What Will Nation-State Threat Actors Be Doing in 2022?

Nation-State Cybercrime is Becoming Every Organization’s Problem

---

Nation-state cybercrime has become an increasingly larger concern for businesses. Splashy, major attacks against infrastructure targets around the world in 2021 by nation-state and nation-state adjacent cybercriminals have also brought a greater focus on the risks to daily life presented by state-backed threat actors into the public eye. As threat actors turn their sights to targets outside their usual zones of government, military and quasi-governmental agencies, businesses are left wondering if they’re going to be the next target on a state-backed cybercrime gang’s agenda, and what they can do to steer clear of trouble. 

---

---

Do Businesses Have Cause for Alarm? 

---

Businesses definitely have cause for alarm. A study by Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, and sponsored by HP, Nation States, Cyberconflict and the Web of Profit shows that nation-state cybercrime risk is growing fast. The report highlights a 100% rise in significant nation-state incidents between 2017-2020. The researchers’ analysis of over 200 cybersecurity incidents associated with nation-state threat actors since 2009 also shows the shift in their targeting to become a serious threat to businesses. Enterprise is now the most common target of state-sponsored cybercriminals, beating out government-associated targets by a substantial margin. 

Targets of Nation-State Cyberattacks 

• Enterprises 35% 
• Cyber Defense Assets 25% 
• Media & Communications 14% 
• Government Bodies 12% 
• Critical Infrastructure 10% 

In just the past year, we’ve seen some significant cyberattacks from state-sponsored threat actors. The Center for International and Strategic Studies has an excellent breakdown on recent notable nation-state cybercrime activity, highlighting incidents like: 

October 2021. A group with ties to Iran attempted to hack over 250 Office 365 accounts. All the targeted accounts were either U.S. and Israeli defense technology companies, had a focus on Persian Gulf ports of entry, or maritime transportation companies with a presence in the Middle East.   

September 2021. Hackers obtained 15 TB of data from 8,000 organizations working with Israel-based company, Voicenter and offered the data online for $1.5 million. Some experts have stipulated the hackers have ties to Iran, but no link has been confirmed.   

October 2021. An American company (purportedly Microsoft) announced that the Russian Foreign Intelligence Service (SVR) launched a campaign targeting resellers and other technology service providers that customize, deploy and manage cloud services.    

---

---

Experts Are Sounding the Alarm

---

The 9th edition of the ENISA Threat Landscape (ETL) report lays out the findings of their experts and observers after analyzing what they saw in 2021 – and it was definitely a wild ride. The last 12 months have featured a chaotic threat atmosphere that left IT professionals exhausted and new cybercrime threats surging. The 9th edition of the report lays out the findings of ENISA analysts and observers about the biggest threats that EU organizations faced in 2021. To no one’s surprise, ransomware topped the list.  

ENISA experts stated that fact unequivocally in a release: “Ransomware ranks as a prime threat for the reporting period”. EU Agency for Cybersecurity Executive Director Juhan Lepassaar went a little bit further, saying in a statement published in connection with the report that “Given the prominence of ransomware, having the right threat intelligence at hand will help the whole cybersecurity community to develop the techniques needed to best prevent and respond to such type of attacks. Such an approach can only rally around the necessity now emphasised by the European Council conclusions to reinforce the fight against cybercrime and ransomware more specifically.”   

---

ENISA’s Top 9 Threats 

---

1. Ransomware  
2. Malware  
3. Cryptojacking  
4. Email related threats  
5. Threats against data  
6. Threats against availability and integrity  
7. Disinformation – misinformation  
8. Non-malicious threats  
9. Supply-chain attacks 

---

---

State-Backed Threat Actors Had a Busy Pandemic 

---

So, who is behind all of those threats? ENISA researchers say threat actors that fall into one of four broad categories are the culprits behind most cyberattacks, and nation-state threat actors are at the top of the tree. ENISA’s breakdown of the activities of state-backed threat actors that they’ve observed at work in the cybercrime landscape and what those actors might get up to in 2022 is one of the most interesting sections of the report. Researchers analyzed patterns in this reporting period to catalog the activity of nation-state threat actors in the EU as well as make a few predictions for the activity that they expect to see from them going forward.     

