Cyber Threats 2022: A Year in Retrospect

“Blindsided” is cybersecurity’s worst-case scenario. The threat you don’t know about; the attack you don’t see coming; the hacker hiding undetected in your networks: unknowns are what can take a company down. Exposing them is what threat intelligence lives to do. Companies in 2022 faced an array of threat actors: sophisticated advanced persistent threats, or APTs; ruthless cyber criminals; disgruntled insiders; a resurgence in hacktivism and distributed denial of service (DDoS) attacks, and more. Geopolitics dominated the headlines and the cybersphere, even as threat actors continually shifted tactics and techniques and shared their tools, motivated by sabotage, espionage and money. And in 2022, public and private sectors joining forces and sharing their intelligence bolstered organisations’ defences. Our report “Cyber Threats 2022: A Year in Retrospect” examines the threat actors, trends, tools and motivations that captured the cyber threat landscape last year. It includes incident response case studies with direct and detailed insight into tools, techniques and procedures (TTPs) used in intrusions. We also provide detection logic throughout the report to assist your defenders when scanning your own systems and networks, to help you find malicious threat actors. With context for what to expect in 2023 from the report, we strive, as always, to not only keep pace with hostile cyber activity, but to get ahead of it, and stay ahead.

Trends

• Vulnerability and threat actor agility
• Geopolitical issues and the threat landscape
• Evolving cyber crime

Vulnerability and threat actor agility

In 2022:

• The Log4Shell vulnerability in Apache’s Log4j Java logging framework is thought to have affected 93% of business cloud environments and hundreds of millions of machines. A range of cyber threats jumped on the opportunity to exploit this vulnerability as organisations worked to identify impacted instances in their environments.
• Threat actors ranging in motivation and sophistication made use of commoditised and shared tooling and frameworks to accelerate and optimise their operations. Attackers also engaged in fast-moving, brute force attempts to fatigue users and security measures through social engineering or multifactor authentication (MFA) bypassing.
• Some threat actors developed better ways of obfuscating their espionage operations and intellectual property theft, making it increasingly difficult to identify who they were and what they were stealing. The use of obfuscation-as-a-service proxies became the method of choice for these threat actors to hide their tracks as they compromised victims and exfiltrated confidential and sensitive information.

Looking ahead:

Attackers will continue scouring unpatched systems for Log4Shell and other vulnerabilities and will exploit where they can. Software library vulnerabilities are also likely to be an exploitation focus for threat actors in the year ahead.

Poor or inconsistent patching regimes continue to be a key factor behind successful intrusions into networks. Most successful attacks exploit vulnerabilities that have already been remediated by manufacturers or developers and are available to customers for implementation. Successful attacks that are the result of 0-day exploits are still comparatively rare. Attackers will do the minimum they need to in order to gain access to a network and will not burn higher-end capabilities unnecessarily.

We therefore recommend that organisations prioritise defence in depth and rigorous patching in their security strategies to raise the barrier to entry for attackers.

Geopolitical issues and the threat landscape

In 2022:

• Espionage and sabotage motivated threat actors used their offensive cyber capabilities to complement traditional warfare approaches. They used these against countries and private entities seen to be supporting their perceived enemies. They sought to gain strategic advantage by weakening digital and physical infrastructure.
• Threat actors continued to engage in the contest for economic supremacy through intellectual property theft, with cyber attacks exacerbating ongoing supply chain issues and financial challenges. Threat actors used procured infrastructure, as well as compromised assets, to infiltrate and interdict supply chains, as well as to undermine secure communications around the world. Targets included high-end technology firms and telecommunications, manufacturing and logistics sectors.

Looking ahead:

Security and law enforcement agencies, along with the commercial security industry, will continue to use public disclosures to counter the activities of APTs and thwart their operations. Cloud service, managed service and identity and access management (IAM) providers with privileged access to client networks will increasingly become targets of choice for the most sophisticated actors – to achieve the scaled access they need to compromise the targets of their espionage and intellectual property theft operations.

In the full Cyber Threats 2022: A Year in Retrospect report, learn about these significant events and trends in more detail.

Evolving cyber crime

In 2022:

• Ransomware continued to be a major threat to industries around the world, as threat actors were able to circumvent security measures and successfully infect networks, from manufacturing to retail and beyond, and extort high ransoms from their victims. Governments and private companies responded to cyber threats with sanctions and blacklisting, which shut down the operations of at least one major ransomware group. Due to the fractured and fluid nature of ransomware groups, many cyber criminals simply moved to deploy their skills and capabilities in other, lesser-known brands and operations.
• Credential stealing malware proliferated within the cyber criminal ecosystem and bolstered the demand for Access-as-a-Service (AaaS) and other commoditised cyber criminal offerings, which powered cyber-enabled fraud and opportunistic attacks spanning multiple industries and countries.

Looking ahead:

Governments will also explore the continued use of sanctions as a way of hamstringing ransomware and other threat actors, as well as their access to and use of extorted and stolen funds. Organisations will increasingly be required to build their defence efforts and security strategies to account for more frequent attacks powered by an increasingly commodotised -as-a-Service cyber criminal ecosystem.

Sectors

Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. In 2022, attacks in one sector cascaded to other industries and inflicted greater damage. That’s due to increased interconnections among increasingly digitised supply chains and industries.

Click on a sector to learn sector-specific motivations summarized by PwC Threat Intelligence from 2022 case studies and in-house analytics.

• Aerospace and Defence
• Automotive
• Construction
• Education
• Energy
• Financial Services
• Government
• Healthcare
• Manufacturing
• Pharmaceuticals and Life Sciences
• Professional Services
• Retail
• Sports and Entertainment
• Technology
• Telecommunications
• Transport and Logistics

Aerospace and Defence

Motivations: Espionage, cyber crime, sabotage, hacktivism

Military secrets and sophisticated technologies make this highly sensitive and important sector a prime target every year by cyber threats. But 2022 proved especially challenging as threat actors worked hard to penetrate A&D organizations and contractors, particularly in Europe. Their motives ran the gamut:

Espionage-motivated threat actors wanted research and development secrets as well as military plans and capabilities.

Saboteurs, hoping to weaken a rival’s defences, might try to inhibit research or halt production.

Ransomware attackers were willing to bet that high-value, defence contracting companies would pay to recover sensitive data. They often upped the ante by threatening to publish ransomed data on leak sites to collect from victims a second time.