6 Cyber Threat Trends to Watch This Year as Forecast by MS-ISAC

The Multi-State Information Sharing and Analysis Center (MS-ISAC) anticipates the following in 2023 based on what we have observed over the past few years:

1. Open-Source Supply Chain Security: Cyber threat actors (CTAs) have shown specific interest in software supply chain vulnerabilities over the last few years. Examples include the attacks on SolarWinds, Microsoft Exchange, and the open-source logging library, Log4j. We should expect this to continue, with a particular focus on open-source software repositories. This is particularly concerning for the average corporate consumer because there is a level of trust every organization must place in their software vendors. Expect to see a wide array of attackers, from lesser-skilled script kiddies through organized cyber criminals and even state-associated CTAs, converge on disclosed vulnerabilities when the potential yield is high. The MS-ISAC continues to observe mass scanning and exploit attempts against known vulnerabilities associated with major incidents going back at least to late 2021.
2. More Threats Coded in Newer Languages: The MS-ISAC anticipates an increase in malware, specifically ransomware, coded in more uncommon programming languages such as Rust and Golang. There are several advantages to using non-standard languages, which include making the malware more difficult to detect and reverse engineer, reducing code re-use by other CTAs, and providing themselves with opportunities to “skill up” and gain some control over their intellectual property. As CTAs evolve their unique code, expect to see more targeted ransomware attacks against specific sectors that have more to lose by not responding quickly. This includes schools, hospitals, and critical infrastructure, such as power and water systems. CTAs target these organizations because they are more likely to pay due to the real-world impacts of systems being down, such as missed school days and power outages.
3. Insider Threats: Since the beginning of the COVID-19 pandemic, attackers have used social engineering and other tried-and-true tactics to leverage worldwide economic issues and global recession to their advantage. Organized cybercriminal groups specifically seek out organizations that are rich in financial or other resources while they are reorganizing or reducing their workforce, especially IT and security staff. As a result, we expect an increase in insider threats from both witting and unwitting personnel. For example, employees who may be concerned about their financial future may attack in retaliation for pay reductions, pay freezes, or layoffs. In other cases, negligent employees may unknowingly invite an external CTA in by opening a malicious document related to potential layoffs or similar themes. Recent high-profile intrusions that leveraged insiders include attacks on Okta and Nvidia in the commercial sector and multiple K-12 schools that suffered data dumps from the cyber actor mud in 2022.
4. New Techniques in Response to Security Features: Since Microsoft’s recent efforts to increase security by default, CTAs have shifted away from traditional methods (e.g., sending malware-laden Office documents) toward more novel techniques. One such technique is hiding malicious files within other container files. Additionally, as of January 2023, the security community has observed CTAs exploiting feature updates in common note-taking applications such as Microsoft OneNote and Evernote. Attackers send attachments or links to legitimate notebooks which contain links or scripts that run in the background of a victim’s system. Once invoked, a process begins to install malware onto the victim’s computer or otherwise provide unauthorized access to the system or its data. The MS-ISAC has observed phishing and malspam (i.e., emails with malicious attachments) as the two most successful intrusion vectors across our membership for many years. Phishing is generally considered an unsophisticated, yet highly effective, attack vector and shows no signs of slowing in the near future.
5. Threats Stemming from Geopolitical Conflicts: In 2022, following Russia’s invasion into Ukraine, pro-Russian cyber threat actors targeted organizations in nations supporting Ukraine. Most prominently, the hacktivist collective known as Killnet made headlines for their threats and DDoS attacks on various entities, including targeting U.S. state and local governments and critical infrastructure. As the war in Ukraine enters its second year, the MS-ISAC expects low-impact attacks from groups like Killnet to continue. The potential for higher-impact, state-directed cyberattacks becomes increasingly likely as tensions between the U.S. and Russia build up.
6. Increased use of Artificial Intelligence to Support Malware Development & Delivery: Developments in artificial intelligence (AI), including the rapid availability of open AI, are highly likely to enhance CTAs’ offensive operations against victims over the next two years. In the near term, expect AI to primarily enhance the operations of sophisticated cybercriminals and state-aligned CTAs. These groups are able to integrate AI into their existing tooling, and, in some cases, state actors may already be involved in AI research and development. The security community has already observed targeted email language written by AI for various purposes, including phishing emails intended to collect sensitive victim information. As AI becomes more available and more CTAs leverage it, we can expect more sophisticated, believable phishing emails, free of the common historical markers for such emails, like typos and unusual phrasing. A very near-term capability is likely to be ransomware actors leveraging chatbots to communicate with victims, allowing victims to interact with AI in much the same way internet customers do when returning items or asking basic questions about transactions with large retailers today. Although AI use in cyberattacks is currently limited, CTAs’ recognition of, and intention to harness, the potential and rapid development of AI signals an emerging threat. These potentially rapid developments will require significant defensive maturity in the West.

Randy Rose

Randy Rose is the Senior Director of Security Operations and Intelligence for the Multi-State Information Sharing and Analysis Center (MS-ISAC). He is responsible for overseeing the operational components of the MS-ISAC and EIections Infrastructure Information Sharing and Analysis Center (EI-ISAC), including a team of more than 55 analysts and operators providing around-the-clock support to U.S. State, Local, Tribal, and Territorial (SLTT) organizations across the spectrum of cybersecurity operations, from proactive identification of threats, through detection of ongoing attacks in real-time, to response and remediation following an incident. Rose has been a public servant in varying capacities since 2003 when he enlisted in the United States Air Force. Prior to joining CIS, he was a Department of Defense (DoD) civilian, running the largest Security Operations Center (SOC) in Europe for the Defense Information Systems Agency (DISA). Rose moved to Germany from Hampton Roads, Virginia where he had spent years building the DoD’s first team dedicated to providing Intelligence support to Defensive Cyber Operations (DCO). As the Deputy Intelligence Officer for the Navy Cyber Defense Operations Command (NCDOC) in Suffolk, VA, he oversaw the operations of over 100 sailors and civilians, led incident response efforts on 7 named operations, drove the design and implementation of a $2M digital forensics and malware analysis enclave, and brought innovative solutions to bear including cloud browser isolation, saving hundreds of millions of dollars in incident response costs per year. Rose has previously supported the Defense Intelligence Agency, the NY State Comptroller’s Office, the NY Air National Guard, and the Naval Nuclear Propulsion Program at Knoll’s Atomic Power Laboratory. While at the NYS Comptroller’s Office, he developed and implemented the first cybersecurity audit and assessment program for municipalities and special districts as well as the first cybersecurity assessment program for municipally-owned Operational Technology, focused primarily on energy, water, and port control systems. Rose holds a Master’s of Science in Cybersecurity and a Bachelor’s in Anthropology with a focus on Human Biology and Forensics. His independent research focuses on physical security, social engineering, and future technologies, particularly as they pertain to the humane use of technology.

See Full Bio