FireEye Mandiant has delivered its cyber landscape predictions for the coming year, including growing and affiliate-supported espionage, increased targeting of OT by ransomware, and continued targeting of healthcare.
The COVID-19 pandemic and the cyber activity surrounding it have dominated 2020. This will continue into 2021 (PDF), but the techniques learned and used this year will outlast COVID. Cyber espionage is a good example. There have been many recent stories about espionage attacks targeting COVID vaccine research, but FireEye Mandiant sees cyber espionage evolving and increasing across the globe.
“A lot of espionage in 2021 will be similar to what we are already seeing,” Jaimie Collier, cyber threat intelligence consultant at FireEye Mandiant, told SecurityWeek. “The Big Four (Russia, China, Iran and North Korea) are not going to fundamentally change what they are doing. But China’s threat apparatus has grown with regard to espionage, and we expect to see more espionage activity from China.”
Collier has also seen an uptick in activity from Vietnam and South Asia in general. “We’re beginning to see more activity outside of the Big Four. Some of the countries that are just now getting into the business of cyber espionage will turn to third party intruder vendors for tools and capability enhancement. We’ve already seen that in the Dark Basin report earlier in the year.”
The reverse of espionage — which is the seeking of secrets — is the information operation that seeks to sow falsehoods. “While it used to be just Russia targeting the U.S., the number of parties involved is growing rapidly. Iran is now involved, and there are pro-China and pro-Cuba regional networks in Argentina. All this space is getting more complex — and a wider nexus of groups is trying to mimic legitimate media in their campaigns. We suspect that there are contractors, PR and marketing firms and other non-state actors now involved in these information operations.”
Collier expects to see ransomware continue to evolve and expand. “Ransomware is transitioning from a bit of a nuisance to something that is a real strategic concern,” he explained. “We’re seeing the affiliate models expand, where different threat actors combine leading to a huge amount of specialization within the overall process. Some of the actors develop the ransomware, but work with others that specialize in gaining the initial access, and post-compromise exfiltration; all leading to a broader criminal ecosystem.”
Part of this shows in the growing practice of double extortion — using stolen data as an extra incentive for payment, or selling or exposing it if the victim still refuses to pay. But FireEye Mandiant also sees an increasing pivot towards ransomware targeting operational technology. “That’s something we’re watching keenly,” Collier told SecurityWeek, “because of the potential for real world harm.”
He believes the political profile around ransomware is also changing. In September 2020, the U.S. Department of the Treasury made it clear that paying a ransom could be considered contrary to the interests of national security. “The Australian Signals Directorate,” he added, “has stated publicly that they will be proactive in going after financial/healthcare criminals. It’s going to be interesting to see how other governments react, and see if other intelligence agencies start to go after financial criminals more than they have in the past.”
But the pandemic and its effects will continue to shape the cyber landscape through 2021. Surprisingly, FireEye Mandiant has not seen as much directly COVID-related phishing in 2020 as has been reported elsewhere. “I think back in March,” said Collier, “at the height of the first wave, COVID and Coronavirus were only featuring in around 2% of phishing emails.” Although he believes it may have increased a little since then, the majority of phishing emails still use traditional lures, such as fake password resets, that have been in use for years. “For social engineering in general,” he added, “it’s important to look at Coronavirus as just another opportunity for the criminals.”
The implication from this observation is that the continued increase in phishing cannot be explained by the pandemic, and that phishing is likely to continue its increase even after the pandemic eases. Spear-phishing will remain the most popular entry route for compromises, but FireEye Mandiant also believes that a wider number of nation-state actors will focus on intrusion techniques that don’t require victim interaction — such as exploiting web facing applications and password spraying.
A big problem through 2021 will, however, be the rapid and enforced move to increased remote working, and organizations’ transition to a more expansive ecosystem. “As companies adopt remote work,” he continued, “there is a push towards more niche areas for security — from virtual conferencing to productivity platforms. We’re introducing a lot of new systems and services into our organizations. A lot of these will be outsourced, working with third parties — so there’s a much more expansive ecosystem.”
Much of this expansion overlaps with cloud security, with different providers for different services. These wider ecosystems were already evolving beyond the network perimeter. “One thing with cloud that we will be watching,” said Collier, “is the issue around responsibility and the dynamic relationship between users and providers. Who is responsible for security?” Organizations will need to make the appropriate decisions in taking ownership of their data in the cloud, he warned, where inadvertent exposure is a growing problem.
Traditionally, security firms have focused on adversary behavior, but user behavior is now the growing problem, and it is likely to worsen with increased cloud usage. “One of the issues that will play out in 2021,” he said, “is whether adversaries can take advantage of this new ecosystem faster than security teams can learn how to defend it.” He worries that while security teams have been involved with company-wide cloud system usage, there is now a new reality. “A lot of different departments are going in different directions. You potentially have a marketing team experimenting with virtual conferencing platforms that may not automatically be perceived as part of the security team’s purview. But if someone in marketing sets up a new virtual conference platform or new social media manager, is that going through the right channels — because a lot of those areas have quite serious security issues. If you’ve got a corporate Twitter account with hundreds of thousands of followers, any compromise could lead to huge reputational damage. So, you have parts of the network that need to be secured, but are being run out of areas that are not usually seen as traditional security areas. Managing these areas in the remote world is the big question mark at the moment.”