“Blindsided” is cybersecurity’s worst-case scenario. The threat you don’t know about; the attack you don’t see coming; the hacker hiding undetected in your networks: unknowns are what can take a company down. Exposing them is what threat intelligence lives to do.
Companies in 2022 faced an array of threat actors: sophisticated advanced persistent threats, or APTs; ruthless cyber criminals; disgruntled insiders; a resurgence in hacktivism and distributed denial of service (DDoS) attacks, and more. Geopolitics dominated the headlines and the cybersphere, even as threat actors continually shifted tactics and techniques and shared their tools, motivated by sabotage, espionage and money.
In 2022, public and private sectors also joined forces and shared intelligence, bolstering organisations’ defences.
Our report “Cyber Threats 2022: A Year in Retrospect” examines the threat actors, trends, tools and motivations that shaped the cyber threat landscape last year. It includes incident response case studies with direct and detailed insight into the tools, techniques and procedures (TTPs) used in intrusions. Throughout the report we also provide detection logic that your defenders can use when scanning your own systems and networks for signs of malicious threat actors.
Using the report’s context for what to expect in 2023, we strive, as always, not only to keep pace with hostile cyber activity but to get ahead of it and stay ahead.
Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. In 2022, attacks in one sector cascaded to other industries and inflicted greater damage. That’s due to increased interconnections among increasingly digitised supply chains and industries.
The sector summaries below set out sector-specific motivations, summarised by PwC Threat Intelligence from 2022 case studies and in-house analytics.
Military secrets and sophisticated technologies make this highly sensitive and important sector a prime target for cyber threat actors every year. But 2022 proved especially challenging, as threat actors worked hard to penetrate aerospace and defence (A&D) organisations and contractors, particularly in Europe. Their motives ran the gamut:
Espionage-motivated threat actors wanted research and development secrets as well as military plans and capabilities.
Saboteurs, hoping to weaken a rival’s defences, might try to inhibit research or halt production.
Ransomware attackers were willing to bet that high-value defence contracting companies would pay to recover sensitive data. They often upped the ante by threatening to publish ransomed data on leak sites, collecting from victims a second time.
The auto industry is speeding along on the digital highway, transforming rapidly and perhaps more completely than many other sectors.
Automakers must secure not only the software and hardware that make up their vehicles but also the factories that manufacture them. Their distributors and suppliers are targets, as well.
Ransomware operators hit the automotive supply chain worldwide in 2022 and posted information on leak sites from 75 organisations. Many of these incidents brought operations to a standstill and left manufacturers without needed parts or equipment.
We also saw evidence of espionage, including compromises resulting in threat actors stealing sensitive and proprietary information from victims.
The many builders, engineers and suppliers who must work together on construction projects increasingly use digital technologies to operate and connect. Each is vulnerable to intruders who seek primarily, in this sector, money and information.
Among ransomware leak site victims in 2022, 10% were in construction and engineering, making it number two among sectors. Only manufacturing suffered more ransomware-generated leaks.
Meanwhile, espionage agents sought to steal information or halt operations in the moment and to plant the seeds for doing so later. Their attacks stood to affect projects linked to government agencies, public infrastructure, and the public interest, including water and utilities, transportation, public buildings and even corporate facilities.
Knowledge is power. Espionage-motivated threat actors know this, and have targeted academia for sensitive data and research, as well as information on researchers.
Attackers have more ways to get in than ever before. Partly as a result of the COVID-19 pandemic, so much of learning itself now happens online, and school administrations have increasingly gone digital. Each new connection, device and platform expands the attack surface of educational systems and networks.
Ransomware attacks had an immense impact on this sector in 2022, and cyber criminals dominated headlines, as victims in many cases were forced to shut down operations while systems were being restored. Education’s traditional role as an open space for the free exchange of ideas and information may make the sector an easier target. We saw hundreds of schools’ data and systems around the world held for ransom in 2022.
Among the most critical of infrastructure and most important of resources, energy has become a prime target for cyber criminals and other threats. But the stakes rose in 2022.
Last year we saw espionage-motivated threat actors and saboteurs targeting energy producers and distributors as a complement to conventional warfare. The intruders had often positioned themselves in advance, breaching systems to gain a foothold in victim networks, gather information and plant malware for future use. Hacktivists also re-emerged and targeted energy sector organisations in 2022, often through DDoS attacks.
Ransomware attacks, too, increased, with actors frequently using double extortion to coerce victims. In exchange for the first payment, they’d decrypt the victims’ data; the second payment would keep the attackers from posting the stolen data on leak sites or selling it.
Perhaps not surprisingly, money was the ultimate driver for threat actors targeting financial services (FS) in 2022. Ransomware hit FS hard in 2022: the sector accounted for 5% of all ransomware leak site victims. Cryptocurrency theft resulted in the loss of millions of US dollars, as well. And fraud was an ongoing concern as threat actors used cyber methods to buy items using others’ payment cards, hack into financial accounts, commit identity theft, and conduct other fraudulent acts.
But money wasn’t the only objective. Some used sabotage to slow and even halt financial transactions and stymie the flow of money, aiming to cripple economies. And threat actors continued to slip in to view sensitive financial data and systems.
Adversaries, eyeing the sensitive information that governments collect and maintain, carried out sophisticated attacks in acts of cyber espionage in 2022.
Saboteurs, too, were active. They attempted to disable or disrupt government services and destroy or manipulate sensitive information and communications. They also released disinformation and leaked data regarding high-profile events and issues.
Opportunistic cyber criminals, too, targeted the government. They followed headlines to launch ransomware attacks on public agencies and organisations. And as world events and tensions evolved, they injected themselves into geopolitical conflicts.
