Introduction:
The world of cyber threats is constantly poses increasing risks to organizations of all kind. In 2023 we have not witnessed the cyber threats, like ransomware, phishing and malware but also the emerging danger of cyber conflicts exemplified by the Russia Ukraine war.
This geopolitical turbulence is mirrored in the realm with the Israel Hamas conflict. We have seen a rise in groups getting involved. These groups are driven by ideologies or loyalties. Use their hacking skills to express their views or disrupt those they perceive as adversaries. During the Israel Hamas discord it has been reported that hacktivist factions from both sides have managed to infiltrate US systems.
Experts are worried that if this conflict continues these attacks may become more frequent and severe. What’s more concerning is that state sponsored actors may be hiding behind these groups effectively masking their own cyber offensives. Among them factions affiliated with Iran are seen as dangerous.
As geopolitical tensions persist worldwide the cyber domain continues to reflect these clashes by becoming more sophisticated and targeted. The consequences of a cyber attack in 2023 are more serious than before emphasizing the need, for stronger defense mechanisms and increased vigilance.
This report aims to offer an overview of the global threat landscape in 2023. It brings together insights, from leading security researchers and institutions to provide an understanding of the cyber threats and proactive measures. The report covers topics such as Advanced Persistent Threat (APT) groups, ransomware trends, phishing patterns, malware advancements, supply chain attack dynamics and the critical importance of security. By looking through this lens our goal is to equip organizations with the knowledge they need to anticipate, mitigate and effectively respond to the cyber threats, on the horizon.
Executive Summary:
The 2023 Global Threats Report presents an in-depth analysis of the evolving cyber threat landscape, drawing insights from the most recent and authoritative research across the globe. This year, we have witnessed a significant escalation in the sophistication and frequency of cyber attacks, highlighting the need for robust and proactive defense strategies.
Ransomware continues to be a dominant threat, evolving with more targeted and destructive tactics. These attacks are not only becoming more sophisticated but also demonstrate a shift towards targeting critical infrastructure and high-value sectors, emphasizing the need for improved ransomware preparedness and response strategies.
Phishing remains a primary vector for initial compromise, with attackers increasingly leveraging social engineering techniques to circumvent traditional security measures. The rise in remote work has further expanded the attack surface, making individuals and organizations more susceptible to these types of attacks.
Malware threats have also evolved, with attackers leveraging advanced techniques such as polymorphism and living-off-the-land tactics to evade detection. State-sponsored and advanced persistent threat (APT) groups are increasingly deploying malware as part of their sophisticated cyber espionage and sabotage campaigns.
Supply chain attacks have emerged as a key concern, with attackers exploiting vulnerabilities in software and hardware supply chains to compromise multiple targets. This trend underscores the need for comprehensive supply chain risk management and the implementation of secure software development practices.
Cloud security has become paramount as more organizations migrate to cloud environments. Threat actors are exploiting misconfigurations and vulnerabilities in cloud services to gain unauthorized access and exfiltrate sensitive data. This necessitates a shift towards a more robust cloud security posture, incorporating best practices in identity and access management, data protection, and threat detection and response.
In conclusion, the 2023 Global Threats Report underscores the dynamic and increasingly complex nature of the cyber threat landscape. It calls for an integrated and intelligence-driven approach to cybersecurity, emphasizing the importance of continuous monitoring, advanced threat intelligence, and collaboration within the cybersecurity community to effectively combat these evolving threats.
Key Findings:
The global cost of cybercrime is expected to reach $11.5 trillion in 2023
Healthcare Tops Cybercrime Cost Chart for 2023
Cyber Attacks by Attack Vector in 2023
Total Global Spend on Cyber Security in 2023 rose to over $100 Billion
Top 5 Cyber Attacks in 2023
Rank | Attack | Impact | Financial Impact |
1 | MOVEitBreach | Data breach of over 200 organizations | Over $9 billion |
2 | LapsusBreachofT- Mobile | Data breach of over 50 million customers | Over $1 billion |
3 | REvil Ransomware Attack on JBS | Disrupted operations and caused meat prices to surge | Hundreds of millions of dollars |
4 | NvidiaBreach | Compromised employee data and disrupted supply chain | Hundreds of millions of dollars |
5 | MGMResorts Cyberattack | Disrupted operations and potentially compromised customer data | Over $100 Million |
Global Cyber talent shortage grew to over 4Million in 2023
Positive Trend in Cybersecurity in 2023
Cybersecurity Spending: According to Gartner, global cybersecurity spending is expected to reach $168.4 billion in 2023, an increase of 11.4% from 2022. This indicates that organizations are prioritizing cybersecurity investments to protect their data and systems.
