
Cyber Insights 2022: Improving Criminal Sophistication


When SecurityWeek asked Steve Katz, the world’s first CISO, what future threats concerned him most, he replied, “The biggest threat is the ever-increasing expertise of the hackers.”

This is a result of basic mechanics, Newton’s third law: “When one object exerts a force on a second object, the second one exerts a force on the first that is equal in magnitude and opposite in direction.” In cyber, it means that when defenses get stronger, attackers get more sophisticated; and when attackers get more sophisticated, defenses get stronger. It is action versus reaction ad infinitum – with cybercriminals currently holding the ascendancy.

(We are excluding adversarial nation-state activity from this discussion. See Cyber Insights 2022: Nation-States for information on the nation threat. It is worth noting, however, that the demarcation between cybercriminal and nation state actors is not always simple, with some actors having a foot in both camps.)

Throughout 2021, the attackers have been dominant. This will continue for at least the first half of 2022. The primary reasons are better, more professional organization, and vastly more resources. Criminal gangs have, quite simply, become very rich.

“It is now a reality that cybercrime gangs are as valuable as unicorn companies,” says Mikko Hyppönen, researcher at F-Secure. “Our enemy is becoming more powerful and wealthier.”

He cites two reasons for this. Firstly, the income from crime has risen dramatically through BEC scams and increased ransomware and denial of service extortion. Secondly, criminals prefer to store their funds as cryptocurrency. “Five years ago,” says Hyppönen, “they were controlling around $10m or so in wealth. Over these 5 years, the value of bitcoin has increased from $500 to $50,000 so that the age of cybercrime unicorn gangs has arrived.”

The effect of this increased wealth has been the evolution of professionally organized cybercrime businesses with enough wealth to buy zero-days on the open market in competition with nation states, and enough money to fund their own R&D into new technologies such as AI. “As the value of bitcoin and other cryptocurrencies grows, attackers will invest in higher degrees of automation and more sophisticated techniques to infiltrate targets,” adds Mike Heredi, VP EMEA and APAC at XM Cyber.

The drivers of cybercrime in 2022

Kudos

The earliest hackers were not after money. They were, as the original meaning of the word indicates, curious folk who liked to take things apart. The kudos of ‘breaking’ things was the primary motivation – and the spirit, although modified, lives on.

“For years, gamers and streamers have been a growing trend on social media, with audiences wanting to know their secret techniques on how they get to the next level,” comments Joseph Carson, chief security scientist at ThycoticCentrify.

“Hacking is now following that same path with the world’s top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold, and then elevating privileges. Hacking gamification platforms are also on the rise as hacking teams compete for L33T status and placing at the top of the leaderboard. This new trend will continue in 2022, and we will see hacking become an EL3T3 Sport, with viewers paying to watch hackers operate live.”

Ethics

The term ‘hacktivist’ is used to describe a hacker driven by his or her own view of right and wrong rather than a direct desire to make money. In its beginnings it focused largely on web defacements leaving messages such as “Free Julian Assange!”

It evolved into something less innocent, with attacks by animal rights activists against animal experimentation companies, and attacks by anti-nuclear activists against nuclear industry companies. It is largely driven by the greatest moral issues of any period – so environmental hacktivism will likely increase in 2022.

But it has also increased in extent and severity, up to national geopolitical activity. Arguably, disinformation and misinformation campaigns and even direct election meddling can be described as a form of hacktivism. Putin famously dismissed Russian election meddling as the work of patriots (not the Russian state!) who may have simply been trying to help their country. Such ‘hacktivism’ will likely return in a midterm elections year.

Mike Sentonas, CTO at CrowdStrike, believes that the 2022 Winter Olympics in China might also serve as a catalyst. “The 2022 Beijing Winter Olympics could very well be a powder keg of nation-state cyber activity,” he says. “We’ll likely even see hacktivists come out of the woodworks to engage in disruption and misinformation campaigns.”

Money

Money is by far the single most important motivation behind cybercriminal activity. In the attempt to make more money (and protect individuals), cybercrime groups have become better organized and more businesslike.

The single most important development is the emergence of ‘cybercrime-as-a-service’, and a concomitant separation of roles.

It started as loosely defined malware-as-a-service. Rather than use their malware themselves, developers began to ‘rent out’ their product to other, often lesser-skilled, criminals. Raccoon, Silent Night and Legion Loader are a few examples. More specific services soon emerged, with researchers recognizing ransomware-as-a-service (for example, DarkSide and REvil) and phishing-as-a-service as categories within the genre. The growth of crimeware-as-a-service will expand throughout 2022.

“Ransomware gangs will rival enterprises in complexity,” warns Darren Williams, CEO and founder at BlackFog. “In the past year, we’ve already seen ransomware gangs morph into savvy businesses with sophisticated organizational structures, with one going so far as to create a fake company to recruit talent. In 2022, we’ll see this trend continue to pick up steam, with greater coordination between gangs, double extortion evolving to triple extortion and short selling schemes skyrocketing.”

The primary advantages to the criminals are a separation of roles (making the whole process more business-like and efficient) and allowing the criminal masterminds to remain in the background, where they are potentially more difficult to identify.

