The cyber threat landscape in 2021 | Stormshield

Although the dismantling of part of the Emotet malware network seemed a positive step forward for the cybersecurity world, its potential successor – IceID – is already well established. Another sign of more turbulent times to come in the cyber landscape in 2021?

There is already an abundance of cyber news for 2021 and, following the announcement of a stimulus plan in France to further protect businesses against cyber attacks, cyber criminals are more active than ever. What’s new this year in terms of cyber threats? What major IT events have already marked the beginning of the year? And what different types of cyber attacks will we see in the coming months? Here’s a quick look at what the first months of 2021 have in store.


The health crisis continues to drive social engineering attacks

In 2021, cyber-attackers are still riding the wave of the pandemic. The continuation of teleworking, the isolation of employees and the current vaccination situation are increasing cyber criminals’ interest in social engineering approaches. “Scammers are using the health and social crisis to lend credibility to the flood of emails they are producing. The encryption tools are fairly standard, but messages are personalised using health topics, teleworking login tools and delivery announcements. With such carefully-tailored strategies, cyber-attackers can increase the effectiveness of their actions,” says Nicolas Arpagian, Vice President in charge of Strategy, Public Affairs and CSR at Orange Cyberdefense. The Phishing Attack Landscape Report explains that in the past year, the success of phishing attacks has increased by 30%. This is an explosive cocktail that would appear to be good news for cyber threat actor groups who accumulate large amounts of data on their targets, to ensure their attacks have the maximum impact. A sad confirmation of a clear cyber trend this year.

Scammers are using the health and social crisis to lend credibility to the flood of emails they are producing

Nicolas Arpagian, Vice President in charge of Strategy, Public Affairs and CSR, Orange Cyberdefense

For example, cyber-criminals sift through social networks and hack into email accounts to gather as much information as possible about their future targets – usually employees with access to sensitive information. “For example, breaking into an executive’s email system will allow attackers not only to obtain sensitive company information company, but also to carry out CEO scams or money transfer fraud,” explains Jean-Jacques Latour, head of cybersecurity expertise at France’s platform, adding: “These scams are in tenth place - out of 45 - on the list of threats we deal with via the platform, and the consequences of these operating methods can be frightening.”

The French accounting firm CDER knows this all too well, having fallen victim to a CEO fraud in February. The cyber criminals were able to access the email account of a senior manager, impersonating him and ordering a transfer of almost 15 million euros. The operation was a success for the cyber-attackers, who took advantage of the firm’s unusual teleworking situation to exploit the breach.


Ransomware steps up: health and public services mainly affected

Since 2019, ransomware attacks have (unfortunately) remained very successful. In 2020, in France alone, more than 1,000 organisations were affected by ransomware, according to “Ransomware has really taken off in 2020, and attackers are putting additional pressure on organisations by hitting them where it really hurts: publishing stolen data,” says Jean-Jacques Latour.

This evolution in data blackmail seems to be a particularly common tactic against the health sector - worldwide. In the US, for example, last February, attackers published thousands of patients’ data records on the dark web. The data belonged to two hospitals in the country, both ransomware victims. In France, the biotech company Yposkesi allegedly fell victim to the same tactics. The company is thought to have been targeted by the Babuk ransomware. The result: part of its IS was encrypted, and the stolen data was published on the dark web. As a result of this cyber trend, health systems and medical institutions in many countries are being weakened by these attacks. Dax, Villefranche and Oloron Sainte-Marie in France, Newberry County Memorial Hospital and Rehoboth McKinley Christian Health Care in the United States, and the Munich Planegg Urological Clinic in Germany are part of a (depressingly) long list of hospitals that have already been hit by ransomware in 2021. At the end of last year, through the FBI and the National Security Agency, among others, the United States issued a report on the worrying increase in ransomware attacks against the healthcare sector, which is thought to have cost the country $21 billion in 2020. In France, Cédric O, theSecretary of State for Digital Transition, recently added up the figures for France: “27 major attacks in 2020, and one per week in 2021.”

