Hacktivists used more destructive malware in 2022 - report
New research from Nozomi Networks has found hacktivists shifted their tactics in 2022 from data theft and Distributed Denial of Service (DDoS) attacks to using more destructive malware.
This was done in an attempt to destabilise critical infrastructure to further hacktivists' political stance in the Russia/Ukraine war.
Additional findings from Nozomi Networks' OT/IoT Security Report: A Deep Look into the ICS Threat Landscape include that wiper malware and IoT botnet activity also significantly influenced the 2022 threat landscape.
Nozomi Networks Labs researchers first picked up on hacktivists shifting their tactics in the first half of 2022 and note that it only gained momentum in the second half.
"Over the past six months, cyberattacks have increased significantly, causing major disruption to industries ranging from transportation to healthcare," says Roya Gordon, OT/IoT Security Research Evangelist, Nozomi Networks.
"Railways, in particular, have been subject to attacks, leading to the implementation of measures designed to protect rail operators and their assets.
"As cyber threats evolve and intensify, it is important for organisations to understand how threat actors are targeting OT/IoT and the actions required to defend critical assets from threat actors."
The company's latest OT/IoT security report also analysed customers' intrusion alerts covering the previous six months, finding weak/cleartext passwords and weak encryption were the top access threats to critical infrastructure environments.
Brute force and DDoS attempts followed this, with Nozomi Networks Labs detecting Trojans as the most common malware targeting enterprise IT networks.
Further, Remote Access Tools (RATs) were the most common malware targeting OT, while DDoS malware was the most common malware targeting IoT devices.
Malicious IoT botnet activity remained high and continued to increase in the second half of 2022, with researchers finding growing security concerns as botnets continue to use default credentials in an attempt to access IoT devices.
From July to December 2022, Nozomi Networks honeypots found:
- Attacks peaked in July, October and December, with more than 5,000 unique attacks each month.
- The top attacker IP addresses were associated with China, the United States, South Korea and Taiwan.
- "root" and "admin" credentials are still the most common method threat actors use to gain initial access and escalate privileges once in the network.
- Regarding vulnerabilities, manufacturing and energy remain the most vulnerable industries, with water/wastewater, healthcare and transportation systems following.
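The honeypot findings above single out "root" and "admin" credentials as the most common way attackers try to get in. The following is an added example, not code from Nozomi Networks or the report, showing the defender-side check a SOC would run over an auth log to surface that pattern: it parses sshd-style "Failed password" lines, counts failed logins that used a default username per source IP, and raises an alert when a source crosses a threshold inside a sliding time window. The log lines, IP addresses (RFC 5737 documentation ranges), hostnames and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the report or any real system).
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:01 iot-gw sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jul 12 03:14:03 iot-gw sshd[2102]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jul 12 03:14:05 iot-gw sshd[2103]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Jul 12 03:14:08 iot-gw sshd[2104]: Failed password for admin from 198.51.100.7 port 51025 ssh2
Jul 12 03:14:10 iot-gw sshd[2105]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jul 12 03:20:44 iot-gw sshd[2140]: Failed password for invalid user pi from 203.0.113.9 port 40211 ssh2
Jul 12 03:21:02 iot-gw sshd[2141]: Accepted publickey for opsuser from 192.0.2.25 port 55100 ssh2
Jul 12 04:02:17 iot-gw sshd[2201]: Failed password for admin from 203.0.113.9 port 40300 ssh2
"""

# The usernames the report singles out as the most common initial-access credentials.
DEFAULT_USERS = {"root", "admin"}

# Matches the sshd "Failed password" / "Accepted <method>" line shape.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line):
    """Return a dict with ts/result/user/ip for a recognised sshd line, else None.

    Syslog timestamps carry no year, so the parsed datetime defaults to 1900;
    only relative ordering matters for the window check below.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def _default_credential_failures(log_text):
    """Yield (ip, ts) for every failed login that used a default username."""
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev and ev["result"] == "Failed password" and ev["user"] in DEFAULT_USERS:
            yield ev["ip"], ev["ts"]


def default_credential_failure_counts(log_text):
    """Count failed default-credential logins per source IP (the honeypot-style tally)."""
    counts = Counter()
    for ip, _ in _default_credential_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on source IPs with >= threshold failed default-credential logins inside `window`.

    Returns {ip: peak_hits_in_window}; sources under the threshold are not reported.
    """
    events = defaultdict(list)
    for ip, ts in _default_credential_failures(log_text):
        events[ip].append(ts)

    alerts = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until all stamps fit inside `window`.
            while ts - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), hits)
    return alerts


if __name__ == "__main__":
    print("failed default-credential logins per source:",
          default_credential_failure_counts(SAMPLE_AUTH_LOG))
    print("brute-force alerts:", detect_bruteforce(SAMPLE_AUTH_LOG))
```

On the constructed input, 198.51.100.7 produces five failed root/admin attempts in under ten seconds and trips the alert; 203.0.113.9 produces one admin failure plus one non-default username and stays below the threshold. In practice the same logic is pointed at an aggregated syslog feed, the threshold and window are tuned to the device population, and a hit is answered by blocking the source and confirming the targeted devices no longer accept the default credentials at all.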
In the last six months of 2022:
- CISA released 218 Common Vulnerabilities and Exposures (CVEs) – 61% fewer than in the first half of the year
- 70 vendors were impacted – up 16% from the previous reporting period
- Affected products were also up 6% from the first half of 2022
Nozomi Networks' latest report offers security professionals the latest insights they need to re-evaluate risk models and security initiatives, along with actionable recommendations for securing critical infrastructure.