Advancements in Cybersecurity Technologies: Cybersecurity vendors are continuously developing new and innovative solutions to combat evolving cyber threats. These advancements include enhanced artificial intelligence (AI) and machine learning (ML) capabilities, improved threat detection and response mechanisms, and more secure cloud-based solutions.
Cybersecurity Awareness: A recent study by ISACA found that 88% of organizations are providing cybersecurity training to theiremployees, up from 75% in 2022. This increased focus on cybersecurity awareness is helpingto reduce the number of human error- related security incidents.
Phishing Attack Detection: The percentage of phishing attacks that are detected and blocked has increased from 75% in 2022 to 80% in 2023. This improvement is due to advancements in email securitysolutions and employeetraining.
Data Breach Response Times:The average time to identifya data breach has decreased from 287 days in 2022 to 273 days in 2023.This indicates that organizations are becoming more efficient at detecting and responding to security incidents.
Cloud Security Adoption: The adoption of cloud security solutions has increased significantly in 2023. According to Gartner, 60% of organizations are now using cloud security platforms, up from 50% in 2022. This increased adoption is helping to protect cloud-based data and applications from cyberattacks.
These statistics demonstrate that organizations are making progress in addressing cybersecurity challenges and improving their overall cybersecurity posture. While cyber threats continue to evolve, the cybersecurity industryis responding with innovative solutions, increased awareness, and improved security practices.
Top Advanced Persistent Threat (APT) groups in 2023
In 2023, the cyber threat landscape was marked by the activities of several prominent Advanced Persistent Threat (APT) groups. TA505, also known as the Clop Ransomware Gang, topped the list, targeting government agencies, healthcare providers, and financial institutions with ransomware attacks. Following them, Mustang Panda (APT29), a Chinese APT group, engaged in cyberespionage against governments, military contractors, and technology firms. APT41, a Russian group, also known as Barium/Bismuth, was involved in data theft, sabotage, and disruption, primarily targeting Western governments and organizations. North Korea's Lazarus Group (APT38) conducted attacks, including data theft, sabotage, and financial fraud, against South Korea and the US. Other groups like Gallium (APT36), Turla (Waterbug), OceanLotus (APT33), Hermitage (APT29), Nobelium, and APT37 (Scarbee) also carried out various spear-phishing and malware activities, targeting similar sectors.
Rank | APT Group | Description | Attacks | Sector |
1 | TA505 (Clop Ransomware Gang) | A prolific ransomware group that has targeted a wide range of organizations, including government agencies, healthcare providers, and financial institutions. | Ransomware | Government, Healthcare, Finance |
2 | Mustang Panda (APT29) | A Chinese APT group that is known for its cyberespionage activities. The group has targeted a variety of organizations, including governments, military contractors, and technology companies. | Cyberespionage | Government, Military, Technology |
3 | APT41 (Barium/Bismuth) | A Russian APT group that is known for its cyberattacks against Western governments and organizations. The group has been linked to a variety of attacks, including data theft, sabotage, and disruption. | Data Theft, Sabotage, Disruption | Government, Organizations |
4 | Lazarus (APT38) | A North Korean APT group that is known for its cyberattacks against South Korea and the United States. The group has been linked to a variety of attacks, including data theft, sabotage, and financial fraud. | Data Theft, Sabotage, Financial Fraud | Government, Organizations |
5 | Gallium (APT36) | A Chinese APT group that is known for its cyberespionage activities. The group has targeted a variety of organizations, including governments, military contractors, and technology companies. | Cyberespionage | Government, Military, Technology |
6 | Turla (Waterbug) | A Russian APT group that is known for its cyberespionage activities. The group has targeted a variety of organizations, including governments, military contractors, and technology companies. | Cyberespionage | Government, Military, Technology |
7 | OceanLotus (APT33) | A Chinese APT group that is known for its cyberespionage activities. The group has targeted a variety of organizations, including governments, military contractors, and technology companies. | Cyberespionage | Government, Military, Technology |
8 | Hermitage (APT29) | A Russian APT group that is known for its cyberespionage activities. The group has targeted a variety of organizations, including governments, military contractors, and technology companies. | Cyberespionage | Government, Military, Technology |
9 | Nobelium (SolarWinds Supply Chain Attack) | A Russian APT group that is known for its cyberespionage activities. The group has targeted a variety of organizations, including governments, military contractors, and technology companies. | Cyberespionage | Government, Military, Technology |
10 | APT37 (Scarbee) | An Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC), Iran's paramilitary force. | Spear-phishing, malware deployment, social engineering | Government, defense, energy |
Top 5 Ransomware Variants in 2023 and Attacks executed
1. LockBit: LockBit remained a dominant force in the ransomware landscape throughout 2023, consistently ranking among the most active groups. They continued to refine their tactics, including employing double extortion and data leak threats, and targeting a wide range of organizations, including government agencies, healthcare providers, and educational institutions.