Healthcare perhaps faced the most peril from cyber threats of any sector, with people’s very lives potentially at stake. And as providers’ and patients’ use of technology grew, so did opportunities for theft and worse.
Espionage by those seeking personal and proprietary information remained a concern, as did sabotage that might shut down systems and compromise patient care. But ransomware posed the greatest threat in 2022.
The damage that threat actors can do is vast in a cyber attack: they can bring down entire networks, affecting patients, providers, third parties, operators, facilities and more.
Operational technology (OT) took centre stage among cyber concerns in 2022 as factories continued to digitise, moving toward increased automation. Each new connection widens the attack surface, and the number one threat to it is ransomware.
A ransomware attack that freezes or shuts down a factory’s OT costs revenue and time, and could endanger workers. Cyber criminals exploit these concerns, striking first and then attempting to extort for profit. Manufacturing companies ranked number one (15%) among ransomware leak site victims in 2022.
A production halt can ripple up and down the supply chain and exacerbate other shortages, as happened last year. Critical infrastructure, government, business, suppliers and distributors could all suffer losses.
On our 2023 watchlist: semiconductor manufacturing, as the US and others continue to impose restrictions. Cyber criminals are savvy about world events, and are certainly watching.
Research is the lifeblood of pharma, but it’s also a prime draw for espionage.
As companies rely on technologies to advance their research and produce groundbreaking medicines ever more rapidly, they also create incentives for cyber criminals to break in, and more avenues through which to do so.
Espionage-motivated threat actors abound, working to infiltrate laboratories via third parties, Internet of Things (IoT) technologies, cloud environments, software misconfigurations and more to view and steal sensitive and proprietary information and disrupt production.
The stakes go far beyond a product or pill, and even beyond such high profile projects as the development of new vaccines and other lifesaving treatments. Bad actors can also undercut companies’ profits and cause regulatory problems and reputational damage. In 2022, we saw them use ransomware to extort pharma and life sciences companies: Pay or suffer the consequences.
Threat actors badly want what professional services (PS) companies have: namely, a wealth of project and operations information as well as sensitive proprietary, personal and financial data about clients in the private and public sectors.
Threat actors often target PS organisations with fraud in mind, using these companies’ compromised networks to access their clients’ data. Or they may use access to email accounts to conduct convincing spoofing, phishing and social engineering campaigns.
But money remains a significant motivator in PS breaches. Among victim data posted to ransomware leak sites in 2022, 9% came from professional services, making it the third highest sector last year among ransomware leak site victims.
As more PS organisations use the cloud and other technologies, we expect to see threat actors work more diligently to compromise these services and to circumvent identity and access management (IAM) controls.
The retail industry is a cash cow for cyber criminals and fraudsters. As the use of contactless payments grew in 2022, we saw more widespread use of phony processing applications to steal customer data, including payment card information.
Threat actors may use customers’ credentials to gain access to their retail accounts and make fraudulent purchases of items that they then return for a refund to their own accounts — a popular tactic in 2022.
Attackers also may disable retailers’ online marketplaces for ransom, effectively shutting down business. The retail sector was the fourth hardest hit among ransomware leak site victims last year and accounted for 8% of all organisations leaked by ransomware threat actors.
Such a competitive industry is bound to have its share of cyber espionage, as well. As retailers and developers create and patent their own software and technologies in heated competition, they face the enduring balancing act of security vs. speed. Threat actors can then slip in to view companies’ proprietary information and their customers’ personally identifiable information (PII), payment information, and online behaviours.
Sports and entertainment has become a highly transactional, technology-driven, on-demand service — one that suffered an onslaught of cyber attacks in 2022.
Interrupting scheduled events can cost sports and entertainment organisations, including content creators and owners, teams, venues and platforms, a lot of money. Criminals capitalised on this vulnerability, timing ransomware deployments to coincide with time-sensitive events. We anticipate more such attacks in 2023.
Threat actors pilfered from fans and subscribers, as well, intercepting their purchases to steal payment card information, for instance.
And they stole embargoed media, then leaked it for money or notoriety, as we saw in one widely publicised instance in 2022.
In the digital age, technology all but makes the world go around, making it a prime target for power-and-money-hungry cyber criminals and espionage-motivated threat actors.
Its omnipresent reach, extending into every sector, prompted threat actors to break into managed service providers, cloud service providers, and other widely-used services that provided access to users’ systems and networks.
Sophisticated cyber intrusions slipped into enterprise systems via software updates or systems maintenance tasks. Others used social engineering to wear down security mechanisms and trick users into granting access.
Then, lurking inside their victims’ networks, a range of threat actors stole proprietary secrets and personal data, disrupted supply chains, launched attacks and damaged trust along the digital supply chain.
This somewhat beleaguered sector suffered hits from a variety of threat actors, sometimes suffering punches from all sides in quick succession.
And because its data and telemetry contain much confidential intelligence, espionage-motivated actors focused keenly on telco, eager to scale their targeting and reconnaissance operations and enable future attacks.
The transportation and distribution of raw materials and goods are the most critical links in the global supply chain. The risks increased as companies connected more systems through operational technology (OT) and industrial control systems (ICS). We saw threats to transport and logistics not only grow, but also become more sophisticated.
The consequences could be dire. We saw an attack shut down one country’s entire railway system.
Supply chain and sector interdependencies in 2022 made it more and more likely that an incident might enormously affect not only the breached company but also its customers and third parties. Ransomware actors seized on this likelihood, often targeting transport and logistics firms in aggressive attacks.