#RSAC: Current Nation-State and Ransomware Gang Threat Trends
Insights into recent cyber-threat activity was provided by Forescout’s VP of threat defense, Sean Taylor, during a session at the RSA Conference 2022.
Setting the scene, Taylor stated that in international threat intelligence, “understanding your adversary is key.”
He then highlighted attacks conducted by Russian state-backed attackers on Ukraine prior to the invasion. At the end of 2021 and January 2022, this primarily consisted of website defacements on Ukrainian government sites with sinister messages posted, such as “be afraid and wait for the worst.”
By mid-February, incidents primarily consisted of DDoS attacks on Ukrainian banks and government sites. Finally, on February 23, on the eve of the invasion, multiple Wiper malware campaigns were launched against the Ukrainian government and critical infrastructure organizations. These included WhisperGate and Hermetic Wiper.
Taylor also highlighted how hacktivist and cyber-criminal group activities are linked to the Russia-Ukraine conflict. This includes the Conti ransomware gang, who quickly affiliated themselves with Russia and threatening any country supporting Ukraine. Similarly, Russia-supporting hacktivist gang Killnet has been targeting European countries supporting Ukraine.
In addition, Taylor observed that numerous unaffiliated cyber-criminal gangs were leveraging the war to help launch attacks. These are:
- El Machete – a group targeting financial/government services in Latin America
- Lyceum – a group targeting energy organizations in Israel and Saudi Arabia
- SideWinder – a group targeting Pakistan and other Central Asian countries
Interestingly, each of these groups have been using email phishing lures with subject lines that have “something to do with Ukraine.”
Another trend discussed by Taylor was the growth and evolution of ransomware. He observed that three years ago, ransomware attacks were “all about encrypting data.” Now, it has evolved to exfiltrating data then encrypting it – so-called double-extortion ransomware. “Ultimately you’re getting these more advanced ransomware families,” added Taylor.
In addition, the barriers of entry for ransomware attackers are far lower, with the rise of ransomware-as-a-service. “Ultimately we expect that ransomware will continue to evolve,” he said.
This is likely to be driven by two factors:
- The proliferation of IoT devices
- The convergence of IT and OT devices
Ransomware IoT is a “game-changer that everyone in the industry needs to pay attention to,” according to Taylor. This is because this next-generation ransomware is likely to exploit IoT devices, encrypt IT and disrupt OT.
Currently, however, Taylor emphasized that it is very possible to mitigate most ransomware attacks. He said three key factors should be taken into account in this regard:
- Attacks are not immediate or fully automated
- Cybercrime-as-a-service means there are hundreds of very similar attacks happening
- Most tools and techniques they use are well-known
This means information is out there on the ways attackers “Look at what they do, how do they gain initial access and then work your way back and put those defensive steps in place,” he advised.