The separation of roles has continued beyond simple malware development. There are separate access brokers that can sell ready-made access to different targets, and sales agents that can sell on stolen credentials. The overall effect is that less-skilled wannabe hackers are being attracted to cybercrime and can deliver sophisticated attacks at scale. As a result, the sheer volume of cyberattacks will increase through 2022.

“The ROI behind hacks and ransomware attacks over the past two years,” says Matt Rahman, COO at IOActive, “has turned bad actors into business professionals. When you run a business, professionalism, customer service and great product drives demand for your services.”

Troy Gill, senior manager of threat intelligence at Zix/AppRiver, adds, “That is why in 2022 we will see cybercriminals form even more robust working relationships to facilitate their continued success.”

Law enforcement

With cybercrime firmly in the ascendancy, the law of action and reaction means that the defenders need to respond. Bigger security budgets, better security products and continuous exhortations for industry to get at least the basics of cybersecurity in place have not halted the rise in cybercrime. Governments have finally realized that they need to take a more proactive stance against cybercrime. This has already begun.

“Unicorn hunting season is well underway, and we are seeing law enforcement take more action, bringing down organized crime gangs globally,” says Hyppönen. “The US State Department is also offering a $10m bounty for information leading to the arrest of at least two different ransomware gangs – so it will be interesting to see how many cybercrime unicorns there will be throughout 2022.”

There are also subtle indications of increased international government cooperation against cybercrime. In early December 2021, Trustwave’s SpiderLabs reported, “Law enforcement collaboration has eastern-European cybercriminals questioning whether there is a safe haven anymore.”

SpiderLabs continued, “Based on the conversations that we’ve collected, a segment of cybercriminals is now worried that the Russian authorities may be actively hunting them down.” It quotes a message dated November 10, 2021, found on the dark web: “Incidentally, there are the recent secret negotiations on cybercrime between the Russian Federation and the United States.”

The turning point may have been the DarkSide ransomware attack against Colonial Pipeline. Physical attacks against critical infrastructure have long been considered out of scope by many governments – the danger of escalating retribution is too high. This one may have been accidental: an attack not performed by DarkSide itself, but by a less experienced ransomware-as-a-service franchisee.

What happened next is worth considering. Biden spoke to Putin. DarkSide went dark. The attack was ‘dismissed’ as a more acceptable attack against the payments IT side of Colonial rather than an attack against the operational technology of a critical industry (a claim that is not universally accepted). And the U.S. government was able to retrieve a sizable portion of the bitcoin ransom paid by Colonial (again, something that has not been adequately explained).


It is tempting to consider that at least between the U.S. and Russia there is now a tacit understanding of the danger of unfettered cybercriminality dragging the two nations into an unwanted full-blown cyberwar. It is possible that 2022 will see increased, but subtle, collaboration between the U.S. and Russian governments against cybercrime (as opposed to nation-state espionage, which is traditional, more acceptable, and performed by all major countries). This has already been seen with the recent REvil ransomware gang bust early this year in Russia, supposedly at the request of the U.S.

Action and reaction

But if law enforcement becomes more effective against cybercrime, we can expect the cybercriminals to fight back. It’s simple action and reaction.

Erich Kron, security awareness advocate at KnowBe4, comments: “Cybercrime gangs are not going to stand by idly while they are taken offline one-by-one. In reaction to increased coordination between countries and the resulting arrests or takedowns, these bad actors are going to start fighting back, targeting the interests of those that are causing them the most trouble. Where ransomware and cybercrime are often strictly money-motivated endeavors, it's no longer just business, now it's personal. Expect increased attacks focused on nations that arrest or take down infrastructures.”

The cybercrime gangs don’t need to stay in Russia or eastern Europe, where cultural similarities between east and west make a common understanding easier. There are other countries with different cultures and different religions that might be happy to host anti-West criminals – such as Iran and possibly Afghanistan. “Top-down efforts, such as sanctions by the U.S. Treasury Department, may lead to arrests but will ultimately push these groups further underground and out of reach,” suggests John Bambenek, principal threat hunter at Netenrich.

2022 is a cusp year in action and reaction. The fight back against cybercriminals by law enforcement has already begun. But the criminals will not sit back and do nothing. They will react. All of this will play out throughout 2022 – and there is no telling which side will have the ascendancy by the end of the year. The only certainty is that whichever side wins, it will only be a temporary victory. The action and reaction between the good and the bad will continue indefinitely.

About SecurityWeek Cyber Insights 2022

Cyber Insights 2022 is a series of articles examining the potential evolution of threats over the new year and beyond. Six primary threat areas are discussed:

• Ransomware
• Adversarial AI
• Supply Chain
• Nation States
• Identity
• Improving Criminal Sophistication

Although the subjects have been separated, the attacks will rarely occur in isolation. Nation state and supply chain attacks will often be linked – as will supply chain and ransomware. Adversarial AI will likely be seen primarily in attacks against identity; at least in the short term. And underlying everything is the growing sophistication and professionalism of the cybercriminal.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.