Revisiting some top cyber threat predictions for 2018
At the end of each year, the IT security community routinely makes bold predictions on some of the imminent cyber threats to come. For example, at the conclusion of 2017, Kaspersky Lab researchers forecast an increase in supply chain attacks leveraging third-party software, more high-end mobile malware, additional destructive attacks like 2017’s ExPetr/NotPetya attack, as well as increased router and modem hacks.
Now, well into 2018, it’s important to re-evaluate some of the predictions made, to see what has come true, what has yet to happen and what has drastically changed in a few months’ time. In the cybersecurity community, this type of collaborative review is critical to ensuring stronger protection and greater research accuracy.
Let’s take a look at the first half of 2018.
H1 2018: The Current Reality
The first half of the year was not a quiet one in IT security. In fact, several advanced persistent threat (APT) operations were uncovered revealing weak points within critical infrastructure, pharma companies, government entities and more.
To kick off 2018, Olympic Destroyer made headlines when the threat group conducted a disruptive cyberattack against the Pyeongchang Winter Olympic games. The cyberattack temporarily paralyzed IT systems ahead of the official opening ceremony, shutting down display monitors, killing Wi-Fi and taking down the Olympics website so that visitors were unable to print tickets. Kaspersky Lab also found that several ski resort facilities in South Korea suffered from this worm, which disabled the operation of ski gates and lifts at the resorts.
Later, in June, new activity by this threat actor was discovered, this time targeting financial organizations in Russia, as well as biochemical threat prevention laboratories in Europe and Ukraine. A number of indicators suggest a low- to medium-confidence link between Olympic Destroyer and the Russian-speaking threat actor Sofacy.
In addition to Olympic Destroyer, one of the most notable activities so far this year has been the VPNFilter campaign, an Internet of Things / router malware attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The May 2018 campaign targeted a large assortment of domestic networking hardware and storage solutions. It was even able to inject malware into traffic in order to infect computers behind the infected networking device.
The VPNFilter campaign is one of the most relevant examples of how networking hardware has become a priority for sophisticated attackers. The data provided by Cisco Talos indicated this campaign was conducted on a large-scale, global level, and Kaspersky Lab’s analysis found that traces of this campaign could be found in almost every country.
That same month, in May 2018, Kaspersky Lab researchers also observed ZooPark, a sophisticated cyberespionage campaign that was targeting Android device users based in Middle Eastern countries for several years. Using legitimate websites as sources of infection, the campaign appeared to be a nation-state backed operation aimed at political organizations, activists and other targets based in the region.
Just one month after the ZooPark and VPNFilter discoveries, the Chinese-speaking threat actor LuckyMouse reemerged in June. This APT had previously been observed abusing a national data center in Asia for waterhole attacks through high-profile websites. Later this year, it was also found to be actively targeting Kazakh and Mongolian governmental entities around the time these governments held their meeting in China.
These cyber threats are just a small sampling of the APT activity observed in the first half of 2018 by the IT security community. While some predictions made at the start of the year have come true, others have yet to come to fruition, keeping organizations and individuals alike in anticipation of the future.
H2 2018: Cyber Threats to Watch For
The second half of 2018 will likely also be a busy one for cybersecurity researchers. So far, we have repeatedly warned that networking hardware is ideally suited to targeted attacks, and we have highlighted the existence and spread of advanced activity focusing on these devices. We continue to stand by this expectation for the remainder of the year.
In addition, during the second half of the year, we expect to see more supply chain attacks, both in terms of new discoveries and of actual attacks. Trojanizing specialized software used in specific regions and verticals will become a move akin to waterholing strategically chosen sites in order to reach specific victims.
We also estimate that in H2 2018, more high-end APT malware for mobile will be discovered, as a result of both an increase in the attacks and improvements in the security technologies designed to catch them. Lastly, we expect that destructive attacks, such as those using wipers, as seen in 2017’s Shamoon, Stonedrill and ExPetr/NotPetya attacks, will continue to rise, as they can be used as a distraction, to wipe traces after an attack (repeatedly seen in the financial sector) and for propaganda purposes, beyond purely destructive purposes.
Overall, as we become more digitized than ever before, we will continue to see significant cyber threats for the remainder of 2018 and beyond. Each year, industry predictions on APT actors should not be taken in isolation – rather, they should build on each other to raise awareness, enrich research and strengthen collaboration. Only by sharing and applying quality threat intelligence can we as a cybersecurity community be one step ahead of some of these APT actors.