Kathy Gibson reports from Jordan – Companies in the Middle East, Turkey and Africa (META) region can expect to come under attack from innovative new directions in 2023.

This is the word from Maher Yamout, senior security researcher at Kaspersky GReAT, who says the threat landscape is changing as cybercriminals employ new technologies.

“Hack-and-leak information operations (IO) are the new black,” Yamout says. “These attacks are seeing an increase now, which is expected to continue into 2023 and beyond.”

More worrying is that attacks are rapidly becoming more destructive, rather than being carried out for financial or information gain. These attacks are often associated with wiper trojans and ransomware. “For instance, ransomware is being used as a destructive weapon, with the threat actors not giving back the keys,” Yamout says.

Drone hacking is a new emerging trend, with drones used to target financial or government institutions. “The drones are loaded with hardware, then flown close to a building so it can hack devices inside the building.

“We have seen two attacks of this kind on a global scale,” Yamout says.

He adds that the past year has seen an increase in advanced persistent threat (APT) attacks that seek to harvest critical information that undermines nations and states.

Meanwhile, cybercriminal attacks – typically aiming for financial gain – are also hitting organisations in the region.

Cyber-mercenaries are becoming increasingly active in META, aiming at extracting intelligence that is then sold on.

Worryingly, there are also a number of attacks being performed by actors or groups unknown. “We see the effects, but have no idea who carried them out,” Yamout says.

Malware threats in South Africa have remained reasonably steady over 2022, with the exception of mobile malware, which has seen a steady uptick during the year.

Africa, overall, has seen an increase in threats, Yamout says. “The reason is probably subjective. Often geopolitical interests or economic interests are at the bottom of the attacks.”

There has been a big increase in Chinese-speaking groups in the region, Yamout points out.

The main targets for APTs are government and diplomatic institutions, with financial institutions coming in third.

During 2022, it has become apparent that cybercriminals have been looking to exploit low-ranking banks.

Yamout says they are mainly concerned with targeting victims to gain information that can be sold on.

Kaspersky is currently investigating five large, Russian-speaking cybercriminal groups involved in stealing money using malicious software. Another in Saudi Arabia is selling databases or access credentials.

In 2022, Kaspersky spotted what is probably the first Arabic-speaking ransomware group, also conducting scams and getting involved in major conflicts.

“They are trying to make a name for themselves with high-profile ransomware groups,” Yamout says. “And they are trying to get themselves into the spotlight by getting involved in geopolitical conflicts.”

Cyber-mercenaries are now targeting new countries and industries.

Unknown threat actors are responsible for an increase in ransomware attacks and hack-and-leak operations in the region, in two countries in particular: Saudi Arabia and Bahrain.

These new groups are hacking government and educational institutions, mostly hacking for the sake of making information public.

“This is an extension of the traditional information warfare,” Yamout says.

Attacks on industrial control systems (ICS) and critical infrastructure are growing. “When countries are facing economic pressures, this affects budgets, which affects the implementation of cybersecurity solutions, and this could lead to vulnerable systems.”

Economic pressures also lead to disgruntled employees and open organisations up to insider threats, which makes ICS processes more vulnerable.

In the META region, malicious objects were blocked on 38% of ICS computers that were protected by Kaspersky solutions, according to Kaspersky ICS CERT statistics. Globally, the share of ICS computers with blocked malicious objects stands at 31,8%. APT attacks on industrial systems are expected to get even more sophisticated in the coming months.

During the first three quarters of 2022 in the META region, ICS computers in the oil and gas sector faced attacks most often (39,3% of them were attacked). Attacks on building automation systems were in second place, with 38,8% of ICS computers in this sector targeted. The energy sector was also among the top three environments attacked (36,8% of computers there were affected).

In total, from January to September 2022, various types of malicious objects were blocked on 38% of ICS computers in the META region. Of these, most attacks on ICS infrastructure came from the Internet (28,2%) and 9,9% of attacks were made through email clients. Seven percent of attacks were conducted through removable media and 0,9% through network folders.

In South Africa, various types of malicious objects were blocked on 36,1% of ICS computers between January and September 2022. Of these, 14,6% came from the Internet and 17,8% of attacks were made through email clients, while 2,9% of attacks were conducted through removable media.

Another trend seen by Kaspersky for the remainder of 2022 and the next year is the rise of ransomware in ICS environments. Ransomware groups have come a long way – scattered gangs become organised businesses and form a full-fledged industry. We are seeing more cases where ransomware attacks, including those on ICS computers, are performed manually, in a time-consuming, yet efficient manner.