Threat Monitor Annual Report 2023
nccgroup.com

FOREWORD
In this year’s Annual Cyber Threat Monitor Report, we take a look back at the key events that shaped the cyber threat landscape in 2023, as well as looking ahead at the year to come, sharing insights from our Cyber Threat Intelligence team here at NCC Group. 2023 appeared to show signs that the international community was beginning to take the threats from cyber adversaries more seriously. We saw several examples of coordinated law enforcement action against criminal groups, including key ransomware operators and individuals believed to be acting on behalf of foreign intelligence services. There was also consensus on the issue of ransomware, in that governments around the world showed a united front against ransom payments and in favour of intelligence sharing through the International Counter Ransomware Initiative, which introduced several measures that offer a real opportunity to fight back against the pervasive threat from ransomware operators. However, despite this, we saw the highest volume of ransomware victims NCC Group has ever recorded, with an 84% increase in 2023 alone. The sheer volume of attacks and the variety of victims prove that no organisation is safe.
Notably, ransomware operators employed new and innovative techniques to maximise their profits, targeting large software vendors and managed service providers. So, even if an organisation does not perceive a direct threat from ransomware, it should consider the potential impact on its supply chain. The ongoing threat to critical national infrastructure across the globe from hacktivists and foreign intelligence services continued in 2023, following on from multiple geopolitical conflicts in the Middle East, Eastern Europe and Asia. National cyber security centres in multiple countries have highlighted this threat, and it is something we are monitoring as a priority moving into 2024. With those few things in mind, here we give further insight into what was a challenging 2023, and what organisations should be focusing on in the year ahead.
Matt Hull, Global Head of Threat Intelligence
CONTENT
Foreword by Matt Hull, Global Head of Threat Intelligence
SECTION 1 - Critical Events Timeline
SECTION 2 - Incidents of Note
SECTION 3 - Law Enforcement Interventions
SECTION 4 - Incident Response Findings
SECTION 5 - SOC Findings
SECTION 6 - Ransomware Threat Landscape
  Sectors
  Industrials
  Industries (Industrials)
  Consumer Cyclicals
  Industries (Consumer Cyclicals)
  Technology
  Industries (Technology)
SECTION 7 - Threat Actors
  LockBit 3.0
    Sectors Targeted
    Industries Targeted
  BlackCat
    Sectors Targeted
    Industries Targeted
  CL0P
    Sectors Targeted
    Industries Targeted
SECTION 8 - Regions
SECTION 9 - Vulnerability Landscape
SECTION 10 - Global Conflicts
  Russian Invasion of Ukraine
    Increased Attacks, Reduced Impact
    Influence and Information Operations
    Disruption and Hacktivism
    Destructive Operations
    Global Impact
    Summary
  Israeli-Palestinian Conflict
SECTION 11 - Threat Spotlight
SECTION 01 - CRITICAL EVENTS TIMELINE

10th Jan - Ransomware: Royal Mail attack
Royal Mail suffered 6 weeks of disruption to international postal services, affecting 11,500 Post Office branches. This was due to a ransomware attack driven by a LockBit affiliate, with Royal Mail refusing to pay the ransom.
30th Jan - Hacktivism: Killnet targets NATO countries supporting Ukraine
The pro-Russian hacktivist group Killnet launched DDoS attacks against US healthcare organisations and the public healthcare sector. This followed claims that the group had successfully compromised US healthcare organisations. The motivation is believed to be retaliation against countries supporting Ukraine, with DDoS attacks also focused on other NATO countries.

2nd Feb - Ransomware: GoAnywhere MFT zero-day exploited by CL0P
Fortra disclosed a remote code injection flaw, CVE-2023-0669, affecting exposed administrative consoles of its GoAnywhere secure web file transfer solution. Reports at the time indicated that it had been actively exploited by threat actors, and it was later shown that the CL0P ransomware group was using this flaw in a spate of ransomware attacks.

7th Mar - Malware: Emotet returns with new evasion techniques
Emotet was observed returning after a period of hiatus, with new evasion techniques allowing it to continue sending malicious spam to victims, as well as stealing credentials and email addresses, enabling lateral movement and downloading further malware. It has been observed being used by ransomware groups to distribute their ransomware payloads.

14th Mar - Surveillance: Russian state-sponsored TA targets EU diplomatic entities and systems
Nobelium, aka APT29 and Cozy Bear, targeted European diplomatic missions and systems sharing sensitive political information, aiding the Ukrainian government and helping Ukrainian citizens flee. This group is affiliated with the Foreign Intelligence Service of the Russian Federation (SVR) and targeted Polish representatives of the Ministry of Foreign Affairs visiting the US with a spear-phishing campaign that compromised the official EU electronic document exchange system, LegisWrite.
29th Mar - Supply Chain Attack: 3CX Voice Over Internet Protocol (VoIP) desktop client compromised
North Korean threat actors are believed to be responsible for the compromise, which was then used to compromise 3CX customers, including critical infrastructure organisations within the energy sector. A trojanised version of the legitimate 3CX software was used to compromise its customers. What set this attack apart is that it was itself the result of an earlier supply chain attack, with a 3CX employee downloading a malware-infected software package.

14th Apr - Ransomware: PaperCut zero-day actively exploited by Russian threat actors
Print management software maker PaperCut announced Remote Code Execution (RCE) vulnerabilities in PaperCut NG and PaperCut MF that could be leveraged without authentication under this critically rated CVE. A user account data flaw affecting PaperCut NG and PaperCut MF was also discovered, and both were known to be exploited by threat actors. PaperCut has over 100 million customers worldwide. Groups such as LockBit then leveraged this flaw in ransomware attacks.

23rd May - Zero-Day Vulnerability: Barracuda tells customers to replace, not patch, vulnerable devices
Barracuda announced a zero-day vulnerability in its Email Security Gateway, CVE-2023-2868, which had been exploited in the wild. The threat actor, believed to be the Chinese state-affiliated UNC4841, leveraged the flaw for espionage. The threat actor quickly adapted to containment and remediation efforts, leaving Barracuda to take the unusual step of recommending that customers replace their existing appliances with new ones rather than rely on more typical remediation efforts.

31st May - Ransomware: MOVEit Managed File Transfer vulnerability in mass CL0P exploitation
Progress released a security advisory regarding a zero-day vulnerability, CVE-2023-34362, in its MOVEit managed file transfer (MFT) software, which had been used to exfiltrate data. The CL0P ransomware group was seen leveraging this flaw, alongside other file transfer vulnerabilities, to steal data and demand ransom payments.

11th Jul - Breach: Microsoft, China, Storm-0558
Microsoft revealed that customer email accounts had been accessed through Outlook Web Access (OWA) and Exchange Online using forged authentication tokens. The China-based threat actor Storm-0558 is believed responsible, using the access to email accounts to gather useful intelligence.

8th Aug - Police Force Data Leak: FOI request leads to accidental PII data leak
In response to a Freedom of Information (FOI) request made to the Police Service of Northern Ireland, a spreadsheet detailing the locations and names of serving employees was mistakenly made public and posted online, putting these employees at risk. Police forces in Norfolk and Suffolk also confirmed that FOI requests led to inadvertently sharing too much Personally Identifiable Information (PII) publicly, whilst Cumbria Police blamed human error for the publication of the names and salaries of all its officers online.

31st Aug - Malware: Ukrainian military devices targeted by Russian GRU malware Infamous Chisel
NCSC and its Five Eyes partners issued a report attributing the Infamous Chisel malware, which targets Ukrainian military Android devices, to the threat actor Sandworm. The malware allows for data exfiltration and remote access. The campaign is believed to be part of the Russian war effort against Ukraine.
20th Sept - Law Enforcement: FBI & CISA advisory on Snatch ransomware
The FBI and CISA released an advisory warning that the Snatch threat actor group was targeting a wide range of Critical National Infrastructure (CNI) sectors for ransomware attacks. Sectors targeted included the Defence Industrial Base (DIB), Food and Agriculture, and Information Technology.

27th Sept - Law Enforcement: Dual ransomware advisory
The US Federal Bureau of Investigation (FBI) shared a Private Industry alert warning of an increasing trend of dual ransomware, where victims were targeted with more than one ransomware attack in close succession, with threat actors using different types of ransomware in each instance. Also noted was an increased use of wiper malware to destroy data, amongst other tactics to pressure victims to pay the ransom.

27th Sept - Law Enforcement: US and Japan warn of Chinese exploitation of Cisco router firmware
US and Japanese security agencies warned that China remains active in its offensive cyber capabilities, as organisations in both countries were targeted by the People’s Republic of China-linked threat actor BlackTech. Government, industrial, technology, media and telecommunication organisations were amongst the US and Japanese targets, with attackers leveraging flaws in Cisco routers. The group breaches network devices at international subsidiaries and then pivots to corporate headquarters.

7th Oct - Ransomware: Caesars Casino
Hackers exfiltrated data from the hotel and casino giant, which paid US$15,000,000 after negotiating on the ransom. The threat actor suspected to be responsible is Scattered Spider, aka UNC3944.

7th Oct - Geopolitics: Hamas attack on Israel
The Palestinian group Hamas, officially designated in many countries as a terrorist organisation, launched an armed assault against Israel. 1,200 civilians were killed in the attacks, making this one of the deadliest attacks in Israel’s history. Hostages were also taken. 2 days later, the Israeli government announced a complete siege of Gaza, as a result of which over 23,000 Palestinians have since been killed.

10th Oct - Data Breach: 23andMe hacked and genetic ancestry data leaked
A successful credential stuffing attack allowed a threat actor to directly access 14,000 23andMe customer records, stealing genetic ancestry information and, in some cases, health-related detail based on the genetics. Some of the stolen detail was leaked online and the criminals offered the records for sale, putting particular groups at risk. Access to these accounts allowed the threat actor to pivot from there and scrape some detail from 6.9 million customers.

12th Oct - Ransomware: MGM Casino
MGM shared details of a ransomware attack which included the theft of customer data and cost the business in the region of US$100,000,000. BlackCat, aka ALPHV, together with the Scattered Spider subgroup, took responsibility for the attack; the casino refused to pay the ransom.
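The 23andMe entry in the timeline above describes a credential stuffing attack: a list of username/password pairs leaked from elsewhere is replayed against many accounts from a small number of sources, and the few logins that succeed are the compromised accounts. The following is an added example, not code from the NCC Group report, of the detection logic a defender can run over authentication logs to spot that pattern. The log format, the sample lines and the thresholds are constructed assumptions; a real deployment would read the same fields from its own identity provider or web server logs.

```python
# Added example: detect credential stuffing in authentication logs.
# Not part of the NCC Group report. Log format, sample data and thresholds
# are constructed assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <OK|FAIL>".
# 203.0.113.7 tries ten different accounts in eight seconds and succeeds twice
# (the stuffing pattern); 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 dave@example.com OK
2023-10-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 grace@example.com OK
2023-10-01T10:00:06Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:00:07Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T10:00:08Z 203.0.113.7 judy@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T10:05:20Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T10:05:40Z 198.51.100.4 mallory@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, success)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=8, max_success_ratio=0.5):
    """Return {ip: summary} for every source IP that, inside any sliding time
    window, attempts logins against at least `min_accounts` distinct accounts
    with a mostly failing outcome. A legitimate user who mistypes a password
    hits one account repeatedly; credential stuffing hits many accounts once.
    The summary reports the widest window seen and which accounts succeeded,
    since those are the ones to lock and re-verify."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            events[ip].append((ts, account, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {acct for _, acct, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if (len(accounts) >= min_accounts
                    and successes / len(in_window) <= max_success_ratio
                    and (ip not in flagged
                         or len(accounts) > flagged[ip]["distinct_accounts"])):
                flagged[ip] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(in_window),
                    "successes": successes,
                    "compromised_accounts": sorted(
                        acct for _, acct, ok in in_window if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds (eight distinct accounts inside five minutes, at most half of them succeeding) are deliberately conservative for a small sample; in production they are tuned per login endpoint, and the same logic is usually keyed on a combination of IP, ASN and user agent rather than the bare IP, because stuffing tools rotate through proxy pools.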
12th Dec - Hack: Kyivstar telco discloses records destroyed by Russian state-affiliated TA
The Russian threat actor Sandworm is believed responsible for an attack which disrupted Ukraine’s largest mobile network operator so severely that its customer base, half the population of Ukraine, was left without services for days. This also meant they would not receive alerts warning of Russian attacks, therefore endangering life. The attack wiped out ‘almost everything’, leaving infrastructure decimated.
SECTION 02 - INCIDENTS OF NOTE
Hybrid Warfare: Gaza conflict
Throughout the year, the Russia and Ukraine conflict continued. However, the 7th October 2023 saw the Islamic Resistance Movement (Hamas) launch a surprise military operation against Israel. The cyber threat landscape has seen an interesting mirroring of the Russia-Ukraine conflict, with hacktivism at the forefront of the cyber threat. Mostly directed against Israeli infrastructure, the activity has typically impacted the Availability element of the CIA triad through Denial of Service (DoS) attacks. Furthermore, for the greatest impact, adversaries have been targeting Critical National Infrastructure sectors such as Energy and Defence, Telecommunications and Government to have the largest effect for their respective side.
The adversarial groups have also had a keen interest in, and relative success rate with, specific targeting of Industrial Control Systems (ICS), in particular SCADA.
Companies targeted through digital supply chain: File sharing platforms targeted
Throughout 2023, file sharing platforms were exploited across the globe to compromise organisations using them for data extortion and ransomware attacks. Fortra’s GoAnywhere MFT software was targeted early in the year through a zero-day vulnerability tracked as CVE-2023-0669, which leveraged remote command execution to deploy ransomware to the userbase. CL0P managed to successfully breach 130 companies and exposed millions of individuals’ private data using this vulnerability. This flaw was patched in version 7.1.2. Furthermore, in June 2023, MOVEit was exploited through additional zero-day vulnerabilities tracked as CVE-2023-35708 and CVE-2023-34362. This attack had far-reaching consequences, including for organisations that used the tool through their supply chain. This attack has been documented as the biggest data theft of 2023, with over 2,000 organisations compromised and the data theft impacting 62 million individuals. Patches are available for these vulnerabilities and should be applied.
Supply chains continue to be breached: Capita Breach
In March 2023, Capita, an outsourcing company, suffered a data breach which impacted 90 organisations. Capita suffered an unauthorised intrusion into their Microsoft 365 applications and had Black Basta ransomware deployed to 0.1% of their server estate. The spread was limited by Capita’s intervention to stop lateral movement. However, the reputational damage and financial impact have been costly for the company, as they suffered direct cyber incident costs of around £25m. The group’s share price dropped 12%, showing the reputational damage of the attack starting to show in public markets. The costs continue to mount for the company too, as they lost £67.9m for the first six months to June 2023 compared to a profit of £100,000 a year earlier. The company attributed these losses to the fallout of the cyber incident and cannot determine the size of the fine yet. This attack shows the real impact that supply chains can have on organisations and proves the need to hold third parties to the same security standards as your own organisation, which might include standards such as ISO 27001.
Data compromise exposes data for hundreds of millions of individuals: KidSecurity app
In September 2023, KidSecurity, a tracking app that lets parents know where their children are, was found to have not configured authentication for its Elasticsearch and Logstash collections. The app, with over 1,000,000 downloads from the Google Play store, inadvertently left user activity logs publicly available on the internet for over a month. The instance contained over 300 million records with private data, including 21,000 phone numbers and 31,000 email addresses. This exposure also revealed payment details, including the first six and last four digits of card numbers, expiry dates and the issuing bank. There have been indications that threat actors leveraged this misconfiguration to leak the data. Open instances of Elasticsearch are often leveraged by attackers to exploit vulnerabilities.
Ransomware re-encryption after failed negotiations: Henry Schein ransomware and data breach
In October 2023, healthcare solutions giant Henry Schein suffered re-encryption of their files after negotiations stalled with the ransomware group ALPHV. The group claimed to have 35TB of sensitive data. The re-encryption happened just as the company was getting back to operating capability, so this was a major setback and caused a lack of availability for its applications and ecommerce platform, which triggered another two weeks of operational disruption. This breach included 35,000,000 records.
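The KidSecurity incident above comes down to two settings on the Elasticsearch node: it listened on the network and it accepted requests without authentication. The following is an added example, not code from the NCC Group report or from KidSecurity, of a small audit a defender can run over an elasticsearch.yml to catch that combination before deployment. It assumes settings are written in the flat dotted form (key: value) and that an absent network.host means the node binds loopback only, which is Elasticsearch’s default; both configurations in the block are constructed.

```python
# Added example: audit an elasticsearch.yml for the "reachable from the
# network with authentication off" pattern. Not from the NCC Group report.
# Assumptions: flat dotted "key: value" settings; a missing network.host
# means loopback only (Elasticsearch's default). Configs are constructed.

LOOPBACK = {"127.0.0.1", "localhost", "_local_", "::1"}

# Constructed: the weak configuration the incident describes.
WEAK_CONFIG = """\
cluster.name: kidtracker-logs     # constructed name
network.host: 0.0.0.0             # listens on every interface
http.port: 9200
xpack.security.enabled: false     # REST API needs no credentials
"""

# Constructed: the same node with authentication and TLS switched on.
HARDENED_CONFIG = """\
cluster.name: kidtracker-logs
network.host: 10.0.0.12           # constructed private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' subset of YAML that elasticsearch.yml
    normally uses. Comments and blank lines are skipped; nested mappings
    and list values are out of scope for this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch_config(text):
    """Return a list of findings; an empty list means no exposure detected."""
    settings = parse_flat_yaml(text)
    findings = []
    host = settings.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    security = settings.get("xpack.security.enabled", "").lower()
    tls = settings.get("xpack.security.http.ssl.enabled", "false").lower()

    if security == "false":
        findings.append("xpack.security.enabled is false: the REST API accepts "
                        "unauthenticated requests")
    elif security == "" and exposed:
        # Older releases shipped with security off unless enabled explicitly,
        # so an unset value on an exposed node is worth checking by hand.
        findings.append("xpack.security.enabled is not set while network.host=%s: "
                        "verify the effective default for this version" % host)
    if exposed and tls != "true":
        findings.append("network.host=%s without HTTP TLS: credentials and data "
                        "travel in clear text" % host)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or ["no findings"])
```

The check is intentionally static: it reads the file rather than probing the running node, so it can sit in a CI job or a configuration-management pipeline and block the deployment of a log store that would be open to the internet.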
Ransomware halted physical delivery: Royal Mail hit by LockBit
In January, Royal Mail discovered a cyberattack which halted their international shipping services due to what they referred to as “severe service disruption.” It later surfaced that the threat group responsible for the attack was LockBit, who announced their role in a post published on a Russian-speaking hacking site. Royal Mail announced on Twitter that most of their international shipping services had been re-established by the 3rd of February, and declared that they were fully operational on the 21st of February 2023. On the 23rd of February, LockBit leaked 44GB of data stolen from Royal Mail, as Royal Mail refused to pay the £66 million ransom due to it being ‘an absurd amount of money.’ The leaked data included files relating to “various parts of Royal Mail’s business…technical information, contracts with third-party suppliers, human resource and staff disciplinary records, details of salaries and overtime payments, and even one staff member’s Covid-19 vaccination records.”
The ransom has since been lowered to £33m, but Royal Mail have shown no signs of giving in to the threat group’s demands.
This is an excellent example of the real-world implications of cybercrime, notably where operational disruption is concerned, with the impact extending beyond the victim itself. UK residents were forced to use alternative shipping solutions for their international exports, also highlighting the impact on customer confidence.
SECTION 03 - LAW ENFORCEMENT INTERVENTIONS
TrickBot:
TrickBot is a banking trojan which started off as a derivative of the Dyre banking trojan in 2016 before evolving independent features which turned it into a flexible and modular piece of malware, enabling cybercriminals to deploy multiple payloads, including further malware. Joint sanctions between the United Kingdom and the United States were levied against 11 named individuals believed to have been involved in the development of the TrickBot trojan. Additionally, two individuals have been arrested and faced charges relating to their involvement with the banking trojan: a Latvian national, Alla Witte, pleaded guilty to conspiracy to commit computer fraud for her involvement with the group, and in June 2023 was sentenced to 32 months’ imprisonment. Russian national Vladimir Dunaev was arrested in South Korea in September 2021 and extradited to the United States; he pleaded guilty to committing computer fraud and identity theft as well as conspiracy to commit wire fraud and bank fraud, and faces up to a maximum of 35 years in prison upon his scheduled sentencing on 20 March 2024.
Sanctions against North Korea:
In May, the US Treasury Department’s Office of Foreign Assets Control (OFAC) levied sanctions against four corporate, government and academic entities, as well as one individual, for their involvement in international fraud for the purpose of raising funds for the North Korean regime. Thousands of workers hide their identity to be hired as IT professionals overseas in order to generate revenue for the government, receiving foreign salaries and funnelling them back to Pyongyang. Some of these workers receive salaries in excess of a quarter of a million dollars, and while this may not apply to every one of the illicit IT workers, the economy of scale from utilising thousands of agents means the Kim regime is able to generate significant funds.
US Secretary of State Antony Blinken summarises the issue as:
“The DPRK conducts malicious cyber activities and deploys information technology (IT) workers abroad who fraudulently obtain employment to generate revenue that supports the Kim regime . . . The DPRK’s extensive illicit cyber and IT worker operations threaten international security by financing the DPRK regime and its dangerous activities, including its unlawful weapons of mass destruction (WMD) and ballistic missile programs.”
BreachForums and Pompompurin
US authorities in March arrested the threat actor responsible for successfully hacking the FBI in 2021. Conor Brian Fitzpatrick, known online by his alias Pompompurin, is also connected to the FBI’s InfraGard network breach in 2022, the 2022 Twitter data leak and the 2021 Robinhood hack, as well as being the owner of BreachForums. BreachForums rose to take the place of RaidForums after its own takedown at the hands of the FBI in 2022, and has hosted data such as the PII of roughly 170,000 individuals affected by the DC Health Link breach in March 2023. Only 20 at the time of his arrest, Fitzpatrick was charged with three crimes: conspiracy to commit access device fraud; solicitation for the purpose of offering access devices; and possession of child pornography. Held on a $300,000 bond paid by his parents, Fitzpatrick has since pleaded guilty to all three charges and faces up to a maximum of 40 years behind bars.
Ukrainian phishing ring busted
Ukrainian cyber authorities apprehended members of a phishing ring responsible for stealing over £3 million (160 million Ukrainian hryvnia) from over one thousand victims spread across Poland, Spain, France, Portugal, Czechia and other European nations. Joint raids were conducted on over 30 locations, resulting in the seizure of computer equipment, mobile phones and numerous SIM cards used as part of numerous phishing campaigns. The perpetrators of these campaigns created over 100 different phishing sites to trick victims into thinking they could purchase cheap goods, after which the scammers would use the payment card details for further fraudulent campaigns. In addition to the phishing sites themselves, the group employed scammers in call centres based in Lviv and Vinnytsia to add legitimacy to the fake online stores by talking to victims and encouraging them to complete purchases. This operation was conducted in collaboration with authorities from Czechia and resulted in two arrests within Ukraine, as well as 10 more in undisclosed countries in Europe. The suspected leaders face charges of fraud and creating a criminal organisation and could face up to 12 years in jail if successfully prosecuted.
Spanish authorities arrest 40 members of the Trinitarios group
Authorities in Spain arrested 40 members of the notorious Trinitarios crime group in May.
The group was responsible for carrying out numerous fraud campaigns, facilitated by initial phishing and smishing attacks through which they obtained victims’ banking and payment card details, used to generate approximately €700,000 from over 300,000 victims. Some of the proceeds were used to pay the legal fees of members who were already incarcerated, to buy drugs for resale, and to purchase property in the Dominican Republic. 13 homes across Spain, in Madrid, Seville and Guadalajara, were raided as part of the campaign to arrest the gang members, resulting in the seizure of computer equipment and cash, as well as tools for conventional crimes such as lock picks. Amongst the 40 individuals arrested there are thought to be two hackers who were primarily responsible for carrying out the phishing and smishing attacks, as well as 15 others charged with crimes such as bank fraud and identity theft, the typical crimes that result from falling victim to a phishing attack. This case shows how the gap between cybercrime and conventional crime is narrowing as the two fields merge.
LockBit affiliate arrested
A Russian national was arrested and charged in June for his role as an affiliate of the LockBit Ransomware-as-a-Service (RaaS) group. Ruslan Astamirov is accused of at least five attacks between 2020 and early 2023 against victims across the globe, including in the United States. He faces charges of conspiring to commit wire fraud and conspiring to intentionally damage protected computers and to transmit ransom demands, and faces up to a maximum of 25 years in prison. This second LockBit arrest in six months prompted U.S. Attorney Philip R. Sellinger for the District of New Jersey to say: “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”
6,500 arrests plus nearly a billion seized
Following its initial compromise by European law enforcement agencies in 2020, further efforts have targeted the userbase of EncroChat. The encrypted communications platform, which ran on a specially hardened version of the Android operating system, offered users self-destruct features, panic wipe capabilities, 24/7 customer support and more for a one-time payment of €1,000 and €1,500 for a 6 month subscription. More than 6,500 arrests have since been made, including of 197 high-value targets. This was done through analysing over 100 million conversations between approximately 60,000 users of the platform. Through utilising this data, law enforcement agencies across Europe were able, in addition to the thousands of arrests, to seize 270 tons of narcotics, 971 vehicles, 271 properties, 923 weapons, 68 explosives, 40 planes, 83 boats and €740 million in cash, in addition to freezing a further €154 million. Europol states that a third of EncroChat users were members of organised crime groups and a third were drug traffickers, while the rest included money launderers, murderers and firearms traffickers. This campaign sent shockwaves through OCGs (Organised Criminal Groups) across Europe, and further highlighted the intersection between conventional criminal activity and cyber-enabled crimes.
Man indicted after acting as malicious insider against water treatment facility
July saw the indictment of Rambler Gallo, a former employee of a Massachusetts-based company operating the Discovery Bay Water Treatment Facility in California, after his alleged attack on the facility in January 2021. Gallo, the former Instrumentation and Control Tech at the facility, is alleged to have installed software on his own private computer as well as on the private internal network of his employer and, upon his resignation from the company in January 2021, to have exploited his remote access to uninstall software which was the main hub of the network and was responsible for protecting the entire water treatment system, including filtration, chemical levels and water pressure. He faces up to 10 years behind bars and a fine of up to $240k for the charge of transmitting a program, information, code and command to cause damage to a protected computer, in violation of 18 U.S.C. §§ 1030(a)(5)(A) and (c)(4)(B)(i). This Discovery Bay facility attack, as well as the similar attack on the water system of Oldsmar in early 2021, likely contributed to the March 2023 decision of the Biden administration to make cyber security audits of public water systems mandatory.
SECTION 04
INCIDENT RESPONSE FINDINGS
Our Incident Response data represents cases handled by our CIRT team when responding to NCC Group clients. In 2023, the Financials sector accounted for the greatest percentage of incidents raised (15%), closely followed by Industrials (14%) and Government (14%). This marks a shift from the top three targeted sectors in 2022: Government (18%), Industrials and Financials in joint second (13%), and Technology and Consumer Cyclicals in joint third (11%). Over the last two years, the data suggests that Financials and Industrials remain of consistent interest to threat actors, with a 2% growth in incident response cases for the Financials sector between 2022 and 2023. This is likely a combination of the potential for financial gain that cybercriminals expect when successfully targeting these sectors, and the continued need for sufficient cyber security hygiene to combat ever-growing cyber threats.
Figure 1: Percentage of CIRT Cases by Sectors Impacted
Analysis of attack categories found that most incidents concerned Unauthorised Access (36%), Phishing (16%) and Malicious Code (15%).
Where the top-targeted sector was concerned, Financials, most attacks were related to Unauthorised Access (5%) and Phishing (5%).
Remaining aware of possible signs of unauthorised access, such as unusual activity on devices, as well as ensuring appropriate phishing training and awareness, can help organisations prevent or minimise potential attacks.
Figure 2: CIRT Cases by Attack Type 2023
SECTION 05
SOC FINDINGS
Data collated from our Global Security Operations Centre (SOC) reported 3493 true positive incidents across the European and APAC SOCs. This represents a 36% increase from the 2559 true positive cases observed in 2022, reflecting growth in the number of tickets raised across NCC Group’s client base. This may also be in line with growth in NCC Group’s clientele, amounting to a greater number of incidents overall rather than necessarily a growth in global security incidents. Regardless, in this section we dive into the dataset to better understand the course of events throughout the year.
Figure 3: Month-by-Month Count of Incidents Raised in the SOC (2023)
July recorded the greatest number of tickets raised, with 356 in total, followed by November in second place with 336. Comparing with the figures for 2022 (see Figure 4), we instead saw steady growth for the period January to May, peaking in May with 297 tickets raised. This was followed by a drop in June to 175 and another growth spurt for the period June to September, with the highest number of tickets recorded for 2022 being in September, at a total of 350. However, this peak was again followed by a rapid decline for the period October to December, ending the year with 192 tickets raised in December.
As seen in Figure 3, we observe a much steadier flow of tickets raised in 2023 for the period January to June. After this, we notice the peak of 356 tickets raised in July, followed by a slight decrease to 312 in August, and then a steady increase for the period September to November. Similar to the previous two years, the month of December tends to mark some of the lowest ticket activity recorded throughout the year as a whole. In 2023, the lowest number of tickets raised was in fact in December, with a total of 150. It is, however, difficult to pinpoint a root cause for the spikes in July and November activity, as a number of variables may be at play, from client security practices to growth in cybercrime activity.
Figure 4: Month-by-Month Count of Incidents Raised in the SOC (2022)
Next, we dissect the number of cases raised by true positive category, captured in Figure 5, and notice the following: overall, 1263 incidents were mitigated (36%) and 1574 (45%) required no action, so the vast majority (82%, or 2837) did not need to be escalated and no further action was needed. Finally, 588 cases (17%) were escalated to the client.
Figure 5: Number of Cases by True Positive Category (2023)
While analysing incidents by sector (Figure 6), we notice that NCC Group’s clients within Academic & Educational Services were most susceptible to incidents with a total of 810 recorded. Again, this is likely to be influenced by NCC Group’s client base as a whole. With that in mind, it is worth mentioning that Academic & Educational Services was also ranked as the most targeted sector in 2022 with 657 incidents. Year-on-year, the number of incidents recorded for the sector has experienced an increase of 23%. Interestingly, the sector was also the top target in 2021 with 255 incidents recorded at the time. Given the overall number of tickets recorded in the period 2021 – 2023 for Academic & Educational Services, there is a high possibility that this would continue to be the case in 2024, so we would strongly recommend that clients within the sector stay vigilant and ensure best security practices are followed.
The remaining sectors within the top five for 2023 are the same as in 2022, the differences being the higher number of incidents recorded year-on-year and a shift in Technology’s position from fifth in 2022 to third in 2023, which moved Financials and Energy to fourth and fifth respectively.
With regard to the figures, all sectors experienced an increase in incidents raised.
However, the Technology and Energy sectors experienced the highest increases, at 161% (from 217) and 95% (from 261) respectively. Finally, targeting of Industrials and Financials increased by 46% (from 439) and 20% (from 435) respectively. We would highly recommend that clients operating within these sectors review their defensive mechanisms.
Figure 6: SOC Tickets Raised by Sector (2023)
SECTION 06
RANSOMWARE THREAT LANDSCAPE
With 2023 concluded, the following provides an analysis of the ransomware threat landscape with year-on-year comparisons and trend predictions for 2024, to support organisations in implementing security measures for the year ahead. In this section of the report, we discuss the trends that have emerged throughout the year and their implications, how these differ from what we found in previous annual reports, and what we expect going forward based on existing data.
Figure 7: Global Ransomware Attacks by Month
First and foremost, an interesting observation is that from 2021 to 2022 there was in fact a minuscule 5% decrease in ransomware cases year-on-year, from 2667 to 2531 incidents, which contrasts heavily with our findings for 2022 to 2023, where there was a huge 84% increase from 2531 to 4667. As is easily seen in Figure 7, and as we have noted throughout the year, 2023’s monthly totals consistently surpassed those of 2022, whereas the distribution between 2021 and 2022 was far more sporadic. To highlight how significant 2023’s comparative increases were, the mean monthly number of attacks for 2021 was 222, for 2022 it was 211, and for 2023 it was a huge 389.
There is a whole host of potential explanations for this huge contrast between 2021/2022 and 2023, from a generally heightened understanding of the profit that double extortion ransomware can amass for threat actors, to the increased accessibility of ransomware distributions for affiliates to utilise with the growing number of Ransomware-as-a-Service (RaaS) offerings. While these are all valid and likely contribute in some way, NCC Group strongly considers the frequent arrival of new players in 2023’s ransomware threat landscape to be pushing this figure up further, with an additional three arriving in December alone (Hunters, DragonForce and WereWolves).
Corroborating the above statement regarding the increasing availability of a plethora of ransomware variants is an interesting case that took place in September 2023. A ransomware threat actor accessed one of Symantec’s clients’ environments and attempted to deploy LockBit ransomware; however, the client was able to detect and block the LockBit variant before the impact stage. With a demonstration of tenacity, the threat actor instead tried to deploy a much newer variant, 3AM (the first observation of which was very possibly this same incident), which was successful, although it was still subsequently blocked after just three machines were affected. This is a quintessential example of threat actors having a pool of variants to choose from, making their attacks far more persistent and difficult to block, and thereby potentially increasing the overall number of ransomware cases across the year. If this develops into a trend and is not a one-off incident, the standard approach to proactive security measures may no longer end at simply knowing which groups are targeting a specific sector and region and defending accordingly. Instead, it may have to include a holistic view of the whole ransomware threat landscape, with constant IoC ingestion for every emerging group, to avoid successful “second attempts.” This occurrence also raises an intriguing question regarding the loyalty of affiliates to their ransomware groups, as this instance implies that the use of them is somewhat interchangeable.
Another curious case that took place in 2023 involved a ransomware attack on a university in the UK, where the threat actors emailed students and staff detailing the data that they had stolen, likely in an attempt to get the victims to apply more pressure on the university. This has aptly been referred to as another triple-extortion technique, as it is yet another way to tighten the threat actor’s grip on the victim: first there was the addition of DDoS to the attacks, then the withholding of victim names and only revealing them after their ‘time had run out,’ and now there is this. Irrespective of whether or not this technique will be repeated, we are certain of one thing: ransomware groups will continue to innovate in their extortion techniques in an effort to continuously increase their success rates. As such, we reiterate the importance for organisations of remaining vigilant and consistently enhancing their defensive mechanisms. If this influx of new threat actors continues in 2024, we can expect a similar increase in ransomware cases from 2023 to 2024, and perhaps an even larger one if the arrival of new ransomware groups occurs exponentially. As our findings for the year highlight, double extortion ransomware is showing no signs of slowing down, and its popularity, scope, and impact are heightening on at least a yearly basis. So, unless we have finally reached a plateau, which is unlikely at this point, and if there is a similar increase for 2023 to 2024 as there was from 2022 to 2023, the number of ransomware cases could even double by the end of the year.
Sectors
Figure 8: Most Targeted Sectors 2022 vs 2023
Sectoral targeting in 2023 was largely similar to that of the previous year although, as previously mentioned, 2023 was the most active year by a significant degree. The most targeted sector for 2023 was, as is to be expected, Industrials with 1484 attacks (32% of the year’s total), followed by Consumer Cyclicals with 695 (15%) and finally Technology with 503 (11%). Figure 8 is perhaps one of the most effective visualisations to portray the explosiveness of 2023 when contrasted with 2022; although the two years largely shared the same most targeted sectors, in terms of absolute figures 2023 was much busier.
The activity in Industrials almost doubled from the 804 attacks witnessed in 2022, a huge 85% increase. Consumer Cyclicals saw a less radical increase, but an increase nonetheless, from 487 hack & leak ransomware cases in 2022 (a 43% rise). Finally, Technology was another sector with a drastic rise in attack numbers, again almost doubling from 263 hack & leak cases (a huge 91% increase).
Proportionally speaking, Industrials stayed the same, accounting for 32% of victims in both 2022 and 2023.
Conversely, Consumer Cyclicals exhibited a 5% proportional decrease from 2022 and Technology experienced a 6% proportional decrease.
Industrials
Figure 9: Total Industrials Victims Month-by-Month 2022 vs 2023
As mentioned above, ransomware cases in the Industrials sector almost doubled from 2022 to 2023, from 804 to 1484, but despite total ransomware cases shooting up by 84% over the two years, the sector remained at a 32% overall weighting of attacks. This notably contrasts with Consumer Cyclicals and Technology which, although they experienced increases in total figures, exhibited 5% and 6% relative decreases respectively. This alone goes to show the attractiveness of the Industrials sector, and Figure 9 highlights that year-on-year there has been consistently sustained interest, dwarfing its 2022 totals. When we compare Figure 9 with Figure 7, it is possible to observe a striking similarity between the two graphs, especially where 2023 is concerned. This highlights the correlation between the overall total of ransomware attacks and the number of cases within Industrials, which brings us to our next point, one that was also mentioned in our 2022 Threat Monitor.
As the Industrials sector is so heavily targeted within the ransomware threat landscape, the frequency of cases within it is highly reactive to overall threat actor activity for a given month, once more illustrating the significance of this sector. This sector is often the most targeted for a number of reasons. Firstly, industries within it, such as Professional & Commercial Services, are likely an attractive target to threat actors (TAs) due to the vast quantities of PII that they store. Firms that operate on a consultancy basis tend to serve a vast number of clients yearly, and thus have consistent access to huge amounts of client data, making them both an attractive and lucrative target from a TA’s perspective. Other industries within the sector share some commonalities which make them attractive to TAs. One example is the cost of operational disruption (especially for those organisations that have tight production lines), another being the expanded attack surface due to sector-wide issues like IT/OT convergence.
Industries
Figure 10: Most Targeted Industries in Industrials 2022 vs 2023
Similar to the observations for 2021-2022, the most targeted industries within the sector have remained largely the same between 2022 and 2023, with only a few minor differences and, of course, the expected discrepancy in total figures.
In first place, we have Professional & Commercial Services with 662, which is 45% of the total figure, followed by Machinery, Tools, Heavy Vehicles, Trains & Ships with 327 or 22% of the total, and finally Construction & Engineering is in third place with 260 cases which is 18% of the total.
Consumer Cyclicals
Figure 11: Total Consumer Cyclicals Victims Month-by-Month 2022 vs 2023
Consumer Cyclicals experienced a less explosive increase from 2022 to 2023 when compared to 2021 to 2022. Furthermore, the sector saw a 5% relative decrease in its contribution to all ransomware cases in 2023, implying that for that year Consumer Cyclicals was less of a focus for threat actors. It is possible that this is because of the heightened threat actor interest in the Industrials sector, causing Consumer Cyclicals to be less targeted. As can be seen in Figure 11, the apparent cause of the increase in absolute figures in 2023 is a heightened interest in the sector from June onwards, which consistently surpasses that of the previous year. However, this is again directly proportional to the overall threat actor activity within the year, so it does not necessarily indicate a specific focus on Consumer Cyclicals in the latter half of the year.
Consumer Cyclicals will likely continue to be heavily targeted for the foreseeable future due to the nature of the industries within it. Organisations operating within Hotels & Entertainment Services, as well as various retailers, will be targeted for very similar reasons: their constant influx of new clientele and thus their access to payment details and information, alongside other PII such as email addresses and sometimes home addresses. By contrast, organisations under the manufacturing umbrella (such as Automobiles & Auto Parts and Homebuilding & Construction Supplies) are more likely to be targeted due to their need for operational uptime which, once disturbed, can cause major profit losses that incentivise ransom payments.
Industries
Figure 12: Most Targeted Industries in Consumer Cyclicals 2022 vs 2023
As is to be expected based on the provided justifications for threat actors favouring these sectors, the most targeted have remained largely the same with just a few minor fluctuations.
In first place we have Hotels & Entertainment Services with 134 attacks (19% of the total), followed by Specialty Retailers with 128 cases (18% of the total), and finally followed by Homebuilding & Construction Supplies in third place with 98 cases (14% of the total).
NCC Group does not foresee a major shift in the top three most targeted industries within this sector in 2024, due to their attractiveness to extortion-driven threat actors.