Attackers are putting additional pressure on organisations by hitting them where it really hurts: publishing stolen data

Jean-Jacques Latour, Head of cybersecurity expertise of the platform

The issue of cybersecurity in healthcare institutions is a complex one, brought to the fore by the health crisis. Some institutions suffer from a lack of IT resources, while others lag behind in terms of maturity on cyber issues. And when faced with organisations who refuse to comply and pay the ransom, attackers may go so far as to attack patients directly. Like in Finland, where patients of the company Vastaamo – which runs psychotherapy centres and was the victim of a ransomware attack in 2018 – were threatened by hackers two years after the attack. Because there can be many different types of data within a hospital, as Borja Perez, Country Manager at Stormshield Iberia, explains: “Attacks on the health sector are also being conducted to steal data: patient data, patent data, and scientific research data.” Another form of data relates to the employees of these establishments, information on how its services operate, strategic data, etc. All these sensitive elements add to the pressure – and particularly on hospitals, which must remain operational at all times, as the slightest interruption in activity can have consequences for the health of patients and endanger human lives.

In addition to the health sector, the entire public sector is susceptible to ransomware. Although there have been no noteworthy recent innovations in the modus operandi, infection or propagation of ransomware, the frequency of this category of attack is of concern. At the end of last year, the French urban areas of La Rochelle and Annecy were partially paralysed by ransomware. The same fate befell the municipalities of Vincennes and Alfortville, where attacks damaged part of the administrative services, followed by council offices in the towns of Houilles, Angers and Douai at the beginning of 2021. This shows that French local authorities are also potential cyber-malware victims and cannot escape the threat posed by ransomware. Here too, this growing cyber-trend knows no boundaries. In Spain, the SEPE - Servicio Publico de Empleo Estatal (government employment agency), was also recently hit. SEPE’s 710 branches were paralysed by the Ryuk ransomware, forcing staff to “work with paper and pens for several days”, says Borja Perez.


A growing cyber threat against publishers

For IT software companies, a threat such as SolarWinds is still a potent one. In 2021, supply chain attacks are no mere secondary phenomenon, and there seems to be a trend towards the continuing use of SolarWinds. Attacks against major IT vendors (such as Mimecast, Codecov or Qualys) through the exploitation of vulnerabilities with increasingly sophisticated malware, such as Sunburst, are a popular modus operandi for cybercriminals. These cyberattacks spread a cascade of insecurity and generate a very potent strike force. “These are highly technical cyberattacks that can simultaneously hit organisations of any size, anywhere in the world. This weakens security by capillary action: the owners of these tools are de facto weakened, and this plays a part in infecting entire sectors of the economy or the government,” warns Nicolas Arpagian.

This type of incident encourages us to remain humble in the face of cyber risk, because it highlights the fact that no one is safe, or even should think they are safe

Pierre-Yves Hentzen, CEO of Stormshield

“Starting in 2020, there was a real explosion of this type of attack,” explains Davide Pala, Pre-Sales at Stormshield Italy. This implies that the attacking groups have time and resources, and are well organised to achieve their goals. A real development, however, has been attacks targeting cybersecurity vendors. In 2020, Stormshield was also the victim of an intrusion into these networks. A security incident allowed unauthorised access to a technical portal, used mainly for managing product support tickets. “This type of incident encourages us to remain humble in the face of cyber risk, because it highlights the fact that no one is safe, or even should think they are safe,” explains Pierre-Yves Hentzen, President of Stormshield. “On the positive side, it has tested our responsiveness and resilience, as well as the virtues of transparent communication – transparency builds trust. An incident like this, which is now resolved, makes you stronger in many areas. However, despite these benefits, I wouldn’t wish it on anyone.”

But the threat can take an even more worrying form when security products themselves are targeted...


