In 2023, the CERT-Wavestone (incident response) team handled almost 40 major cybersecurity incidents for large companies or public organizations. And for 16 of these, a dedicated team was set up to support crisis management.

2023 was rich in cyber-attacks. Cybercriminal activity continued to increase, the majority of attacker groups remained driven by financial gain, and we expect this trend to keep rising. However, we also witnessed attacker groups becoming radicalized: the threat of attackers carrying out destabilizing actions in support of Russia is fueled by the tense geopolitical context.

Incident response: lessons from 2023

  • The main motivation for attacks remains profit, accounting for 46% of incidents managed. Ransomware is still the most common extortion method.
  • The main entry point for attackers is still the fraudulent use of valid accounts. Among the compromises, Office 365 accounts are strongly represented.
  • Opportunistic attacks dominate the sample (77%). In addition to ransomware, they also target the sensitive data of victim organizations, with disclosure as the preferred pressure tactic.
  • Tomorrow's challenges are already visible: the ability to decouple information systems (IS) in an emergency, preparations for the Paris 2024 Olympic Games and the influence of Artificial Intelligence.
Gérôme Billois

Partner Cybersecurity
Wavestone

All organizations need to remain alert to rising threats; smaller companies need to increase their level of cyber maturity, starting with the basics (implementing protection and detection measures), and larger ones need to continue their investments, particularly in the face of increasingly advanced cases of fraud and AI-related threats.

Motives: the lure of gain is indisputable

Attackers predominantly out for money

46%

of attacks are financially motivated


With 46% of the cases handled by the CERT-Wavestone, financial motives dominate the ranking, with ransomware as the predominant method.

Spying, data theft... what's new in 2023

  • For the first time since 2019, the report reveals acts of espionage – a direct consequence of the geopolitical context.
  • Fraud and data theft are on the rise, accounting for 19% and 25% respectively of money-driven attacks in 2023.
  • The proportion of attacks with no clear motivation is rising sharply: 29% of incidents handled in 2023, compared with 16% in 2022. This uncertainty can be interpreted as good news: improved detection and response capabilities mean that attacks can be stopped before they have any impact on the information system.

Attack targets: User accounts on the front line

Theft of valid user accounts, top entry point for cyber criminals

Once again this year, valid user accounts remain the prime target (42%), ahead of vulnerable websites (23%) and remote access systems (17%). Access to these accounts is gained by purchasing credential databases on the darknet, exploiting weak passwords, or through phishing.

2023 trend: Compromised Office 365 accounts

In 2023, Office 365 account compromises were common. Possible explanations include:

  • Widespread adoption of these solutions in companies;
  • Insufficient level of security for accounts upon implementation.

In every case reported to us, multi-factor authentication (MFA) on the accounts in question would have prevented the compromise.
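The practical follow-up to that finding is to find the accounts that are still signing in without MFA before an attacker does. The script below is an added example, not code from the report or from Wavestone. It triages a batch of sign-in records and lists (a) accounts that completed a successful sign-in with only a single factor and (b) successful sign-ins from a country outside each account's known baseline. The records are constructed here, and their field names (userPrincipalName, ipAddress, authenticationRequirement, status.errorCode, location.countryOrRegion) are assumed to follow the Microsoft Graph signIn resource; adjust them if your export differs.

```python
"""Triage sign-in records for successful single-factor logons.

Added example (not from the CERT-Wavestone report). The record shape is
assumed to mirror Microsoft Graph `signIn` objects exported as JSON Lines;
the same logic applies to any identity provider export that carries
user, source IP, MFA requirement, result code and geolocation.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed sample records (not real data). errorCode 0 is a successful
# sign-in; 50126 is the Entra ID "invalid username or password" code.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "FR"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "FR"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "NG"}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.99",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "US"}},
])


def parse_signins(text: str) -> List[dict]:
    """Parse JSON Lines into records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line must not abort the whole triage
    return records


def is_success(record: dict) -> bool:
    """A sign-in counts only if the provider reported errorCode 0."""
    return record.get("status", {}).get("errorCode") == 0


def single_factor_successes(records: Iterable[dict]) -> List[dict]:
    """Successful sign-ins where no second factor was required.

    Failed password attempts are excluded on purpose: the question is
    which accounts are *usable* with a password alone, not who was probed.
    """
    return [r for r in records
            if is_success(r)
            and r.get("authenticationRequirement") == "singleFactorAuthentication"]


def exposed_accounts(records: Iterable[dict]) -> List[str]:
    """Sorted, de-duplicated list of accounts that signed in without MFA."""
    return sorted({r["userPrincipalName"] for r in single_factor_successes(records)})


def new_country_successes(records: Iterable[dict],
                          baseline: Dict[str, Set[str]]) -> List[dict]:
    """Successful sign-ins from a country not in the user's known set.

    `baseline` maps userPrincipalName -> countries seen in a clean period
    (assumed to be built from earlier logs). Users with no baseline are
    skipped rather than flagged, to avoid noise on new joiners.
    """
    hits = []
    for r in records:
        upn = r.get("userPrincipalName")
        if not is_success(r) or upn not in baseline:
            continue
        country = r.get("location", {}).get("countryOrRegion")
        if country and country not in baseline[upn]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    known = {"alice@example.com": {"FR"}, "bob@example.com": {"FR"}}
    print("Accounts signing in without MFA:", exposed_accounts(recs))
    for hit in new_country_successes(recs, known):
        print("New-country sign-in:", hit["userPrincipalName"],
              hit["ipAddress"], hit["location"]["countryOrRegion"])
```

Run against the sample, the script reports bob@example.com as the only account usable with a password alone, and the NG sign-in as the one outside his baseline; carol's failed attempt is ignored, and alice is clean because her sign-in required MFA. On a real tenant the same two lists are the starting point for enforcing MFA and for resetting the sessions of any account that already shows anomalous successful sign-ins.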

Targets: Opportunism at the expense of smaller structures

While all sectors and company sizes are targeted, five trends are becoming increasingly apparent.

Large companies have improved their detection and response capabilities in recent years, and are therefore less affected by attacks. In response, cyber criminals are targeting easier, less secure targets.

Threatening to publish stolen data has become the most effective means of putting pressure on target companies. In 2023, 77% of observed ransomware cases exfiltrated data before launching the encryption phase; the ransom note almost invariably mentioned data theft.

Attackers have found a way of affecting several hundred or even thousands of virtual servers in a single attack by targeting virtualization platforms. These infrastructures have thus become one of their favorite targets.

Ransomware now takes just a few days to execute, instead of weeks. This reduction in time has made multiple ransomware attacks possible, where the same or different groups of attackers target the same victim within two days of each other, as shared by the FBI in its September 2023 notification.

Protection and detection investments by major corporations are bearing fruit. The proof: in one year, the time to detect an attack has been reduced by almost 50%, from 35 days in 2022 to 18 days in 2023.

71 days

average attack detection time for SMEs


By contrast, SMEs (Small and Medium-sized Enterprises) are less mature in cybersecurity than large corporations, and hence more vulnerable to opportunistic attacks. They take longer to detect the threat: 71 days on average. In smaller structures, the detection of an attack is often triggered by the first business impacts rather than by security tools and services.

Generally speaking, the market is increasingly mature. More and more attacks are being reported by partners and third parties: they accounted for 20% of reports this year, compared with 3% last year. As a result, smaller organizations are sometimes alerted by their larger customers.

Cybersecurity challenges in 2023 and beyond

Managing new-scale crises with decoupling

Over the course of 2023, we managed a number of large-scale crises requiring the rapid decoupling of information systems. This need for rapid isolation of entire systems can arise in several emergency situations:

  • For geopolitical reasons, to isolate a geographical area
  • Due to suppliers or partners being compromised, with the need to isolate an entity or business function

Triggering crisis management is essential to ensure a first level of rapid decoupling, and once again places cyber resilience at the heart of cyber security considerations.

Quentin Perceval

Head of CERT-Wavestone

Mastering your core business and underlying infrastructure is an essential prerequisite for being able to react effectively to a cyber attack and limit the impact on your business.

Preparing for the Paris 2024 Olympic Games

One of the major challenges of 2024 will be to anticipate the expected spike in cyber attacks targeting the Paris Olympic Games.

This high-profile event usually generates multiple cyber attacks, both directly on the event and its partners (targeted attacks, data theft, attempted disruptions, etc.) and indirectly on the general public and the digital sphere (fraud, denial of service, etc.). All structures need to prepare for this particular period, which falls in the middle of summer, when many staff are on annual leave.

Anticipating AI adoption by cyber criminals

The other threat to be anticipated for 2024 and beyond is that of artificial intelligence (AI).

On the one hand, cyber criminals are using AI to improve their attack capabilities, making them more versatile and effective – for example, with higher-quality text, revamped malicious code or the use of fake AI-generated videos/photos (deepfake).

On the other hand, cyber criminals attack AI directly, using innovative attack methods. This enables them to poison systems so that they malfunction and, for example, bypass anti-fraud mechanisms, or to steal data by coaxing chatbots into revealing more than they should.

CERT-Wavestone Report methodology

Timeframe

The 2023 edition of the CERT-Wavestone Report is based on data observed between September 2022 and September 2023.

Data

This report is based on cyber incidents and crises managed by Wavestone over the period: 37 attacks, including 16 major crises.
