Unsurprisingly, 2021 was a dense year in terms of cyberthreats. The lack of respite for the public sector (health and local authorities), the extension of ransomware to larger targets (Colonial Pipeline, JBS Food, etc.) and the threats to data confidentiality with the Pegasus spyware: these are all examples of a year like no other, with Log4Shell vulnerability under the Christmas tree... So what can we expect in terms of cyberthreats in 2022? A prospective exercise, with our four cybersecurity predictions for 2022.
If the cybersecurity year 2021 were to be summed up in one trend, it would be that of structuring on the part of cybercriminals. Alongside the explosion of cases and amounts, the cybercriminal group ecosystem is consolidating into a veritable parallel economy, with the stated goal of improving the profitability of attacks. However, this is not the only strong signal to have shaken the past year. What lessons can be learned from 2021? What threats could emerge in 2022? As is the case every year, we are playing the prediction game.
A move towards the hyper-professionalisation of cybercriminals?
(Not so) weak signals in 2021
In 2021, cybercrime groups reached a milestone in terms of their structuring. The ransomware ecosystem, for example, is based on a plurality of players, from developers to access or data resellers. Real platforms were set up, also using affiliates to carry out their dirty work. The trend towards Ransomware as a Service (RaaS) was thus considerably strengthened in 2021. And this industrialisation is causing experts to react. "Cybercriminals are creating a kind of cyberattack ERP, with platforms that manage tools, customers being attacked, customer service chats, ransom payments, etc.," warned Gérôme Billois, cybersecurity and digital trust partner at Wavestone, during an event in France. "We are faced with an ecosystem that has been able to scale up to enable ordinary cybercriminals to carry out attacks. They even go so far as to set up arbitration tribunals on their forums in the event of non-payment between the platform and the cybercriminal."
2021 also saw a number of police operations against these cybercriminal groups. Until then, these state responses, marked by international cooperation, had been very rare. However, in 2021, two major episodes should be noted: the dismantling of the Emotet botnet and the dismantling of the REvil ransomware group. Is this the beginning of regulation? It is difficult to say, since dismantled operators tend to reform quickly afterwards, or even to be recruited... Thus, between September and November 2021, three new cybercriminal groups were identified: Lockean, FamousSparrow and Void Balaur. Cut off one head, and three more will grow back...
And on the bright side of the Force, the trend in 2021 was still towards a shortage of skills and talent. Although 700,000 more jobs were filled in 2021 in France, the cybersecurity field still has a 65% deficit in terms of manpower according to figures from Microsoft. In the United States alone, one third of cybersecurity-related jobs are reportedly vacant.
The 2022 scenario
A move towards a cybercriminal transfer market? It is almost a foregone conclusion that one or more new cybercrime groups will emerge in the coming year. However, with this chronic multiplication of groups and their structuring, they will face the same question as cybersecurity professionals, namely that of recruiting talent. In the cyber field, where hacker talent is scarce, competition could well lead to much more aggressive recruitment policies by cybercrime groups. Even if this means attracting some people to the dark side of the Force... Like the sports economy, agents could appear in the future, placing their colts with the highest bidding groups. These agents would not hesitate to adopt new methods, such as signing bonuses or "loans" between groups.
A move towards even more sophisticated cyberattacks?
(Not so) weak signals in 2021
With respect to threats, ransomware attacks, which increased by 62%, largely occupied the media field in 2021. However, other processes were also developed, including the supply chain attack. A prime example in 2021 was Codecov, a company that publishes source code auditing software, which reported a cyberattack in April 2021. By compromising its software, cybercriminals are believed to have succeeded in corrupting hundreds of customer networks.
Another type of attack that is becoming even more subtle is spyware. In July 2021, the shocking "Pegasus Project", a global system for spying on the smartphones of journalists, lawyers, activists and politicians, was revealed. In all, more than 50,000 telephone numbers of potential targets were identified by Amnesty International and the Forbidden Stories investigative consortium.
And a new vulnerability made the headlines in 2021. Linked to the Log4j open source library, and named Log4Shell, this Zero Day vulnerability caused a wave of panic. In December 2021, the Quebec government preventively closed down 4,000 government sites, in order to ensure that they were not vulnerable. In the same month, Microsoft's cybersecurity teams announced that ransomware attacks were targeting Minecraft servers hosted by users of the popular video game. A modus operandi that highlights the fragility of applications, many of which are based on pre-existing code blocks that are not necessarily very robust and which are only rarely evaluated before being used...