According to analysts, there is no doubt that the COVID-19 crisis was a major driver behind nation-state cybercrime activity. Throughout the pandemic, observers cataloged state-sponsored threat actors seeking data related to infection rates, country-level responses and treatments. The collection of scientific information related to the COVID-19 vaccine was a high-priority item for state-sponsored cybercriminals and a direct contributor to the immense cyberattack pressure that the healthcare, pharmaceutical, and medical research sectors experienced. State-backed threat actors seemed to put an overall higher focus on revenue generation than in past years. 

---

---

Nation-State Actors Play a Part in Supply Chain Risk 

---

ENISA observers also reported that supply chain compromises by state-backed threat actors reached new levels of sophistication and impact. Based on ENISA’s analysis supply chain attacks were conducted by state-sponsored cybercriminals, also referred to as Advanced Persistent Threat (APT) groups, on at least 17 occasions between 2020 and 2021. That’s more than 50% of the attributed supply chain attacks during the reporting period. 

Experts also cautioned: “During the past few years, we have observed threat actors monitoring threat intelligence reporting and attribution disclosures and responses from an operational and strategic perspective. Over the years, one can claim that state-backed threat actors have been learning from their past mistakes and they have been improving their operational security and leaving no high fidelity indicators during their intrusions.” 

---

---

What’s Next for State-Backed Threat Actors  

---

ENISA’s report laid out several predictions about what their experts expect to see in the state-backed cybercrime space in 2022, giving businesses an opportunity to prepare for the next generation of threats. 

---

ENISA Nation-State Cybercrime Predictions for 2022 

---

• State-backed threat actors will continue conducting supply chain attacks (especially targeting software, cloud, and managed service providers) as an initial access tactic.  
• Cloud-hosted development environments will be under fire as enablers for supply chain attacks  
• State-backed actors will continue conducting revenue-generating cyber intrusions (in pursuit of strategic objectives or personal gain) with varying levels of national responsibility.  
• State-backed groups will leverage offensive security tools, living-off-the-land techniques, published PoCs, false flags, criminal contract hackers and crimeware-as-a-service, while also exhibiting high levels of operational security when conducting cyber operations 
• Interest in targeting ICS networks will grow in the near future. 
• State-backed actors will continue pursuing cyber operations for intelligence gathering as strategic objectives for advantages in decision-making, to steal intellectual property, and to discover pre-positioning of military and critical infrastructure assets for future conflicts. 
• State-backed groups will possibly develop and conduct disruptive/destructive ransomware operations to weaken, demoralize and discredit adversarial governments. 
• Local conflicts will likely include cyber operations paired with drone attacks and media-driven misinformation in order to amplify impact. 
• Threat actors will continue pursuing their strategic objectives by conducting cyber-enabled information operations for the next decade focusing on important geopolitical issues like elections, public health, humanitarian crises, human rights, and security.  
• Hack-and-leak operations by state-backed and state-affiliated groups will continue, intensifying during periods of high interest (e.g. pre-election periods). The technique will also be used to exploit political divisions or instability as was seen in the 2016 US elections.  

---

---

Smart Defensive Moves Help Protect Businesses from Trouble 

---

Ransomware is the most commonly used tool of nation-state cybercriminals, and phishing is their most widely used means of spreading it. Security awareness training using a solution like BullPhish ID reduces a company’s risk of falling victim to cybersecurity threats like phishing or ransomware by up to 70%. Here’s why it’s a smart choice for businesses of every size. 

• It’s easy to run phishing simulations to keep employees vigilant. Choose from preloaded plug-and-play phishing campaign kits or customize messages, attachments and other content to reflect specific threats for specialized industries. 
• Easily train employees about more than just phishing. BullPhish ID features a vast library of video lessons on subjects like compliance, credential handling, ransomware, industry regulations and more all in one place. 
• Automate training campaigns and reporting for stress-free, consistent training that gets results. 
• Online quizzes to measure employee training retention and simple, clear reporting let businesses know exactly where they need to step up training. 
• Training content is available in 7 languages. 

Learn more about the benefits of training with BullPhish ID. BOOK A DEMO>>

---

---

---