ENISA Threat Landscape 2023 report points to surge in ransomware, rise in supply chain attacks, persistent DDoS threats

The European Union Agency for Cybersecurity (ENISA) released on Thursday its eleventh annual report on the cybersecurity threat landscape, providing crucial insights into the current state of cyber threats. It identifies the top threats and major trends observed concerning threats, threat actors, and attack techniques while focusing on impact and motivation analysis. It also describes relevant mitigation measures. This year’s work has again been supported by ENISA’s ad hoc Working Group on Cybersecurity Threat Landscapes (CTL).

“In the latter part of 2022 and the first half of 2023, the cybersecurity landscape witnessed a significant increase in both the variety and quantity of cyberattacks and their consequences,” the ENISA Threat Landscape 2023 report identified. “The ongoing war of aggression against Ukraine continued to influence the landscape. Hacktivism has expanded with the emergence of new groups, while ransomware incidents surged in the first half of 2023 and showed no signs of slowing down.” 

The ENISA Threat Landscape report maps the cyber threat landscape to help decision-makers, policy-makers, and security specialists define strategies to defend citizens, organizations, and cyberspace. The work is part of the ENISA’s annual work program to provide strategic intelligence to its stakeholders. Its content is gathered from open sources such as media articles, expert opinions, intelligence reports, incident analysis, and security research reports; as well as through interviews with members of the ENISA Cyber Threat Landscapes Working Group. 

The prime threats identified and analyzed include ransomware, malware, social engineering, threats against data, threats against availability covering denial of service and Internet threats, information manipulation and interference, and supply chain attacks. 

During the reporting period, key findings include DDoS and ransomware ranking the highest among the prime threats, with social engineering, data-related threats, information manipulation, supply chain, and malware following. A noticeable rise was observed in threat actors professionalizing their as-a-service programs, employing novel tactics and alternative methods to infiltrate environments, pressure victims, and extort them, advancing their illicit enterprises. 

The ENISA Threat Landscape Report 2023 identified public administration as the most targeted sector (~19 percent), followed by targeted individuals (~11 percent), health (~8 percent), digital infrastructure (~7 percent), manufacturing, finance, and transport.

The report also noted that information manipulation, a key element of Russia’s war of aggression against Ukraine, has become prominent. State-nexus groups maintain a continued interest in dual-use tools (to remain undetected) and in trojanizing known software packages. Cybercriminals increasingly target cloud infrastructures, showed geopolitical motivations in 2023, and expanded their extortion operations, not only via ransomware but also by directly targeting users. Lastly, social engineering attacks grew significantly in 2023, with artificial intelligence (AI) and new techniques emerging, but phishing remains the top attack vector.

The ENISA Threat Landscape report also revealed that resourceful hackers have been observed misusing legitimate tools, primarily to prolong their cyber espionage operations. They aimed to evade detection for as long as possible and to obscure their activities by using widely available software already present on most systems, making it harder for defenders to identify them and maximizing their chances of success in an intrusion by not arousing the victim’s suspicions.

It also disclosed that geopolitics continues to have a strong impact on cyber operations. Criminal organizations, including those using extortion-only techniques, have been progressively blending extortion methods that almost invariably incorporate some form of data theft. Double extortion has witnessed a notable rise, with certain groups even relying solely on the act of stealing information.

The ENISA Threat Landscape report also identified increased operations by law enforcement, such as the takedown of the Hive ransomware group’s IT infrastructure and of Trickbot, while Cl0p rose in the first half of 2023 with the weaponization of two zero-days. One of the biggest malware threats is still information stealers such as Agent Tesla, Redline Stealer, and FormBook. The report also said that there is a steady decline in classic mobile malware, with adware remaining the most prevalent threat to mobile devices in terms of number of occurrences, while in terms of impact spyware can be seen as the most prevalent threat to mobile devices.

“Hacktivists are increasingly claiming that they target OT environments but public reporting indicates they often overestimate or do not substantiate their claims,” according to ENISA. “Phishing is once again the most common vector for initial access. But a new model of social engineering is also emerging, an approach that consists of deceiving victims in the physical world. Business e-mail compromise (BEC, VEC) remains one of the attacker’s favourite means for obtaining financial gain.”

It added that the move away from Microsoft macros is continuing, with a shift towards LNK and ISO/ZIP files as well as OneNote files in response to Microsoft’s macro changes.
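As an added example (not from the ENISA report or this article), a small Python triage routine for the attachment types the report says attackers moved to after Microsoft’s macro changes: it checks for the Windows Shell Link header rather than trusting the file extension, recognises OneNote section files by their header GUID, recurses into ZIP containers, and flags ISO/IMG disk images by extension. The sample archive and all file names are constructed.

```python
import io
import os
import zipfile
from typing import List, Optional, Tuple

# Windows Shell Link header (MS-SHLLINK): HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# guidFileType of a OneNote .one section file (MS-ONESTORE):
# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, again in little-endian GUID layout.
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
# Disk-image containers named in the report; flagged by extension only, because
# parsing ISO/IMG offline would need a third-party library.
IMAGE_EXTS = {".iso", ".img"}

def classify(name: str, data: bytes) -> Optional[str]:
    """Return a finding label for one file, or None if there is nothing to flag."""
    ext = os.path.splitext(name)[1].lower()
    if data.startswith(LNK_MAGIC):
        # Magic wins over extension, so a shortcut renamed to look like a document is still caught.
        return "lnk" if ext == ".lnk" else "lnk-disguised"
    if data.startswith(ONE_MAGIC) or ext == ".one":
        return "onenote"
    if ext in IMAGE_EXTS:
        return "disk-image"
    return None

def triage(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Inspect an attachment, descending into ZIP members; returns (path, finding) pairs."""
    findings = []
    label = classify(name, data)
    if label:
        findings.append((name, label))
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    findings.extend(triage(f"{name}/{member.filename}", zf.read(member), depth + 1, max_depth))
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP carrying a shortcut, a disguised shortcut, a OneNote file and plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Report.pdf", LNK_MAGIC + b"\x00" * 60)  # shortcut with a misleading name
        zf.writestr("notes.one", ONE_MAGIC + b"\x00" * 16)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for path, finding in triage("attachment.zip", build_sample()):
        print(f"{finding:14} {path}")
```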

The ENISA Threat Landscape report also noted that data compromise increased in 2023. There was a rise in data compromises leading up to 2021, and although this trend remained relatively stable in 2022, it began to increase once more in 2023. “There has been a surge in AI chatbots impacting the cybersecurity threat landscape. The disruptive impact and the exponential adoption of generative artificial intelligence chatbots such as OpenAI ChatGPT, Microsoft Bing, and Google Bard are changing the way in which we work, live and play, all built around data sharing and analysis,” it added.

The threat landscape report also found that DDoS attacks are getting larger and more complex, are moving towards mobile networks and IoT, and are being used in support of other means in the context of a conflict. Internet shutdowns are at an all-time high. Internet availability threats are keeping up their momentum, especially in the post-COVID era, due to the increasing reliance of human activities and society on Internet technologies.

Information manipulation is a key element of Russia’s war of aggression against Ukraine. Information manipulation has been an essential and well-established component of Russia’s security strategies, ENISA reported. The number of analyzed events for the reporting period has also grown significantly. Additionally, ‘cheap fakes’ and AI-enabled manipulation of information continue to be a cause for concern. In the past months, the debate on the use of AI to manipulate information has heated up both within and beyond the circle of industry professionals. 

The ENISA Threat Landscape report also disclosed that threat groups have an increased interest in supply chain attacks and exhibit an increasing capability to use employees as entry points. Threat actors will continue to target employees with elevated privileges, such as developers or system administrators.

Throughout the reporting period, EU member states continued to be affected by the ongoing geopolitical crisis, with a growing number of threat actors directing their efforts against both public and private organizations. These kinds of events more often fall under the DDoS threat with little to no impact in most of the cases reported through OSINT. Ransomware attacks have also increased in the EU. 

ENISA observed approximately 2,580 incidents, with an additional 220 incidents specifically targeting two or more EU member states (labeled ‘EU’); the report charts these on a timeline of when the events were first reported through OSINT channels. In addition, throughout this iteration of the ENISA Threat Landscape report it can be seen that ransomware and DDoS remain the two prime threats for the EU.

During the reporting period, ENISA reported that the prime threat was ransomware, and it appears to target the entire range of sectors. The most targeted sectors were manufacturing (14 percent of ransomware events), health (13 percent), public administration (11 percent) and services (9 percent). These are followed by DDoS attacks and data-related threats. Thirty-four percent of the DDoS attacks targeted public administration, followed by the transport (17 percent) and banking/finance (9 percent) sectors.

Data-related threats targeted all sectors, with the ones that hold personal information being more affected. These included public administration (16 percent) and health (10 percent). One-fifth of the events involving malware affected the general public (targeted individuals, 20 percent), followed by malware infections in public administration (13 percent), digital infrastructure (13 percent), banking and finance (12 percent), and digital service providers (7 percent). All sectors were targeted by 11 percent of the reported malware infections. 

Out of the observed events related to social engineering, 30 percent were aimed at the general public, 18 percent at public administration, and 8 percent at all sectors. Likewise, information manipulation campaigns targeted individuals (47 percent), public administration (29 percent), followed by the defense (9 percent) and media/entertainment (8 percent) sectors. 

As expected, threats against the availability of the Internet primarily affected digital infrastructure (28 percent) and digital service providers (10 percent). Public administration (15 percent), individuals (10 percent), and ‘all sectors’ (11 percent) were also affected, as they are dependent on digital infrastructure and services. 

Supply chain attacks affected public administration (21 percent) and involved primarily the digital service providers (16 percent), digital infrastructure (10 percent), and energy (9 percent) sectors. Likewise, the exploitation of vulnerabilities was associated with events targeting digital service providers (25 percent), digital infrastructures (23 percent), and public administration (15 percent), and they affected all sectors (8 percent) and targeted individuals (8 percent) to a greater degree.
