The cyber threats for 2021 were truly global in nature. In 2021, many new threat actors made their debut, while existing ones became more targeted and sophisticated in their operations. As Canadian organizations continued their rapid digital transformation, threat actors attempted to take full advantage of the associated risks.
Our report highlights significant cyber threats and trends observed in Canada in 2021. We’ve also included insights into these key Canadian trends to better understand the potential impacts of cyberattacks on government entities, businesses and individuals.
Most cyberattacks were financially motivated, while a smaller but growing number were driven by nation-state threat-actor activity, espionage or other profit-making factors.
Some of the most critical sectors of the Canadian economy and social well-being were the most targeted. As threat actors gain access to more sophisticated malware tools and technologies at minimum cost, cyberattacks are expected to become more targeted and potentially more damaging.
Here are the seven key cyber threat trends we observed in Canada in 2021. We believe these will be worth paying attention to in 2022 and beyond.
Ransomware attacks continue to be one of the most significant cyber threats to a majority of Canadian organizations. This trend is expected to grow in the coming years, as most victims are willing to pay the ransom to minimize damage. Meticulously designed social engineering campaigns, compromised third parties and software vulnerabilities have been the most abused initial access vectors.
Canada saw a significant number of cyberattacks in 2021. Although the threat actors behind most campaigns remain unknown, several were carried out by state-backed threat actors. Some of the state-sponsored hacking groups that targeted Canadian entities in 2021 include SparklingGoblin APT and APT31.
As organizations continue to depend on third-party vendors for increased productivity, the associated cyber risks proliferate. Threat actors are taking advantage of this situation by targeting software supply chains to maximize the impact of their operations. In 2021, many threat actors targeted cloud infrastructure and software vulnerabilities, such as Log4j. A number of attacks also originated from third-party-based compromises in which threat actors gained access to a third-party network and used it as a node to launch attacks against the targeted organization.
A major trend in 2021 was the proliferation of cyber capabilities. Zero-day vulnerabilities reclaimed a prominent space in cybersecurity conversations, with issues surrounding their research, disclosure and exploitation attracting greater public scrutiny. This scrutiny came largely in relation to indiscriminate targeting and issues of national security, as threat actors of all motivations and capabilities rushed to exploit high-profile vulnerabilities.
In 2021, there was a steady rise in the number of business email compromise attacks and phishing campaigns. Automated phishing attacks, carried out mostly by TA505 threat actors, were quite prevalent through the first half of 2021. Threat actors mostly used newly registered domains, random email addresses and varying subject lines to get past security controls and lure users into clicking through to a landing page, at which point a remote access trojan was installed.
One of the key themes we observed in 2021 was the use of weak security controls in the cloud environment. A number of organizations haven’t yet configured their cloud environments with conditional access and other controls. This has led to successful password spray attacks using stolen credentials from the dark web during which threat actors established initial access as well as persistence in the target environment.
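The password-spray pattern described above (one source trying a few common passwords across many accounts, then logging in with the one that works) is what conditional access and MFA are meant to break. As an added illustration that is not part of the report, the following script flags that pattern in sign-in logs; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
"""Password-spray detector over constructed cloud sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, result (assumed format).
SAMPLE_LOG = """\
2021-06-01T08:00:01Z alice@example.ca 203.0.113.7 FAILURE
2021-06-01T08:00:03Z bob@example.ca 203.0.113.7 FAILURE
2021-06-01T08:00:05Z carol@example.ca 203.0.113.7 FAILURE
2021-06-01T08:00:07Z dave@example.ca 203.0.113.7 FAILURE
2021-06-01T08:00:09Z erin@example.ca 203.0.113.7 FAILURE
2021-06-01T08:00:12Z frank@example.ca 203.0.113.7 SUCCESS
2021-06-01T08:05:00Z alice@example.ca 198.51.100.9 FAILURE
2021-06-01T08:05:30Z alice@example.ca 198.51.100.9 SUCCESS
"""

def parse(log: str):
    """Turn the sample lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: {"accounts": n, "followed_by_success": [users]}} for every
    source IP whose failures hit >= min_accounts distinct users inside `window`.
    A later SUCCESS from the same IP is the initial-access signal worth paging on.
    One user failing repeatedly from one IP (a typo, or a targeted brute force)
    is deliberately not matched here; that is a different detection."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failed = [e for e in evs if e[3] == "FAILURE"]
        for i, start in enumerate(failed):          # sliding window over failures
            in_win = [e for e in failed[i:] if e[0] - start[0] <= window]
            users = {e[1] for e in in_win}
            if len(users) >= min_accounts:
                successes = [e[1] for e in evs if e[3] == "SUCCESS" and e[0] >= start[0]]
                findings[ip] = {"accounts": len(users), "followed_by_success": successes}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

In production the same logic would run over identity-provider sign-in logs exported to a SIEM, with the threshold tuned to the tenant's normal failure rate.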
PowerShell, Cobalt Strike and Remote Desktop Protocol (RDP) were the most frequently used tools to carry out cyberattacks in 2021. PowerShell, a popular tool among cybercriminals, facilitates fileless infections. Cobalt Strike is used to load malicious shellcode onto the target device and maintain persistent access on the victim’s network. RDP servers are located and breached using automated scanning tools and botnet malware families to gain entry to the target network.