March 2023: LockBit targeted the network of Costa Rica'sMinistry of Finance, causing widespread disruptions to government services and demanding a $1 million ransom payment.
June 2023: LockBitattacked the IT systems of Accenture, a global consulting and professional servicescompany, affecting its operations in multiple countries.
October 2023: LockBit breached the network of Swissport, a leading airport ground handling and cargo services company, disrupting its operations and causing delays at airports worldwide.
2. BlackCat: Emerging in late 2021, BlackCat quickly gained notoriety for its sophisticated attacks, quadruple extortion tactics, and high ransom demands. They targeted a diverse range of industries, including finance, healthcare, and manufacturing, causing significant disruptions and financial losses.
November 2023: BlackCat infiltrated the systems of healthcare giant Henry Schein and stole dozens of terabytes of data, including payroll data and shareholder information.
October 2023: BlackCat targeted the network of telecom provider Globe Telecom, impacting its mobile and broadband services in the Philippines.
August 2023: BlackCat attacked the IT systems of automotive supplier Continental AG, affecting its production facilities and causing supply chain disruptions.
3. Hive: Hive, also known as Hive057, maintained its position as a prominent ransomware group in 2023. Their aggressive double extortion tactics and focus on manufacturing and retail industries made them a significant threat to these sectors.
October 2023: Hive breached the network of German energy company VNG, forcing the shutdown of its natural gas storage facilities.
September 2023: Hive targeted the IT systems of Media Markt Saturn Retail Group, a leading European electronics retailer, disrupting its operations and causing temporary store closures.
August 2023: Hive attacked the network of Brazilian food and beverage company BRF, causing disruptions to its production facilities and supply chain.
4. DoppelPaymer: While DoppelPaymer's activity decreased compared to previous years, they remained a persistent threat, targeting primarily large organizations and demanding substantial ransom payments.
July 2023: DoppelPaymer targeted the systems of aerospace manufacturer Parker Hannifin, causing disruptions to its production and supply chain operations.
June 2023: DoppelPaymer attacked the IT infrastructure of Finnish energy company Fortum, causing power outages and financial losses.
April 2023: DoppelPaymer infiltrated the network of South African healthcare provider Netcare, disrupting its patient care services and demanding a substantial ransom payment.
4. REvil: REvil, also known as Sodinokibi, continued to operate in 2023, thoughtheir overall activity diminished comparedt o 2021. They still posed a significant threat due to their past history of high-profile attacks and their ability to adapt to evolving cybersecurity measures.
May 2023: REvil attacked the IT systems of Costa Rican food distributor Pozuelo, causing significant disruptions to its operations and affecting the supply of essential goods.
February 2023: REvil targeted the network of American food manufacturer JBS, causing disruptions to its meat processing plants and leading to meat shortages across the United States.
January 2023: REvil attacked the IT systems of German automotive supplier Prevent, affecting its production facilities and causing supply chain disruptions in the automotive industry.
AI Threats in 2023
In 2023, certain AI tools named WormGPT, FraudGPT, and Evil-GPT emerged as significant cybersecurity threats. These tools are particularly concerning because of their capabilities and the intentions behind their creation and use.
WormGPT is described as an "evil chatbot" with the ability to create malicious code and craft phishing emails. This AI platform is particularly sophisticated and has been associated with scams and cyberattacks. A cybersecurity firm discovered that WormGPT is being sold to criminals, and another firm created a tool called PoisonGPT, which seems to be a proof-of-concept to show how generative AI can spread fake news online.
