Cybersecurity in 2023: Russian escalation, Chinese espionage, Iranian “hacktivism”
In 2022, state-sponsored cyber activity was drawn into sharp focus, ransomware continued to dominate as the primary threat facing organizations, and there were several highly publicized incidents. Beyond the headlines, there have been some interesting shifts in both the tools and tactics of cyber adversaries.
What can we learn from the past 12 months as we look ahead at the trends that will shape the threat landscape in 2023?
In 2022, we saw increasing state-sponsored activity originating from several countries. But the drivers behind the activity and the tactics used varied widely. This will continue into 2023, as governments use their cyber capabilities as one way of advancing their economic and political goals.
Russian cyber activity will be split between targeting Ukraine and advancing its broader intelligence objectives
With no prospect of an immediate end to the conflict in Ukraine, we can expect more conflict-related cyber activity aimed at degrading Ukraine’s critical infrastructure and government services and collecting foreign intelligence useful to the Russian government from entities engaged in the war effort. Groups tied to the Russian intelligence services will also continue to target geographic neighbors with disinformation campaigns, intelligence gathering, and possibly low-level disruptive attacks.
However, Russia will also continue to pursue its broader long-term intelligence objectives. Traditional espionage targets will continue to be a focus; for example, we saw evidence in August 2022 of Russian intelligence services using spear phishing emails to target staff at the Argonne and Brookhaven national laboratories in the US, which conduct cutting-edge energy research. We also expect that new revelations will emerge of large-scale, covert intelligence gathering by Russian state-sponsored threat actors, enabled by the exploitation of cloud environments, internet backbone infrastructure, or pervasive identity management systems.
China will continue to prioritize political and economic cyber espionage
Economic and political motives will continue to drive China’s intelligence gathering activity.
The newly re-elected Xi Jinping and his Chinese Communist Party will continue to use their intelligence apparatus to help meet broader economic and social objectives as they strive to maintain control. Surveillance of dissident groups and individuals critical of the Chinese government will also continue, including through ongoing targeting of international non-governmental organizations.
Chinese threat actors will target high-tech companies that operate in or supply industries such as energy, manufacturing, housing, and natural resources as China looks to upgrade these industries internally.
Foreign governments will also continue to be a focus, particularly in East Asia and in relation to China’s Belt and Road Initiative. We are keeping a close eye on the developing geopolitical situation around Taiwan and the South China Sea, although it is likely that much of the pre-positioning required to enable disruptive cyber-attacks against critical infrastructure in the event of an invasion will have already occurred.
Iranian government-sponsored harassment and cybercrime will overlap
The way in which the Iranian intelligence services outsource operations to cyber security organizations in Iran blurs the lines between state-sponsored activity and cybercrime. We have seen this recently with the IRGC-affiliated COBALT MIRAGE threat group, which conducts cyber espionage but also financially motivated ransomware attacks. That cybercrime activity is by its nature opportunistic, meaning that it has impacted and will continue to impact organizations of all shapes and sizes globally.
We’ll continue to see low-intensity conflict between Iran and regional adversaries, particularly Israel. Operations conducted under the guise of hacktivism and cybercrime will be intended to disrupt critical infrastructure, leak sensitive information, and expose foreign intelligence operatives.
The cybercrime landscape
Opportunistic cybercrime threats will continue to be the main problem for most organizations. This is not a problem without a solution; many, many organizations are successfully defending themselves daily. These incidents typically happen due to a failure or lack of security controls. Organizations can mitigate this threat if they invest in fundamental security controls such as asset management, patching, multi-factor authentication and network monitoring.
Ransomware-as-a-Service will flourish
The Ransomware-as-a-Service (RaaS) landscape will continue to be dominated by a handful of organized cybercrime groups operating a limited number of highly active schemes. New ransomware variants will continue to appear and disappear but will likely find it hard to establish a significant market presence.
Successful schemes will continue to attract more affiliates, in a virtuous circle, but scheme operators will need to be vigilant for rogue affiliates targeting critical infrastructure and misjudging the intensity of the ensuing political and law enforcement reaction. The “detection window” between initial access to an environment and the deployment of ransomware will continue to shrink.
We’ll also see experienced threat actors operating as affiliates of these established RaaS schemes to make attribution more difficult and evade sanctions enforced by the US authorities that target named cybercriminals.
Extortion-only attacks will rise in popularity
Despite being relatively unsophisticated by nature, extortion attacks will continue to shed light on gaps in organizations’ security controls and will increase in number this year. However, ransomware attacks will remain more profitable for cybercriminals in the long term as they provide a greater return on investment.
Primary vectors will continue to change
In 2022, our data showed the primary vector for attacks shift from credential-based access to exploitation of internet-facing remote services. Attackers move with the times and are constantly looking for new ways to outfox security teams and gain access to networks.
This will continue in 2023. We expect to see a particular focus on bypassing multi-factor authentication as this critical security control continues to see increased adoption rates by organizations and individuals.
AI will not significantly alter the threat landscape, at least not yet
A lot of attention has been given lately to AI-generated content, especially with the emergence of tools such as ChatGPT. The security industry occasionally likes to claim the emergence of sophisticated attacks that use AI and machine learning technologies. The reality, however, is that attackers will continue to use the least sophisticated techniques, as “traditional” tools and techniques continue to be effective. Over the course of the year, we’ll see a lot of hype around AI, deepfakes and the like, but little real-world impact.
The importance of a well-rounded defense strategy
As we head into 2023, the pressure on security teams is relentless, so they too must be relentless in their pursuit of protecting organizations.
Getting the basics of good cyber hygiene nailed down is an absolute must. Maintaining a solid understanding of the threat landscape and the tactics used by adversaries is an important step, but security teams must also look to identify and protect their key assets and prioritize vulnerability management.
It is also critical to comprehensively monitor the entire network, from endpoints to cloud assets, as traditional techniques and point solutions like endpoint detection and response are no longer effective in fighting today’s threats. But it’s vital that businesses are equipped to filter out and prioritize the most important threats to their business to mitigate them efficiently and effectively.
This holistic approach will be vital to ensuring security against nation states and cybercrime gangs alike over the next 12 months.