State-actor cybersecurity threats in 2023

We know what types of cyberattack are going to be most prevalent in 2023 - but which states are most likely to prove dangerous?
6 December 2022

The three greatest cybersecurity threats of 2023 by nation-state?

2023 looks like being as big a year as we’ve seen in recent decades as far as cybersecurity is concerned. In Part 1 of this article, we spoke with Mike McLellan, Director of Intelligence at the SecureWorks Counter Threat Unit, for trustworthy cybersecurity threat predictions on “market-led” dangers like ransomware, extortion-only attacks, and business email compromise. While we had him in the chair, though, we also explored less “commercial” and more geopolitical cybersecurity threats that could harm businesses through cyberattack in the coming year.

THQ:

Let’s talk about the heavy subject of Ukraine. Whatever happens on the ground, presumably the cyberwar goes on?

MMcL:

It’s going to be really interesting to see what comes out around Ukraine in 2023. We have had fairly limited visibility into what’s actually been happening there from a cybersecurity standpoint. But we’ve already seen talk about the number of attacks Ukraine is seeing. There is clearly a high tempo of Russian attacks, targeting Ukrainian critical infrastructure, probably in parallel with some of the missile strikes. What’s been notable has been that most of those attacks have stayed within Ukraine, or the very close region around it. We haven’t seen a lot of indiscriminate attacks that spread beyond the borders.

So, Ukraine will continue to be a major focus for Russian groups and other groups who want to understand what’s going on there. We’ll see more action from Russian threat groups against Ukraine in 2023, but the thing that we’re possibly more focused on is all the other stuff that Russia does, which has not been getting as much attention because of Ukraine.

Go back two years, we had SolarWinds around this time, and as we speak, we’re expecting this year’s Christmas miracle. SolarWinds was a very sophisticated supply chain attack, and I would not be at all surprised if we see something similar again.

SolarWinds #2?

Over the next 12 months, we may well see the uncovering of some kind of major, highly pervasive supply chain attack which has been ongoing behind the scenes for some time. Russia will not just be focused on Ukraine, it still has standing intelligence requirements around the US, the UK and other countries. So we’re keeping a close eye out for that side of the Russian activity, as well as the attacks going on inside Ukraine.

THQ:

We’ve heard the idea that when the war does eventually end, a lot of people who have either been professional cybercriminals for a long time, or have been recruited specifically to fight the war, will need to be deployed elsewhere. So we could be looking at an increase in cybersecurity threat as and when the war ends. Do you have a view on that?

MMcL:

It’s possible, yes. It would be interesting to know if the Russians have recruited more cyberattackers into their military ranks in the intelligence services to do some of this stuff. You would think that possibly they have, given, as you say, the national focus on Ukraine, so yes, that may well be true. We may see a higher volume of activity over the next four months. A lot depends, I think, on how things pan out in Ukraine.

The Taiwan question

THQ:

And just to keep our spirits up, let’s turn to China.

MMcL:

In 2023, we think China will focus more on regional issues – particularly Taiwan.

THQ:

Oh, Taiwan. World’s largest semiconductor hub, believes it’s an independent nation, while China insists it’s part of Chinese territory. That Taiwan?

MMcL:

That Taiwan, yes. With tensions as they are around Taiwan, it’s going to be interesting to see how that develops over the next 12 months. Obviously, the situation there is a problem for the whole world, because of the state of the semiconductor industry. That’s why the US and the UK are so heavily focused on it. We’ve seen both the US and UK Governments come out and more actively call out China for some of its cyberactivity. That’s going to continue.

But we’ll also continue to see a strong regional focus in terms of China’s long-term development plans, like technology theft, the defense supply chain, all that kind of stuff as well. We think China is our most active hostile state adversary right now – and that looks likely to continue to be the case throughout the course of 2023.

Flashpoint

THQ:

The escalating tension there is worrying, isn’t it? Particularly around the semiconductor industry, with the US putting pressure on companies trying to sell chips to China, and Taiwan’s disputed status?

MMcL:

Absolutely. It may actually be more of a flashpoint than Ukraine was in terms of whether the West will feel like it has to intervene if a military invasion occurs. On the cyber side of it, the kinds of operations that China would need to have an effect in Taiwan to support a military invasion take time to establish, so people are watching for any kind of increase in cyberactivity around Taiwan. China has always been interested in Taiwan and will have been conducting longstanding operations to try and get access to the country’s infrastructure through cyber and other means. But we may see some of that materialize in the next four months if there is a military conflict, or tensions continue to increase.

THQ:

Indeed. After all, the US government pointedly didn’t suggest that it would send troops in to defend Ukraine from Russia, but it has actually come out and said it will defend Taiwan with troops on the ground if China invades. How much cyberattack would it have to launch to equate to a “cyberinvasion” – and would that trigger the same sort of response?

MMcL:

That’s an interesting point. A lot of the talk around Ukraine has been around the whole Article 5 thing. At what point do you trigger a NATO response to the kind of activity that’s going on? And who would you have to target to trigger that kind of response within NATO? From a cyber perspective, I think there’s some value in ambiguity. I think you don’t want to set too many red lines, because you don’t want to paint yourself into a corner on either side of the conflict. But you need to send the right messages to try and deter any potential aggression.

Cyber is never going to be a replacement for true kinetic activity and missile strikes and that kind of thing. But if we see the Chinese start to knock out critical infrastructure or industries in Taiwan, will there actually have to be some kind of response? I don’t know.

Who’s next?

THQ:

Who’s next on the list of state players to watch from a cybersecurity point of view?

MMcL:

Iran is worth keeping an eye on. It’s been one of the major state adversaries that we’ve been tracking. China, Russia, and Iran are the big three that we talk to our customers about, with North Korea targeting some of the financial infrastructure too.

Iran is heavily regionally focused. There’s been ongoing tit-for-tat between Iran and Israel, or groups that are proxying for those countries, with some fairly destructive attacks, like port closures, attempts to poison water supplies, all that kind of stuff happening. We’ve seen a lot of hack-and-leak operations, too, lots of documentation being published online about Iranian intelligence operatives, or Iranian individuals who are involved in cyberespionage. There’s a lot of that happening.

Cyberproxy

It’s not about to be a public conflict between countries like Iran and Israel, but it’s fairly clear that there is some kind of state-directed activity behind it. So there’s lots going on there, which is obviously a concern, especially as tension is always fairly high in that region.

But we also see some of that spreading outside the region. There’s an Iranian group that has been conducting ransomware attacks against US organizations, and possibly UK organizations, but certainly within Europe. This is an espionage group that probably also does some ransomware on the side for a bit of extra pocket money.

These groups are active, traditionally targeting the Middle East, but now spreading out further west. So Iran is one that’s on our radar, especially as these groups are conducting opportunistic ransomware threats rather than targeted espionage. That means theoretically anyone could be a target.

THQ:

Do we think there’ll be more of that in 2023?

MMcL:

We’ll definitely see more of this kind of proxy war activity, because lots of hacktivist groups are popping up on Twitter and Telegram and leaking data that’s probably been stolen by some kind of state-sponsored group.

In the final part of this article, we’ll be looking at the types of business under special cybersecurity threat in 2023, including crypto-exchanges, as well as touching on the double-edged sword of offensive security, and how the escalating cost of living crisis might well see the threat of insider action rise across 2023.