State actors: a continued threat
Not all cyberattacks are immediate. Many state actors covertly install dormant malware or backdoors on current or potential adversaries’ most sensitive cyber systems – with the intent of activating them in the event of a sudden geopolitical escalation. The impact of these efforts is significant, as seen in 2022 when suspected Russia-aligned actors activated the WhisperGate malware, destroying data stored by key Ukrainian entities in the government and IT sector around a month before Russia’s invasion. According to Cisco Talos, the threat actors were likely to have had “access to the victim network for months before the attack.”
Other efforts were discovered prior to activation. In 2023, several US infrastructure companies were found to have been infected with dormant malware by China-aligned threat actor Volt Typhoon. Analysis by the US government concluded that some systems had been compromised for “at least five years,” and the likely aim of the program was to cause “disruptive effects in the event of potential geopolitical tensions and/or military conflicts.” In a separate incident, a suspected state-level actor was found to have spent years slowly adding malicious code to the Linux operating system, which runs the vast majority of the world’s servers. Had they not been caught, the code would have given the hackers nigh-undetectable access into hundreds of millions of computers.
As geopolitical tensions grow, businesses operating in or serving strategically important industries will likely find their systems seeded with hidden malware or backdoors. Responding to a state-level threat actor will likely involve input from the national cybersecurity or intelligence apparatus, whose priorities may not be fully aligned with those of the impacted business. Businesses must therefore ensure their crisis response strategies account for the possibility that their response processes may be dictated by the government.
Cyber-physical convergence: the real-world impact of cyber attacks
One of the more disturbing cyber-attack evolutions is the growing number of incidents with kinetic – or real-world – impacts. Whilst the risk has always theoretically existed – former US Vice President Dick Cheney revealed in a 2013 interview that he had had his pacemaker’s wireless capabilities disabled in 2007 due to fear of cyber assassination – it is only in recent years that this tactic has been used on a large scale. Both Russia- and Iran-affiliated actors have hacked into US water utilities in recent years, with the former having also attacked water systems in Poland and France. In some instances, the attacks are timed to enhance the potency of physical attacks – as seen in 2023 when a Russian cyberattack against the Ukrainian power grid coincided with a missile strike.
This tactic is not limited to state actors, with some non-state attacks having significant physical impacts. In 2014, it was reported that a blast furnace at a German steel mill suffered “massive damage” following a cyberattack. An attack on the University Hospital Düsseldorf in Germany forced the diversion of a patient with a life-threatening illness, who ultimately died. A 2022 attack on an Iranian steel factory by alleged hacktivists led to one machine “spewing molten steel and fire.” More recently, an attack against the NHS by ransomware group Qilin led to more than 1,000 operations and appointments – including C-sections and organ transplants – being postponed.
The coercive power of combining cyber with physical impacts means that such incidents are likely to only increase in scale and number. The addition of a physical element to cyber incidents requires a rethink around how to approach both physical and digital security. Businesses should ensure their current crisis response procedures reflect the unique challenges and consequences of cyber-physical convergence.
AI integration: a benefit and a risk
AI continues to be integrated into cybersecurity processes. The Bank for International Settlements recently reported that 71% of central banks surveyed had adopted generative AI tools for cybersecurity, with users praising the effectiveness of the technology in detecting cyber threats when compared to traditional tools. Google has also integrated AI into Google Threat Intelligence, with users now able to quickly analyze suspicious files and compile open-source intelligence from the web for threat intelligence purposes.
Threat actors, however, are also increasingly using AI – with analysis showing an aggressive expansion in their usage. Sumsub, a verification software provider, recorded a 700% increase in deepfake incidents in the fintech sector between 2022 and 2023 and a tenfold increase across all industries. The inclusion of AI has also created new vulnerabilities for threat actors to exploit, such as tampering with the data sets used to train AI models (known as data poisoning). Governments have begun warning companies of the risk – the head of the UK Government Communications Headquarters (GCHQ) told attendees at a recent cyber conference that the organization was seeing criminals using AI to draft phishing emails, enhance ransomware, infiltrate systems, spread disinformation and erode trust in democratic institutions.
While the benefits of AI for business are becoming clear, companies remain cognizant of the associated risks. Having a clear understanding of how your AI tools interact with your systems and operations, as well as how this exposes you to risks, is key to keeping your organization safe.
Food for thought: healthcare and cyber
During the height of COVID-19, several threat actors announced policies banning their affiliates and users from targeting healthcare companies. Many of these threat actors – most notably LockBit – have since changed their position, and healthcare is becoming one of the most targeted industries globally. Recent attacks have impacted thousands of medical patients and procedures – with many attacks impacting sensitive patient data in addition to varying degrees of operational impact. These companies may also face post-incident lawsuits from impacted parties, further exacerbating the incident’s cost to the organization.
Healthcare companies are particularly attractive to threat actors for several reasons. First, healthcare organizations tend to have significantly more sensitive data compared with companies in other industries – one study found that attacks on healthcare companies impacted around five times more sensitive data than attacks on other industries. Second, the breadth of machines and systems used in healthcare settings makes it difficult to maintain robust and up-to-date digital security across an entire network. Finally, the significant human risk created when a healthcare organization is hit by a ransomware incident creates additional pressure and urgency for the impacted companies to resolve the incident – which may translate into a higher likelihood of a ransom payout.
The vulnerabilities that make the healthcare sector attractive to threat actors are not unique. Other industries have similar weaknesses which can be exploited for financial gain, should their attention shift away from cybersecurity. Companies must continue to invest in their cyber preparedness and response protocols, as their sectors may become prime targets in the future.