The impact of these tools is evident, with reports indicating that WormGPT may be used to create convincing phishing emails to support business email compromise (BEC) attacks, with surveys showing that a significant portion of people can fall for these advanced phishing attempts.
Evil-GPT, advertised as a replacement for WormGPT, has been promoted on forums by a hacker known as “Amlo”. The sale and promotion of these malicious AI tools are a source of serious concern within the cybersecurity community.
Furthermore, generative AI models like ChatGPT, along with FraudGPT and WormGPT, have been implicated in the evolution of cyberattacks. They have been used to facilitate personalized phishing, create deepfakes, and exploit cognitive biases, thus amplifying existing threats and introducing new risks to cybersecurity.
These developments underscore the dual-use nature of AI technology, capable of driving innovation but also posing new challenges that require vigilant cybersecurity defenses and ethical considerations.
MaliciousAIVariant | Description | PotentialImpact |
EvilGPT | Generates realistic and convincing phishing emails, social media posts, and other forms of online content to deceive users into revealing personal information or clicking on malicious links. | Financial loss, identity theft, data breaches |
WormGPT | Self-replicating malware that can spread rapidly through networks and devices, potentially causing wide spread disruptions and data loss. | Denial-of-service attacks, data corruption, infrastructure disruption |
PoisonGPT | Alters or manipulates data to mislead machine learning algorithms, potentially compromising the accuracy of automated decision-making systems. | Erroneous decisions, financial losses, reputational damage |
FraudGPT | Generates fraudulent documents, such as invoices, financial reports, and insurance claims, to deceive businesses and individuals. | Financial losses, legal liabilities, reputitional damage |
A look forward into 2024 and beyond:
As we look towards 2024 and beyond, the role of AI in cybersecurity and its global impact continues to evolve in complexity. AI technologies offer significant advancements in protecting digital assets, yet they also present new challenges and opportunities for misuse:
Evolving Cyber Threats: The landscape of cyber threats is rapidly adapting, with a notable shift towards exploiting human identities over technology. Social engineering and phishing, increasingly sophisticated, target human vulnerabilities rather than technological flaws.
Generative AI as a Double-Edged Sword: The rise of generative AI tools, including advanced language models, presents both risks and benefits. On one hand, these tools can significantly improve cybersecurity offerings; on the other, they pose risks of misuse for phishing and other malicious activities.
Mobile Device Security: The focus on mobile device security is intensifying. Cybercriminals are redirecting attacks to mobile platforms, employing tactics like QR codes and fraudulent voice calls to make phishing more effective and harder to detect.
Malware Evolution: Malware development is being democratized, with open-source tools and generative AI making advanced techniques more accessible. This trend leads to the proliferation of sophisticated malware capable of evading detection.
Identity-Based Attacks: Identity-based attacks are expected to dominate, urging organizations to shift their focus to securing stored credentials, session cookies, access keys, and addressing misconfigurations.
Shift to Passwordless Access Management: Organizations are increasingly adopting passwordless solutions, like passkeys and multi-factor authentication (MFA), to counteract cyber threats. However, threat actors are evolving their tactics accordingly, with session hijacking predicted to account for 40% of all cyberattacks by 2024. This necessitates vigilant security, monitoring, and response strategies to combat innovative attackers.
Recommendations:
Enhanced Identity Security: Prioritize securing user identities and credentials, given the shift towards identity-based attacks and the vulnerabilities posed by passwordless authentication.
Robust AI and Automation Integration: Invest in AI and automation technologies to enhance threat detection and response capabilities, while also ensuring responsible AI policies are in place to prevent misuse.
Proactive Defense Against Advanced Malware: Develop strategies to counteract the rise of sophisticated malware, leveraging open-source tools and AI for advanced detection and prevention.
Adaptive Strategies for Phishing and Social Engineering: Implement comprehensive training and awareness programsto combat the increasing sophistication of phishing and social engineering tactics, particularly those targeting mobile platforms.
