Insights into recent cyber-threat activity were provided by Shaun Taylor, VP of threat defense at Forescout, during a session at RSA Conference 2022.
Setting the scene, Taylor said that in threat intelligence, “it is important to understand your opponent.”
He then referred to the attacks carried out by Russian state-backed actors against Ukraine ahead of the invasion. From 2021 through late January 2022, these initially took the form of website defacements, with threatening messages such as “Fear and wait for the worst” posted on Ukrainian government sites.
In mid-February, the incidents primarily involved DDoS attacks on Ukrainian banks and government sites. Finally, on February 23, just before the invasion, multiple wiper malware campaigns were launched against the Ukrainian government and critical infrastructure companies. These included WhisperGate and HermeticWiper.
Taylor also highlighted how the activities of hacktivists and cyber-criminals are linked to the Russia-Ukraine conflict. These include the Conti ransomware gang, which quickly declared its allegiance to Russia and threatened any country that supports Ukraine. Similarly, the pro-Russia hacktivist group Killnet has been targeting European countries that support Ukraine.
Taylor also noted that numerous opportunistic threat actors have been using the war as a lure in their own attacks. These include:
- El Machete – a group targeting financial and government organizations in Latin America
- Lyceum – a group targeting energy organizations in Israel and Saudi Arabia
- SideWinder – a group targeting Pakistan and other Central Asian countries
Interestingly, each of these groups has been sending phishing emails whose subject lines have “something to do with Ukraine”.
Another trend discussed by Taylor was the growth and evolution of ransomware. He observed that three years ago, ransomware attacks were “all about encrypting data.” Now they have evolved to exfiltrate the data before encrypting it, the so-called double-extortion model. “You’re finally getting these more advanced ransomware families,” Taylor added.
Also, with the rise of ransomware-as-a-service, the barrier to entry for ransomware attackers is much lower. “Eventually we hope that ransomware will continue to evolve,” he said.
This evolution is likely to be driven by two factors:
- The expansion of IoT devices
- The convergence of IT and OT
According to Taylor, IoT ransomware is a “game-changer that everyone in the industry needs to pay attention to”. This is because next-generation ransomware can exploit IoT devices to gain a foothold, encrypt IT systems and disrupt OT.
For now, however, Taylor emphasized that most ransomware attacks can be mitigated. He said there are three main points to consider here:
- Attacks are not instantaneous or completely automated
- Cybercrime-as-a-service means there are hundreds of similar attacks happening
- Most of the tools and techniques attackers use are well known
This means there is information available about how attackers operate: “see what they do, how they gain initial access and then work your way back and take those defensive measures,” he advised.
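As an added illustration of those three points (example code written for this article, not Forescout's or the speaker's own tooling): the constructed log lines below trace one human-operated ransomware intrusion from a Ukraine-themed phishing attachment through to file encryption. The log format, event-type names, hosts and timestamps are assumptions made for the example; the MITRE ATT&CK technique IDs they are mapped to are real. The code measures the dwell time between initial access and encryption (the attack is not instantaneous), shows the first point at which two chained stages could have raised an alert, and lists the earlier stages a defender should work back through once a later stage is spotted.

```python
"""Correlating a multi-stage ransomware intrusion from endpoint telemetry.

Added example. The sample log lines are constructed, not real telemetry.
Assumed line format: "<ISO timestamp> <host> <event_type> <free-text detail>".
"""
import re
from datetime import datetime

# Constructed sample telemetry for one intrusion (not real logs).
SAMPLE_LOGS = """\
2022-03-01T08:02:11 WS-17 email_attachment subject="Ukraine relief invoice.xlsm" opened
2022-03-01T08:05:40 WS-17 process_start EXCEL.EXE spawned powershell.exe -enc ...
2022-03-01T13:40:19 WS-17 credential_access lsass.exe memory read by procdump64.exe
2022-03-02T02:15:33 DC-01 lateral_movement remote service created from WS-17 via admin$
2022-03-03T01:10:05 FS-02 exfil 14.2 GB uploaded to cloud storage
2022-03-03T03:30:00 FS-02 encrypt ransom note dropped, 20411 files renamed to .locked
"""

# Stage order of a typical human-operated ransomware intrusion. The event_type
# names are this example's own vocabulary; the ATT&CK technique IDs are real.
STAGES = [
    ("initial_access",    "email_attachment",  "T1566.001"),  # Spearphishing Attachment
    ("execution",         "process_start",     "T1059.001"),  # PowerShell
    ("credential_access", "credential_access", "T1003.001"),  # LSASS Memory
    ("lateral_movement",  "lateral_movement",  "T1021.002"),  # SMB/Windows Admin Shares
    ("exfiltration",      "exfil",             "T1567.002"),  # Exfiltration to Cloud Storage
    ("impact",            "encrypt",           "T1486"),      # Data Encrypted for Impact
]
STAGE_ORDER = [stage for stage, _, _ in STAGES]
EVENT_TO_STAGE = {event: (stage, ttp) for stage, event, ttp in STAGES}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Parse one telemetry line into a dict, tagging it with its kill-chain stage."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, event_type, detail = m.groups()
    stage, ttp = EVENT_TO_STAGE.get(event_type, (None, None))
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event_type,
            "stage": stage, "ttp": ttp, "detail": detail}


def build_timeline(logs):
    """Parse all non-empty lines and order them by timestamp."""
    events = [parse_line(l) for l in logs.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def dwell_time_hours(timeline):
    """Hours between the first initial-access event and the first encryption event."""
    first_seen = {}
    for e in timeline:
        if e["stage"] and e["stage"] not in first_seen:
            first_seen[e["stage"]] = e["ts"]
    if "initial_access" not in first_seen or "impact" not in first_seen:
        return None
    return (first_seen["impact"] - first_seen["initial_access"]).total_seconds() / 3600


def first_alert(timeline, window_hours=24):
    """Earliest event that chains with a different stage seen within the window.

    Two distinct stages close together is the point at which a detection rule
    can fire well before the encryption stage.
    """
    for i, e in enumerate(timeline):
        if not e["stage"]:
            continue
        for prev in timeline[:i]:
            if (prev["stage"] and prev["stage"] != e["stage"]
                    and (e["ts"] - prev["ts"]).total_seconds() <= window_hours * 3600):
                return e
    return None


def stages_before(stage):
    """'Work your way back': the earlier stages to hunt for and harden against."""
    return STAGE_ORDER[:STAGE_ORDER.index(stage)]


def defender_lead_time_hours(timeline, window_hours=24):
    """Hours between the first chained alert and the encryption event."""
    alert = first_alert(timeline, window_hours)
    impact = next((e for e in timeline if e["stage"] == "impact"), None)
    if alert is None or impact is None:
        return None
    return (impact["ts"] - alert["ts"]).total_seconds() / 3600


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    for e in tl:
        print(f"{e['ts']:%Y-%m-%d %H:%M} {e['host']:5} {e['stage']:18} {e['ttp']}")
    print(f"dwell time initial access -> encryption: {dwell_time_hours(tl):.1f} h")
    a = first_alert(tl, window_hours=6)
    print(f"first chained alert: {a['host']} {a['stage']} at {a['ts']}")
    print(f"defender lead time before encryption: {defender_lead_time_hours(tl, 6):.1f} h")
    print("stages to work back through from 'impact':", stages_before("impact"))
```

In the constructed intrusion the phishing attachment and the PowerShell child process on WS-17 chain within minutes, while encryption only happens about 43 hours later; that gap is the window in which the well-known techniques listed above (LSASS access, admin-share lateral movement, bulk cloud uploads) can be detected and the corresponding defensive measures applied.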