ENISA releases annual report on cybersecurity threat landscape


The EU Agency for Cybersecurity, ENISA, released on Wednesday its annual report on the state of the cybersecurity threat landscape. The threat environment has grown in terms of sophistication of attacks, complexity, and impact. The trend has clearly been spurred by the ubiquity of online activity, transitioning of traditional infrastructures to online solutions, advanced interconnectivity, and exploitation of new features of emerging technologies, the report said.

The ninth edition of the ENISA Threat Landscape (ETL) report covers the reporting period from April last year up to July this year. It identifies prime threats and major trends observed with respect to threats, threat actors, and attack techniques, and provides relevant mitigation measures. The ETL report aims to help decision-makers, policy-makers, and security specialists define strategies to defend citizens, organizations, and cyberspace.

The annual report is part of the EU Agency for Cybersecurity’s annual work program to provide strategic intelligence to its stakeholders. The report’s content is gathered from open sources such as media articles, expert opinions, intelligence reports, incident analysis, security research reports, and through interviews with members of the ENISA Cyber Threat Landscapes Working Group (CTL working group).

The increase in cybersecurity threats has resulted in ransomware ranking as a prime threat for the reporting period. This has been driven by a growing online presence, transitioning of traditional infrastructures to online and cloud-based solutions, advanced interconnectivity, and exploitation of new features of emerging technologies such as artificial intelligence (AI). These advancements have further contributed to the cybersecurity landscape growing in terms of sophistication of attacks, their complexity, and their impact.

“Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks,” Juhan Lepassaar, executive director at the EU Agency for Cybersecurity, said in a media statement. “Such an approach can only rally around the necessity now emphasised by the European Council conclusions to reinforce the fight against cybercrime and ransomware more specifically.”

The ENISA report revealed that while supply chain compromises by state-backed threat actors are not new, this type of attack reached new levels of sophistication and impact during the reporting period. The diversified and complex world of supply chains offers a wealth of targets for state-backed threat actors. Moreover, the move to teleworking, exacerbated by the COVID-19 pandemic, led organizations to maintain or even increase the third-party suppliers they depend on for their operational needs.

“In our assessment, state-backed threat actors will certainly continue conducting supply chain attacks (especially targeting software, cloud, and managed service providers) as they represent a unique initial access tactic,” according to ENISA. “We also assess the likely targeting of cloud-hosted development environments as enablers for supply chain attacks. Finally, while many of these attacks were carried out by state-sponsored adversaries, cybercrime threat actors increasingly show the same patterns of behaviour.”

Supply chain attacks rank high among prime threats because of their significant potential to induce catastrophic cascading effects. The risk is such that ENISA released a dedicated threat landscape report for this specific category of threat.

ENISA reported in July on the threat landscape for supply chains, revealing that for about 58 percent of the supply chain incidents analyzed, the customer assets targeted were predominantly customer data, including personally identifiable information (PII) data and intellectual property. For 66 percent of the supply chain attacks analyzed, suppliers did not know, or failed to report on, how they were compromised. However, less than nine percent of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users, the report added.

The ongoing COVID-19 pandemic also drove cyber espionage. During the reporting period, it was observed that state-backed groups conducted cyber-espionage operations related to the COVID-19 pandemic, as well as using COVID-19 related lures for social engineering.

Historically, organizations have had less visibility into their ICS (industrial control system) networks compared to their IT networks. Moreover, digital transformation initiatives, the rise of industrial IoT, cloud connectivity of ICS devices, and remote access services for ICS networks provide opportunities for threat actors. Over the last five to ten years, adversaries have increasingly invested resources to target ICS networks.

According to publicly available reports, the number of threat groups targeting ICS networks is growing at a rate three times faster than they are going dormant and, during the reporting period, at least four new groups were discovered: STIBNITE, TALONITE, KAMACITE, and VANADINITE. The objectives of these groups vary from information collection and long-term persistence to disruption of ICS operations and potential physical destruction.

“In our assessment the interest in targeting ICS networks will certainly grow in the near future,” the ENISA report said. “While we previously discussed the opportunities for ICS targeting, the drivers for such operations include the desire for technological independence, geopolitics (e.g. conflicts, long-term persistence, cyber warfare), as well as testing the capabilities of threat actors and preparing for future attacks (some threat actors are still learning about ICS domain, experimenting and developing ICS-targeting capabilities),” it added.

During the reporting period, ENISA observed that cyber operations were aligned with the strategic objectives of states, as well as with the geopolitical landscape and real-world events. The agency also noticed increased cyber intrusion activities in regions of trade routes and in regions of armed conflict, against strategic targets such as governmental organizations (as in the SolarWinds supply chain attack), and cyber operations serving as enablers for large-scale espionage and the theft of personally identifiable information and intellectual property (as in the Microsoft Exchange hack).

State-sponsored groups are increasingly testing and exhibiting their capabilities for disruptive operations, the report said. In its assessment, state-backed attackers will certainly continue pursuing their strategic objectives using cyber operations for intelligence gathering for advantages in decision-making, stealing intellectual property, and pre-positioning of military and critical infrastructure for future conflicts.

“It is also our assessment that state-backed groups will possibly develop (or buy or otherwise procure) and conduct disruptive/destructive operations masqueraded as ransomware to weaken, demoralise and discredit adversarial governments,” ENISA said. “Finally, local conflicts will likely include cyber operations paired with drone attacks and media-driven misinformation in order to amplify impact.”

During the reporting period, ENISA also observed increased targeting of critical infrastructure by cybercrime actors. The major critical infrastructure sectors being impacted are healthcare, transportation, and energy. Ransomware attacks have disrupted the operations of public health agencies, hospitals, and emergency services. According to publicly available reports, the transportation industry has faced cybercrime threats related to initial access offerings, gift card fraud, and ransomware, the report added.

“It is our opinion that, as our society becomes increasingly dependent on technology and Internet connectivity, cybercrime attacks against critical infrastructure are very likely to become more disruptive,” the report said. “It is also likely that disruptive attacks against critical infrastructure may masquerade as ransomware attacks while having different objectives,” it added.

Misinformation and disinformation made their first appearance in the current ENISA threat landscape assessment. Such campaigns are on the rise as a result of the increased online presence of users, due to the COVID-19 pandemic, leading to an overuse of social media platforms and online media, the report revealed.

With the general increase in cybersecurity incidents, organizations are more prone to sign up for cybersecurity insurance, the ENISA report identified. “Taking out insurance is part of a risk strategy in which you transfer the risk to a third party. Being insured doesn’t mean that the security risks are mitigated. Instead, the risk of associated costs in case of an incident is reduced. Companies faced with ransomware incidents will more readily pay, knowing that they have insurance coverage,” it added.

The European Union Council said last week that it is set to adopt conclusions that will help further develop the EU cybersecurity crisis management framework, including by exploring the potential of a joint cyber unit among the EU and its member states, to tackle the rising number of serious cyber incidents impacting public services, as well as the life of businesses and citizens across the region.
