2016 was a particularly eventful year in the cyber threat landscape. Nation-state operations played large in the US presidential election, database breaches grew ever larger and cybercriminal tactics more innovative. Individual activists and mass-participation campaigns continued to target companies and organisations for ideological reasons. 2017 will be a year when geopolitical shifts and technological advances by nation state and criminal actors will combine to create an unprecedentedly complex cyber threat landscape.
State actors await signals from new US administration
In terms of nation-state activity, Donald Trump’s accession to the presidency is likely to mark a shift in US foreign policy, bringing a number of cyber security implications. Trump’s stated desire to prioritise what he feels are US interests and a more transactional foreign policy, and his indication that he will better tolerate the spheres of influence of other global powers, is likely to embolden these actors to conduct a range of cyber activity within their respective backyards, with reduced fears of US reprisals.
We anticipate this to be the case with China and the ASEAN states, particularly in relation to the South China Sea and associated territorial disputes; Iran within the Middle East region, particularly if Trump’s promised hardline stance materialises and aggravates existing regional and sectarian tensions; and Russia with the Baltic states, its near abroad and European powers. Elections in Germany, France and the Netherlands are particularly likely to attract Russian efforts at data leaks and disinformation, following the hack of the Democratic National Committee in an alleged attempt to aid Trump’s campaign.
In terms of technical developments, the most sophisticated cyber espionage units will adopt increasingly innovative means of avoiding detection and attribution for their efforts. Rather than depending on bulky malware with hardcoded connections to command and control infrastructure, these actors will instead increasingly look to exploit legitimate processes and protocols to steal data and achieve their objectives, all while avoiding alerting the victim to the infection.
Companies face further restraints on flow of data
The policy landscape will see increasing state-led efforts to legislate and regulate cyber security issues and enforce national borders for data. Russia and China will lead the push towards data protectionism and are likely to prompt similar approaches in their respective spheres of influence. These efforts are also likely to include specific anti-encryption provisions, in response to the increasing normalisation of encryption as a tool for privacy and security.
This in turn is likely to contribute to a more complicated international operating environment for companies, but also to continued difficulties for law enforcement agencies attempting to pursue malicious actors across jurisdictions.
Key legislation on cyber security and data flows in 2016
- China: Cyber security law outlines stricter government controls over ‘critical information infrastructure’
- Russia: Yarovaya Law increases government access to online content
- UK: Investigatory Powers Act places new obligations on telecommunications companies
- US: Amendments to Rule 41 expand hacking powers of law enforcement agencies
- US/EU: Ongoing challenges to Privacy Shield Agreement threaten companies’ ability to transfer data
- Net neutrality legislation and guidelines
- General Data Protection Regulations give companies greater responsibility for data security
- Proposed amendments to ePrivacy Directive to regulate communications services over the internet
- Directive on Security of Network Information Systems aims to harmonise cyber security standards
- Australia: Privacy Amendment Bill set to introduce mandatory disclosure of data breaches
- United Arab Emirates: Increased restrictions on use of virtual private networks in the country
Criminals look to mobiles
In terms of cybercriminal activity, threat actors are increasingly likely to focus on mobile devices, driven in part by the increasing connectivity and functionality of this platform. Demand on the cybercriminal underground, facilitated by the crimeware-as-a-service economy, will drive continued innovation from malware developers. There is likely to be a particular focus on the development of banking Trojans (malware that presents itself as legitimate software while performing malicious activity) and mobile malware with multiple functionality. This will in turn enable criminals to bypass two-factor authentication via text message, prompting financial institutions to develop countermeasures.
Criminals will also look to directly monetise the increasing use of mobile devices in their efforts to compromise near-field communication (NFC) technology. Security researchers have previously created proof-of-concept malicious apps to demonstrate this threat. The increasingly secure standards being applied to physical credit card payments will likely drive cybercriminals to begin developing their own contactless payment apps, similar to Apple Pay or Android Pay, to monetise stolen credit card data. Additionally, the porous nature of app stores on the Android platform means cybercriminals will continue to try to develop their own apps as an infection vector to compromise devices and to make fraudulent payments to accounts under their control.
Ransomware hits big businesses less, SMEs and individuals more
Following its widespread use in 2016, we anticipate that commodity ransomware will become a less pervasive threat for large corporations in developed cyber security markets in 2017. This will largely come from their familiarity with the threat and ability to mitigate it, the progress of anti-ransomware working groups and the availability of free decryption tools.
Generic malware variants will continue to plague developing countries, SMEs and individual users, with criminals continuing their attempts to stay ahead of signature-based detection systems by constantly developing new tools. Some more capable groups will instead develop and deploy more sophisticated variants with additional functionality to seek out more lucrative targets within organisations, in turn enhancing the prospect of a ransom being paid. This will include an increasing focus on targeting production networks and disrupting processes rather than just temporarily encrypting data, prompting victims into making snap responses to minimise downtime.
Further, the boundaries between grey and black hat hackers are likely to diminish as groups and individuals that have previously steered clear of explicit cybercriminal activity will look to profit from their skills. This will include collaborating with unscrupulous investment funds to access confidential company information with the intention to manipulate stock prices for financial gain. Others will attempt to give data leak extortion attacks a legitimate veneer, claiming to have uncovered sensitive information or vulnerabilities and threatening to exploit them or contact the media if the victim opts not to hire their services to remediate the alleged issue.
Cyber activists further blur lines with offline groups, criminals
In terms of cyber activist developments in 2017, we anticipate that South America in particular will see an increasing blend between conventional and online forms of activism as the economic and political situation in states such as Venezuela – and possibly Brazil – becomes increasingly unstable. Although the skillsets of these groups will remain limited (primarily to DDoS and defacement attacks, as shown in the graphic below), such actors will be emboldened by the lack of law enforcement capability in these states and the effective immunity this grants them.
Elsewhere, the sharing of tools and techniques and the market for commodity malware, particularly ransomware, will continue to endow activist groups with greater capabilities. Such groups will increasingly recognise the disruptive potential of ransomware and use this against governmental bodies and other targets without well-developed defences. Not only will this inconvenience victims and allow the attackers to signal their ideological opposition to their targets – and their purity by not relenting even if ransoms are paid – but the use of a new and more disruptive tactic will also enhance perceptions of their notoriety.
Finally, the potential for this crossover between activists and criminals will continue as individuals increasingly seek out the dark web as a means of communication, safe from what they see as government encroachment and surveillance. This shift may also encourage the development of decentralised peer-to-peer networks, such as ZeroNet, and allow these actors to share data leaks with large audiences.
Click here to view graph.