Cyber Trends – Summer 2024 | Brunswick Group

In this edition of Brunswick’s Quarterly Cyber Trends note, we explore how the cyber threat has evolved over the past few months – with a focus on state and state-aligned actors.

The key takeaways for businesses are as follows:

  • Companies targeted by state actors may find their incident response influenced by their host government. Crisis response strategies must reflect this possibility, as well as recognize that corporate priorities may not always fully align with those of the government.
  • The impact of cyberattacks is no longer limited to the digital realm. The potential physical impacts of a cyber incident on operations and personnel must be identified and mitigated where possible.
  • The benefits of using AI in day-to-day business processes are becoming clear. The risks are harder to discern, and companies will want to have a clearly documented and deliberative process for mapping and mitigating those risks.
  • The healthcare sector is experiencing a surge in cyberattacks, a seismic shift compared with a few years ago. The sector’s vulnerabilities are not unique to healthcare, however, and threat actors can easily use the same techniques to attack other industries.

If you have any questions, please reach out to the Brunswick Cyber team.

State actors: a continued threat

Not all cyberattacks are immediate. Many state actors covertly install dormant malware or backdoors on current or potential adversaries’ most sensitive cyber systems – with the intent of activating them in the event of a sudden geopolitical escalation. The impact of these efforts is significant, as seen in 2022 when suspected Russia-aligned actors activated the WhisperGate malware, destroying data stored by key Ukrainian entities in the government and IT sector around a month before Russia’s invasion. According to Cisco Talos, the threat actors were likely to have had “access to the victim network for months before the attack.”

Other efforts were discovered prior to activation. In 2023, several US infrastructure companies were found to have been infected with dormant malware by China-aligned threat actor Volt Typhoon. Analysis by the US government concluded that some systems had been compromised for “at least five years,” and the likely aim of the program was to cause “disruptive effects in the event of potential geopolitical tensions and/or military conflicts.” In a separate incident, a suspected state-level actor was found to have spent years slowly adding malicious code to the Linux operating system, which runs the vast majority of the world’s servers. Had they not been caught, the code would have given the hackers nigh-undetectable access into hundreds of millions of computers.

As geopolitical tensions grow, businesses operating in or serving strategically important industries will likely find their systems seeded with hidden malware or backdoors. Responding to a state-level threat actor will likely involve input from the national cybersecurity or intelligence apparatus, whose priorities may not be fully aligned with those of the impacted business. Businesses must therefore ensure their crisis response strategies account for the possibility that their response processes may be dictated by the government.

Cyber-physical convergence: the real-world impact of cyber attacks

One of the more disturbing cyber-attack evolutions is the growing number of incidents with kinetic – or real-world – impacts. Whilst the risk has always theoretically existed – former US Vice President Dick Cheney revealed in a 2013 interview that he had had his pacemaker’s wireless capabilities disabled in 2007 due to fear of cyber assassination – it is only in recent years that this tactic has been used on a large scale. Both Russia- and Iran-affiliated actors have hacked into US water utilities in recent years, with the former having also attacked water systems in Poland and France. In some instances, the attacks are timed to enhance the potency of physical attacks – as seen in 2023 when a Russian cyberattack against the Ukrainian power grid coincided with a missile strike.

This tactic is not limited to state actors, with some non-state attacks having significant physical impacts. In 2014, it was reported that a blast furnace at a German steel mill suffered “massive damage” following a cyberattack. An attack on the University Hospital Dusseldorf in Germany forced the diversion of a patient with a life-threatening illness, who ultimately died. A 2022 attack on an Iranian steel factory by alleged hacktivists led to one machine “spewing molten steel and fire.” More recently, an attack against the NHS by ransomware group Qilin led to more than 1000 operations and appointments – including C-sections and organ transplants – being postponed.

The coercive power of combining cyber with physical impacts means that such incidents are likely to only increase in scale and number. The addition of a physical element to cyber incidents requires a rethink around how to approach both physical and digital security. Businesses should ensure their current crisis response procedures reflect the unique challenges and consequences of cyber-physical convergence.

