What’s next in cybersecurity
This past year has seen Russian government hacks aimed at Ukraine; more ransomware against hospitals and schools–and against whole governments too; a seemingly endless series of costly crypto hacks; and high-profile hacks of companies like Microsoft, Nvidia, and Grand Theft Auto maker Rockstar Games, the last hack allegedly carried out by teenagers.
All these kinds of attacks will continue in the next year, and possibly well beyond it, according to cybersecurity experts who spoke with MIT Tech Review. Here’s what we expect in the next year:
Russia continues its online operations against Ukraine
Ukraine was the big story of the year in cybersecurity as in other news. The embattled country was the focus of industry attention. Russian government groups have carried out several attacks. One of the first ones hit Viasat, a US satellite communications company that was being used by civilians and troops in Ukraine. The hack caused “a really huge loss in communications in the very beginning of war,” according to Victor Zhora, the head of Ukraine’s defensive cybersecurity agency.
There have also been as many as six attacks against Ukrainian targets involving wiper malware, malicious computer code designed to destroy data.
These were all carried out in support of military operations, not as acts of war in their own right. That may mean that “cyberwarfare” is a misleading term and that cyberwar as such will not happen, according to Stefano Zanero, an associate professor in the computer engineering department at Politecnico di Milano.
According to Lesley Carhart, a researcher at the industrial cybersecurity company Dragos and a veteran of the US Air Force, these attacks show that “cyber” is only one part of warfare, though one that can still play a significant role and will continue to do so.
“I used to say that nearly everything that people just described as cyber war is actually cyber espionage,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation. “And I would argue that over the past several years, that hasn’t been the case.”
Initial expectations were that Russian hacks could lead to physical damage. However, this has not happened.
One of the reasons cyber hasn’t played a bigger role in the war, according to Carhart, is because “in the whole conflict, we saw Russia being underprepared for things and not having a good game plan. So it’s not really surprising that we see that as well in the cyber domain.”
Moreover, Ukraine, under the leadership of Zhora and his cybersecurity agency, has been working on its cyber defenses for years, and it has received support from the international community since the war started, according to experts. Finally, an interesting twist in the conflict on the internet between Russia and Ukraine was the rise of the decentralized, international cyber coalition known as the IT Army, which scored some significant hacks, showing that war in the future can also be fought by hacktivists.
Ransomware runs rampant again
This year, other than the usual corporations, hospitals, and schools, government agencies in Costa Rica, Montenegro, and Albania all suffered damaging ransomware attacks too. The government of Costa Rica declared a state of emergency following a ransomware attack. And in Albania, the government expelled Iranian diplomats from the country–a first in the history of cybersecurity–following a destructive cyberattack.
These types of attacks were at an all-time high in 2022, a trend that will likely continue next year, according to Allan Liska, a researcher who focuses on ransomware at cybersecurity firm Recorded Future.
“[Ransomware] is not a technical problem, like an information stealer and other commodity malware,” he says; it has real-world, geopolitical consequences. In the past, for example, WannaCry, a North Korean ransomware, caused severe disruption to the UK’s National Health System and hit an estimated 230,000 computers worldwide.
There are positive signs in the ransomware world. According to Liska, there are some early signs that point to “the death of the ransomware-as-a-service model,” in which ransomware gangs lease out hacking tools. The main reason, he said, is that whenever a gang gets too big, “something bad happens to them.”
For example, the ransomware groups REvil and DarkSide/BlackMatter were hit by governments; Conti, a Russian ransomware gang, unraveled internally when a Ukrainian researcher appalled by Conti’s public support of the war leaked its internal chats; and the LockBit crew also suffered a leak of its code. More affiliates are now saying they do not want to work under the big ransomware groups: being associated with them puts a target on their own backs, and they just want to get on with their cybercrime.
“Adversaries are starting to realize that they don’t want to be under a specific name that brings the attention of the US government or other international partners,” says Katie Nickels, director of intelligence at Red Canary.
Also, both Liska and Brett Callow, a security researcher at Emsisoft who specializes in ransomware, stress that law enforcement action, including international cooperation among governments, was more frequent and effective this year, hinting that perhaps governments are starting to make inroads against ransomware.
But the conflict in Ukraine could make international cooperation more difficult. In January of this year, the Russian government said it was cooperating with the US when it announced the arrests of 14 members of REvil, as well as the seizure of computers, luxury cars, and more than $5 million. This unprecedented cooperation would not last: once Russia invaded Ukraine, further cooperation with Vladimir Putin’s government became impossible. “When it comes down to actually cutting off ransomware at its source, I think that we took a step back,” said Christine Bejerasco, chief technology officer at cybersecurity firm WithSecure.
Crypto is still going to crypto, baby
Crypto didn’t just flow from ransomware victims to hackers; in 2022 it also flowed straight out of crypto projects and Web3 companies. This was the year cryptocurrency hacks, which have been occurring since cryptocurrencies were invented, became mainstream, with hackers stealing at least $3 billion in crypto during the year, according to blockchain tracking company Chainalysis. Another crypto tracking company, Elliptic, estimated the theft total at $2.7 billion.
There were more than 100 large-scale victims in the world of crypto; there are now websites and Twitter accounts specifically dedicated to tracking these hacks, which seemed to happen almost daily. Perhaps the most significant of them all was the hack on the Nomad protocol, where a hacker found a vulnerability and started draining funds. Because the hacker’s transactions were public, others noticed and just copy-pasted the exploit, leading to “the first decentralized robbery” in history. Just a few weeks ago, hackers accessed the server where the crypto exchange Deribit held its wallets, draining $28 million from them.
There was also some good news in crypto. Stephen Tong, a cofounder of blockchain security company Zellic, said that a “big new wave” of cybersecurity pros will keep coming to the crypto industry and create “the infrastructure, tooling, and practices needed to do things in a secure way.”
Tal Be’ery, a cybersecurity veteran who now works as CTO of the crypto wallet app ZenGo, says there are “building blocks” in place to make cybersecurity solutions specific to crypto and blockchains, which “hint that the future would be safer.”
“I think that we will start to see some hints of solutions in 2023,” Be’ery says. “But the advantage will still be with the attackers.”
One cohort of attackers that had outsized success this year was the group known as Lapsus$. The hackers targeted Okta, an identity and access management provider whose services sit in the software supply chain of many other companies. This allowed the hackers to penetrate big-name companies such as Microsoft, Nvidia, Rockstar Games, and others.
“Attackers look for the path of least resistance, and some infrastructure suppliers are one of these paths,” Zanero says, stressing that supply chain attacks are both the present and the future, because some suppliers–especially cybersecurity companies–have a large footprint across several industries.
“Adversaries continue to be able to make a significant impact,” Nickels says, “without necessarily having to use advanced capabilities.”
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.