ENISA THREAT LANDSCAPE 2022
NOVEMBER 2022

ABOUT ENISA

The European Union Agency for Cybersecurity, ENISA, is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost the resilience of the Union's infrastructure and, ultimately, to keep Europe's society and citizens digitally secure. More information about ENISA and its work can be found here: www.enisa.europa.eu.

CONTACT

To contact the authors, please use etl@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.

EDITORS

Ifigeneia Lella, Eleni Tsekmezoglou, Rossen Svetozarov Naydenov, Cosmin Ciobanu, Apostolos Malatras, Marianthi Theocharidou, European Union Agency for
Cybersecurity

CONTRIBUTORS

Claudio Ardagna, Stephen Corbiaux, Koen Van Impe, Andreas Sfakianakis

ACKNOWLEDGEMENTS

We would like to thank the Members and Observers of the ENISA ad hoc Working Group on Cyber Threat Landscapes (https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/ad-hoc-working-group-cyber-threat-landscapes) for their valuable feedback and comments in validating this report. We would also like to thank the ENISA Advisory Group and the National Liaison Officers network for their valuable feedback.

LEGAL NOTICE

This publication represents the views and interpretations of ENISA unless stated otherwise. It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to Regulation (EU) No 2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information purposes only and it must be accessible free of charge. All references to it or its use as a whole or in part must show ENISA as its source. Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external sources, including external websites, referenced in this publication. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. ENISA maintains its intellectual property rights in relation to this publication.

COPYRIGHT NOTICE

© European Union Agency for Cybersecurity (ENISA), 2022. Reproduction is authorised provided the source is acknowledged. Copyright for the image on pages xyz: Shutterstock. For any use or reproduction of photos or other material that are not under ENISA copyright, permission must be sought directly from the copyright holders.

ISBN: 978-92-9204-588-3, DOI: 10.2824/764318

TABLE OF CONTENTS

1. THREAT LANDSCAPE OVERVIEW 7
2. THREAT ACTOR TRENDS 22
3. RANSOMWARE 43
4. MALWARE 49
5. SOCIAL ENGINEERING 54
6. THREATS AGAINST DATA 63
7. THREATS AGAINST AVAILABILITY: DENIAL OF SERVICE 69
8. THREATS AGAINST AVAILABILITY: INTERNET THREATS 78
9. DISINFORMATION - MISINFORMATION 82
10. SUPPLY CHAIN ATTACKS 88
A ANNEX: MAPPING TO MITRE ATT&CK FRAMEWORK 95
B ANNEX: INDICATIVE LIST OF INCIDENTS 102
C ANNEX: CVE LANDSCAPE 114
D ANNEX: RECOMMENDATIONS 124

EXECUTIVE SUMMARY

This is the tenth edition of the ENISA Threat Landscape (ETL) report, an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures. This year's work has again been supported by ENISA's ad hoc Working Group on Cybersecurity Threat Landscapes (CTL).

During the reporting period of the ETL 2022, the prime threats identified include:

1. Ransomware
2. Malware
3. Social engineering threats
4. Threats against data
5. Threats against availability: denial of service
6. Threats against availability: internet threats
7. Disinformation and misinformation
8. Supply chain attacks

For each of the identified threats, attack techniques, notable incidents and trends are presented alongside mitigation measures. When it comes
to trends during the reporting period, we must emphasise the following.

Impact of geopolitics on the cybersecurity threat landscape

- The conflict between Russia and Ukraine reshaped the threat landscape during the reporting period. Among the notable changes were significant increases in hacktivist activity, cyber actors conducting operations in concert with kinetic military action, the mobilisation of hacktivists and cybercrime, and aid by nation-state groups during this conflict.
- Geopolitics continues to have a stronger impact on cyber operations.
- Destructive attacks are a prominent component of the operations of state actors. During the Russia-Ukraine conflict, cyber actors were observed conducting operations in concert with kinetic military action [1].
- A new wave of hacktivism [2] has been observed, especially since the Russia-Ukraine crisis began.
- Disinformation is a tool in cyberwarfare. It was used even before the physical war started, as a preparatory activity for Russia's invasion of Ukraine.

Threat actors increasing their capabilities

- Resourceful threat actors have utilised 0-day exploits to achieve their operational and strategic goals. The more organisations increase the maturity of their defences and cybersecurity programmes, the more they increase the cost for adversaries, driving them to develop and/or buy 0-day exploits, since defence-in-depth strategies reduce the availability of exploitable vulnerabilities.
- Continuous retirements and rebranding of ransomware groups are being used to avoid law enforcement and sanctions.
- The hacker-as-a-service business model is gaining traction, growing since 2021.
- Threat groups have an increased interest and exhibit an increasing capability in supply chain attacks and attacks against Managed Service Providers (MSPs).

Notes
[1] Microsoft Special Report: Ukraine. An overview of Russia's cyberattack activity in Ukraine, https:/
[2] Republic of Estonia Information System Authority, Trends and Challenges in Cyber Security Q1 2022, https://www.ria.ee/en/news/trends-and-challenges-cyber-security-q1-2022.html

Ransomware and attacks against availability rank the highest during the reporting period

- Significant rise in attacks against availability, particularly DDoS, with the ongoing war being the main reason behind such attacks.
- Phishing is once again the most common vector for initial access. Advances in the sophistication of phishing, user fatigue and targeted, context-based phishing have led to this rise. New lures in social engineering threats focus on the Ukraine-Russia conflict, in a similar manner to what happened during the COVID situation.
- Malware is on the rise again after the decrease that was noticed and linked to the COVID-19 pandemic [3].
- Extortion techniques are further evolving with the popular use of leak sites.
- DDoS attacks are getting larger and more complex, are moving towards mobile networks and IoT, and are being used in the context of cyberwarfare.

Novel, hybrid and emerging threats are marking the threat landscape with high impact

- The Pegasus case triggered media coverage and governmental actions, which were then also reflected in other cases concerning surveillance and the targeting of civil society.
- Consent phishing: attackers send users links to a legitimate identity provider's consent page for an attacker-controlled application; if the user accepts, that application is granted access tokens and permissions to the user's applications and services, without any password being stolen.
- Data compromise is increasing year on year. The central role of data in our society has produced a sharp increase in the amount of data collected and in the importance of proper data analysis. The price we pay for such importance
is a continuous and unstoppable increase in data compromises.
- Machine Learning (ML) models are at the core of modern distributed systems and are increasingly becoming the target of attacks.
- AI-enabled disinformation and deepfakes. The proliferation of bots modelling personas can easily disrupt the notice-and-comment rulemaking process, as well as the interaction of the community, by flooding government agencies with fake comments.

Moreover, understanding the trends related to threat actors, their motivations and their targets greatly assists in planning cybersecurity defences and mitigation strategies. Therefore, for the purposes of the ETL 2022, the following four categories of cybersecurity threat actors are considered again:

- State-sponsored actors
- Cybercrime actors
- Hacker-for-hire actors
- Hacktivists

Through continuous analysis, ENISA derived trends, patterns and insights for each of the major threats presented in the ETL 2022. The key findings and judgements in this assessment are based on multiple publicly available resources, which are provided in the references used for the development of this document. The report is mainly targeted at strategic decision-makers and policy-makers, while also being of interest to the technical cybersecurity community.

Notes
[3] ENISA Threat Landscape 2021

1. THREAT LANDSCAPE OVERVIEW

In its tenth edition, the ENISA Threat Landscape (ETL) report provides a general overview of the cybersecurity threat landscape. Over the years, the ETL has been used as a key instrument in understanding the current status of cybersecurity across the EU and providing insight in terms of trends and patterns, leading to relevant decisions, prioritisation of actions and recommendations. The ETL report is partly strategic and partly technical, with information relevant to both technical and non-technical readers. The ETL 2022 report has been validated and supported by the ENISA ad hoc Working Group on Cybersecurity Threat Landscapes (CTL) [4] and the ENISA National Liaison Officers (NLO) Network.

Cybersecurity attacks continued to increase during the second half of 2021 and 2022, not only in terms of vectors and numbers but also in terms of their impact. The Russia-Ukraine crisis has defined a new era for cyberwarfare and hacktivism, their role, and their impact on conflicts. States and other cyber operations will
very likely adapt to this new state of affairs and take advantage of the novelties and challenges brought about by this war [5]. However, this new paradigm brought by the war has implications for international norms in cyberspace and, more specifically, for state sponsorship of cyberattacks and the targeting of critical civilian infrastructure [5]. Due to the volatile international situation, we expect to observe more cyber operations being driven by geopolitics in the near to mid-term future. The geopolitical situation might trigger cyber operations and potentially damaging cyberattacks [6]. Consequently, a destabilised situation and continued exceedance of thresholds in terms of malicious cyber activity may also lead to more resulting damage.

It is worth noting that in this iteration of the ETL, additional focus was placed on the different kinds of impact cyber threats have on various sectors, including the sectors listed in the Network and Information Security Directive (NISD) and its agreed revision, NIS2. Interesting insights may be drawn from the particularities of each sector when it comes to the threat landscape, as well as from potential interdependencies and areas of significance. The criticality of different sectors is also reflected in relevant policy initiatives, with the recently agreed NIS2 significantly expanding the list of important sectors in the EU. ENISA is working in parallel on developing sectorial threat landscapes, diving deeper into the elements of each sector and providing targeted insight.

The ETL 2022, building on the foundational elements of the ETL 2021, is based on a variety of open-source information and sources of cyber threat intelligence. It identifies major threats, trends and findings, and provides relevant high-level strategies for mitigation. The ETL 2022 has been developed using the officially established ENISA Cybersecurity Threat Landscape Methodology that was published earlier this year [7]. The ENISA CTL Methodology aims to provide a baseline for the transparent and systematic delivery of horizontal, thematic and sectorial cybersecurity threat landscapes, based on a systematic and transparent process for data collection and analysis. In this edition of the ETL, a novel element is the analysis of the vulnerability landscape in tandem with the cybersecurity threat landscape analysis. Moreover, for the first time, an impact analysis of the threats across different sectors and a dedicated analysis of threat actors' motivations give an additional glimpse into the threat landscape. As always, findings are based on the analysis of events and incidents, cross-validated with relevant cyber threat intelligence sources.

1.1 PRIME THREATS

A series of cyber
threats emerged and materialised in the course of 2021 and 2022. Based on the analysis presented in this report, the ENISA Threat Landscape 2022 identifies and focuses on the following eight prime threat groups (see Figure 1). These eight threat groups are highlighted because of their prominence during the reporting period, their popularity and the impact that was due to the materialisation of these threats.

Notes
[4] https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/ad-hoc-working-group-cyber-threat-landscapes
[5] Council on Foreign Relations, Cyber Proxies in the Ukraine Conflict: Implications for International Norms, https://www.cfr.org/blog/cyber-proxies-ukraine-conflict-implications-international-norms
[6] QuoIntelligence, Ransomware is here to stay and other cybersecurity predictions for 2022, https://quointelligence.eu/2022/01/ransomware-and-other-cybersecurity-predictions-for-2022/
[7] https://www.enisa.europa.eu/publications/enisa-threat-landscape-methodology

Ransomware

According to ENISA's Threat Landscape for Ransomware Attacks report [8], ransomware is defined as a type of attack where threat actors take control of a target's assets and demand a ransom in exchange for the return of the assets' availability. This action-agnostic definition is needed to cover the changing ransomware threat landscape, the prevalence of multiple extortion techniques and the various goals, other than solely financial gain, of the perpetrators. Ransomware has been, once more, one of the prime threats during the reporting period, with several high-profile and highly publicised incidents.

Malware

Malware, also referred to as malicious code and malicious logic [9], is an overarching term used to describe any software or firmware intended to perform an unauthorised process that will have an adverse impact on the confidentiality, integrity or availability of a system. Traditionally, examples of malicious code types include viruses, worms, trojan horses or other code-based entities that infect a host. Spyware and some forms of adware are also examples of malicious
code [10]. During this reporting period, we again observed a large number of incidents involving malware. The incidents analysed are mainly focused on EU countries.

Social Engineering

Social engineering encompasses a broad range of activities that attempt to exploit human error or human behaviour with the objective of gaining access to information or services [11]. It uses various forms of manipulation to trick victims into making mistakes or handing over sensitive or secret information. In cybersecurity, social engineering lures users into opening documents, files or e-mails, visiting websites or granting unauthorised persons access to systems or services. Although these tricks can abuse technology, they always rely on a human element to be successful. This threat canvas consists mainly of the following vectors: phishing, spear-phishing, whaling, smishing, vishing, business e-mail compromise (BEC), fraud, impersonation and counterfeiting, which are analysed in the relevant chapter.

Threats against data

Threats against data form a collection of threats that target sources of data with the aim of gaining unauthorised access and disclosure, as well as manipulating data to interfere with the behaviour of systems. These threats are also the basis of many other threats discussed in this report. For instance, ransomware, RDoS (ransom denial of service) and DDoS (distributed denial of service) aim to deny access to data and possibly collect a payment to restore this access. Technically speaking, threats against data can be mainly classified as data breaches and data leaks. A data breach is an intentional attack brought by a cybercriminal with the goal of gaining unauthorised access to, and releasing, sensitive, confidential or protected data. A data leak is an event that causes the unintentional release of sensitive, confidential or protected data due to, for example, misconfigurations, vulnerabilities or human error.

Threats against availability: denial of service

Availability is the target of a plethora of threats and attacks, among which DDoS stands out. DDoS targets system and data availability and, though it is
not a new threat, it has a significant role in the cybersecurity threat landscape [12][13]. Attacks occur when users of a system or service are not able to access relevant data, services or other resources. This can be accomplished by exhausting the service and its resources or by overloading the components of the network infrastructure [14]. During the reporting period, threats against availability and ransomware rank the highest among the prime threats, which signals a change from ETL 2021, where ransomware was clearly at the top.

Notes
[8] ENISA Threat Landscape for Ransomware Attacks, https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomware-attacks
[9] https://csrc.nist.gov/glossary/term/malware
[10] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
[11] https:/
[12] Federal Office for Information Security (BSI), The State of IT Security in Germany, September 2020
[13] Europol, Internet Organised Crime Threat Assessment (IOCTA) 2020, https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020
[14] CISA, Understanding Denial-of-Service Attacks, November 2019, https://www.us-cert.gov/ncas/tips/ST04-015

Threats against availability: internet threats

Internet use and the free flow of information impact the lives of everyone. For many people, access to the internet has become a basic necessity to work, study, exercise freedom of expression and political freedom, and interact socially. This group covers the threats that have an impact on the availability of the internet, such as BGP (Border Gateway Protocol) hijacking. Denial of Service (DoS) is covered in a separate section due to its individual impact on the threat landscape.

Disinformation and misinformation

Disinformation and misinformation campaigns are still on the rise, spurred by the increased use of social media platforms and online media. Digital platforms are nowadays the norm for news and media. Social sites, news and media outlets, even search engines, are now sources of information for many people. Due to the nature of how these sites operate, which is by attracting people and generating traffic to their sites, the information that generates more viewers is usually the one promoted, sometimes without being validated. The war between Russia and Ukraine has shown new ways to use this threat, targeting people's perception of the status of the war and the responsibilities of the parties involved. Various motives underlie the differences between wrong and purposely falsified information. This is where the definitions of misinformation [15] and disinformation [16] come into play.

Supply Chain Attacks

A supply chain attack targets the relationship between organisations and their suppliers [17]. For this ETL report we use the definition stated in the ENISA Threat Landscape for Supply Chain Attacks [18], where an attack is considered to have a supply chain component when it consists of a combination of at least two attacks. For an attack to be classified as a supply chain attack, both the supplier and the customer have to be targets. SolarWinds was one of the first revelations of this kind of attack and showed the potential impact of supply chain attacks. It seems that threat actors are continuing [19] to feed on this source to conduct their operations and gain a foothold within organisations, in an attempt to benefit from the widespread impact and potential victim base of such attacks.

Notes
[15] Misinformation is an unintentional attack, where sharing of information is done inadvertently. The inaccuracy carried by the information is unintentional and could happen, for example, when a journalist reports wrong information in good faith or reports information by mistake. ENISA ETL 2020
[16] Disinformation is an intentional attack that consists of the creation or sharing of false or misleading information. ENISA ETL 2020
[17] https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
[18] ENISA Threat Landscape for Supply Chain Attacks, https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
[19] Accenture Cyber Threat Intelligence Report, https:/

Figure 1: ENISA Threat Landscape 2022 - Prime threats

It should be noted that the aforementioned threats involve categories and refer to collections of different types of threats that have been consolidated into the eight areas mentioned above. Each of the threat categories is further analysed in a dedicated chapter of this
report, which elaborates on its particularities and provides more specific information, findings, trends, attack techniques and mitigation vectors.

1.1 KEY TRENDS

The list below summarises the main trends observed in the cyber threat landscape during the reporting period. These are also reviewed in detail throughout the various chapters that comprise the ENISA Threat Landscape 2022.

- Ransomware and threats against availability rank at the top during the reporting period.
- Resourceful threat actors have utilised 0-day exploits to achieve their operational and strategic goals. The more organisations increase the maturity of their defences and cybersecurity programmes, the more they increase the cost for adversaries, driving them to develop and/or buy 0-day exploits, since defence-in-depth strategies reduce the availability of exploitable vulnerabilities.
- Geopolitics continues to have a strong impact on cyber operations.
- Destructive attacks are a prominent component of the operations of state actors. During the Russia-Ukraine conflict, cyber actors were observed conducting operations in concert with kinetic military action [20].
- Continuous retirements and rebranding of ransomware groups are being used to avoid law enforcement and sanctions.
- The hacker-as-a-service business model is gaining traction, growing since 2021.
- Significant rise in attacks against availability, particularly DDoS, with the ongoing war being the main reason behind such attacks.
- The Pegasus case triggered media coverage and governmental actions, which were then also reflected in other cases concerning surveillance and the targeting of civil society.
- A new wave of hacktivism [21] has been observed, especially since the Russia-Ukraine crisis began.
- Phishing is once again the most common vector for initial access. Advances in the sophistication of phishing, user fatigue and targeted, context-based phishing have led to this rise.
- Extortion techniques are further evolving with the popular use of leak sites.
- Malware is on the rise again after the decrease that was noticed and linked to the COVID-19 pandemic [22].
- Consent phishing: attackers send users links to a legitimate identity provider's consent page for an attacker-controlled application; if the user accepts, that application is granted access tokens and permissions to the user's applications and services, without any password being stolen.
- Data compromise is increasing year on year. The central role of data in our society has produced a sharp increase in the amount of data collected and in the importance of proper data analysis. The price we pay for such importance is a continuous and unstoppable increase in data compromises.
- Machine Learning (ML) models are at the core of modern distributed systems and are increasingly becoming the target of attacks.
- DDoS attacks are getting larger and more complex, are moving towards mobile networks and IoT, and are being used in the context of cyberwarfare.
- State-owned Certificate Authorities (CAs) make it easy to perform HTTPS traffic interception and man-in-the-middle attacks on the state's own citizens, thus putting internet security and privacy at risk.
- Disinformation is a tool in cyberwarfare. It was used even before the physical war started, as a preparatory activity for Russia's invasion of Ukraine.
- AI-enabled disinformation and deepfakes. The proliferation of bots modelling personas can easily disrupt the notice-and-comment rulemaking process, as well as the interaction of the community, by flooding government agencies with fake comments.
- Threat groups have an increased interest and exhibit an increasing capability in supply chain attacks and attacks against Managed Service Providers (MSPs).

Notes
[20] Microsoft Special Report: Ukraine. An overview of Russia's cyberattack activity in Ukraine, https:/
[21] Republic of Estonia Information System Authority, Trends and Challenges in Cyber Security Q1 2022, https://www.ria.ee/en/news/trends-and-challenges-cyber-security-q1-2022.html

1.2 EU PROXIMITY OF PRIME THREATS

An important aspect to consider in the context of the ENISA Threat Landscape is the proximity of a cyber threat with respect to the European Union (EU).
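Of the trends listed in 1.1 above, consent phishing is the one that translates most directly into a check a defender can run on a suspicious link, because the lure is a genuine identity-provider URL whose only tell-tale signs are its query parameters. The following is an added example and not code from the ENISA report: it parses an OAuth 2.0 authorisation link and rates it by whether the requesting client_id is a reviewed application, whether the requested scope includes permissions that give durable access to mail and files, where redirect_uri will deliver the authorisation code or tokens, and whether login_hint pre-fills a target address. The allow-list, the client IDs, the redirect hosts and the three sample links are constructed for the example; the Microsoft Graph permission names are real, but the selection is illustrative and would be tuned per tenant.

```python
"""Triage of OAuth 2.0 authorisation links for consent-phishing risk.

A consent-phishing lure points at the *real* consent page of an identity
provider but names an attacker-registered application (client_id) and asks
for broad, long-lived permissions.  Nothing in the URL is forged, so the
useful signals are: which application is asking, which scopes it asks for,
and where the resulting code or tokens will be sent (redirect_uri).
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Hosts whose authorisation endpoints serve consent prompts.
CONSENT_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Constructed allow-list of client_ids the organisation has reviewed (hypothetical
# value; a real deployment would load it from the tenant's application registry).
KNOWN_CLIENTS = {
    "11111111-1111-1111-1111-111111111111": "Corporate mail client (reviewed)",
}

# Permission names that give an attacker durable access to mail and files.
# These are real Microsoft Graph scope names; the selection is illustrative.
HIGH_RISK_SCOPES = {
    "offline_access",                       # refresh token: access outlives the session
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "User.Read.All", "Directory.Read.All",
}


@dataclass
class Verdict:
    host: str
    client_id: str
    known_client: bool
    scopes: list
    risky_scopes: list
    redirect_host: str
    risk: str                       # "not-oauth", "low", "medium" or "high"
    reasons: list = field(default_factory=list)


def triage_consent_link(url: str) -> Verdict:
    """Parse one link and rate its consent-phishing risk."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    query = parse_qs(parts.query)   # percent-decodes; every value is a list
    client_id = query.get("client_id", [""])[0]

    # Not a consent request at all (ordinary link, or a provider we do not model).
    if host not in CONSENT_HOSTS or not client_id:
        return Verdict(host, client_id, False, [], [], "", "not-oauth",
                       ["no OAuth consent request to a modelled identity provider"])

    scopes = query.get("scope", [""])[0].split()          # scope is space-separated
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).netloc.lower()
    known = client_id in KNOWN_CLIENTS

    reasons = []
    if not known:
        reasons.append(f"client_id {client_id} is not a reviewed application")
    if risky:
        reasons.append("asks for high-value permissions: " + ", ".join(risky))
    if "login_hint" in query:
        # The lure pre-fills the victim's address: a sign of targeting.
        reasons.append(f"login_hint pre-fills {query['login_hint'][0]}")
    if redirect_host:
        reasons.append(f"code/tokens will be delivered to {redirect_host}")

    if known:
        risk = "low"              # approved app, even with broad scopes
    elif risky:
        risk = "high"             # unknown app asking for durable data access
    else:
        risk = "medium"           # unknown app, narrow scopes: still review it
    return Verdict(host, client_id, known, scopes, risky, redirect_host, risk, reasons)


# Constructed sample links (the client_ids and redirect hosts are made up).
LURE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
        "client_id=deadbeef-0000-4000-8000-000000000001&response_type=code"
        "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcallback"
        "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
        "&login_hint=alice%40example.org")
BENIGN = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
          "client_id=11111111-1111-1111-1111-111111111111&response_type=code"
          "&redirect_uri=https%3A%2F%2Fmail.example.org%2Fauth"
          "&scope=openid%20offline_access%20Mail.Read")
PLAIN = "https://example.org/invoice-2022-11.pdf"

if __name__ == "__main__":
    for link in (LURE, BENIGN, PLAIN):
        v = triage_consent_link(link)
        print(f"{v.risk:9s} client={v.client_id or '-'} redirect={v.redirect_host or '-'}")
        for r in v.reasons:
            print("          -", r)
```

The design point is that host reputation will not catch a consent-phishing link, because the host is the identity provider itself: the check has to look at who is asking (client_id), for what (scope, in particular offline_access combined with mail or file scopes) and where the grant goes (redirect_uri). The same fields are recorded in the tenant's consent audit log once a user has clicked, so the same logic serves for after-the-fact review of granted applications.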
Proximity is particularly important in assisting analysts to assess the significance of cyber threats, to correlate them with potential threat actors and vectors, and even to guide the selection of appropriately targeted mitigation vectors. In line with the proposed classification for the EU Common Security and Defence Policy (CSDP) [23], we classify cyber threats into four categories, as illustrated in Table 1.

Table 1: Classification of proximity of cyber threats

NEAR: Affected networks and systems are controlled and assured within EU borders. Affected population is within the borders of the EU.
MID: Networks and systems considered vital for operational objectives within the scope of the EU digital single market and the NISD sectors, but whose control and assurance rely on non-EU institutional, public or private authorities in Member States (MSs). Affected population is in geographical areas close to EU borders.
FAR: Networks and systems that, if influenced, will have a critical impact on operational objectives within the scope of the EU digital single market and the NISD sectors. Control and assurance of those networks and systems lie beyond EU institutional authorities or public or private authorities in MSs. Affected population is in geographical areas far from the EU.
GLOBAL: All the aforementioned areas.

Notes
[22] ENISA Threat Landscape 2021
[23] https://www.europarl.europa.eu/RegData/etudes/STUD/2017/603175/EPRS_STU(2017)603175_EN.pdf

Figure 2 illustrates a time series of incidents related to the categories of prime threats reported in the ETL 2022. It should be noted that the information in the graph is based on OSINT (open-source intelligence) and is the result of work by ENISA in the area of situational awareness [24].

Figure 2: Observed incidents related to major ETL threats (OSINT-based situational awareness) in terms of their proximity

As evidenced by the figure above, 2022 has seen a reduced number of incidents overall compared to 2021. This is partly due to the fact that incident handling and analysis is ongoing and reporting follows, as well as to the open-source nature of information collection in the ETL, which might inadvertently introduce bias in the
results. In particular, though, the category NEAR has a steadily high number of observed incidents related to prime threats, which implies their significance in the context of the EU. This comes as no surprise considering the geopolitical situation in which the EU is involved. Unsurprisingly, the monthly trends (not shown in the figure for brevity) are quite similar among the different classifications, since cybersecurity knows no border and in most cases threats materialise at all levels of proximity.

1.3 PRIME THREATS BY SECTOR

Cyber threats are usually not restricted to any particular sector and in most cases affect more than one. This is indeed true since in many cases the threats manifest themselves by exploiting vulnerabilities in underlying ICT systems that are used in a variety of sectors. However, targeted attacks, attacks exploiting the differences in cybersecurity maturity across sectors, and the popularity or prominence of certain sectors are all factors that need to be considered, particularly when it comes to prioritising targeted mitigating actions. These factors contribute to threats manifesting themselves as incidents in specific sectors, and this is why it is important to look deeply into the sectorial aspects of observed incidents and threats.

Figure 3 and Figure 4 highlight the affected sectors concerning the incidents observed based on OSINT (open-source intelligence) and are a result of work by ENISA in the area of situational awareness [25]. They refer to incidents related to the prime threats of ETL 2022. The sectors have been aligned to the sectors listed in the Network and Information Security Directive [26] (NISD) and the agreed text [27] for its review (NISD 2.0).

Notes
[24] In accordance with the EU Cybersecurity Act, Art. 7, Para. 6, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN
[25] In accordance with the EU Cybersecurity Act, Art. 7, Para. 6, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN
[26] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN
[27] https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2985

Figure 3: Observed incidents related to prime ETL threats in terms of the affected sector

Figure 4: Targeted sectors per number of incidents (July 2021 - June 2022)

During this reporting
period, we again observed a large number of incidents targeting public administration and government, and digital service providers. The latter is to be expected given the horizontal provisioning of services in this sector and thus its impact on many other sectors. We also observed a significant number of incidents targeting end users and not necessarily a particular sector. Interestingly, the finance sector faced a consistent number of incidents throughout the reporting period, with the health sector following close behind.

1.4 IMPACT ASSESSMENT BY SECTOR

In this iteration of ENISA's threat landscape we have included an assessment of the impacts of the incidents that were observed during the reporting period. With this qualitative process of impact analysis, ENISA seeks to identify the consequences of a disruptive cyber incident by defining five types of potential impact and assigning respective levels or degrees of impact, i.e. high, medium, low or unknown. Because information related to the impact of a cybersecurity attack is often not available or not made public, for obvious reasons, determining and assessing the effect following an incident entails a level of assumption in which a certain degree of subjectivity cannot be avoided. This in itself makes the argument for improving the process of incident reporting in the EU, an aspect that is reflected in the NIS 2 Directive and an area where ENISA will continue its efforts in the coming years.

In the context of this ETL, we defined the following types of impact.

- Reputational impact refers to the potential for negative publicity or an adverse public perception of the entity that has been the victim of a cyber incident.
- Digital impact refers to damaged or unavailable systems, corrupted data files or exfiltration of data.
- Economic impact refers to the direct financial loss incurred, the damage to national security that can be caused by the loss of important material, or a ransom requested.
- Physical impact refers to any kind of injury or harm to employees, customers or patients.
- Social impact refers to any effect on the general public or a widespread disruption that could have an impact on society (e.g. incidents disrupting the national health system of a country).

The incidents collected were classified according to these five types of impact by applying internal ENISA experience and expertise. One of the highlights that emerged from the analysis is that in most of the incidents or cases the impact remained unknown, either because the victims were not clear about the level or type of impact that affected their organisations or because they were not willing to disclose this
113、 kind of information due to a worry about the cascading impact that this could have to their reputation.This lack of reliable data from the targeted organisations makes it very hard to fully understand the situation.Once again,the significance of incident reporting and sharing of information concern
114、ing cybersecurity incidents emerges.The accurate understanding of the cybersecurity threat landscape and situational awareness in general,rely on timely and reliable incident reporting information.In Figure 5 it can be observed,according to the analysis,that the Public Administration sector was impa
115、cted the most when it was the target of a cyberattack.This is probably due to a loss of trust in the targeted entity.The second sector that was most hit by incidents with a high impact on its reputation was the Finance sector.Figure 5 Reputational impact by sector Digital impact(Figure 6)was in most
116、 sectors set to medium to low with the exception of the Public administration,Finance and Digital Service Providers which showed incidents with high impacts.The cause for this was usually a ransomware incident.ENISA THREAT LANDSCAPE 2022 NOVEMBER 2022 16 Figure 6 Digital impact by sector When talkin
117、g about economic losses(Figure 7),it was observed that the Public Administration and Finance sectors had some of the highest impacts.This can be tied to many breaches related to stealing banking data or details and many breaches regarding personal data,in conjunction with the public sector also bein
118、g the primary target of ransomware attacks this year.Figure 7 Economic impact by sector ENISA THREAT LANDSCAPE 2022 NOVEMBER 2022 17 Physical impact(Figure 8)remains the most unknown impact due to the lack of published information or available reliable data.Figure 8 Physical impact by sector The Pub
119、lic Administration sector was the one with the highest number of incidents with regards to social impact,which in most cases concerned either the disruption of services or breaches of personal data.In addition,it was observed that the Health sector also had a large number of high impact incidents,du
120、e to cases of either sensitive data being breached or Health services such as the appointment of bookings being unavailable.ENISA THREAT LANDSCAPE 2022 NOVEMBER 2022 18 Figure 9 Social Impact by sector 1.5 PRIME THREATS BY MOTIVATION Understanding the enemy and the motivation behind a cybersecurity
121、incident or targeted attack is important because it can determine what an adversary is after.Knowing the motives can help organisations determine and prioritise what to protect and how to protect it.It also provides an idea of the attackers intent and helps entities focus their efforts in defence on
122、 the most likely attack scenario for any particular asset.For all the above reasons,ETL 2022 has been expanded to include an assessment of the motivation behind the incidents observed during the reporting period.For this purpose,four different kinds of motivation have been defined that can be linked
123、 to threat actors:Monetisation:any financially related action(carried out by cybercrime groups);Geopolitics/Espionage:gaining information on IP(Intellectual Property),sensitive data,classified data(mostly executed by state sponsored groups);Geopolitics/Disruption:any disruptive action done in the na
124、me of geopolitics(mostly carried out by state sponsored groups);Ideological:any action backed up with an ideology behind it(such as hactivism).We can observe that in most cases the prime threats fall under one or more motivations quite evenly.Ransomware though is done purely for financial gain.ENISA
Figure 10 Motivation of threat actors per threat category

1.6 METHODOLOGY

The ENISA Cybersecurity Threat Landscape (CTL) methodology [28] was used to produce the ETL 2022 report. The methodology was published in July 2022. By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency sets a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes.

The ENISA Threat Landscape (ETL) 2022 report is based on information from open sources, mainly of a strategic nature, and on ENISA's own Cyber Threat Intelligence (CTI) capabilities. It covers more than one sector, technology and context. The report aims to be industry and vendor agnostic. It references or cites the work of various security researchers, security blogs and news media articles throughout the text in multiple footnotes to validate findings and statements. The time span of the ETL 2022 report is July 2021 to June 2022 and is referred to as the reporting period throughout the report.

During the reporting period, ENISA gathered a list of major incidents as they appeared in open sources through situational awareness. This list serves as the foundation for identifying the list of prime threats and as the source material for several trends and statistics in the report. Subsequently, in-depth desk research of available literature from open sources such as news media articles, expert opinion, intelligence reports, incident analysis and security research reports was conducted by ENISA and external experts. Note that many intelligence and research reports report on the basis of a January to December year, contrary to the ETL 2022 reporting period, which is from July to June. Through continuous analysis, ENISA derived trends and points of interest. The key findings and judgements in this assessment are based on multiple, publicly available resources, which are provided in the references used for the development of this document.

[28] ENISA Cybersecurity Threat Landscape (CTL) methodology, July 2022 - https://www.enisa.europa.eu/publications/enisa-threat-landscape-methodology

Within the report, we differentiate between what has been reported by our sources and what is our assessment. When conducting an assessment, we convey probability by using words that express an estimate of probability [29]. When we refer to threat actors in this report we use the naming convention used by the company revealing the campaign, as well as a number of synonyms [30] commonly used in the industry.

1.7 STRUCTURE OF THE REPORT

The ENISA Threat Landscape (ETL) 2022 has maintained the core structure of previous ETL reports for highlighting the prime cybersecurity threats in 2022. Readers of past iterations will notice that the threat categories have been consolidated in line with a move towards a new cybersecurity threat taxonomy to be used in the future.

This report is structured as follows. Chapter 2 explores the trends related to threat actors (i.e. state-sponsored actors, cybercrime actors, hacker-for-hire actors and hacktivists). Chapter 3 discusses major findings, incidents and trends regarding ransomware. Chapter 4 presents major findings, incidents and trends regarding malware. Chapter 5 describes major findings, incidents and trends regarding social engineering. Chapter 6 highlights major findings, incidents and trends regarding threats against data (data breach, data leak). Chapter 7 discusses major findings, incidents and trends regarding threats against availability (denial of service). Chapter 8 presents major findings, incidents and trends regarding threats against availability (internet threats). Chapter 9 underlines the importance of hybrid threats and describes major findings, incidents and trends regarding disinformation and misinformation. Chapter 10 focuses on major findings, incidents and trends regarding supply chain attacks. Annex A presents the techniques commonly used for each threat, based on the MITRE ATT&CK framework. Annex B includes notable incidents per threat, as observed during the reporting period. Annex C includes a CVE landscape, as observed during the reporting period. Annex D presents recommendations and security controls that might add to the mitigation of the threats.

[29] MISP estimative language - https://www.misp-project.org/taxonomies.html#_estimative_language
[30] MISP Galaxies and Clusters - https://

2. THREAT ACTOR TRENDS

Cyber threat actors are an integral component of the threat landscape. They are entities aiming to carry out a malicious act by taking advantage of existing vulnerabilities with the intent to harm their victims. Understanding how threat actors think and act, and their motivations and goals, is essential for more robust cyber threat management and incident response. Monitoring the latest developments concerning the tactics and techniques used by threat actors to achieve their objectives, and staying up to date with the long-term trends in motivations and targets, is crucial for an efficient defence in today's cybersecurity ecosystem. Moreover, understanding the trends related to threat actors, their motivations and their targets assists greatly in planning cybersecurity defences and mitigation strategies. It is an integral part of the overall threat assessment since it allows security controls to be prioritised and a dedicated strategy to be based on potential impact and the likelihood that threats will materialise. Not understanding threat actors and how they operate creates a significant knowledge gap in cybersecurity, because analysing threats without considering the motivations and goals may lead to inefficient defences or, in some cases, to not being able to protect at all.

In this section, we explore the trends related to threat actors. This assessment does not provide an exhaustive list of all trends during the reporting period but rather a high-level view of the significant trends observed at a strategic level. We focus on the motives of threat actors, their impact, and their targeting. Their evolution is also assessed. For the ETL 2022, we consider once more the following four categories of cybersecurity threat actors:

- State-sponsored actors
- Cybercrime actors
- Hacker-for-hire actors
- Hacktivists.

The list of potential threat actors is extensive and encompasses other categories, such as insider actors. The focus on the above four categories does not imply that other categories of threat actors are deemed of lesser significance. The focus on the four selected categories of threat actors is based on their relative prominence during the ETL 2022 reporting period.

2.1 STATE-SPONSORED ACTOR TRENDS

Increased exploitation of 0-day and other critical vulnerabilities.

According to public reporting, exploitation of vulnerabilities was the most frequently identified vector [31] of intrusions while, during 2021, the number of disclosed 0-day exploits reached an all-time high of sixty-six (66) [32].

During the reporting period, state-sponsored actors exploited many critical vulnerabilities [31] in the wild, some of which were against Microsoft [33][34][35][36], Pulse Secure VPN appliances [37], Atlassian Confluence [38], F5 BIG-IP devices [39], Fortinet appliances [33][44], and Apache's Log4j utility [40][41][42]. Moreover, we have observed state-sponsored threat actors targeting small office or home office routers worldwide and using this compromised infrastructure for their cyber operations while hindering defenders' efforts [43][44]. We have also observed the replacement of Sandworm's VPNFilter malware with Cyclops Blink for targeting WatchGuard firewall devices and ASUS routers [45][46].

Although the topic of 0-day vulnerabilities is not new, we would like to highlight the significant increase in 0-day disclosures during the reporting period. The factors that contributed to the increased number of disclosed 0-day vulnerabilities include the following [47][48][51].

- The growing need for more software solutions provides a bigger surface and more opportunities for researching and exploiting vulnerabilities.
- It is likely that nation-state actors have to use 0-day exploits to accomplish their goals due to the maturing security posture of their targets and the security technologies they use [51].
- Nation-state threat actors increasingly dedicate resources to 0-day research and the development of exploits. We have observed that sometimes these efforts can also lead to policy decisions, e.g. a new law in China requires vendors to report 0-day vulnerabilities to the government [49][50].
- Another possibility is the increased focus on the supply chain by nation-state actors, which likely encourages research into the vulnerability of widely used software technologies. Thus, by exploiting one 0-day vulnerability, the threat actors can get initial access to multiple targets. Google, Microsoft, Apple, and Adobe products are indicatively some of the prime targets for such 0-day vulnerabilities [51].
- The Access-as-a-Service market has matured and been professionalised, offering services such as vulnerability research, exploitation, and malware payload development (among others) [52].
- Threat hunting and vulnerability research programmes are maturing and developing more capabilities to detect 0-day exploitation in the wild.
- Through security bulletins, more vendors have started to disclose the 0-day vulnerabilities of their software that were exploited in the wild. The same happens for security researchers that publicly disclosed 0-day vulnerabilities before the vendors' patches (especially if there was exploitation in the wild and no vendor patch).
- Vulnerability developers have more opportunities to get financial rewards for their 0-day exploitation work. One can make money from 0-day exploits usually through hacking contests, e.g. Tianfu Cup and Pwn2Own, or the underground marketplaces.

[31] Mandiant M-Trends 2022 - https://
[32] Trend Micro Security Prediction for 2022 - https://
[33] CISA - Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities - https://www.cisa.gov/uscert/ncas/alerts/aa21-321a
[34] CISA - FBI-Joint Advisory on Compromise of Microsoft Exchange Server - https://www.cisa.gov/uscert/ncas/current-activity/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server
[35] CISA - Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and PrintNightmare Vulnerability - https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
[36] Security Affairs - Another nation-state actor exploits Microsoft Follina to attack European and US entities - https://securityaffairs.co/wordpress/131992/apt/nation-state-actors-follina-exploits.html
[37] CISA - Exploitation of Pulse Connect Secure Vulnerabilities - https://www.cisa.gov/uscert/ncas/alerts/aa21-110a
[38] The Record - Microsoft: Ransomware groups, nation-states exploiting Atlassian Confluence vulnerability - https://therecord.media/microsoft-ransomware-groups-nation-states-exploiting-atlassian-confluence-vulnerability/
[39] CISA - Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 - https://www.cisa.gov/uscert/ncas/alerts/aa22-138a
[40] Bleeping Computer - Log4j vulnerability now used by state-backed hackers, access brokers - https://
[41] CERT-EU - Threat Landscape Report 2021 Q4 - Executive Summary - https://media.cert.europa.eu/static/MEMO/2021/TLP-WHITE-2021Q4-Threat_Landscape_Report-Executive-Summary-v1.0.pdf
[42] CrowdStrike 2022 Global Threat Report - https://
[43] Microsoft Digital Defense Report - https://
[44] CISA - People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices - https://www.cisa.gov/uscert/ncas/alerts/aa22-158a
[45] CISA - New Sandworm Malware Cyclops Blink Replaces VPNFilter - https://www.cisa.gov/uscert/ncas/alerts/aa22-054a
[46] US Department of Justice - Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate (GRU) - https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
[47] PwC Cyber Threats 2021: A Year in Retrospect - https://
[48] eSentire - The State of Zero-Day Attacks in 2021 - https://
[49] The Hacker News - China's New Law Requires Vendors to Report Zero-Day Bugs to Government - https://
[50] CERT-EU - Threat Landscape Report 2021 Q3 - Executive Summary - https://media.cert.europa.eu/static/MEMO/2021/TLP-WHITE-2021Q3-Threat_Landscape_Report-Executive-Summary-v1.0.pdf
[51] Google TAG - How we protect users from 0-day attacks - https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
[52] Atlantic Council - Countering cyber proliferation: Zeroing in on Access-as-a-Service - https://www.atlanticcouncil.org/in-depth-research-reports/report/countering-cyber-proliferation-zeroing-in-on-access-as-a-service/

Heightened risk for Operational Technology networks.

In ETL 2021, our assessment was that the interest of state actors in targeting critical infrastructure and Operational Technology (OT) networks would certainly grow in the near future. Throughout the reporting period, our assessment held valid as cyber operations targeting such infrastructure, primarily for the collection of intelligence, the deployment of newly observed ICS-targeting malware, and disruption, were all observed. According to public reports, three new activity groups (out of 18 in total) have been identified as showing intent or capability to target OT networks [53], namely KOSTOVITE, PETROVITE, and ERYTHRITE. In general, adversaries are willing to dedicate time and resources to compromising their targets to harvest information on the OT networks for future purposes. Currently, most adversaries in this space prioritise pre-positioning and information gathering over disruption as strategic objectives [53].

We also observed two new additions to the short list of ICS-capable malware: Industroyer2 [54] and INCONTROLLER [55][56] (also known as PIPEDREAM [57]). ICS-specific malware is rare, and Industroyer2 and INCONTROLLER are the sixth and seventh known ICS malware, respectively, following Stuxnet [58], Havex [59], BlackEnergy2 [60], CrashOverride [61] or Industroyer [62], and Trisis or Triton [63][64][65][53]. Industroyer2 was detected while analysing an attack against a Ukrainian energy company with the intent to cut power in a Ukrainian region during the Russia-Ukraine crisis. The perpetrator of this attack is assessed to be the state-sponsored threat group Sandworm [54]. INCONTROLLER is very likely a state-sponsored malware (based on the resources needed for development and research) focused on disruption, sabotage, and potential destruction. In our assessment, state-backed threat actors will step up their reconnaissance against OT networks, develop capabilities and increasingly target them for the foreseeable future, especially during times of crisis and armed conflict. We assess that state-backed actors interested in targeting OT networks will continue dedicating resources and developing extensible ICS malware frameworks because of their modularity and capability in targeting multiple victims and equipment used across multiple industries [66].

Destructive attacks as a prominent component of state actors' operations.

During the Russia-Ukraine conflict, it was observed that cyber actors were conducting operations in concert with kinetic military action [67]. Part of these operations included the widespread use of wiper attacks [68] to destroy and disrupt the networks of governmental agencies and critical infrastructure entities. The intentions of the threat actors in using wiper malware are predominantly to degrade the functioning of the targeted entities but also to undermine public trust in the country's leadership, spread FUD (fear, uncertainty, and doubt), and facilitate disinformation operations.

[53] Dragos 2021 ICS/OT Cybersecurity Year in Review - https://
[54] ESET - Industroyer2: Industroyer reloaded - https://
[55] CISA - APT Cyber Tools Targeting ICS/SCADA Devices - https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
[56] Mandiant - INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems - https://
[57] Dragos - CHERNOVITE's PIPEDREAM Malware Targeting Industrial Control Systems (ICS) - https://
[58] Wired - An Unprecedented Look at Stuxnet, the World's First Digital Weapon - https://
[59] Palo Alto Unit 42 - Why Havex Is a Game-Changing Threat to Industrial Control Systems - https://unit42.paloaltonetworks.c
[60] Dragos - The Evolution of Cyber Attacks on Electric Operations - https://
[61] Dragos - CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations - https://
[62] ESET - Industroyer: Biggest malware threat to critical infrastructure since Stuxnet - https://
[63] Dragos - TRISIS Malware: Analysis of Safety System Targeted Malware - https://
[64] Mandiant - Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure - https://
[65] Dragos - PIPEDREAM: CHERNOVITE'S EMERGING MALWARE TARGETING INDUSTRIAL CONTROL SYSTEMS - https://
[66] Mandiant - INDUSTROYER.V2: Old Malware Learns New Tricks - https://
[67] Microsoft Special Report: Ukraine - An overview of Russia's cyberattack activity in Ukraine - https://
[68] Max Smeets - Wipers - https://
As of the time of writing, state-sponsored threat actors have deployed nine wiper malware families: WhisperGate [69] or WhisperKill, HermeticWiper [70], CaddyWiper [71], DesertBlade [72], AcidRain [73], Industroyer2 [54], IsaacWiper [74], and DoubleZero [75]. Apart from the sheer number of distinct wiper malware families observed, the tempo of these operations was also relatively high. From 23 February 2022 to 8 April 2022, Microsoft reported that they saw 40 discrete destructive attacks targeting hundreds of systems in dozens of Ukrainian organisations [67]. An interesting observation was the targeting of satellite communications, in which the AcidRain wiper malware was used. The EU [76], US [77], and the UK [78] (among others [79]) formally pointed at Russia for hacking Viasat (a commercial satellite communication company) before the Ukraine invasion. The impact of this attack was particularly observed in Ukraine as Viasat satellite modems were not functioning. There was also spill-over across central Europe as wind farms were disrupted [80] and satellite internet connectivity was impacted.

It is our assessment that destructive or disruptive operations by state-backed actors will certainly continue as the conflict goes on. Within Ukraine, the prime targets include the government and military networks and, from the perspective of critical infrastructure, the energy and communications sectors. Further disruptive operations could potentially spill over to other countries. Furthermore, it is our assessment that Western or NATO allies (especially critical infrastructure entities [81]) will likely be targeted as part of retaliatory actions in response to the sanctions imposed on Russia and the support provided to Ukraine [82]. There is a possibility that some pro-Russia cybercrime ransomware groups will be coordinated to conduct destructive operations against western organisations. Finally, state-sponsored groups may leverage existing ransomware variants to disguise their operations in order to generate plausible deniability of their activities [83].

Public attribution and legal actions continue.

Last year in ETL 2021, we highlighted the trend of governments stepping up their game to disrupt, name and shame, and take legal action against state-sponsored threat actors. During the reporting period, many significant events took place involving state-sponsored actors.

- A Venezuelan was charged for using and selling ransomware associated with Iran [84]. This indictment provides an indication of the interest of state-backed actors in leveraging ransomware (and buying this capability) to achieve their strategic goals [85], although this aspect needs to be further examined.
- The USA charged four operators of the state-sponsored threat group APT40 [86].
- Ukraine's Security Service (SBU) indicted three operators of the group Gamaredon [87].
- Two Iranians were charged with carrying out cyber campaigns and influence operations related to the 2020 US Presidential election [88].
- The US Department of the Treasury sanctioned the Blender cryptocurrency mixer service after it laundered crypto for the state-sponsored Lazarus threat group [89].
- Four Russians were charged with participating in the Triton and Dragonfly cyber operations against critical infrastructure [90].
- UC Berkeley's Human Rights Centre sent a formal request to the Office of the Prosecutor for the International Criminal Court in The Hague to prosecute the Sandworm threat group on charges of war crimes for its involvement in shutting off power in Ukraine during 2015 and 2016 [91].
- The FBI shut down a botnet named Cyclops Blink, controlled by Russia's military intelligence service (GRU) [92].
- The EU and US allies formally attributed the cyberattack against the commercial satellite company Viasat to Russia [93][94].
- The EU and Member States have strongly condemned the cyberattacks against Ukraine [95] and the Distributed Denial of Service (DDoS) attacks against several Member States of the EU [96].
- The Attorney General has issued an arrest warrant for a hacker of the state-sponsored APT28 group [97]. The adversary conducted cyber espionage against a NATO think tank in 2017.

In our view, as cyber operations have become a priority for governments, we will certainly observe increased efforts by them in the public attribution of cyber campaigns, the disruption of the infrastructure of adversaries, and indictments to name and shame operators [6]. It is also our assessment that more states will likely continue to take legal actions against threat actors in this area in the near to mid-term future. On the other hand, it is still unclear how these activities will deter highly sophisticated and determined state-backed threat actors in the long term. A good example is the state-sponsored threat group APT41, which had seven of its operators indicted by the US Department of Justice and part of its infrastructure seized on 7 September 2020 [98]. However, the group set up new infrastructure and continued its operations from late 2021 until mid-2022 [47]. Another example is the threat group APT40, which kept advertising for new recruits despite its indictment by the FBI [99]. These

[69] CISA - Update: Destructive Malware Targeting Organizations in Ukraine - https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
[70] Sentinel LABS - HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine - https://
[71] ESET - CaddyWiper: New wiper malware discovered in Ukraine - https://
[72] Microsoft - Cyber threat activity in Ukraine: analysis and resources - https://msrc-
[73] Sentinel LABS - AcidRain | A Modem Wiper Rains Down on Europe - https://
[74] ESET - IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine - https://
[75] Security Affairs - Ukrainian enterprises hit with the DoubleZero wiper - https://securityaffairs.co/wordpress/129417/malware/doublezero-wiper-hit-ukraine.html
[76] European Council - Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union - https://www.consilium.europa.eu/en/press/press-releases/2022/05/10/russian-cyber-operations-against-ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union/
[77] U.S. Department of State - Attribution of Russia's Malicious Cyber Activity Against Ukraine - https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/
[78] GOV.UK - Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion - https://www.gov.uk/government/news/russia-behind-cyber-attack-with-europe-wide-impact-an-hour-before-ukraine-invasion
[79] Washington Post - U.S. allies blame Russia for a cyberattack early in its Ukraine invasion - https://
[80] Reuters - Satellite outage knocks out thousands of Enercon's wind turbines - https://
[81] CISA - Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure - https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
[82] IT World Canada - Canadian, US, UK sanctions may spark retaliatory cyberattacks on Western critical infrastructure - https://
[83] The Hacker News - State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks - https://
[84] U.S. Department of Justice - Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals - https://www.justice.gov/usao-edny/pr/hacker-and-ransomware-designer-charged-use-and-sale-ransomware-and-profit-sharing
[85] The Institute for National Security Studies - Iranian Cyber Influence Operations against Israel Disguised as Ransomware Attacks - https://www.inss.org.il/publication/cyber-iran/
[86] U.S. Department of Justice - Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research - https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion
[87] Kyiv Post - SBU unveils names of Russian hackers attacking Ukraine since 2014 - https://
[88] U.S. Department of Justice - Two Iranian Nationals Charged for Cyber-Enabled Disinformation and Threat Campaign Designed to Influence the 2020 U.S. Presidential Election - https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-enabled-disinformation-and-threat-campaign-designed
[89] U.S. Department of Treasury - Cyber-related Designation; North Korea Designation Update - https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220506
[90] U.S. Department of Justice - Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide - https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical
[91] Wired - The Case for War Crimes Charges Against Russia's Sandworm Hackers - https://
[92] U.S. Department of Justice - Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate (GRU) - https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
[93] Council of the EU - Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union - https://www.consilium.europa.eu/en/press/press-releases/2022/05/10/russian-cyber-operations-against-ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union/
[94] Washington Post - U.S. allies blame Russia for a cyberattack early in its Ukraine invasion - https://
[95] Council of the EU - Ukraine: Declaration by the High Representative on behalf of the European Union on the cyberattack against Ukraine - https://www.consilium.europa.eu/en/press/press-releases/2022/01/14/ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union-on-the-cyberattack-against-ukraine/
[96] Council of the EU - Declaration by the High Representative on behalf of the European Uni
217、he cyberattack against Ukraine-https:/www.consilium.europa.eu/en/press/press-releases/2022/01/14/ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union-on-the-cyberattack-against-ukraine/96 Council of the EU-Declaration by the High Representative on behalf of the European Uni
218、on on malicious cyber activities conducted by hackers and hacker groups in the context of Russias aggression against Ukraine-https:/www.consilium.europa.eu/en/press/press-releases/2022/07/19/declaration-by-the-high-representative-on-behalf-of-the-european-union-on-malicious-cyber-activities-conducte
219、d-by-hackers-and-hacker-groups-in-the-context-of-russia-s-aggression-against-ukraine/97 Security Affairs-Russian APT28 hacker accused of the NATO think tank hack in Germany-https:/securityaffairs.co/wordpress/132452/hacking/apt28-hacked-nato-think-tank.html 98 U.S.Department of Justice-Seven Interna
220、tional Cyber Defendants,Including Apt41 Actors,Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally-https:/www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer 99 Financial Times-Chinese hackers kept
221、up hiring drive despite FBI indictment-https:/ Please use footnotes for providing additional or explanatory information and/or relevant links.References should be listed in a dedicated section.Use only the function References/Insert Footnote ENISA THREAT LANDSCAPE 2022 NOVEMBER 2022 27 examples indi
222、cate that sometimes the indictments of the operators of a threat group may not have a significant impact on the(cyber)operations of that threat group139 and further coordinated actions are encouraged.State-backed threat actors increasingly focus on supply chain compromises.Supply chain compromises a
223、ccounted for 17%(or up to 62%according to other sources100)of the intrusions in 2021 compared to less than 1%during 202031.Since the revelation of the SolarWinds supply chain campaign in December 2020,state-backed threat actors have realised the potential and have increasingly targeted third parties
224、 to expand their cyber operations downstream to their clients.Cloud Service Providers(CSPs),Managed Services Providers(MSPs),and IT services organisations are prime targets for threat actors to exploit their trust relationships to conduct nefarious operations101.The NOBELIUM activity group consisten
225、tly targeted service providers and their downstream customers.At the same time,threat actors targeted over 40 IT services companies(primarily based in India)to access their clients networks102.In our assessment state-backed threat actors will certainly further develop their toolsets to target and co
226、mpromise supply chains103 as indirect vectors to achieve their objectives.Software supply chain attacks(e.g.open-source software development libraries,popular software packages,software platform compromises,etc.)will very likely be leveraged by well-funded state-backed groups to get a foothold in th
227、e networks of hundreds of victims 143 Geopolitics continue to influence cyber operations.As mentioned in ETL 2021,geopolitics is one of the key driver for collecting intelligence through cyber operations.It was observed that targeting increases consistently with increasing geopolitical tensions 47.A
228、ccording to public reports,several cyber operations have been observed against Ukrainian entities by state-backed groups due to the ongoing armed conflict43.These threat groups focused on initial access operations and collection of intelligence that would give military forces any tactical or strateg
229、ic advantage.State-sponsored threat actors have also targeted 128 governmental organisations in 42 countries that support Ukraine(The USA,The EU,Poland,countries bordering Russia,and NATO members were prioritised)104.Security researchers believe there is a direct link between a countys 5-Year Plan10
230、5 and the targets of state-sponsored threat groups31.These threat groups are reportedly tasked with collecting intelligence on investments,negotiations,and influence related to the Belt and Road Initiative43.During the reporting period,state-sponsored threat actors have been observed targeting entit
231、ies from countries in Southeast Asia,Japan106,Australia107 and Taiwan108.Due to increased tensions between specific countries in the Asian Region,an interesting observation is that state-sponsored threat actors have targeted countries(including Member States of the EU)that had established closer tie
232、s with Taiwan109.Another interesting development is that some threat actors targeted Ukrainian110 and Russian111 entities during the early days of the conflict,likely for the collection of intelligence.100 Verizon 2022 DBIR -https:/ CISA,NSA,FBI-CISA,NSA,FBI AND INTERNATIONAL CYBER AUTHORITIES ISSUE
233、 CYBERSECURITY ADVISORY TO PROTECT MANAGED SERVICE PROVIDERS(MSP)AND CUSTOMERS-https:/www.cisa.gov/news/2022/05/11/joint-cybersecurity-advisory-protect-msp-providers-and-customers 102 Microsoft-Iranian targeting of IT sector on the rise-https:/ Microsoft-NOBELIUM targeting delegated administrative p
234、rivileges to facilitate broader attacks-https:/ Microsoft-Defending Ukraine:Early Lessons from the Cyber War-https:/ DIGICHINA-Translation:14th Five-Year Plan for National Informatization Dec.2021-https:/digichina.stanford.edu/work/translation-14th-five-year-plan-for-national-informatization-dec-202
235、1/106 Ministry of Foreign Affairs of Japan-Cases of cyberattacks including those by a group known as APT40 which the Chinese government is behind(Statement by Press Secretary YOSHIDA Tomoyuki)-https:/www.mofa.go.jp/press/danwa/press6e_000312.html 107 The Hacker News-A Decade-Long Chinese Espionage C
236、ampaign Targets Southeast Asia and Australia -https:/ 108 The Record-Chinese hackers linked to months-long attack on Taiwanese financial sector-https:/therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/109 State Security department of the Republic of Lithuania
237、-NATIONAL THREAT ASSESSMENT 2022-https:/www.vsd.lt/wp-content/uploads/2022/04/ANGL-el-_.pdf 110 BBC-Mystery of alleged Chinese hack on eve of Ukraine invasion-https:/ 111 CheckPoint-Twisted Panda:Chinese APT espionage operation against Russians state-owned defense institutes-https:/ use footnotes fo
238、r providing additional or explanatory information and/or relevant links.References should be listed in a dedicated section.Use only the function References/Insert Footnote ENISA THREAT LANDSCAPE 2022 NOVEMBER 2022 28 Additionally,threat actors have reportedly targeted entities in the Middle Eastern
area as tensions have escalated between various countries. These actors widely adopted ransomware [43] and lock-and-leak [47] information operations, and they mainly targeted organisations in Israel and the USA, and in the Middle East and North Africa regions. The cyber operations between these countries in the Middle Eastern area had reached such a scale that they also affected civilians [112]. Cyber operations reportedly targeted South Korean, US, European and Japanese entities [43]. The threat actors strongly focused on collecting diplomatic and geopolitical intelligence, likely driven by their state's requirements related to the sanctions imposed on it [43]. In this particular case, another main driver for its cyber operations is the acquisition of financial resources, primarily through crypto heists [113]. Due to the volatile international situation, we expect to observe more cyber operations being driven by geopolitics in the near to mid-term. The geopolitical situation in areas like the Middle East, the Eastern Mediterranean, the Arctic region, the Baltics, Afghanistan, Yemen, Syria and Libya might trigger cyber operations and potentially damaging cyber-attacks [181]. It nonetheless needs to be clarified that the cyber operations triggered by the geopolitical situation in Ukraine have a bigger potential, relevance and connection to the EU. Finally, during the reporting period, we also observed cyber campaigns from threat groups that reportedly had connections with an increasing number of states, such as Vietnam, Turkey, Pakistan, India, Ukraine, Belarus and others [114]. We expect to see more and more states deploying their cyber capabilities for the collection of intelligence, especially in times of increased tensions or conflict.

Armies of cyber volunteers?
The armed conflict in Ukraine mobilised many hacktivist, cybercrime and nation-state groups [115]. The case of the IT Army of Ukraine [116] is a unique one that is difficult to categorise; it could be considered a hacktivist group of volunteers, a state-backed group or a hybrid of the two. As of the time of writing, the cyber security community has not reached a consensus. The IT Army of Ukraine will definitely feed future scholars in cyber warfare studies, and it might highlight a trend in future conflicts. On 26 February 2022, Ukraine's deputy prime minister and minister for digital transformation announced the creation of Ukraine's IT Army [117]. The announcement was a call for volunteers whose actions on the cyber front were coordinated through a Telegram channel (the channel had 300,000 subscribers) [118]. Ukraine's IT Army managed to target various entities and conducted mostly coordinated Distributed Denial of Service (DDoS) attacks, but was not limited to such attacks [119][293]. At the time of the Russian invasion, Ukraine had no military cyber command unit [120]. Based on the model of Estonia's Cyber Defence League [121], as well as out of necessity, Ukraine managed to create a hybrid entity that is quite difficult to categorise, as it is comprised of Ukrainian and international civilians, private companies, as well as Ukrainian defence and military personnel. It is not a civilian, military, public, private, local or international entity [122]. Moreover, it raises topics for discussion related to international law in cyberspace, state cyber norms, the targeting of civilian infrastructure and the ethics of private companies [122]. It is our assessment that state actors will likely adopt the structure and setup of the IT Army of Ukraine as a blueprint for non-state participation in future conflicts [122][132] (especially states that lack an organised military cyber command unit). It is also likely that these crowdsourced cyber armies will incorporate a non-public side, which will further complicate their structure, operational conduct and analysis by the cyber community, scholars and cyber warfare analysts.

[112] The New York Times - Israel and Iran Broaden Cyberwar to Attack Civilian Targets - https:/
[113] Mandiant - Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations - https:/
[114] Mandiant - UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests - https:/
[115] Cyberknow - Update 15.2022 Russia-Ukraine war Cyber group tracker, June 13 - https:/
[116] CFR - Ukrainian IT Army - https://www.cfr.org/cyber-operations/ukrainian-it-army
[117] Twitter - Mykhailo Fedorov - https:/
[118] Telegram - itarmyofukraine2022 - https://t.me/itarmyofukraine2022
[119] CrowdStrike - Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack - https:/
[120] Foreign Policy - Don't Underestimate Ukraine's Volunteer Hackers - https:/
[121] KAITSELIIT - Estonian Defence League's Cyber Unit - https://www.kaitseliit.ee/en/cyber-unit

Tech companies' increasing defensive role in cyber operations during conflicts.
During the Russian invasion of Ukraine, it was observed for the first time that some big technology companies were taking sides and supporting Ukraine on the cyber war front [132][123]. The most prominent example is Microsoft, which provided support to Ukrainian cybersecurity officials to tackle the FoxBlade malware [124], as well as awareness and intelligence reports on Russian cyber operations [125][126]. Microsoft and AWS have been awarded the Peace Prize by the President of Ukraine, Volodymyr Zelenskyy [127]. We would like to emphasise that this trend is interesting but also challenging to assess. Currently, the long-term consequences of such a strong alignment with one side of the conflict are not well understood [132]. Moreover, discussions are
being raised about the role and responsibilities of private companies in future cyber operations during conflicts (e.g. should tech companies take on the burden of defence? [132]).

Increasing sophistication and scope of disinformation [43].
Several state-backed actors have built the capability to use social media platforms, search engines and messaging services to disseminate disinformation. Their approach differs from traditional disinformation campaigns, since these services provide out-of-the-box tools to test and optimise content and to monitor the reach and impact of disinformation campaigns [43]. Moreover, developments in Machine Learning (ML), Artificial Intelligence (AI), deep fakes and voice biometrics have provided threat actors with powerful tools to create misleading content for their campaigns [43]. Some of the significant information operation developments observed during the reporting period include the following. Influence operations that were either financially motivated or linked to a state [128][129][130] (e.g. Turkey, Iraq, China, Russia, Latin America, the Philippines, Iran, Sudan, Uganda, Nicaragua, etc.) were active. Chinese threat groups were also active on social media to amplify pro-Chinese messages [50], and information operations in Europe originated from China and Russia [41]. There were coordinated information operations related to the Russia-Ukraine crisis (and linked to Russian threat actors) [130]. Some information operations coincided with disruptive, destructive or other cyber threat activity, while others contained fabricated content and promoted Russian-favoured narratives via various platforms [131]. Moreover, some leaks and dumps of information from pro-Russia and pro-Ukraine actors had psychological effects on the ground [132]. Actors conducting pro-China and pro-Iran information operations took opportunistic advantage of the Russian invasion to further their strategic objectives [134]. According to a public report [133], there has indeed been a "Russification" of Chinese influence operations since about 2017; the report mentions that China draws inspiration from Russia and that there is a certain degree of cooperation. One of the major groups conducting cyber-enabled information attacks in Europe is Ghostwriter, linked to Belarusian interests [134][135][109]. Two Iranian nationals were charged with conducting cyber-enabled disinformation to influence the 2020 US Presidential Election [136]. Several threat actors (such as Moses Staff [137] and Black Shadow [138]) have conducted a number of hack-and-leak operations, mostly against targets within Israel. These operations have also included a disruptive element. It is our assessment that nation-backed threat actors will certainly be conducting information operations for the foreseeable future. As the Russia-Ukraine conflict progresses, we expect information operations related to the conflict to expand in scope and outside Eastern Europe, in addition to being leveraged to serve the strategic objectives of various states [131]. Finally, we would like to emphasise to governments and media organisations the heightened risk of cyber operations (compromise, disruption and information operations) during high-profile physical or geopolitical events.

[122] ETH Zurich CSS, Stefan Soesanto - The IT Army of Ukraine: Structure, Tasking, and Ecosystem - https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2022-06-IT-Army-of-Ukraine.pdf
[123] Mikko Hypponen - Ctrl-Z at #SPHERE22 - https:/
[124] New York Times - As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War. - https:/
[125] Microsoft - Disrupting cyberattacks targeting Ukraine - https:/
[126] Microsoft - The hybrid war in Ukraine - https:/
[127] TechRadar - Microsoft and AWS awarded Ukrainian peace prize for cloud efforts - https:/
[128] Google Threat Analysis Group - TAG Bulletin: Q4 2021 - https://blog.google/threat-analysis-group/tag-bulletin-q4-2021/
[129] Google Threat Analysis Group - TAG Bulletin: Q3 2021 - https://blog.google/threat-analysis-group/tag-bulletin-q3-2021/
[130] Google Threat Analysis Group - TAG Bulletin: Q1 2022 - https://blog.google/threat-analysis-group/tag-bulletin-q1-2022/
[131] Mandiant - The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine - https:/
[132] ECCRI - Cyber Operations during the 2022 Russian invasion of Ukraine: Lessons Learned (so far) - https://eccri.eu/wp-content/uploads/2022/07/ECCRI_WorkshopReport_Version-Online.pdf

2.2 CYBERCRIME ACTOR TRENDS

Cybercriminals exhibit increasing capability and interest in supply chain attacks.
While supply chain attacks are primarily
associated with state-backed actors [139], cybercriminals became more interested and proficient in the supply chain as an attack vector to conduct their operations during the reporting period. During the reporting period, supply chain attacks have become increasingly interconnected with ransomware campaigns [140][141][142], allowing threat actors to increase the scale of their operations with a single initial compromise [150]. Such supply chain attacks usually lead to ransomware deployment, coin mining, stealing cryptocurrency or stealing credentials that enable cybercriminals to facilitate their malicious activities further. Public reports say supply chain attacks are related to poisoned developer libraries and software platform compromises [143]. Software supply chain attacks (e.g. via widely deployed software) can have a high impact [143] and disrupt critical services or even services not directly affected. Indicative examples of such attacks include the Node Package Manager (NPM) package compromises [144][145][143], exploitation of the Log4j Java logging library vulnerability [144], malicious Python Package Index (PyPI) packages [146][147] and malicious RubyGems packages [148]. Major obstacles to detecting and defending against such attacks are the large number of interdependencies between open-source packages and the fact that most organisations do not audit, manage or inspect the third-party packages imported into their supply chains and trusted environments [149]. Managed Service Providers (MSPs) have also been increasingly targeted by ransomware threat groups [150] (as well as state-sponsored groups) due to their trusted network connectivity and privileged access to their customers. In May 2022, the cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand and the United States released an alert informing organisations about the cyber threats to MSPs and their customers [151]. We expect cybercriminals to continue targeting the software supply chain and MSPs for the foreseeable future. Cybercrime threat actors will certainly be further enabled by the increased focus of Access-as-a-Service (AaaS) brokers on supply chain targeting. Cybercriminals are also likely to target the management tools used by MSPs, such as professional services automation (PSA) or remote monitoring and management (RMM) tools [152]. Finally, we expect the continued exploitation of critical remote code execution vulnerabilities affecting the software supply chain (e.g. Log4j) in the upcoming months [145]. Organisations are advised to include such supply chain attacks in their threat modelling process and to evolve their strategies by applying a zero-trust approach in their security practices [140]. Moreover, the third-party risk teams of organisations should work with their critical suppliers and partners on enhancing their security processes and should define contractual commitments on the basis of acceptable risk levels [151].

[133] French Institute for Strategic Research - Chinese Influence Operations - https://www.irsem.fr/report.html
[134] Mandiant - UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests - https:/
[135] Mandiant - M-Trends 2022 - https:/
[136] U.S. Department of Justice - Two Iranian Nationals Charged for Cyber-Enabled Disinformation and Threat Campaign Designed to Influence the 2020 U.S. Presidential Election - https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-enabled-disinformation-and-threat-campaign-designed
[137] Bleeping Computer - Moses Staff hackers wreak havoc on Israeli orgs with ransomless encryptions - https:/
[138] CyberScoop - Hack-and-leak group Black Shadow keeps targeting Israeli victims - https:/
[139] PwC - Cyber Threats 2021: A Year in Retrospect - https:/
[140] Trend Micro - Security Predictions for 2022 - https:/
[141] Europol - Internet Organised Crime Threat Assessment (IOCTA) 2021 - https://www.europol.europa.eu/publications-events/main-reports/internet-organised-crime-threat-assessment-iocta-2021
[142] Tenable - 2021 Threat Landscape Retrospective - https:/
[143] Accenture - Cyber Threat Intelligence Report, Volume 2, 2021 - https:/
[144] Red Canary - 2022 Threat Detection Report - https:/
[145] CISA - Malware Discovered in Popular NPM Package, ua-parser-js - https://www.cisa.gov/uscert/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js
[146] JFrog - Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique - https:/
[147] JFrog - JFrog Detects Malicious PyPI Packages Stealing Credit Cards and Injecting Code - https:/
[148] Bleeping Computer - Malicious RubyGems packages used in cryptocurrency supply chain attack - https:/
[149] Palo Alto Networks Unit 42 - Cloud Threat Report 2H 2021 - https:/
[150] CISA - 2021 Trends Show Increased Globalized Threat of Ransomware - https://www.cisa.gov/uscert/ncas/alerts/aa22-040a
[151] CISA - Protecting Against Cyber Threats to Managed Service Providers and their Customers - https://www.cisa.gov/uscert/ncas/alerts/aa22-131a

Widespread cloud adoption provides attack opportunities for cybercriminals.
COVID-19 has accelerated the adoption of cloud-based services supporting the business processes of organisations. Since cybercriminals follow trends in technology, it comes as no surprise that they are targeting cloud environments. Cybercriminals target cloud services mostly in the following ways:
- Exploiting cloud vulnerabilities: virtualisation infrastructure has been increasingly targeted (e.g. VMware vSphere and ESXi platforms [160]) by cybercriminals and especially by ransomware groups [153].
- Using cloud services for hosting their infrastructure: cybercriminals take advantage of highly scalable and reliable cloud infrastructure [143] and use legitimate cloud services to bypass security controls by blending into normal network traffic [154].
- Targeting cloud credentials: cybercriminals use social engineering attacks to harvest credentials for cloud services (e.g. Microsoft Office 365, Okta, etc.) [154].
- Exploiting misconfigured image containers [154]: cybercriminals increasingly target poorly configured Docker containers [155] and Kubernetes clusters [156].
- Targeting cloud instances for cryptomining [157] (e.g. the TeamTNT group): security researchers have identified a cloud-focused toolset from the TeamTNT group [158].
- Targeting cloud infrastructure (e.g. Azure AD), cloud application programming interfaces (APIs) and cloud-hosted backups by ransomware groups [150] to infiltrate cloud environments [154] and increase impact [143].
It is our assessment that cybercriminals will certainly continue to compromise and abuse cloud environments as cloud adoption grows [159][140]. We expect more malware families to shift their targeting from generic Linux systems to container platforms used in cloud solutions (e.g. Docker) [160]. At the same time, ransomware groups will continue developing custom tools for cloud targeting [143].
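The supply chain passages above (both the state-backed and the cybercriminal one) come down to the same gap: third-party packages that nobody audits, and install-time hooks of the kind the ua-parser-js incident [145] relied on, which run before any code is reviewed. The script below is an added example written for this page, not ENISA's code nor that of any cited vendor. It audits a pip requirements file and an npm package manifest for the checks a third-party risk team would want first: exact pins, pip hashes, npm install hooks and look-alike names. The allow-list of known package names and both sample manifests are constructed assumptions for the demo; the edit-distance threshold is a heuristic, not a standard.

```python
"""Audit third-party package manifests for the weak points named in the text:
unpinned versions, missing pip hashes, npm install hooks and look-alike names.
Added example for this page, not code from the ENISA report or a cited vendor.
"""
import json
import re
from typing import List, Optional

# Assumption: the packages an organisation intends to depend on. In practice this
# comes from an internal allow-list or the previously audited lockfile.
KNOWN_PACKAGES = {"requests", "urllib3", "cryptography", "ua-parser-js", "lodash", "express"}

# npm runs these scripts automatically on `npm install`; malicious releases
# use them to execute a payload before anyone reads the package's code.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")

REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)\s*(?P<op>==|>=|<=|~=|!=|>|<)?")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot typosquats of known names (reqeusts vs requests)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the known package this name is suspiciously close to, else None.
    A threshold of 2 edits is a heuristic (assumption); tune it against your allow-list."""
    name = name.lower()
    if name in KNOWN_PACKAGES:
        return None
    for known in sorted(KNOWN_PACKAGES):
        if levenshtein(name, known) <= 2:
            return known
    return None


def audit_requirements(text: str) -> List[str]:
    """Findings for a pip requirements file (hash lines may use backslash continuations)."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment or pip option line
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append(f"unparsable requirement: {line!r}")
            continue
        name, op = m["name"], m["op"]
        if op != "==":
            findings.append(f"{name}: not pinned to an exact version")
        if "--hash=" not in line:
            # pip only enforces hashes when every requirement carries one
            # (--require-hashes), so one unhashed line disables the check for all.
            findings.append(f"{name}: no --hash, any artefact with this name/version is accepted")
        close = lookalike(name)
        if close:
            findings.append(f"{name}: looks like a typosquat of {close}")
    return findings


def audit_package_json(manifest: dict) -> List[str]:
    """Findings for one npm package.json (run it over every node_modules/*/package.json)."""
    findings = []
    pkg = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts", {})
    for hook in NPM_INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{pkg}: runs {scripts[hook]!r} at {hook} time")
    for dep in manifest.get("dependencies", {}):
        close = lookalike(dep)
        if close:
            findings.append(f"{pkg}: dependency {dep} looks like a typosquat of {close}")
    return findings


# Constructed sample input; the sha256 digest is a placeholder, not a real file hash.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26            # floating range, no hash
reqeusts==2.28.1         # one transposition away from a real package
"""

# Constructed sample package.json modelled on the install-hook pattern.
SAMPLE_PACKAGE_JSON = json.loads("""
{
  "name": "some-dependency",
  "version": "0.7.29",
  "scripts": {"preinstall": "node preinstall.js", "test": "jest"},
  "dependencies": {"lodash": "^4.17.21", "lodahs": "1.0.0"}
}
""")

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) + audit_package_json(SAMPLE_PACKAGE_JSON):
        print(finding)
```

On the sample input the pinned, hashed `requests` line passes, `urllib3` is flagged twice (floating range, no hash) and `reqeusts` twice (no hash, typosquat), while the npm manifest is flagged for its preinstall hook and its `lodahs` dependency. The checks are deliberately cheap so they can run in CI on every lockfile change; they do not replace reviewing what an install hook actually does.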
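For the cloud passage above, the concrete misconfigurations that turn a compromised Docker or Kubernetes workload into node or cluster access are the ones worth checking before deployment: shared host namespaces, privileged containers, mounted runtime sockets, root users and mutable image tags. The check below is an added example for this page, not ENISA's code nor that of any cited vendor. The two Pod manifests are constructed, the weak one beside its hardened form, and the lists of risky host paths and dangerous capabilities are the author's assumptions about what counts as risky.

```python
"""Flag Pod settings that let a compromised container reach the node or the cluster.
Added example for this page, not code from the ENISA report or a cited vendor.
Manifests are plain dicts (what `kubectl get pod -o json` or yaml.safe_load returns).
"""
import json
import sys
from typing import List

# Assumption: host paths whose mount hands the container the runtime socket or node filesystem.
RISKY_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/run/crio",
                    "/etc", "/root", "/proc", "/sys", "/var/lib/kubelet")
# Assumption: added capabilities that amount to root on the node.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def _setting(container_sc: dict, pod_sc: dict, key: str, default):
    """A container-level securityContext overrides the pod-level one."""
    return container_sc.get(key, pod_sc.get(key, default))


def _mutable_image(image: str) -> bool:
    """True for an untagged or ':latest' image; a version tag or @sha256 digest passes."""
    last = image.rsplit("/", 1)[-1]          # drop the registry host, which may carry a port
    return (":" not in last and "@" not in last) or last.endswith(":latest")


def audit_pod(pod: dict) -> List[str]:
    """Return one finding per risky setting; an empty list means the checks passed."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key}=true shares the node namespace with the container")

    # A hostPath volume only matters once a container mounts it, so remember them by name.
    risky_volumes = {}
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path == "/" or any(path == p or path.startswith(p + "/") for p in RISKY_HOST_PATHS):
            risky_volumes[vol["name"]] = path

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if _mutable_image(c.get("image", "")):
            findings.append(f"{cname}: image {c.get('image')!r} has a mutable tag; pin a digest")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container is root on the node")
        if _setting(sc, pod_sc, "runAsNonRoot", False) is not True:
            findings.append(f"{cname}: runAsNonRoot not enforced")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled (setuid binaries keep working)")
        added = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append(f"{cname}: adds capabilities {sorted(added)}")
        for m in c.get("volumeMounts", []):
            if m.get("name") in risky_volumes:
                findings.append(f"{cname}: mounts host path {risky_volumes[m['name']]}")
    return findings


# Constructed weak manifest: the shape a cryptominer deployment or node escape abuses.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "miner-friendly"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "app",
            "image": "ubuntu:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed hardened form of the same workload; the digest is a placeholder value.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "registry.example.internal/app@sha256:"
                     "0000000000000000000000000000000000000000000000000000000000000000",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    docs = [json.load(open(p)) for p in sys.argv[1:]] or [WEAK_POD, HARDENED_POD]
    for doc in docs:
        for pod in doc.get("items", [doc]):     # also accepts a `kubectl get pods -o json` List
            for finding in audit_pod(pod) or [f"{pod.get('metadata', {}).get('name')}: no findings"]:
                print(finding)
```

Run without arguments it audits the two constructed manifests; given JSON files (for example the output of `kubectl get pods -A -o json`) it audits those instead. The pod-level securityContext fallback matters in practice: `runAsNonRoot` set once at pod level covers every container, and a checker that only reads container-level settings reports false positives for exactly the manifests that were hardened correctly.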
Finally, cybercriminals will increasingly target cloud APIs to disrupt automated cloud processes, thus causing severe impact on businesses [161].

[152] Acronis - Cyberthreats Report 2022 - https:/
[153] Mandiant - M-Trends 2022 - https:/
[154] CrowdStrike - 2022 Global Threat Report - https:/
[155] CrowdStrike - LemonDuck Targets Docker for Cryptomining Operations - https:/
[156] Bleeping Computer - Attackers deploy cryptominers on Kubernetes clusters via Argo Workflows - https:/
[157] Google Cloud - Threat Horizons: Cloud Threat Intelligence, November 2021 - https:/
[158] VX Underground (Twitter) - https:/
[159] Mandiant - Security Predictions 2022 - https:/
[160] IBM X-Force Threat Intelligence Index 2022 - https:/

Imposing cost on ransomware threat actors.
Several governments prioritised ransomware as a national security threat during the reporting period. A combination of (mostly) legal and regulatory responses tried to alter the cost-benefit calculations of cybercriminals, while several anti-ransomware initiatives appeared [162][163][164][165]. Law enforcement actions against ransomware groups forced some to leave the stage, some even releasing decryption keys [166]. Moreover, law enforcement agencies have offered millions in rewards for the arrest of members of ransomware groups [167]. Through international cooperation, law enforcement operations arrested cybercriminals associated with ransomware threat groups such as REvil, Cl0p, NetWalker, and LockerGoga or MegaCortex [168][169][170][171][172][173][174]. Military and intelligence services came into play against ransomware. According to public reports, the US military has acted against ransomware groups [175]. An interesting development was the arrest by the Russian Federal Security Service (FSB) of members of the REvil ransomware group [176]. This action could be attributed to Russia's pursuit of its strategic geopolitical objectives [177] or to the potential targeting of Russian entities by the REvil group [139]. The White House organised a meeting to coordinate an international response against ransomware (to which Russia was not invited) [178]. From the regulatory perspective, the proposed Ransom Disclosure Act would make it mandatory for ransomware victims to inform the US government within 48 hours of a ransom payment [179]. Finally, the government of the Netherlands indicated that it would use its intelligence and/or armed forces to respond to ransomware attacks [180]. It is our assessment that the efforts of law enforcement to disrupt ransomware groups will continue for the foreseeable future [181]. Law enforcement attention will certainly have an impact on the modus operandi of several ransomware groups (e.g. increased operational security, rebranding, internal conflicts, targeting of small companies [181], etc.) and on underground forums (e.g. banning any promotion of ransomware affiliate programmes [182]) in the short term. However, it is not clear how law enforcement actions will affect the ransomware threat landscape (new groups appearing and new business methods) [181] and further increase the risks for ransomware actors [183][159]. Furthermore, we expect to see increased volumes of activity from groups operating outside the USA [159], while Russia-based cybercriminals are unlikely to be deterred by the arrest of REvil members by the FSB [184][177]. Finally, we expect that governments will increasingly allocate resources to combat ransomware threats by tasking their military and intelligence services to disrupt the operations of cybercriminals, collect intelligence about members of these groups and recover ransom payments [185][186][187].

[161] Acronis - Cyberthreats Report 2022 - https:/
[162] Ransomware Task Force - https://securityandtechnology.org/ransomwaretaskforce/
[163] StopRansomware - https://www.cisa.gov/stopransomware
[164] WEF - Partnership against Cybercrime - https://www.weforum.org/projects/partnership-against-cybercime
[165] U.S. Department of State - Update on the International Counter-Ransomware Initiative - https://www.state.gov/briefings-foreign-press-centers/update-on-the-international-counter-ransomware-initiative
[166] ESET - Threat Report T3 2021 - https:/
[167] Bleeping Computer - US targets DarkSide ransomware and its rebrands with $10 million reward - https:/
[168] Europol - Five affiliates to REvil unplugged - https://www.europol.europa.eu/media-press/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged
[169] Interpol - Ransomware gang arrested in Ukraine - https://www.interpol.int/en/News-and-Events/News/2021/Ransomware-gang-arrested-in-Ukraine
[170] Interpol - Major gang members in handcuffs, assets seized - https://www.interpol.int/News-and-Events/News/2021/INTERPOL-led-operation-takes-down-prolific-cybercrime-ring
[171] Europol - 12 targeted for involvement in ransomware attacks against critical infrastructure - https://www.europol.europa.eu/media-press/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure
[172] Krebs on Security - Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison - https:/
[173] Bleeping Computer - NetWalker ransomware affiliate sentenced to 80 months in prison - https:/
[174] U.S. Department of Justice - Former Canadian Government Employee Extradited to the United States to Face Charges for Dozens of Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms - https://www.justice.gov/opa/pr/former-canadian-government-employee-extradited-united-states-face-charges-dozens-ransomware
[175] NY Times - U.S. Military Has Acted Against Ransomware Groups, General Acknowledges - https:/
[176] Bleeping Computer - Russia arrests REvil ransomware gang members, seize $6.6 million - https:/
[177] Intel471 - What can we expect from the REvil arrests? - https:/
[178] ZDNet - The White House is having a big meeting about fighting ransomware. It didn't invite Russia - https:/
[179] ZDNet - Ransomware law would require victims to disclose ransom payments within 48 hours - https:/
[180] The Record - Netherlands can use intelligence or armed forces to respond to ransomware attacks - https://therecord.media/netherlands-can-use-intelligence-or-armed-forces-to-respond-to-ransomware-attacks/?s=01
[181] QuoIntelligence - Ransomware is here to stay and other cybersecurity predictions for 2022 - https://quointelligence.eu/2022/01/ransomware-and-other-cybersecurity-predictions-for-2022/
[182] Flashpoint - After Ransomware Ads Are Banned On Cybercrime Forums, Alternative Platforms Being Used to Advertise and Recruit - https://flashpoint.io/blog/avoslocker-ransomware-advertise-and-recruit/

Cybercriminals continue to disrupt the industrial sector.
Last year we estimated that cybercrime attacks against Operational Technology (OT) systems would very likely become more disruptive [188]. This assessment still holds true and, during the reporting period, ransomware was the major cause of compromises in the industrial sector, with the manufacturing industry being by far the most targeted sector [189][190]. Disruptive attacks have had significant impacts on other sectors: food and beverages, healthcare, transportation and energy. Cybercriminal operations can disrupt OT operations through [196]:
- malware that has an OT-specific module for OT systems [191];
- limited network segmentation, allowing ransomware to spread from the IT to the OT network [192];
- the shutdown of OT infrastructure by operators to prevent ransomware spreading to the OT network [193][194][150];
- exfiltration of sensitive information about the OT environment that can facil
323、itate further cyber-physical attacks by other threat actors(cybercrime as well as state-sponsored groups)195.It is our assessment that ransomware groups will likely continue to target and disrupt OT operations for the foreseeable future196 197.Contributing factors to this assessment are:the ongoing
324、digital transformation in the industrial sector and the increased connectivity between IT and OT networks;189 an increased urgency to pay ransom to avoid any critical business and social impact;159 the ongoing rebranding of ransomware groups which increases the chances of malware blending and the de
325、velopment of capabilities to target and disrupt OT networks;189 the Russia-Ukraine crisis as ransomware groups(e.g.Conti198)are taking sides and are likely to conduct retaliatory attacks against critical Western infrastructure;the massive increase in the number of newly identified vulnerabilities in
326、 OT environments.159 183 Coveware-Ransomware attackers down shift to Mid-Game hunting in Q3 2021-https:/ 184 Recorded Future-Dark Covenant:Connections Between the Russian State and Criminal Actors-https:/ 185 SonicWall 2022 Cyber Threat Report-https:/ 186 Security Intelligence-Recovering Ransom Paym
327、ents:Is This the End of Ransomware?-https:/ AP News-US recovers most of ransom paid after Colonial Pipeline hack-https:/ 188 ENISA Threat Landscape 2021-https:/www.enisa.europa.eu/publications/enisa-threat-landscape-2021 189 Dragos 2021 ICS/OT Cybersecurity Year in Review-https:/ Intel471-Manufactur
328、ers should focus on protecting their supply chains-https:/ 191 MITRE ATT&CK EKANS Software-https:/attack.mitre.org/software/S0605/192 CISA-Rising Ransomware Threat To Operational Technology Assets-https:/www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Rising_Ransomware_Threat_to_OT_Ass
329、ets_508C.pdf 193 NY Times-Cyberattack Forces a Shutdown of a Top U.S.Pipeline-https:/ 194 NCSC-UK What is OT malware?-https:/www.ncsc.gov.uk/blog-post/what-is-ot-malware 195 SecurityWeek-OT Data Stolen by Ransomware Gangs Can Facilitate Cyber-Physical Attacks-https:/ 196 Dragos-ICS/OT Ransomware Ana
330、lysis:Q1 2022-https:/ Dragos-ICS/OT Ransomware Analysis:Q4 2021-https:/ CyberScoop-Conti ransomware group announces support of Russia,threatens retaliatory attacks-https:/ use footnotes for providing additional or explanatory information and/or relevant links.References should be listed in a dedicat
331、ed section.Use only the function References/Insert Footnote ENISA THREAT LANDSCAPE 2022 NOVEMBER 2022 34 Organisations are recommended to plan and remediate the most common issues causing security incidents within OT environments189:limited OT visibility,poor network segmentation between IT and OT n
332、etworks,external remote access to OT network,and shared and reused credentials.Continuous retirements and rebranding to avoid law enforcement and sanctions.As described above,the sheer volume of ransomware operations and some highly critical incidents(e.g.Colonial Pipeline199)resulted in increased e
333、fforts by law enforcement and governments worldwide.Thus,ransomware groups resorted to retiring and rebranding,139 143taking an average time of 17 months before they do so160.Cybercriminals behave this way potentially due to a need to:a)reboot their operations in case their tools,TTPs or infrastructure were critically compromised(e.g.security researchers develop a decryptor);b)avoid law enforcemen
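Three of the four OT issues listed earlier (poor IT/OT segmentation, external remote access into the OT network, and shared or reused credentials) can be checked mechanically against a firewall policy and an asset inventory; the fourth, OT visibility, is the inventory itself. The Python script below is an added example and is not part of the ENISA report or of any of its cited sources. The zone names, the rule and asset records, the lateral-movement port set and the hashing of local passwords are constructed sample data and my own assumptions, chosen to illustrate the checks rather than taken from the text.

```python
"""Audit a firewall policy and an OT asset inventory for flat IT/OT
segmentation, external remote access into OT, and credential reuse.
All rules, assets and zone names below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

# Ports commonly used by ransomware to hop from IT into OT
# (RPC/NetBIOS, SMB, RDP, WinRM). Assumed set for this example.
LATERAL_MOVEMENT_PORTS = {135, 139, 445, 3389, 5985, 5986}
OT_ZONES = {"ot-control", "ot-supervisory", "dmz-ot"}      # assumed zone names
EXTERNAL_ZONES = {"internet", "vendor-vpn"}                 # assumed zone names


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ports: frozenset  # ints; an empty set means "any port"
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    hostname: str
    zone: str
    username: str
    password_hash: str    # hash of the local account password (sample)


def find_it_to_ot_exposures(rules):
    """Allow rules from an internal non-OT zone into an OT zone that permit
    any lateral-movement port, or any port at all. Returns rule names."""
    hits = []
    for r in rules:
        if r.action != "allow" or r.dst_zone not in OT_ZONES:
            continue
        if r.src_zone in OT_ZONES or r.src_zone in EXTERNAL_ZONES:
            continue  # intra-OT traffic, or external access (reported separately)
        if not r.dst_ports or r.dst_ports & LATERAL_MOVEMENT_PORTS:
            hits.append(r.name)
    return hits


def find_external_remote_access(rules):
    """Allow rules that reach an OT zone directly from an external zone."""
    return [r.name for r in rules
            if r.action == "allow" and r.src_zone in EXTERNAL_ZONES
            and r.dst_zone in OT_ZONES]


def find_shared_credentials(assets):
    """Group assets by (username, password hash); every group larger than
    one is a credential reused across hosts. Returns {credential: hosts}."""
    groups = defaultdict(list)
    for a in assets:
        groups[(a.username, a.password_hash)].append(a.hostname)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def audit(rules, assets):
    """Run all three checks and return the findings keyed by issue."""
    return {
        "it_to_ot": find_it_to_ot_exposures(rules),
        "external_to_ot": find_external_remote_access(rules),
        "shared_credentials": find_shared_credentials(assets),
    }


def _h(password):
    """Sample-only helper to derive an inventory hash from a password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed policy: two risky corp->OT rules, one acceptable one,
# one vendor VPN rule straight into the control zone, and one deny.
SAMPLE_RULES = [
    Rule("corp-to-hmi-any", "corp-it", "ot-supervisory", frozenset(), "allow"),
    Rule("corp-to-historian-smb", "corp-it", "dmz-ot", frozenset({445}), "allow"),
    Rule("corp-to-historian-https", "corp-it", "dmz-ot", frozenset({443}), "allow"),
    Rule("vendor-rdp-to-plc-eng", "vendor-vpn", "ot-control", frozenset({3389}), "allow"),
    Rule("corp-to-ot-deny", "corp-it", "ot-control", frozenset(), "deny"),
]

# Constructed inventory: the same operator credential on three hosts.
SAMPLE_ASSETS = [
    Asset("hmi-01", "ot-supervisory", "operator", _h("Plant2019!")),
    Asset("hmi-02", "ot-supervisory", "operator", _h("Plant2019!")),
    Asset("eng-ws-01", "ot-control", "operator", _h("Plant2019!")),
    Asset("historian-01", "dmz-ot", "svc_hist", _h("unique-and-long-3f9a")),
]

if __name__ == "__main__":
    for issue, items in audit(SAMPLE_RULES, SAMPLE_ASSETS).items():
        print(issue, items)
```

The checks are deliberately zone-based rather than address-based: a policy that names zones is far easier to audit than one built from raw CIDR ranges, and a rule with no port restriction into an OT zone is flagged regardless of which services are actually listening, because that is exactly the gap ransomware uses once it holds an IT host.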