Security products under attack

“This is a new trend, and a logical evolution of cyber attacks: as security solutions have high privileges and occupy strategic locations within information systems, there is a need to attack them,” says Adrien Brochot, Product Manager at Stormshield. He adds: “The principle of malware is to avoid detection by a system so that it can spread. Disabling or even compromising security solutions is a good way to achieve this.” Indeed, cyber-criminals have understood gaining access to security products means gaining access to a part of the information systems run by the organisations that these same products protect.

The principle of malware is to avoid detection by a system so that it can spread. Disabling security solutions is a good way to achieve this

Adrien Brochot, Product Manager, Stormshield

The beginnings of this trend were observed as early as 2019-2020, with the example of Mitsubishi in particular. The attackers exploited a vulnerability in a Trend Micro solution used by the Japanese firm, compromising part of its information system and causing a leak of data belonging to the company’s partners. Using this modus operandi, attackers turn the protection device against an organisation and thus find entry points. This trend is now forcing cybersecurity publishers to develop even more robust protection for their products: hardening of firmware, better-protected software solutions, compliance with tight security standards... “Enhanced protection of security products is the responsibility of the publishers, but it is a complex task because behind each security product, there is an entire architecture that must be taken into account,” explains Adrien Brochot. Not to mention the associated technological and organisational imperatives, such as rigorous production and code review to squash bugs that could then be exploited for malicious purposes; continuous management of vulnerabilities and their patches; and code audits conducted by the competent authorities. But publishers also need to control their own integrity and resources, and even the robustness of their information systems. Cybersecurity players have always faced questions about the security of their products, yet they will have to do still more to protect themselves in 2021.

All the more so as at the same time, another form of cyber-threat is emerging. It targets security publishers, consulting companies and researchers, creating fake cybersecurity companies to trap experts in the sector. A recent example is North Korea, where a group of hackers reportedly created SecuriElite a fake cybersecurity company. Attacking cybersecurity publishers thus seems to be a nascent but already polymorphous trend.


Photofit of the ideal target employee

In 2021, we should be keeping not one, but five photofit portraits in mind. This is because although, in general, the entire chain of an organisation can present technical or functional vulnerabilities, a number of employee profiles come under particular scrutiny.

In line with the trend of attacks against cybersecurity vendors, technical players – cyber specialists, developers and cybersecurity researchers – are at risk and particularly exposed to social engineering on social networks, or identity theft. For attackers, what matters is the ability to extract key technical information and then attack security products. In the same vein, service providers, because of the variety of their end customers, are also a key element and can no longer be ignored in questions of corporate security when it comes to fighting threats such as supply chain attacks. IT departments and managers are also a prime target, as they operate or administer infrastructures and often have elevated privileges for the organisations’ information systems.

But companies also face risks on the numbers side, via employees in charge of approving or initiating financial movements within an organisation, or staff with elevated privileges over financial decisions. These employees are more likely than others to be targeted by CEO scams or money transfer fraud. “Experience shows that cyber-criminals target financial, accounting or commercial departments to give the impression that the transactions are legitimate,” says Nicolas Arpagian. Lastly, company managers are also at risk. According to Jean-Jacques Latour, “Managers handle highly strategic information, but not all of them apply the same high level of security to themselves as they do to their own company” – an observation that will be of interest to many.


There is no indication that cyber threats will subside in 2021. The profitability of attacks and the increased use of digital tools for extended periods of time both constitute good reasons for attackers to maintain their lucrative efforts. And while it is very difficult to get into the minds of cyber criminals, it is at least possible to predict two things: they will continue to be creative and surprisingly inventive, and organisations will need to continually reinforce their digital hygiene and cyber security.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
To prevent cyber attacks targeting the agent itself, the Stormshield Endpoint Security endpoint protection solution is based on a hardened product architecture: a robust software solution with a self-protecting, self-healing mechanism.
The primary purpose of a firewall is to protect your company’s resources. This is why the latest version of Stormshield Network Security includes a general toughening of the embedded firmware. Enhanced overall security and increased resistance to cyber attacks that attempt to exploit firewalls to harm protected resources.
About the author
Sébastien Viou Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in the cyber-threats.