2022 Annual Report

Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.

The annual report surveys the threat landscape of 2022, summarizing a year of intelligence produced by Recorded Future’s threat research team, Insikt Group. We analyze global trends and evaluate significant cybersecurity events, geopolitical developments, vulnerability disclosures, and more, providing a broad, holistic view of the cyber threat landscape in 2022.

Executive Summary

The physical conflict in Ukraine, and the effects it has had on the cyber threat landscape throughout 2022, frames our discussion of significant cyber threat events and geopolitical trends that occurred in 2022 and underscores the increased convergence of the cyber and geopolitical threat landscape.

Before and throughout the physical invasion, Recorded Future has observed increased instances of distributed denial-of-service (DDoS) attacks, hacktivist activity, and the widespread deployment of wiper malware. And while Russia’s invasion of Ukraine dominated the discussion of kinetic and cyber-hybrid operations, threat actors affiliated with other prominent nation-states, specifically Iran, China, and North Korea, carried out cyberattacks throughout the year, informed by an era of heightened geopolitical tension, competition, and politically charged affiliations.

We also analyzed cyber threat events across the broader threat landscape, including those carried out by cybercriminal groups. While phishing campaigns and ransomware attacks continue to plague organizations across industries and geographies, Recorded Future identified a 600% increase in the number of credentials sold via information stealing malware between Q1 and Q4, a significant year-over-year increase in targeting of software frequently used in organizations’ supply chains, and a shift toward an increasingly managed service model as “as-a-service” offerings proliferated on dark web marketplaces and underground forums. Initial access brokers are increasingly active, likely due to the increased use of infostealer malware and the ability to monetize stolen data.

The effective use of infostealers often relies on the successful exploitation of vulnerabilities. Notable vulnerability-related trends in 2022 included ransomware and Chinese state-sponsored threat actors rapidly exploiting zero-day vulnerabilities, the ongoing exploitation of Log4Shell across all quarters in 2022, and the impact of Microsoft’s oscillation about the automatic disablement of macros.

Finally, ransomware remained an ever-present threat in 2022. While certain ransomware gangs disbanded, others were quick to assert their dominance and used their significant resources to undertake campaigns against organizations of all sizes across industries. Although ransomware payments decreased by about 60% between 2021 and 2022, likely due to increased guidance from governments to forgo making ransomware payments and increased due diligence on cybersecurity standards from insurance companies when underwriting policies for ransomware attacks, ransomware will continue to pose a major threat to organizations throughout 2023.

Key Takeaways

• Self-proclaimed hacktivist activity, likely a mix of grassroots and state-sponsored activity, surged in the first half of the year, as threat actors groups carried out attacks based on their allegiance to either Russia or Ukraine. While the majority of this activity was limited to targeting organizations involved in the conflict or located in areas close to eastern Europe, some hacktivist activity involved organizations in other regions.
• Spillover effects of the deployment of wiper malware and the hacktivist activity were the primary cyber threats to organizations not directly involved in the war in Ukraine.
• North Korea will most likely continue to test ballistic missiles in 2023. US military buildup in the western Pacific and increased defense spending and preparedness measures in Japan are likely to be met with equivalent actions by China.
• Diplomatic negotiations over the Joint Comprehensive Plan of Action (JCPOA; commonly referred to as the Iran nuclear deal) are unlikely to make any progress. Meanwhile, the Islamic Republic of Iran continues to enrich uranium in an effort to achieve a nuclear weapon. The Israeli government is likely to continue kinetic strikes on elements of the Islamic Revolutionary Guard Corps-Quds Force (IRGC-QF) operating in Syria while keeping its options open for strikes on nuclear facilities inside of Iran.
• 2022 was the year of “as-a-service”, as we identified the presence of new phishing-as-a-service (PaaS) offerings in the threat landscape, the continued success of the ransomware-as-a-service (RaaS) model, and the development and use of new strains of malware-as-a-service (MaaS) offerings.
• Open source or proprietary software packages were targeted throughout 2022. Given their effectiveness over the past year, these types of attacks will likely grow in severity in 2023.
• Infostealers were increasingly used by threat actors, and the increased advertisement of authentication information collected by infostealers poses a risk to multi-factor authentication (MFA) security solutions.
• While the adoption of countermeasures such as the disablement of macros by default has been highly effective, many threat actors have also pivoted their operations to subvert newly developed or implemented security protections, underscoring the need for a implementation of a defense-in-depth security strategy.
• The exploitation of widely used products, as well as continued exploitation of previously reported vulnerabilities like Log4Shell, underscores threat actors’ ongoing focus on attack vectors that can be used for extended periods of time.
• The volume of ransomware attacks is unlikely to shrink in 2023. However, if the finance gain from ransomware attacks continues to decrease, as observed from 2021 to 2022, threat actors are likely to adjust their tactics to continue realizing the historical financial incentives for ransomware attacks.