The absence of any large cyber incidents doesn’t mean that all is quiet beneath the surface. Instead, this could well be the lull before a cyberstorm.
Earlier this week, Iran-linked APT group Charming Kitten (aka Ballistic Bobcat APT, APT35, and Phosphorus) initiated a fresh cyber espionage campaign targeting 14 countries across the globe. The objective of these attacks was to exfiltrate data and to open backdoors for long-term espionage.
Telemetry analysis conducted by Sectrio’s Threat Research Team revealed a higher level of APT35 activity than ever before, with governments, healthcare institutions, oil and gas, and manufacturing entities being targeted. The group is targeting these entities at two levels: by attacking Exchange servers, and by sending large-scale phishing campaigns using ‘critical media updates’ as the subject line.
In addition to this, certain groups are also scaling up their reconnaissance attacks, taking advantage of the distraction created by the large-scale DDoS and defacement attacks carried out by other groups. This is a pattern we have often seen in the past, where website defacement attacks are used as cover for targeted attacks.
As the conflicts in the Middle East and Eastern Europe drag on, information warfare, or more specifically information held for ransom, could become a game-changer for the parties involved. This is why we have not seen any major cyber incidents since the latest outbreak of hostilities. However, knowing cyberspace, things could escalate quickly if the information already pilfered is put to use by the threat actor concerned or by their backers.
Cyberspace realities: Change in tactics
Unlike past geopolitical conflicts, where cyberspace was impacted almost immediately, the biggest impact this time around has been limited to DDoS attacks on websites and the compromise of social media accounts. That’s how most of the attacks panned out. Reconnaissance and data exfiltration attacks on businesses have also grown, but not as significantly as the DDoS attacks.
- Hackers are trying to create a distraction through large-scale attacks on non-critical civilian infrastructure.
- Data theft is a clear objective for many of the threat actors involved.
- On the surface, this takes attention away from stealthier, sophisticated, and targeted attacks on critical infrastructure.
- The IP addresses from which these attacks originate are decoys.
- The attack on a large North American defense and aerospace hardware vendor was part of this campaign. While LockBit is believed to be behind it, the involvement of other, smaller gangs handling the initial breach cannot be ruled out. LockBit runs a highly organized operation, with a mild geopolitical tone defining its targets. The spike in attacks on Western and NATO countries in the aftermath of the Ukraine-Russia conflict bears testimony to this assertion.
- Surprisingly, many IoT projects in North America and Western Europe are witnessing a rise in generic phishing activity targeted at on-ground employees. This could be an attempt to create bot farms by hijacking remote infrastructure.
- On the operational technology front, state-backed threat actors may be waiting to unleash a cyber storm in the days to come, depending on changes that may happen on the ground in conflict zones.
To-do list for CISOs and Security leaders
Things might escalate quickly, reducing your time to respond. Here is an immediate to-do list for you as a CISO or security leader:
- If you haven’t conducted a cyber risk audit of your critical and non-critical assets in the last 90 days, now is the time to conduct one
- Sensitize employees across the organization to ensure that everyone is aware of the threats they face
- Do not run unpatched systems or applications
- Limit privileges to key systems
- Implement an OT governance policy immediately
- Stress test systems and responses through mock drills
- Revisit your threat intelligence consumption patterns and see if you are ingesting cyber threat intelligence feeds properly
- Establish segments and zones to isolate crown jewels
- Conduct an Attack Path Analysis to determine the most probable paths and identify ways to break them
- Establish an OT security team, if you haven’t done so yet. This will bring in a higher level of focus on OT security
- Talk to your peers in the industry to see what they are doing to secure their OT and IoT systems
- Have conversations on security with OEMs
- Have a roadmap in place to address any OT or IoT security skilling issues
- Revisit your security KPIs
- Assess the level of visibility into key processes and networks you have currently and see if it needs to be improved
- Assess your IEC 62443 level and identify room for improvement at that level
How Sectrio can help
Sectrio is a one-stop solution for all of the above needs and requirements. Reach out to us and find out how Sectrio can help secure your organization today.