2022 is turning out to be the year of nation-state actors. With attacks on wind turbine operations and public transit services in the Netherlands, utility firms in India, retail businesses in Taiwan, and stock markets in the US being traced to APT groups, this year has logged more APT activity than ever before. With the increasing realization of their capabilities as a source of rich data and disruption, nations are now growing increasingly comfortable with the use of APT groups to settle scores. This trend has had a complex impact on the security of cyberspace and the ramifications will play out more visibly in the days to come.
2022 – a year of brazen APT attacks
The attacks on many retail businesses, websites of government departments, and the presidential office and tram stations in Taiwan in August following the visit of US House Speaker Nancy Pelosi to the island were clearly linked to Chinese and Russian IP addresses. The hackers involved didn’t even try to hide their origins in what was seen as an attempt to convey a geopolitical message to Taiwan. Russian APT groups were also found meddling with critical infrastructure in Germany, the Netherlands, Ukraine, Norway, and the US.
Transparent Tribe AKA APT36 went as far as to develop and deploy a fake version of an Indian government-mandated two-factor authentication solution required for accessing email services to target Indian government and defense personnel. Transparent Tribe also used fake domains and traffic redirecting mechanisms to divert traffic to spurious sites hosting malware. Even here, the hackers made no serious attempt to hide their trail.
Such levels of visible aggression are not frequent in cyberspace. APT groups always leave room for plausible deniability so that the nation-state backing them can deny all allegations of support or sponsorship. While acting quietly inside the networks they target, APT groups are becoming noisier when it comes to claiming credit. The reasons for such brazen and aggressive attacks could be:
- The need to prove their potency to the higher-ups in the hierarchy
- Funding for APT groups has risen in 2022, so there may also be a need to prove their utility to the states that sponsor them
- To score a geopolitical goal without worrying about the ramifications
- They are confident that the nations they are targeting won’t be in a position to retaliate or won’t retaliate for whatever reason
- Such attacks may be the work of more brazen sub-groups within these APT groups
- To train rookie hackers who have just joined the team
Whatever the motivation for such transparency, it is clear that APT playbooks have changed this year. Even among the industrial cyberattacks on OT and IoT-based infrastructure and systems perpetrated by APT groups, the attacks were carried out in a more systematic and transparent manner. The attacks, including the reconnaissance scans that precede them, are becoming more sophisticated, yet the APT groups involved are leaving digital tracks behind, making attribution easier.
Impact on IoT and OT security in 2023
Overall, this trend clearly indicates a period of increasing APT activity that could spill over into segments that are not directly connected with the government including manufacturing, retail, extended supply chains, aviation, and shipping. Such brazen attacks also mean that APT groups are now more confident about their capabilities and are not shy of showcasing them in the digital space even if it could attract some form of retribution.
In 2023, the time to attack following a geopolitical incident will shrink and we will enter an era of lightning-fast attacks on critical infrastructure that could lead to prolonged disruption. Public transportation systems and financial institutions (especially stock markets) could be the potential targets for such attacks. Among defense systems, hardware and systems linked to base security, air traffic control, and temperature control within underground storage systems will be targeted. APT groups will also go for greater monetization of attacks by targeting businesses for ransom. Most APT groups are moving towards generating funding sources outside their state sponsors to prevent disruption to R&D and ongoing projects caused by a fund crunch. Such attacks will run in parallel with attacks on their conventional targets.