As 2022 draws to a close, what can we learn from a year marked by Russia's invasion of Ukraine, crippling cyber and kinetic attacks against critical infrastructure not just in Ukraine but across the world, and a continued rise in cyber attacks and ransomware globally? A year in which Russia, China and Iran have all become victims of cyber attacks, perhaps reaping the seeds sown by each of them in the past. And a year which saw the costs of cybercrime move well above its $6 trillion 2021 levels even though the year is not over yet and the full impacts counted.
Can and should we extrapolate trends identified over the past year and say with near certainly that these trends will continue in their upward path, or is the cyber threat landscape more complicated than we generally assume it to be.
With both Russia, Iran and China, the three greatest perpetrators of cybercrime, increasingly isolated from the rest of the world, and with growing domestic dissent in their own countries, are geopolitical moves against autocrats likely to change the world's three most egregious offensive cyber actors?
2022 - A Year in Reflection
In 2022 we saw a massive collapse and re-alignment of organized crime groups following the Russian invasion of Ukraine in February. Prior to the war, these groups consisting of perpetrators located right across the Commonwealth of Independent States (CIS) were united predominantly by their use of the Russian language. During the invasion, Ukrainian and other non-Russian members pulled out of many of these Russian led groups, and some even turned on their former gangs exposing their inner most secrets and the identities of leaders. This break up caused a dip in attacks in March and April and was further hampered by many global ISPs withdrawing from business in Russia. The result was a dramatic reduction in the Internet bandwidth into Russia for many of these groups to use.
Since the onset of war, many of the leaders of these crime gangs, who operate under the eye of the Russian Mafia, who in turn operate with impunity under the oligarchs and ultimately the Kremlin, have quit the profession, scared that Russia will collapse along with Putin’s protective umbrella. Many are worried that they might be identified, caught, and prosecuted. Most have taken their millions in ill-gotten gains and ran, going deep underground. This has left a power vacuum in Russian organized crime syndicates where young, fearless, and ruthless new leaders have taken over. This has led to reckless attacks including the targeting of healthcare providers. A ‘live today die tomorrow’, ‘get rich quick’ mentality now persists as many of those involved are scared of being conscripted by the Russian Army and being sent off to die in Ukraine. Some of these cybercriminals have even acted upon their disdain for the Putin dictatorship, by launching cyberattacks against the Kremlin itself, a very risky proposition indeed.
At the same time, the affiliates of many of these ransomware-as-a-service (RaaS) groups have gone rogue, distancing themselves from Russia and from RaaS providers. With re-alignment complete, the gloves have been taken off and affiliates are hunting freely by themselves and are prepared to take much higher risks than previously allowed. Again, this includes the targeting of healthcare and other national critical infrastructure industries.
Unsurprisingly this has piqued the attention of the FBI, Homeland Security, and other law enforcement groups. Its also one of the main reasons behind the recent FBI warning about one of these groups in particular, Daixin. This group is widely accredited with the September / October ransomware attack against Common Spirit Health, the second largest US healthcare provider. The attack impacted hundreds of provider facilities across most US states, denying timely care to millions of US citizens.
If we thought that the threat landscape was bad in 2021, 2022 has turned into the wild west with rogue gun-slingers on every corner and dead bodies mounting up on every street! For an easy target like healthcare, prospects don’t look good. With its collection of out-of-date weapons, no money to buy new tools, and very small ill-equipped teams, it stands almost no chance defending against an increasingly out-of-control and rabid gang of adversaries.
But the Russian and other CIS gangs aren’t the only things that healthcare needs to be concerned about. Increased offensive activity against providers has been seen coming from both China and Iran. With Iran recently appearing to side with Putinist forces. With threats of further sanctions from Europe and the USA, and rising internal revolt against the theocratic dictatorship that runs the country, Iranian forces are on the offensive. So too is China, and now that Xi has unchecked power over the CCP and the country for life, it is likely that China’s massive PLA cyber army will launch new offensives against western critical infrastructure providers, as China increasingly uses cyber weaponry against its perceived enemies.
Any healthcare CEOs that still have their heads buried in the sand, thinking that a cyberattack is unlikely to impact their hospitals, had better find a deep cave in which to hide, because the noise of collapse in 2023 will be omnipresent.
"We are seeing 2 to 3 ransomware attacks against US healthcare providers each and every day at the moment,” claimed Richard Staynings, Cylera's Chief Security Strategist in a recent interview. “That is not about to go down any time soon, so long as hospital boards and CEOs keep paying the ransoms. Instead of paying the criminals holding them to extortion, they need to invest properly in security and IT which is totally underfunded. This is especially so if you analyze the risks or compare the healthcare industry with other industries such as financial services. It’s somewhat analogous to crime victims paying protection money to the mafia, while refusing the properly fund the police or the FBI" he added.
"I wish that I had a more positive prediction for 2023 but that would be putting lipstick on a pig" claimed Staynings.
Are we doing a better job today of defending against attacks than we were a few years ago? Many cybersecurity leaders would say that we are but that the goal posts have moved. Some health systems have prioritized cybersecurity, but most have a long way to go. And that comes back to governance, leadership, and the prioritization of cybersecurity. Most cybersecurity leaders would agree that it's not where it needs to be right now.
Nor unfortunately is the level of cyber protection being provided by Homeland Security, the FBI and others. Governments are never quick to act but plainly, expecting small critical access facilities to protect themselves against highly sophisticated nation-state actors and organized crime syndicates is ridiculous.
As Staynings puts it, "it’s not even analogous to David and Goliath. It’s more akin to a lone Maasai warrior armed with a spear going up against an entire regiment armed with machine guns. The Maasai warrior stands almost no change at all!"