Continuous Vigilance and Innovation: Maintain a proactive stance in cybersecurity, staying ahead of evolving threats through continuous innovation, vigilant monitoring, and rapid response mechanisms. This includes preparingfor new forms of attacks, such as generative AI-driven threats
Conclusion:
In summary, the 2023 Global Threats Report provides a comprehensive overview of the current cyber threat landscape, revealing a world increasingly menaced by sophisticated cyber attacks. This year has seen a marked escalation in the frequency and complexity of these threats, spanning from ransomware to state-sponsored activities. Particularly alarming is the rise in ideologically motivated groups leveraging their hacking skills in geopolitical conflicts, as seen in the Israel-Hamas and Russia-Ukraine situations. These developments underscore the urgent need for enhanced cybersecurity measures. Organizations must adopt proactive defense strategies, incorporating advanced threat intelligence and robust cloud security practices. The report highlights the critical role of cybersecurity professionals who, with their expertise and dedication, form the frontline defense against these evolving digital threats. As the cyber domain continues to mirror global geopolitical tensions, the importance of staying ahead of these threats through innovation and vigilance cannot be overstated.In this context, the contributions of cybersecurity professionals cannot be overstated. They are the vanguard in this evolving battle, working relentlessly with often limited resources to protect both public and private sectors from these multifaceted threats. Their adaptability, expertise, and unwavering commitment play a pivotal role in safeguarding our digital world. The advancements in AI and automation they leverage are crucial in bolstering defenses and responding more swiftly to threats. As we navigate through these challenges, their continuous vigilance and innovative strategies are invaluable in maintaining the integrity and security of our digital infrastructure. We owe them our gratitude for their tireless efforts and dedication to keeping our digital realm safe and secure.
References: DomainTools. "The Most Prolific Ransomware Families: 2023 Edition." https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families- 2023-edition/: https://www.domaintools.com/resources/blog/the-most-prolific- ransomware-families-2023-edition/. Help Net Security. "Ransomware groups continue to increase their operational tempo and impact." https://www.helpnetsecurity.com/2023/05/16/trends-ransomware-attacks- future-of-cybersecurity-video/: https://www.helpnetsecurity.com/2023/05/16/trends- ransomware-attacks-future-of-cybersecurity-video/ McAfee. "The Future of Cybersecurity." https://www.mcafee.com/blogs/security- news/mcafee-2023-threat-predictions-evolution-and-exploitation/: https://www.mcafee.com/blogs/security-news/mcafee-2023-threat-predictions- evolution-and-exploitation/ Palo Alto Networks. "Ransomware Trends in 2023." https://start.paloaltonetworks.com/2023-unit42-ransomware-extortion-report: https://start.paloaltonetworks.com/2023-unit42-ransomware-extortion-report SANS Institute. "AI and Cybersecurity: The Dual Threat." https://www.sans.org/newsletters/ouch/artificial-intelligence/: https://www.sans.org/newsletters/ouch/artificial-intelligence/ Trend Micro. "LockBit, BlackCat,and Clop Prevailas Top RAAS Groups: Ransomware in 1H 2023." https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the- numbers/lockbit-blackcat-and-clop-prevail-as-top-raas-groups-for-1h-2023: https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the- numbers/lockbit-blackcat-and-clop-prevail-as-top-raas-groups-for-1h-2023 Crowdstrike. "2023 Global Threat Report." https://go.crowdstrike.com/rs/281-OBQ- 266/images/CrowdStrike2023GlobalThreatReport.pdf: https://go.crowdstrike.com/rs/281- OBQ-266/images/CrowdStrike2023GlobalThreatReport.pdf Fortinet. "FortiGuard Labs Global Threat Report 1H, 2023." https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-1h-
2023.pdf: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat- report-1h-2023.pdf
NTT Data. "NTT ThreatInsights Report 2023."
https://us.nttdata.com/en/-/media/nttdataamerica/files/gated-asset/2023-nttsh-gtir- cybersecurity-report.pdf: https://us.nttdata.com/en/-/media/nttdataamerica/files/gated- asset/2023-nttsh-gtir-cybersecurity-report.pdf
Kaspersky ICS CERT. "APT and Financial Attackson Industrial Organizations in H1 2023." https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial- attacks-on-industrial-organizations-in-h1-2023/: https://ics- cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on- industrial-organizations-in-h1-2023/
Mandiant. "Advanced Persistent Threat (APT) Groups." https://www.mandiant.com/resources/insights/apt-groups: https://www.mandiant.com/resources/insights/apt-groups