AI integration: a benefit and a risk

AI continues to be integrated into cybersecurity processes. The Bank for International Settlements recently reported that 71% of central banks surveyed had adopted generative AI tools for cybersecurity, with users praising the effectiveness of the technology in detecting cyber threats when compared to traditional tools. Google has also integrated AI into Google Threat Intelligence, with users now able to quickly analyze suspicious files and compile open-source intelligence from the web for threat intelligence purposes.

Threat actors, however, are also increasingly using AI – with analysis showing an aggressive expansion in their usage. Sumsub, a verification software provider, recorded a 700% increase in deepfake incidents in the fintech sector between 2022 and 2023 and a tenfold increase across all industries. The inclusion of AI has also created new vulnerabilities for threat actors to exploit, such as the data sets used to train AI (an attack known as data poisoning). Governments have begun warning companies of the risk – the head of the UK Government Communications Headquarters (GCHQ) told attendees at a recent cyber conference that the organization was seeing criminals using AI to draft phishing emails, enhance ransomware, infiltrate systems, spread disinformation and erode trust in democratic institutions.

While the benefits of AI for business are becoming clear, companies remain cognizant of the associated risks. Having a clear understanding of how your AI tools interact with your systems and operations, as well as how this exposes you to risks, is key to keeping your organization safe.

Food for thought: healthcare and cyber

During the height of COVID-19, several threat actors announced policies banning their affiliates and users from targeting healthcare companies. Many of these threat actors – most notably LockBit – have since changed their position, and healthcare is becoming one of the most targeted industries globally. Recent attacks have impacted thousands of medical patients and procedures – with many attacks impacting sensitive patient data in addition to varying degrees of operational impact. These companies may also face post-incident lawsuits from impacted parties, further exacerbating the incident’s cost to the organization.

Healthcare companies are particularly attractive to threat actors for several reasons. First, healthcare organizations tend to have significantly more sensitive data compared with companies in other industries – one study found that attacks on healthcare companies impacted around five times more sensitive data than attacks on other industries. Second, the breadth of machines and systems used in healthcare settings makes it difficult to maintain robust and up-to-date digital security across an entire network. Finally, the significant human risk created when a healthcare organization is hit by a ransomware incident creates additional pressure and urgency for the impacted companies to resolve the incident – which may translate into a higher likelihood of a ransom payout.

The vulnerabilities that make the healthcare sector attractive to threat actors are not unique. Other industries have similar weaknesses which can be exploited for financial gain, should their attention shift away from cybersecurity. Companies must continue to invest in their cyber preparedness and response protocols, as their sectors may become prime targets in the future.

To continue the conversation

Nicola Hudson
Partner, Cybersecurity, Data & Privacy Global Lead, London

Nicola has worked on hundreds of cybersecurity incidents and has deep expertise in cybersecurity issues and crisis management across both the public and private sector. Prior to joining Brunswick, she was a member of the Executive Board at GCHQ and Director of Policy at the National Cyber Security Centre, joining the centre as one of the founding Directors in 2016.


Paddy McGuinness
Senior Advisor, London

Paddy supports clients on crisis and resilience and the interplay between geopolitics, national security and their transactions. From 2014 to 2018, Paddy was the UK’s Deputy National Security Advisor for Intelligence, Security and Resilience, advising two successive British Prime Ministers on UK Homeland Security policy, capabilities and related legislation.

Suntka von Halen
Partner, Munich

Suntka specializes in restructuring, crisis and cybersecurity, change communications and corporate positioning. As Co-Lead of Cybersecurity Germany, she supports clients in crisis preparedness and within Brunswick's global cyber crisis team works on many cross-border crisis response mandates. Prior to joining Brunswick, she worked in the media industry for more than 10 years and served as spokesperson at Gruner + Jahr (a Bertelsmann company).

Marina Bidoli
Partner, Milan

Marina is a senior client advisor on business-critical issues. Her stewardship has included four-and-a-half years as Head of Brunswick South Africa, where she led South Africa’s cyber and crisis practice groups. Prior to joining Brunswick, Marina headed Group Communication at Sasol, the JSE-listed integrated energy and chemicals group.

 
