative solution to Cobalt Strike, which has been thoroughly investigated by security specialists,” Group-IB reported. “Due to the release of a hacked version of Brute Ratel C4, Group-IB specialists expect a sharp increase in this tool being used by hackers in general. Stealer logs will become the main way to gain access to companies.”

Group-IB expects that the number of attacks on critical infrastructure will increase. “The tense political environment will lead to an increase in attacks on energy, telecommunications, and manufacturing infrastructure. We expect attacks by nation-state hackers and other pro-Russia or pro-Ukraine criminal groups,” it added.

“Hacktivists could conduct multiple DDoS attacks to disable telecommunications systems,” Group-IB said. “Ransomware threats to telecommunications companies will decrease as ransomware operators lose their interest in this sector. The large scale of remote work increases the risk of corporate data being compromised. It is easy for criminals to gain access to companies by attacking poorly protected home routers used by employees and data storage systems.”

Nation-state groups will show an interest in institutions and regulators in the nuclear energy sector due to the Russia-Ukraine conflict and the nuclear powers involved, Group-IB reported. “Threat actors will use simple methods to infiltrate networks, such as abusing RDP access. Employees and social engineering will be used as initial attack vectors more and more often. There could be an increase in ransomware attacks due to the tense political environment. State-sponsored groups could also disguise their attacks as financially motivated. New frameworks such as Industroyer2 could be used to manage controllers and cause power cuts,” it added.

Group-IB also predicted an increase in the number of ransomware attacks on the manufacturing sector. “Computers belonging to engineers and software developers will be used more and more often as an entry point for attacks because they have access to ICSs and elevated permissions. Not all companies proactively install security patches, so the exploitation of old vulnerabilities, including those related to routers, will continue to be the main attack vector. Supply chain attacks and trusted relationship attacks are expected to increase. Threat actors will gain access to manufacturing companies by compromising software or telecommunications service providers,” it added.

The report also expects that the number of phishing frameworks will increase. “At the same time, Telegram will become the preferred channel for sending compromised data. More and more frameworks will use APIs to work with compromised data. The number of frameworks designed to target clients of cryptocurrency companies will continue to increase. More customized solutions will emerge on the market,” it added.

On Tuesday, Australia’s Cyber and Infrastructure Security Centre (CISC) published its Risk Assessment advisory for critical infrastructure across the energy sector. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its 2022 Year in Review, which highlights a national effort to understand, manage, and reduce risk to cyber and physical infrastructure.