The 2022 scenario
A move towards an explosion of Zero Day vulnerabilities hidden in open source libraries? The power of the Log4Shell attack could (unfortunately) inspire more than one cybercriminal group in the future. Indeed, the very functioning of the open source software system implies that entire sections of the Web are maintained by just a handful of volunteers. If, in future, large companies do not invest in the open source projects they use, patches will not be able to keep up with the discovery of critical flaws. Cybercriminals could then easily attack particularly sensitive infrastructures, networks or data. For example, in France, those contained in the TousAntiCovid application. By identifying a flaw in the published code elements, the most downloaded application in France in 2021 could find itself digitally wide open, giving cybercriminals the opportunity to access a huge amount of health data and an enormous number of health passes. In the midst of the presidential election campaign, the political impact of such a cyberattack should not be overlooked.
A move towards the end of a media magnifying glass effect?
(Not so) weak signals in 2021
Colonial Pipeline, JBS Food, Log4Shell: all of these cyberattacks made the headlines in 2021. You cannot see the connection between them? Do not think about the cyber side of things, since the only thing they have in common is the media hype they generated. A media magnifying glass phenomenon that can lead to a false sense of security for VSEs and SMEs. However, according to an international study by Forrester Consulting published in January 2021, the proportion of VSEs/SMEs with fewer than 250 employees affected by cyberattacks is 33%. Media focus is therefore selective: who has ever heard of cyberattacks on a law firm, a chartered accountant or the local plumber? And size does not matter, since larger companies also slip under the media radar. In February 2021, for example, the boat manufacturer Bénéteau was hit by a large-scale cyberattack without arousing any great public interest, despite the 3,900 employees affected. Another potential consequence of the media magnifying glass effect is that a large-scale media frenzy can lead to the designation of a target for cybercriminal groups, who are always keen to find new victims with little or no security.
Another (not so weak) signal came in February 2021, when the video game publisher CD Projekt fell victim to a ransomware attack, just before the release of a new game... on the cyberpunk universe. A nod and a wink and, above all, another episode after Capcom and Electronic Arts, who have been victims in the past years. This is because major video game publishers and studios are already prime targets for cybercriminals. However, while the consequences to date have been mainly related to reputation, the situation could (quickly) change.
Indeed, at the end of October 2021, Facebook announced with great fanfare the launch of virtual universes, as the next wave of the internet and the logical continuation of on-line video games. There was immediately a rapid escalation: purchases of high-value plots, in excess of one million dollars, have even already been made in this virtual world.
The 2022 scenario
"Metaverse Police, NFT please". Popularity, media focus and large sums of money; these virtual worlds could well become the new playground for cybercriminals. And their primary motivation would obviously remain money. From the ransoming of digital artefacts purchased for exorbitant sums to the theft of NFTs, the criminal possibilities are numerous. Publishers of virtual worlds or on-line games could quickly be overtaken by waves of cyberattacks that could hamper the development of their products. A metaverse police force, based on specific investigative tools, would then become necessary. It would bring together experts from all over the world, whose objective would be to track down cybercriminals in the most remote corners of the metaverse. This would be a real challenge, given that the number of transactions in these spaces is set to increase massively over the course of the year.
A move towards cybersecurity for all?
(Not so) weak signals in 2021
In 2021, people were still the main gateway into a company's network. According to an IDG study, 44% of large companies (500-999 employees) experienced network outages lasting more than one day due to phishing attacks in 2021, compared to 14% of small companies (25-100 employees). And the latest figures available indicate that in 2021, 22% of reported data breaches began with a phishing email.
Furthermore, with a quarter of French employees working from home at least one day a week in 2021, the issue of the accessibility of cybersecurity solutions appears even more essential (on a global scale): this is because employees use their work devices for personal purposes, thus multiplying the number of potential entry points.
And awareness of digital hygiene and cybersecurity is still a long way off. According to the 2021 report by the American company KnowBe4, one quarter of employees believe that clicking on suspicious links or attachments carries little or no risk. We might as well bang our head against a brick wall...
The 2022 scenario
A move towards an individual cyberscore for employees? On 22 November 2022, Jeanine, an executive secretary in a large household appliance group, clicks on a link in an e-mail announcing that she has won the latest iPhone. A few days later, after several days of difficult work, the company's IT department manages to contain the ransomware cyberattack on the company's IT network. After a short investigation, Jeanine is summoned by the HRD: she is told that points have been deducted from her personal cyberscore. In recent months, some companies have decided to introduce this system, which enables their employees to better understand that cybersecurity concerns everyone. Each person has a starting credit, which decreases in the event of shortcomings or increases after training sessions or when best practices are implemented. For example, Paul, manager of a sales team, saw his cyberscore rise after having an endpoint solution installed on the laptops of his mobile employees. And beware of the executive who follows his/her favourite team's football matches on illegal streaming sites...
These are all possible scenarios and futures for the cybersecurity trends of 2022 - to be monitored extremely closely. And what about 2023?
