
POWERING RESILIENCE

The Global OT & IoT Threat Landscape Assessment and Analysis Report
A Sectrio Threat Research Labs initiative

www.sectrio.com
Table of contents

Data collection and research methodology .... 4
2023 in review .... 6
Major ICS security trends recorded in 2023 .... 7
What do security leaders need to worry about in 2024? .... 9
Nation-state actors are converging around utilities .... 10
Update on the evolution of AI-based attacks .... 10
Impact of AI on malware development .... 13
Use of AI by APT groups .... 13
Rise in volumes of various AI-powered cyberattacks .... 14
Geographical distribution of cyberattacks on IoT and OT in 2023 .... 15
Which countries are getting attacked and why? .... 15
ICS ports accessible from the internet (June 2023) .... 16
Vulnerability exploitation attempts on common IoT CVEs .... 18
The rising cost of ransom .... 20
Attacks on sectors .... 21
Price of hacking kits .... 27
Critical infrastructure under siege .... 28
Major cyber events in 2023 .... 29
Global APT activity in 2023 .... 45
Chinese APTs and their documented tactics .... 46
The connection with the Belt and Road project .... 48
Russian APT groups: pushing the frontiers .... 49
North Korean APT activity .... 50
Iranian APT activity .... 52
Cyber threat predictions for 2024 .... 54
Malware and malicious payload trends .... 55
Ports attacked .... 56
Most attacked countries on a per capita basis .... 61
Cities drawing the maximum cyberattacks .... 62
Threat landscape across regions .... 62
North America .... 62
  i. Who is attacking North America? .... 66
  ii. Attacks on counties and government agencies .... 67
  iii. Cyberattacks on IoT .... 67
South and Central America .... 68
  i. Expansion of the regional threat landscape .... 69
Europe .... 74
  i. Highest attacked sectors in Europe .... 75
  ii. The axis of cyberattacks in Europe .... 76
  iii. Lessons from the Rosvodokanal and Tecnoquadri Srl incidents .... 77
The Indo-Pacific region .... 79
  i. Scams at scale .... 81
  ii. Regional threat landscape .... 81
  iii. Attacks on sectors .... 81
  iv. Attacks on countries .... 83
Middle East and Africa .... 84
  i. The evolving threat landscape .... 84
  ii. Regional APTs .... 85
  iii. Targeted attacks on utilities and oil and gas .... 88
Sectrio recommends .... 88

Data collection and research methodology

This report has been prepared from threat intelligence gathered by our honeypot network, which is today operational in 89 cities across the world. These cities have at least one of these attributes:

• Host a mix of industries with a diverse spectrum of use cases
• Are landing centers for submarine cables
• Are geopolitical hotspots with ongoing conflicts or are sitting on geopolitical fault lines
• Are internet traffic hotspots
• Are targeted by APT groups or other sophisticated hackers
• House multiple IoT projects with a high number of connected endpoints
• House multiple connected critical infrastructure projects
• Have academic and research centers focusing on IoT and digital transformation
• Have the potential to host multiple IoT projects across domains in the future

On average, nearly 21 million attacks a day are registered across this network of individual honeypots. These attacks are studied, fingerprinted, analyzed, categorized, and marked according to a threat rank index, a priority assessment framework developed by Sectrio.

Sectrio’s honeypot network includes over 8000 physical and virtual devices covering over 600 device architectures supported by varied connectivity flavors. Devices are connected to mimic real-world industrial deployments and configured at a granular level. The networks supporting these twins are also configured to convey real infrastructure at scale.

Sectrio’s threat surveillance net runs across hackers' forums, malware platforms, IM chats, the Dark Web, and other validated avenues where threat actors congregate and collaborate. Sectrio runs dark honeypots to monitor locations where untested vectors of concern emerge in the wild. In addition, we also monitor known and emerging threat sinks, which are known locations where tested malware and payloads are launched.

Our surveillance net gives our threat intelligence more depth and relevance, giving more latitude to bring out insights that are exclusive to Sectrio.

This data is analyzed threadbare by our global threat research team. The analysis focuses on these areas:

• Unearthing new threats and variants of existing threats
• Correlating the behavior of threats with threat surface areas, breach tactics, and security outcomes
• Documenting threat environment dynamics
• Learning the latest strategies and tactics deployed by threat actors
• Understanding how the threat environment is evolving
• Preparing and sharing advisories

This report provides a context for the evolving threat landscape as well. The context is divided into four parts:

• Triggers and actors: what are the threat actors up to, analyzed at tactical and strategic levels; how is malware evolving
• Targets: what is being targeted and why
• Enablers: what institutional gaps are aiding the growth in cyberattacks [with inputs from CISOs]
• Impact: how such trends are impacting cybersecurity, enterprises and governments everywhere

Key findings are published by us every year to enable businesses, decision-makers, academicians, students, CISOs, and those interested in cybersecurity to gain a comprehensive understanding of the evolving threat environment that envelops IoT deployments and OT installations and to derive appropriate institutional responses to prevent, contain and dissuade such attacks.

10 reasons to read this report

• This is the industry’s most downloaded report
• Widest range of industrial security-focused threat intelligence inputs from 89 cities around the world, drawn from honeypots run by Sectrio
• Detailed analysis of each data point presented to offer a complete view. Data to support all forms of decision-making around security priorities.
• More information on sector-specific threats and their impact
• Cybersecurity leaders can gain a much deeper understanding of how the threat landscape is evolving and its impacts on their business
• Unlike other reports that cover security trends at a very high level, this report goes into specifics with validated data. We have also attempted to look well beyond reporting attacks. We explore reasons for the rising attacks while contextualizing institutional responses
• Deep dive into threat actor TTPs, payloads, targets, and breach trends
• More actionable insights and less speculation
• Sectrio brought out the world’s first OT and IoT-focused threat report way back in 2018. We have an established tradition of multi-dimensional CTI analysis carried out by the best intelligence analysts in the industry with extensive experience in the trenches, APT tracking, threat surface mapping, and incident forensics
• Accurate cyber threat predictions

Additional resources

To try our IoT and OT threat intelligence feeds for free, please visit this link.

For more information on the malware and attacks analyzed in this report, please visit the malware reports section of our website.

More information on the data and the cyber incidents mentioned in this report is available in the blog section of our website.

To access our datasets, reach out to us at reachus@sectrio.com

Disclaimer: While every attempt is made to ensure the integrity and reliability of the data we have analyzed herein, we cannot offer any guarantee that this work is error-free. In case you come across any discrepancy, do let us know at feedbackTR@sectrio.com

2023 in review
In many ways, 2023 was the year of industrial cybersecurity awareness. Many enterprises across the world took their first steps towards securing their industrial operations footprint in 2023. That said, however, the industrial threat landscape also evolved for the worse this year, with many new actors, breach tactics, and malware appearing on the spectrum for the first time. Hackers continued to use AI across the threat spectrum, including conducting probes, running C&C servers, editing malware, and monitoring social media to gather information on potential targets.

Threat actors ran many campaigns in 2023. The most prominent among them were the ones run by the threat group Lockbit, which continues to rely on group members and partners to select its targets. The Lockbit model, which involves constantly scouting for new security weaknesses in the networks of its victims, has become a playbook for other actors who want to replicate its success.

Unlike 2022, which saw many actors co-exist in cyberspace, this year Lockbit ran many campaigns to target other threat actors. Operations of BlackCat/Alphv and NoEscape were disrupted for days together in a campaign run by Lockbit to recruit affiliates of these groups. Alphv’s data leak site went offline for a while in December, only to return later. Alphv meanwhile asked its affiliates to continue in Business as Usual mode using stolen data while it fixed the site. After these attacks, there were reports of BlackCat and Alphv joining forces to form a new entity to combine operations.

Subsequent investigations by Sectrio’s research team however showed very little synergy in operations between the two groups. It is quite possible that the alliance only applies to very large operations. Threat actors joining forces is not a new phenomenon. In fact, all actors including the APT groups do collaborate at some level. Usually, such collaborations are driven by affiliates, by former group employees who switch sides, or by the need to strike a common hardened target.

All regions monitored by us registered a rise in cyberattacks. This is in line with the trends we have been noticing in the last 5 years since we started publishing the threat landscape report.

Gaps in security posture, lack of employee sensitization, the prevalence of unpatched legacy systems, and lack of a cohesive strategy to manage cybersecurity are some of the factors that continue to create security challenges for enterprises. The evolution of the security posture of enterprises is often slowed by various operational imperatives as well as a lack of employee training and a lack of adoption of basic cyber hygiene practices.

Major ICS security trends recorded in 2023

Actor: new affiliates added in 2023

Lockbit: 98
AlphVM: 31
Clop (erstwhile): 22
Royal: 18
Blackbasta: 18

• In addition to critical infrastructure, manufacturing plants, smaller utility entities, smart cities, and health entities were extensively targeted
• Recruitment of affiliates by major threat actors grew significantly: Lockbit was able to sign up the maximum number of affiliates, including former Russian APT group members or those trained by them. Lockbit is known to run widespread affiliate recruitment campaigns
• Affiliates are modifying ransomware: there are many variants with minor modifications. Some of these have been done by affiliates for various reasons, including using a different decryptor to earn revenue outside their association with the Lockbit group.
• Expansion of threat surface: based on our calculations, utilities and oil and gas registered a significant growth in the extent of threat surface linked to their infrastructure
• The utilities sector is the most preferred target for cyberattacks by state-backed actors. The degree of probing and actual attacks have both risen significantly. Most of these attacks have geopolitical undertones, as they were driven by actors belonging to states that were experiencing some form of conflict or disturbances
• When it comes to independent hacker groups, healthcare, manufacturing and education are the preferred sectors. Most healthcare and education victims were targeted by actors with much lower sophistication. Thus, the volumes of attacks logged in these sectors as well as the number of groups involved are relatively higher as compared to sectors such as manufacturing and oil and gas
• The payload deployment and execution models used by threat actors are also changing drastically. In terms of the number of operating systems targeted and the number of variants launched, Sectrio’s Threat Research Bureau logged the highest numbers this year. The numbers indicate the increasing involvement of new groups and shifts in targeting priorities. However, the most important takeaway for all cyber defenders is the pace of evolution of threat actors, which is now occurring faster than ever. With more money coming in from victims and the addition of trained affiliates, there is a bigger pool of hackers and tactics to choose from now than ever.

• Chinese and North Korean APT groups continue to lead the list of most active threat actors around the world. Their footprint was found in segments as diverse as healthcare and logistics. While the Chinese APT groups are often after information of value, North Korean APT groups like Lazarus are after monetary gains. Lazarus is also known to sell exfiltrated information on various forums. In terms of its overall reach, Lazarus is easily the biggest threat actor in the world today. In addition to its digital footprint, Lazarus also maintains an army of foot soldiers to support its activities
• Lack of structured and rapid incident response is hurting enterprises. In as many as 38 big events in the ICS space studied by our research team, the lack of ICS event management specialists, documented response playbooks, and adequate operational and asset visibility contributed to amplifying the impact of the attack.
• IT-OT convergence is causing threats to move both ways: while the movement of threats from OT is known and understood, many enterprises haven’t paid adequate attention to the movement of threats from IT to OT. Payloads designed to ride along with harmless traffic without registering on anti-virus systems due to low signatures were able to compromise OT networks and OT workstations in many instances in 2023.
• Lack of a properly architected network with zones that segregate the zones of risk and functional zones to enable more granular deployment of security measures, along with adequate visibility and operational control, are other essential security measures that are currently missing.

The increasing sophistication of attacks has to do with three major lines of support that threat actors are receiving today.

• Hacker groups are more organized and structured now than ever before: this means that the larger groups now have more resources to leverage. Consider the analogy of a start-up that is now past multiple rounds of funding and changes to its core business model. All major threat actors are now working with proven business models, and the process of selecting targets, using custom breach tactics, engaging in negotiations, and channeling the ransom is done in a very structured manner. This has made ransom revenue predictions more plausible, enabling hacker groups to scale up or scale down operations depending on various factors
• Rise in number of independent hackers: the threat actor talent pool has attained a significant size now. While it is very hard to predict, a back-of-the-envelope calculation suggests that each year on average between the years 2020 and 2023 (till December), close to 7000 highly trained hackers entered the market. These are numbers that we have derived by monitoring conversations on hacker chat forums, studying the unique TTPs of hacker groups and attribution, and studying affiliate behavior. Further, with the easy availability of hacking kits, breached data, and DIY tactics, the entry barriers have lowered significantly.
• Low rates of prosecution and a significant rise in the number of days it takes to detect a breach are also contributing to hackers indulging in hit-and-run tactics to grab data for sale in hacker forums. Such data is then used to target enterprises and government agencies.
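As an added illustration of the segmentation gap described in the last bullet of the first list above (example code written for this edit, not Sectrio's tooling), the following Python script checks observed network flows against a Purdue-model zone map and flags traffic that crosses from the enterprise (IT) zone into control-system zones without a permitted conduit through the industrial DMZ. The subnets, zone names, permitted conduits and sample flows are all constructed assumptions; a real deployment would take them from the site's network documentation and flow telemetry.

```python
"""Purdue-zone flow policy check (added example, not Sectrio's code).

Given a list of observed network flows, flag those that cross from the
enterprise (IT) zone into control-system (OT) zones without a permitted
conduit, which is the IT-to-OT movement the report says many
enterprises have not paid attention to.  Zone map, conduits and sample
flows are constructed for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone map: (zone name, Purdue level) per subnet.
ZONES = {
    ip_network("10.10.0.0/16"): ("enterprise", 4),
    ip_network("10.20.0.0/24"): ("idmz", 3.5),
    ip_network("10.30.0.0/24"): ("site-ops", 3),
    ip_network("10.40.0.0/24"): ("supervisory", 2),
    ip_network("10.50.0.0/24"): ("control", 1),
}

# Conduits the (assumed) architecture permits: (src_zone, dst_zone, dst_port).
ALLOWED = {
    ("enterprise", "idmz", 443),
    ("idmz", "site-ops", 1433),
    ("site-ops", "supervisory", 502),
    ("supervisory", "control", 502),
    ("supervisory", "control", 44818),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(addr: str):
    """Map an address to its (zone name, level); unknown addresses get level None."""
    ip = ip_address(addr)
    for net, (name, level) in ZONES.items():
        if ip in net:
            return name, level
    return "unknown", None


def evaluate(flow: Flow) -> str:
    """Classify one flow: 'allowed' (listed conduit), 'zone-skip' (jumps more
    than one Purdue level downward without a conduit), 'unlisted' (adjacent
    zones but no conduit defined) or 'unknown-zone' (unmapped endpoint)."""
    s_name, s_level = zone_of(flow.src)
    d_name, d_level = zone_of(flow.dst)
    if s_level is None or d_level is None:
        return "unknown-zone"
    if (s_name, d_name, flow.dst_port) in ALLOWED:
        return "allowed"
    if s_level - d_level > 1:
        return "zone-skip"
    return "unlisted"


def audit(flows):
    """Group every non-allowed flow under its verdict."""
    findings = {}
    for f in flows:
        verdict = evaluate(f)
        if verdict != "allowed":
            findings.setdefault(verdict, []).append(f)
    return findings


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.10", 443),   # enterprise -> DMZ historian: allowed
    Flow("10.30.0.5", "10.40.0.8", 502),     # site-ops -> supervisory Modbus: allowed
    Flow("10.10.5.20", "10.50.0.12", 502),   # enterprise straight to a PLC: zone-skip
    Flow("10.10.7.3", "10.40.0.8", 3389),    # RDP from IT to a SCADA host: zone-skip
    Flow("10.30.0.5", "10.40.0.8", 22),      # adjacent zones, no conduit: unlisted
    Flow("192.168.1.1", "10.50.0.12", 502),  # unmapped source: unknown-zone
]

if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_FLOWS).items():
        for f in flows:
            print(f"{verdict:12} {f.src} -> {f.dst}:{f.dst_port}")
```

The 'unknown-zone' verdict is worth keeping as its own category: an endpoint that no zone map covers is exactly the unmapped legacy system the report describes elsewhere, and it should be resolved by updating the asset inventory rather than by loosening the conduit list.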

What do security leaders need to worry about in 2024?

Trend: A rising number of threat actor affiliates
Concern: With the increase in the number of affiliates, there will be an increase in the businesses being targeted. Sectors such as healthcare and education are already being targeted extensively. Mid and small-scale manufacturers and entities connected with supply chains will also be targeted at scale by these entities.

Trend: Use of varying/phased encryption, custom encryption and attack mode
Concern: By using programming languages such as Rust, threat actors are now able to control the pace of encryption to keep the breach below the detection threshold for a longer period of time. Thus, the actor can keep the target ready for a bigger attack in the future or reveal the attack at a time when the target is in the middle of a critical project or is hosting more critical information on their networks. The security posture of enterprises is still not good enough to address the surge in attacks that may occur.

Trend: Risks due to voluntary or involuntary insider activity are at an all-time high
Concern: Due to a lack of sensitization and training, cybersecurity priorities get relegated to the background, leading to employees resorting to practices that may increase the risk knowingly or otherwise. Such risks may not just lead to a breach but to long-term risks in terms of litigation and censure and/or fines from regulatory authorities.

Trend: Lack of shop floor visibility, network architecture and related documentation, Purdue-level view, and asset information

Trend: High levels of reliance on OEMs
Concern: In some of the enterprises, OEMs are responsible for cybersecurity and day-to-day functionality of the devices. This creates a situation wherein patches are not updated within a fixed timeframe, making the system and infrastructure vulnerable.

Trend: Lack of adequate supply chain visibility

Trend: ICS and IoT cybersecurity audit is not being done or is conducted infrequently

Trend: Ransom demands are growing
Concern: As threat actors and affiliates are looking to increase their revenue per breach, the average ransom demand is expected to grow significantly in 2024.

Trend: More mandates to comply
Concern: As more breaches occur, regulators will enact more regulations to push enterprises to improve their cybersecurity practices. Major thrust areas for new regulations will be skill levels of employees, establishing a central security operations center (for large businesses), incident response requirements, resilience, and reporting. This will place added pressure on CISOs and businesses.
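The phased-encryption concern above can be made concrete with a small detection comparison. The Python below is an added example, not Sectrio's code: it runs two detectors over constructed file-modification telemetry, a per-minute rate threshold that a throttled actor stays under, and a distinct-files-per-long-window detector that the throttling does not defeat. Process names, paths, window sizes and thresholds are assumptions chosen for the illustration; in practice the events would come from EDR or file-integrity monitoring.

```python
"""Rate-based vs. sustained-volume detection of file encryption activity.

Added example, not Sectrio's code.  Shows why a per-minute modification
threshold misses an actor who paces encryption, and how counting distinct
files touched by one process over a long window catches it anyway.
All event streams are constructed for this illustration.
"""
from collections import defaultdict, deque


def rate_detector(events, window=60, threshold=50):
    """Alert if any process modifies more than `threshold` files within
    `window` seconds.  events: iterable of (t_seconds, process, path)."""
    recent = defaultdict(deque)
    alerts = set()
    for t, proc, _path in sorted(events):
        q = recent[proc]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts.add(proc)
    return alerts


def sustained_detector(events, window=6 * 3600, threshold=200):
    """Alert if one process touches more than `threshold` distinct files
    within any `window`-second span, regardless of pace."""
    touched = defaultdict(deque)   # proc -> deque of (t, path)
    alerts = set()
    for t, proc, path in sorted(events):
        q = touched[proc]
        q.append((t, path))
        while q and t - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) > threshold:
            alerts.add(proc)
    return alerts


def make_stream(proc, n_files, interval, start=0):
    """Constructed telemetry: `n_files` distinct files modified by `proc`,
    one every `interval` seconds, starting at `start`."""
    return [(start + i * interval, proc, f"/share/docs/f{i}.docx")
            for i in range(n_files)]


# Constructed scenarios (assumed process names and paths).
BURST = make_stream("burst.exe", 300, 0.2)       # 300 files in one minute
DRIP = make_stream("drip.exe", 720, 30)          # one file every 30 s for 6 h
NORMAL = make_stream("winword.exe", 20, 1800)    # 20 files over 10 h of editing


def evaluate_all():
    """Run both detectors over the merged stream; returns alerting processes."""
    events = BURST + DRIP + NORMAL
    return {"rate": rate_detector(events), "sustained": sustained_detector(events)}


if __name__ == "__main__":
    for name, hits in evaluate_all().items():
        print(f"{name:10} -> {sorted(hits) or 'no alert'}")
```

The rate detector sees at most three events per minute from the paced process and never fires, while the sustained detector fires on it after the 201st distinct file. Both thresholds are illustrative; the design point is that a detector keyed on cumulative scope per process is not weakened by slowing the actor down.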

Nation-state actors are converging around utilities
In over 300 major attacks on critical infrastructure studied by Sectrio, we were able to identify a common theme. Unlike 2022, when attacks on critical infrastructure were carried out at random intervals, in 2023 we saw more discipline and structure in the way APT groups targeted CI. One of the major targets of these attacks was the power sector, with major attacks taking place in Israel, India, Ukraine, the US, Norway, and Sweden. These were the most attacked operational aspects of power companies in 2022:

• Digital pre-paid meters
• Remote systems management operations for wind farms
• Exfiltration of customer PII
• Attacks on the grid

The presence of unmapped legacy systems is one aspect that is adding to the security challenge that power companies are trying to address today. This poses a serious threat to the reliability of the energy infrastructure across North America, Europe and parts of Asia. By shutting down power or impacting the quality of transmission during peak consumption hours or during times of peak economic activity, threat actors can directly threaten and severely impact the economic output of a country.

Every power plant that Sectrio’s researchers visited had layers of physical security. However, when it came to cybersecurity, the security levels were certainly not up to the mark. Firewalls with poor or contradictory rules, lack of visibility into the security status of key systems, and lack of frequent security audits were just some of the issues that we encountered. Further, the level of visibility into key operations was also not up to the mark. The threat environment that surrounds power companies has to translate into robust cybersecurity measures that widen the moat between power infrastructure and threat actor tactics. This is no longer an option.

Update on the evolution of AI-based attacks

Throughout 2023, there were many instances where AI-modified malware made its appearance in the wild. This is in continuation of the trend we observed in 2022. Many of these malware were experimental in nature, representing a continuation of the effort to build stealthier and more potent vectors. Tampering with existing malware using AI-based tools is an ongoing trend. The LLMs behind these tools are trained on stolen datasets gathered from around the world. Data previously released on the Dark Web and other forums without backups was collated back by the actors who released it, for training LLMs.

Data from as early as 2017 is being used in the training process, wherein the LLMs are sensitized by exposure to pre-filtered datasets. The crude filtration process involves scrubbing the data and removing noise and irrelevant data wherever possible. We have come across training datasets that were fed to the model without any scrubbing. This may have been done to provide an enhanced context to the learning process. Both code-based and no-code platforms have been used for building and training the AI tools.

The trainers are often working with the assumption that the topology of the target networks wouldn’t have changed much, making older network data still relevant. By bringing in automation at various levels, hackers are trying to scale their operations to go after large and geographically widespread targets such as:

• Small healthcare providers
• Government departments, databases and agencies
• Schools and academic institutions
• Large renewable energy plants with thousands of devices
• Manufacturing plants
• Oil and gas projects

Attacks at scale also help bring in more datasets to further train the AI tools the hackers are using. In the future, even downstream activities (activities taken up by hackers following a successful breach) such as breach confirmation, negotiations with victims, handing out decryption keys, and reattacking targets could be automated. This creates a cycle of information modeled on a conveyor belt framework that some APT groups working under the Ministry of State Security in China have used and fine-tuned. At the core of this model/framework is constant refinement of targeting tactics to improve the data collected.

As part of an experiment conducted by Sectrio’s threat research team, we tracked multiple dummy data sets stolen from our honeypots turning up across various data broking sites on the web and Dark Web. Even as late as a year and a half back, there would be a lag of a few days before the stolen data made its appearance on the web. Hackers and data brokers would often make minimal changes to the data offered for sale.

[Chart: Average number of days taken for hackers to put data on sale, 2018 to 2023; y-axis 0 to 20 days; bar values visible in the extracted text: 16, 7, 6, 5, 3]

AI has helped hackers correlate data at scale. For instance, if the hackers have to target a susceptible insider, earlier they had to sift through multiple social and online platforms and breach data manually to gather and analyze information of interest.

However, with the use of AI, hackers are now able to push crawlers to locate information about a target employee in multiple breach data sets available for sale, in addition to social media platforms. AI-based tools can also identify data belonging to persons of interest in a given dataset.

Thus, in a matter of days, a complete profile of the target employee is created along with potential phishing and deepfake messages. The targets are then added to an existing campaign, or a new campaign is launched to target them in the case of a strategic target.

This is the level of organization and persistence that AI is offering to hackers today.

That lag increased significantly (by 220 percent) in 2023. This means that hackers are now holding on to stolen data for a longer period of time. This could be to feed the data into multiple filtering tools to scrub the data and then use the data to train LLMs. Some of the data that may have undergone this cycle may not even be sold if the hackers feel that the dataset is essential for training LLMs or has information to target the same or similar networks in the future. Thus, stolen data is now acting as a tactical and strategic asset for these hackers.

While this is an early trend, we have reasons to believe that hackers are investing extensively in understanding the attack paths available for targeting enterprises. These paths include lateral movement after privilege escalation, exploiting known vulnerabilities, identifying and targeting susceptible insiders, gathering cross-platform datasets, leveraging weak points in the supply chain to plant trojans or self-assembling payloads, and targeted phishing attacks.

Among prominent threat actors, the Lockbit group seems to be the one experimenting most with AI. The group is known to use AI for affiliate recruitment and tracking, payload generation, fine-tuning and monitoring, decryptor assembly, and victim communication. Considering the scale at which Lockbit operates today, it comes as no surprise that the group is invested to such an extent in AI. Other groups including REvil are also adopting AI in some aspects of their operations.

Impact of AI on malware development

Malware developers have been using AI for various end uses. A prominent AI use case in hacking has to do with the development of complex and adaptive malware. Such malware could hypothetically render itself invisible in a target network by studying network parameters and blending its behavior into the baseline network and device behavior by simulating a task, application, service or data pattern. It could also demonstrate a very high level of autonomous behavior by adapting to various network dynamics, including encryption.

This malware can therefore turn into a variant of itself in various environments as an active response mechanism. The malware can be trained in simulated environments through an active feedback mechanism where the hacker can enforce multiple loops of data or network characteristics to observe malware behavior and trigger specific responses to changes.

The core malware configuration could thus be a function of the environment it is operating in. Such malware could easily beat static defense mechanisms that are not designed to detect modifications in the malware behavior.

The adoption of AI by hackers is however not without its share of challenges. There was at least one instance where a Lockbit decryptor, possibly programmed by an affiliate, failed to decrypt the data after the ransom was paid by the victim. Considering the speed at which cyberattacks and threat actors are evolving, AI-based targeting tools will stabilize and offer a higher degree of predictability (about the odds of a successful attack) in the next two years.

Use of AI by APT groups

Other than APT groups such as APT 41 based in China, a few other APT groups have also started using AI in some way.

Dark Pink/Cicada (origin: South-East Asia)
Targets: Armed forces, hacktivist groups and government agencies in Thailand, Cambodia, Indonesia, Malaysia, the Philippines and Vietnam
Level of maturity and use: Beginner. This group is deploying AI mainly for phishing campaigns. Since it works through a spike model (a huge rise in the number of probes logged within a short period), AI is being used to support the increase in demand for resources and hackers.

Vixen Panda (origin: China)
Targets: Iranian and Qatar governments and legal networks
Level of maturity and use: Beginner. Has been known to use AI to track the activity of its targets on social media and on the web.

Static Kitten (origin: Iran)
Targets: US, UAE, Qatar, Israel, Germany, India, Central and Eastern Europe
Level of maturity and use: Beginner. Is using an AI tool to detect open ports to listen to traffic.

Imperial Kitten (origin: Iran)
Targets: US, UAE, Qatar, Israel, Germany, Saudi Arabia and Egypt
Level of maturity and use: Advanced. Uses LLMs to generate convincing phishing emails and content for fake websites.

Gamaredon (origin: Russia)
Targets: Ukrainian and NATO targets
Level of maturity and use: Advanced. Is using some form of AI for gathering intelligence data from NATO and other targets.

APT 29 (origin: Russia)
Targets: Targets across Europe and NATO
Level of maturity and use: Advanced. Has developed individual-specific tracking tools to track the digital footprints of high-value targets.

Turla (origin: Russia)
Targets: Diplomatic intel from Eastern European countries
Level of maturity and use: Is known to support many APT groups in Russia by developing blueprints of espionage tools.

Not all groups are currently working with AI models, tools, or frameworks. Various factors drive
the adoption of AI among APT groups. These include the scale of operations, nature of targets,
and resources available. APT groups targeting entities with hardened infrastructure with
widespread operations across geos prefer integrating AI-based tools to improve the
effectiveness of their campaigns.

Groups like Imperial Kitten from Iran are using LLMs to create content for phishing emails and
for creating fake websites. Groups like Kimsuky (North Korea) and APT 28 (Russia) are using
LLMs to gather information to create convincing content for fake donor websites to attract
activists and NGOs.

Rise in volumes of various AI-powered cyberattacks

Volume of AI-based cyberattacks in 2023

Chart: monthly volume of AI-based cyberattacks, January to December 2023, split into AI-assisted, AI-generated and AI-involved (axis 0 to 120,000).

AI-assisted: attacks involving malware or payloads modified using AI
AI-generated: attacks involving scans initiated through AI tools or malware developed using AI tools
AI-involved: attacks where some form of AI involvement at early levels is suspected.

The huge variation in the volume of AI-based cyberattacks is a point to analyze. Such a trend
indicates that the tools, models, and frameworks used by hackers have not stabilized and
multiple tryouts are going on in cyberspace. Most of these tryouts are being conducted by
mid-sized hacker groups such as Static Kitten who are trying to compete with the established
hacker groups.

Geographical distribution of cyberattacks on IoT and OT in 2023

North America 43%
Europe 23%
APAC 13%
Middle East 12%
Africa 6%
South America 3%

Which countries are getting attacked and why?

Geopolitical instability and active APT players set the narrative for cyberattacks in 2022.
Attacks on Ukraine, the US, the UK, India, UAE, Estonia, Lithuania, France, and South Korea had
strong geopolitical undertones. While the targets are diverse, as far as the origin of cyberattacks
(including scans) goes, as many as 51 percent of all attacks were traced back to China. Russia
came in second, followed by North Korea. For this assessment, we have only considered
cyberattacks that could be clearly attributed to an APT actor. In cases of ambiguity or where
the origin was not clear, we have tagged those attacks to ‘others’. ‘Others’ does not include
countries that accounted for less than 4 percent of the overall attacks logged.

OT-specific attacks were targeted at countries with a significant industrial footprint and those
possessing a large OT-powered critical infrastructure landscape. While hackers operate more
indiscriminately when it comes to scans, they use more discretion when it comes to escalating
the scanning into a full-fledged attack. There could be many reasons for this. As per our
analysis, most of the scans on OT networks are now conducted using automated tools. During
these scans, hackers use port scanning and network vulnerability scanning tools to identify
security gaps to exploit.

Public networks and IP obfuscation are commonly used to hide tracks.

ICS ports accessible from the internet (June 2023)

In June, Sectrio’s threat research team conducted a study to ascertain how many ICS-based
infrastructures are accessible through the Internet. This was in continuation of a project we did
in 2022. Compared to 2022, the number of ports accessible rose by 7 percent. Our scans are just
pings designed to locate abusable devices, threat surfaces, and ports open for no specific
reason. We do a validation scan as well to count only those ports that continue to remain open
48 hours after the initial scan.

To understand the context of this project we need to go back a few decades. Since the early
days, ICS systems were not designed to work with external networks. However, they were
allowed to connect remotely or be made available for remote connection through the internet.

The ease of access to these ports and their relation with critical processes within enterprises
is a matter of concern. To understand the specific security concerns, further research needs to
be done to identify misuse of legitimate but insecure internet traffic connected with these
ports. Such research rests well outside the mandate of our current research priorities.

More importantly, this is a significant security gap and must be addressed on priority. An
open port renders systems vulnerable

Map: Geographical distribution of accessible ports across the globe.
Region-wise accessibility of ICS-linked ports

Region ICS ports accessible

North America 35341

Asia 17093

Europe 16778

South America 703

Africa 299

Australia 560

First scan on 15th June 2023 | Validated through repeat scan on 18th June 2023

State of global ICS exposure

When considering the level of exposure associated with ICS, there are a few factors that need
to be understood. First, these systems offer various levels of access to other networks and
systems within an organization. Secondly, the number of systems exposed varies from
organization to organization. North America showed the highest density of publicly accessible
ICS systems followed by Asia and Europe.

Enterprises segregated by exposure levels

Red: 54 | Amber: 29 | Blue: 17

Red enterprises are those with over 10 exposed ports.
Amber enterprises are those with between 3 and 9 exposed ports.
Blue enterprises are those with fewer than 3 exposed ports.
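As an added example (not Sectrio's tooling), the following script replays the report's method on constructed scan records: it keeps only ports still open in a validation scan at least 48 hours after the first scan, bands each enterprise Red, Amber or Blue as defined above, and tallies the share of validated exposures per ICS protocol. The port-to-protocol map, the addresses and the timestamps are constructed; treating a count of exactly 10 ports (which falls between the report's Red and Amber bands) as Red is an assumption.

```python
"""Added example, not Sectrio's tooling: replay the report's ICS exposure
method on constructed scan records.

A port counts as exposed only if a validation scan at least 48 hours after
the first scan still finds it open. Enterprises are then banded Red (over 10
exposed ports), Amber (3 to 9) or Blue (fewer than 3); a count of exactly 10
sits between the report's bands and is treated as Red here (assumption).
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed map of common ICS service ports to protocol names (assumption).
ICS_PORTS = {502: "Modbus", 102: "S7COMM", 44818: "Ethernet/IP",
             47808: "BACnet", 3671: "KNX"}

VALIDATION_WINDOW = timedelta(hours=48)


def _rec(enterprise, ip, port, seen):
    return {"enterprise": enterprise, "ip": ip, "port": port, "seen": seen}


# Constructed sample scans using documentation address ranges. First scan on
# 15 June, validation scan on 18 June, as in the report.
T0 = datetime(2023, 6, 15, 9, 0)
T1 = datetime(2023, 6, 18, 9, 0)

FIRST_SCAN = (
    [_rec("A", f"198.51.100.{i}", 502, T0) for i in range(1, 9)]
    + [_rec("A", f"198.51.100.{i}", 102, T0) for i in range(9, 12)]
    + [_rec("B", "203.0.113.10", 502, T0), _rec("B", "203.0.113.11", 44818, T0),
       _rec("B", "203.0.113.12", 47808, T0), _rec("B", "203.0.113.13", 3671, T0)]
    + [_rec("C", "192.0.2.5", 502, T0), _rec("C", "192.0.2.6", 102, T0)]
    + [_rec("D", "192.0.2.40", 502, T0)]
)

SECOND_SCAN = (
    [_rec("A", f"198.51.100.{i}", 502, T1) for i in range(1, 9)]
    + [_rec("A", f"198.51.100.{i}", 102, T1) for i in range(9, 12)]
    + [_rec("B", "203.0.113.10", 502, T1), _rec("B", "203.0.113.11", 44818, T1),
       _rec("B", "203.0.113.12", 47808, T1)]          # B's KNX port closed
    + [_rec("C", "192.0.2.5", 502, T1)]               # C's S7COMM port closed
    # D re-observed only one hour later: too soon to count as validated
    + [_rec("D", "192.0.2.40", 502, T0 + timedelta(hours=1))]
)


def persistent_exposures(first_scan, second_scan):
    """Return the set of (enterprise, ip, port) open in both scans, where the
    second observation is at least VALIDATION_WINDOW after the first."""
    first_seen = {(r["enterprise"], r["ip"], r["port"]): r["seen"]
                  for r in first_scan}
    kept = set()
    for r in second_scan:
        key = (r["enterprise"], r["ip"], r["port"])
        if key in first_seen and r["seen"] - first_seen[key] >= VALIDATION_WINDOW:
            kept.add(key)
    return kept


def exposure_band(port_count):
    """Band an enterprise by its number of validated exposed ports."""
    if port_count >= 10:   # report says 'over 10'; exactly 10 treated as Red
        return "Red"
    if port_count >= 3:
        return "Amber"
    return "Blue"


def band_enterprises(exposures):
    """Map each enterprise with at least one validated exposure to its band."""
    per_enterprise = Counter(ent for ent, _ip, _port in exposures)
    return {ent: exposure_band(n) for ent, n in per_enterprise.items()}


def protocol_share(exposures):
    """Percent of validated exposed ports per ICS protocol, one decimal."""
    total = len(exposures)
    if total == 0:
        return {}
    counts = Counter(ICS_PORTS.get(port, "Other") for _e, _ip, port in exposures)
    return {proto: round(100.0 * n / total, 1) for proto, n in counts.items()}


if __name__ == "__main__":
    validated = persistent_exposures(FIRST_SCAN, SECOND_SCAN)
    print(f"{len(validated)} validated exposures")
    print(band_enterprises(validated))
    print(protocol_share(validated))
```

Enterprise D drops out because its second observation is inside the 48-hour window, which is the kind of false positive the report's repeat scan is meant to exclude.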

Percent of devices exposed

Chart: percent of exposed devices by ICS protocol: Modbus, S7COMM, Lantronix, KNX, Ethernet/IP, CODESYS, BACnet, PROFINET, Foundation Fieldbus, HART, CAN (axis 0 to 40 percent; bar values not recoverable from the extracted text).

Vulnerability exploitation attempts on common IoT CVEs

In addition to open ports, the Sectrio research team also analyzed attempts to exploit
published CVEs linked to IoT systems. These attempts were logged on these devices in our labs
and in real-world environments monitored by us. The level of attacks points to a high level of
awareness about these vulnerabilities and ways to exploit them. While some of these
vulnerabilities are old, they may remain unpatched, and more importantly, a threat actor could
leverage them to target IoT projects; if other devices and systems are present, they could be
targeted after the actor gains access.

Post access, the devices could be converted into a bot farm, which is a common occurrence.

Common vulnerabilities Vs. exploitation attempts logged

Vulnerability Total attempts

CVE-2017-17215 69,492

CVE-2023-26801 1,260

CVE-2019-12780 1,344

CVE-UNASSIGNED-2020-Zyxel-CPE-Command-Injection-RCE-01 456

EDB-41471 576

CVE-2014-8361 684

CVE-2017-18368 384

CVE-2016-10372 336

CVE-2018-10562 312


EDB-25978 192

EDB-39596 96

CVE-2015-2051 132

EDB-31683 60

CVE-2018-9995 84

EDB-44760 24

OPENVAS-1361412562310107187 108

CVE-2016-6277 48

CVE-2020-8515 24

CVE-2009-0545 24

CVE-2019-7192 60

CVE-2019-17270 24

CVE-2022-2488 24

CVE-2022-2486 24

CVE-2020-15920 24

CVE-2021-36260 24

CVE-2020-5847 24

CVE-2021-21805 24

CVE-2021-27561 24

CVE-2014-3206 24

CVE-2017-14135 24

The rising cost of ransom
The cost of ransom continued its upward trajectory for the third consecutive year. In 2023, the
average cost of recovering a GB of encrypted data stood at USD 53,001. While many victims
were given decryptors to get their data back, in almost all cases, the hackers were able to
retain copies to sell the data or use it to train AI tools as highlighted earlier.

Table: Cost per GB of data as demanded by hackers and what was paid by the victim businesses^

Year | Approximate ransom demanded by hackers per GB (Demand) (USD) | Cost per GB (Paid by the victim organization) | Sample size* (Number of incidents)

2016 4975 4900 23

2017 7600 7000 26

2018 10,000 9000 35

2019 14,567 12000 41

2020 27,340 22,045 49

2021 50,000 39,000 51

2022 54,990 49,044 82

* Number of incidents studied where the information was sufficient to arrive at the ransom numbers
^ The ransom demand varies according to the threat actor, size of the data, victim, and complexity of the
malware used

While the rise in ransom demand per GB may seem moderate, what is concerning is the rise in
the number of incidents. The number of incidents refers to incidents for which we have a full set
of data available and were able to validate at least some part of the information from more
than one source. Due to the increase in the number of hackers associated with groups like
Lockbit (which continues to attract affiliates), the number of active hacker groups has grown
and so have the attacks. The rise in average ransom demand also has to do with the large
number of big organizations that were breached. These entities were made to pay a much
larger ransom for regaining access to smaller volumes of stolen data. This was reversed in the
case of small and medium businesses, where the ransom demand was much smaller for a bigger
volume of data.

The large increase in incidents is also due to many instances of healthcare and academic
institutions reporting cyberattacks. The ransom demand placed by hackers on institutions from
these two sectors is significantly lower when compared to sectors such as oil and gas and
manufacturing.

Attacks on sectors
In 2023, Sectrio’s researchers visited power plants and power distribution infrastructure in
North America, Latin America, the Middle East, and South Asia. We wanted to understand why
the attacks on the infrastructure were growing and how the sector was responding to the
growing threat. In almost all the entities we visited, digitization drives were occurring at
various levels. Many had open security positions that hadn’t been filled since 2022 and many
had legacy infrastructure that was running without any specific security-related controls or
policies designed to reduce the risk exposure of these systems.

The attack surface available in utility firms is also growing and remotely exploitable. Since
most plant and distribution infrastructures are not modeled to offer various levels of
resistance to a persistent and sophisticated threat actor, attackers can easily move across
networks, take control of systems, escalate privileges, modify and crash systems and exfiltrate
data.

In one instance of a power distribution company, we found that the consumption data
collected from smart meters was accessible through the web. This meant that meter readings
could be tampered with or even reset.

The energy sector logged a whopping 109 percent rise in attacks in 2023, making it the most
attacked sector in the world.

The growing attacks on healthcare can be attributed to the rise in the recruitment of affiliates
and the lack of basic security measures across the sector.

Trends in detection of smart factory threats

Chart: smart factory threats detected per year, 2018 to 2023 (bar values as extracted: 67, 231, 309, 383, 417, 512).
Attacks on manufacturing are rising for various reasons. With growing asset complexity,
convergence of IT and OT and less attention being paid to the security of legacy assets, the
sector is wide open to all types of cyber incidents. Smart factories with a very high degree of
automation are being targeted across the globe. 512 smart factory specific threats were
uncovered in 2023 with most of them targeting process-based manufacturing entities having
multi-geographic operational presence. With a significant expansion in our honeypot network
focused on smart factories, we were able to capture more data on the attacks being carried
out by groups targeting smart factories.

The objectives behind targeting smart factories are:

• Bad actors want to understand how the shop floor is evolving and the type of assets being
deployed to target them
• APT actors want to target smart factories to steal IP (more details below)
• Some of the smart factories are deploying new equipment without conducting a security
acceptance test which means that any backdoors in devices and components go
undetected. Hackers are interested in identifying these backdoors in a production
environment

One of the lesser-known aspects of cyberattacks on manufacturing entities is IP theft. Since the
attackers and victims often do not disclose the exact nature of data involved in a cyber
incident, there is no way of knowing for sure if the data lost involved IP backed by years of
research and investments. However, when one looks at the major attacks on industrial giants
there is a pattern that emerges.

Smart factories: what is being targeted

Chart: share of smart factory attacks by targeted layer: physical resource layer, application layer, network layer, monitoring and control layer, data storage and access layer, and others (including reconnaissance). Bar values as extracted: 23, 21, 15, 14, 11, 9, 7 (axis 0 to 25).
Major cyber attacks on industrial giants in 2023 and the fallout

Disclosure timeline Target Ransom paid Data leaked

November 1st week Aircraft manufacturer No Partially

September last week Multinational tech co No No

Mid-June Large manufacturer No No

Mid-May Car manufacturer No No

In the case of many large corporations, sometimes, no ransom is given. In such cases, the threat
actor instead makes money by selling the data to data brokers or others. In case Intellectual
Property information is involved, then the data is sold to either a competitor or certain
state-backed APT actors that pay for such data. If those two options don’t work out, then the
data is simply retained for training AI tools.

Either way, businesses end up losing as the data exfiltrated may contain information that could
cause economic harm to them in the long run. Customer data, pricing information, product
roadmap, market research, contracts, legal positions, and research information are among the
data sets that hackers commonly seek to exfiltrate. These datasets fetch good bids on hacker
forums and data brokers are more than willing to pay top dollar to buy such data and resell
them in the open market or to select buyers.

Companies that have lost such data and do not have backups are also willing to pay good
money to get the data back. The threat of stolen data appearing in public may also spook
victims as it may open them to litigation or turn them vulnerable to regulatory scrutiny.
Depending on the value of the data stolen, the victim entities may approach hackers directly or
depute intermediaries to engage and negotiate with the hackers.

Percentage of incidents

Chart: percentage of incidents by attack objective: disrupt flow (short term), disrupt flow (long term), slow down lading on to tankers, impact capacity, hinder flow to storage facilities, impact production, unknown. Bar values as extracted: 47, 21, 11, 9, 7, 2, 3 (percent).
Thus, hackers win both ways. There is a third way as well, wherein hackers sell the data to both
the victim and data brokers.

The oil and gas sector has been a favorite of hackers of all hues. However, this sector has
always been on the radar of APT actors everywhere. The biggest volume of cyberattacks was
targeted at oil transportation infrastructure. This included oil transferred via pipelines from
offshore drilling platforms, refined products moved to storage and consumption centers and
facilities for further processing. The attacks on pipelines were mainly designed to minimize
capacity utilization and transfer efficiency and to cause disruption for a prolonged period of
time to impact gas prices.

By analyzing factors such as potential target, level of accuracy of targeting, attack timing and
the nature of malware used, Sectrio’s threat research team was able to assign a potential
motive for each of the attacks analyzed. Common variants of free cyber tools that are designed
to test ICS defenses are also misused to enable data exfiltration and ransomware deployment.
The prevalence of these tools is certainly adding another dimension of risk to sectors such as
oil and gas and manufacturing. Not only are these tools easily available but they are also
available for as low as $3.

The marketplace for crimeware is populated by actors, tools, services, and even consulting
help. Such marketplaces often serve as a hub for planning and executing cyberattacks and
enable faster propagation of tools and TTPs.

Correlation between attacks and crude price

Chart: monthly attacks logged on the oil sector (axis 0 to 900,000) plotted against the crude spot price in dollars per barrel, by month; the underlying figures are in the table that follows.

Oil data source: EIA^2
Oil price fluctuations vs variation in the volume of cyberattacks during the same period

Date | Cushing, OK WTI Spot Price FOB (Dollars per Barrel) | Europe Brent Spot Price FOB (Dollars per Barrel) | Attacks logged

January 78.12 82.5 331093

February 76.83 82.59 456444

March 73.28 78.43 499576

April 79.45 84.64 301000

May 71.58 75.47 712876

June 70.25 74.84 904001

July 76.07 80.11 346055

August 81.39 86.15 291000

September 89.43 93.72 214882

October 85.64 90.6 298418

November 77.69 82.94 369465

December 71.9 77.63 581939

The number of cyberattacks in the oil sector shows a high degree of correlation with the spot
price (FOB) for crude. During times of a rise in crude oil prices, we are registering small dips in
cyberattacks on the sector and vice-versa. Such attacks are often carried out to influence the
prices of crude oil globally. Cyberattacks may bring in a sense of leverage for the groups that
are controlling the threat actors carrying out such attacks. It also brings in a sense of control
over crude prices at the very least at a notional level.

This data also addresses the impression of cyberattacks being carried out at random. In
addition to the attacks being targeted at select entities, the frequency and volume of these
attacks are also controlled by threat actors to align with the objectives they may have at a
given point in time.
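The correlation claim can be checked against the report's own table. The following is an added example, not the report's analysis: it computes Pearson and Spearman coefficients between the monthly spot prices and attack counts transcribed from the table above, and counts how many month-over-month moves ran in opposite directions. A negative coefficient only shows that the two series moved inversely over these 12 months; it does not establish which, if either, drives the other.

```python
"""Added example, not the report's analysis: check the correlation claim
against the report's own 2023 monthly table (WTI and Brent spot FOB prices
in dollars per barrel vs attacks logged on the oil sector)."""
from math import sqrt

# Transcribed from the table above: (month, WTI, Brent, attacks logged)
MONTHLY = [
    ("January", 78.12, 82.50, 331093),
    ("February", 76.83, 82.59, 456444),
    ("March", 73.28, 78.43, 499576),
    ("April", 79.45, 84.64, 301000),
    ("May", 71.58, 75.47, 712876),
    ("June", 70.25, 74.84, 904001),
    ("July", 76.07, 80.11, 346055),
    ("August", 81.39, 86.15, 291000),
    ("September", 89.43, 93.72, 214882),
    ("October", 85.64, 90.60, 298418),
    ("November", 77.69, 82.94, 369465),
    ("December", 71.90, 77.63, 581939),
]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need at least three paired observations")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no correlation")
    return sxy / sqrt(sxx * syy)


def ranks(values):
    """Average ranks (1-based); tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def spearman(xs, ys):
    """Rank correlation: less sensitive than Pearson to a single outlier month."""
    return pearson(ranks(xs), ranks(ys))


def opposite_moves(prices, attacks):
    """Count month-over-month steps where price and attack volume moved in
    opposite directions; returns (opposite_count, total_steps)."""
    steps = list(zip(prices[1:], prices[:-1], attacks[1:], attacks[:-1]))
    opposite = sum(1 for p1, p0, a1, a0 in steps if (p1 - p0) * (a1 - a0) < 0)
    return opposite, len(steps)


def price_attack_correlations(rows=MONTHLY):
    """All four coefficients plus the directional counts for the table."""
    wti = [r[1] for r in rows]
    brent = [r[2] for r in rows]
    attacks = [r[3] for r in rows]
    return {
        "wti_pearson": pearson(wti, attacks),
        "brent_pearson": pearson(brent, attacks),
        "wti_spearman": spearman(wti, attacks),
        "brent_spearman": spearman(brent, attacks),
        "wti_opposite_moves": opposite_moves(wti, attacks),
        "brent_opposite_moves": opposite_moves(brent, attacks),
    }


if __name__ == "__main__":
    for name, value in price_attack_correlations().items():
        print(f"{name}: {value}")
```

With only twelve observations the coefficients are indicative rather than conclusive; the directional count is the simplest way to read the "small dips" statement above.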

Attack stages and discovery

Stage Instances as a percentage

Planning 19

Preparation and payload testing 14

Weaponizing 11

Targeting and delivery attempts 17

C&C Communication 05

Exfiltrated data movement 11

Listening 09

Unknown 14

Attacks logged by targeted crude oil handling and processing stages

Attacks Target Phases

Data exfiltration Drilling, refining, transport and distribution

Ransomware Across operations

Sabotage Transport and refining, offshore drilling

Listening Drilling and refining

Payload testing Drilling, refining, and transport

Top systems being targeted

Top target systems in inbound attacks Percent

PLCs 15

Generic IT 11

SCADA workstations 13

Firmware 09

Well performance analysis systems 01

Process optimization and control 04

Safety instrumented systems/disable safety 09

Smart pumps 01

Pipeline monitoring 01

Directional drilling guidance system 05

Automated integrated drilling system 06

System state change 04

Cyberphysical monitoring systems 06

Production management systems 03

Impair process control 02

Unspecified HMI systems 03

ERP 02

Unknown 05

The diverse targets in the oil and gas sector that are receiving attention from hackers indicate
the high level of interest that threat actors have in the sector. Beyond the known motivations of
threat actors, there may be motivations at play that are not fully understood.

Price of hacking kits
There are as many as 93 GPT kits available to generate malware and/or codes for tampering
with existing malware. In addition, there are also basic kits available on forums to sniff packets,
correlate passwords and user name combinations across breaches, build kits for scanning
open ports and many more functions. Kits are also available to conduct a full-fledged cyber
attack on a trial mode. This includes deploying harmless payloads on target networks, moving
them laterally into zones with critical systems and pulling the payload back. This completes a
reconnaissance cycle.

Hacking kit Function Price in USD

Spyden Open port crawler 3-7

Xintas Password match algorithm 2

Anormus Network stealth level tracker 12

Elephus Network stealth level tracker 8-16

Gordata Data sampler 2-10

Composite kit Most of the above functions 21

“A bad actor can launch an attack, cause a breach, and sell access for as little as USD 3 today.”

By using these kits, hackers can even train new hackers or try out newer malware deployment
methods. Some of the kits also double up as reconnaissance tools for the malware developers
as they leave backdoors open for C&C communication and data exfiltration. Thus the threat
actors that buy such kits often end up supporting the nefarious goals of malware developers
wittingly or otherwise.

Such kits can also be used along with uncategorized data sold separately on various forums
to target specific entities whose data and credentials have already been leaked. This reduces
time taken to target businesses while increasing the chances of a breach.

The prevalence of many forums where malware and access information are sold also helps
bad actors gain access to hacking tools easily. This is the biggest factor that enables the
growth of cyberattacks at scales that we have not seen so far.

Critical infrastructure under siege
State-backed actors belonging to four nations (Russia, China, North Korea and Iran) are actively
targeting critical information infrastructure (CII) across over 100 countries around the world.
Attacks on such infrastructure have grown in scale, sophistication, and width in the last 4 years.
We are encountering the footprint of APT groups from these countries more often now than
ever before. Even a casual look at the level of targeting seen in the oil and gas sector alone is
sufficient to reveal the scale at which the attacking operations are carried out.

In addition to long-term reconnaissance, threat actors are also working to keep a grip on the
infrastructure to retain a sense of leverage in the event of a geo-political event in the future.
The breached assets will be manipulated or damaged or taken out during such an event. Thus,
even before shots are fired, a nation involved can hypothetically start taking out critical
infrastructure to degrade the quality of response of its adversary.

Other than utility companies and oil and gas infrastructure, data centers, port and transport
infrastructure, and institutions related to governance are also on the radar of state-backed
threat actors.

The number of reconnaissance scans on critical infrastructure has also increased significantly
in the last two years. The rise in such scans indicates the growing interest in critical
infrastructure. State-backed actors are keeping a vigil and exfiltrating data wherever possible.
These scans yield a rich trove of information including the state of the network, open ports,
security gaps, user account information, network vulnerabilities, security measures deployed,
type and nature of assets and traffic patterns. Even if a scan does not lead to a full-blown
attack, reconnaissance activity by hackers can slow down network traffic and create a
nuisance for network administrators and asset users.

Reconnaissance: from a real-world example

Sectrio’s threat research team documented a real-life attack on a manufacturing facility in
June 2023. The attack escalated from reconnaissance to a full-blown attack within a month.
In this case, the hacker used automated vulnerability scanning tools to identify exploitable
systems. The hacker then exploited 3 remote code execution vulnerabilities and opened a
communication channel to initiate evasive steps to mask the presence of a stager. The
behavior of the payload, including the beacon frequency, was also modified to evade
detection.

This attack led to a set of IIoT devices being compromised. The hacker also used a similar
tactic to breach the camera feed from CCTVs. The compromised IIoT devices were then used
to launch an attack on a port located halfway around the world during night hours.

Major cyber events in 20234

Israeli-linked hackers disrupted approximately 70%


December 2023 of gas stations in Iran.

Ukrainian state hackers crippled Russia’s largest


water utility plant by encrypting over 6,000 computers December 2023
and deleting over 50 TB of data

Russian hackers hit Ukraine’s largest mobile phone


December 2023 provider, Kyivstar, disabling access to its 24 million
customers in Ukraine

Ukraine’s military intelligence service (the GRU)


claims to have disabled Russia’s tax service in a December 2023
cyberattack. Russia’s tax service was allegedly
paralyzed as a result of this attack.

Suspected Chinese hackers launchsssed an


espionage campaign against Uzbekistan and the
November 2023 Republic of Korea. Hackers use phishing campaigns
to gain access to their target’s systems and
decrypt their information.

Chinese-linked hackers attacked Japan’s space


agency during summer 2023 and compromised the
organization’s directory. The agency shut down
November 2023
parts of its network to investigate the breach’s
scope, but claims it did not compromise critical
rocket and satellite operations information.

Chinese hackers compromised Philippine


government networks. Beginning in August 2023,
hackers used phishing emails to imbed malicious
November 2023
code into their target’s systems to establish
command-and-control and spy on their target’s
activities.

www.sectrio.com 29
Trinidad and Tobago’s Prime Minister Dr. Keith
Rowley declared the latest ransomware attack
against the country’s telecommunications service
November 2023 to be a “national security threat.” Hackers stole an
estimated six gigabytes of data, including email
addresses, national ID numbers, and phone
numbers.

Denmark suffered its largest cyberattack on record


when Russian hackers hit twenty-two Danish power
companies. The attack began in May 2023 and
appeared to be aimed at gaining comprehensive November 2023
access to Denmark’s decentralized power grid.
Hackers exploited a critical command injection flaw
and continued to exploit unpatched systems to
maintain access.

Chinese cybercriminals targeted at least 24


Cambodian government networks, including the
National Defense, Election Oversight, Human Rights,
National Treasury, Finance, Commerce, Politics,
Natural Resources and Telecommunications
November 2023
agencies. Hackers disguised themselves as cloud
storage services to mask their data exfiltration. Initial
research indicates the attack is part of a broader
Chinese espionage campaign.

Hacktivists stole 3,000 documents from NATO, the


second time in three months that hacktivists have
breached NATO’s cybersecurity defenses. Hackers
described themselves as “gay furry hackers” and
October 2023
announced their attack was retaliation against
NATO countries’ human rights abuses. NATO alleges
the attack did not impact NATO missions,
operations, or military deployments.

Researchers discovered what appears to be a


state-sponsored software tool designed for
October 2023 espionage purposes and used against ASEAN
governments and organizations.

Pro-Hamas and pro-Israeli hacktivists have


launched multiple cyberattacks against Israeli
government sites and Hamas web pages in the
aftermath of Hamas’ attacks on Israel on October October 2023
7th. Russian and Iranian hacktivists also targeted
Israeli government sites, and Indian hacktivists have
attacked Hamas websites in support of Israel.

Vietnamese hackers attempted to install spyware


on the phones of journalists, United Nations officials
and the chairs of the House Foreign Affairs
Committee and Senate Homeland Security and
Governmental Affairs. The spyware was designed
to siphon calls and texts from infected phones, and
October 2023 the unsuccessful deployment comes while
Vietnamese and American diplomats were
negotiating an agreement to counter China’s
growing influence in the region.

www.sectrio.com 30
New reporting reveals Chinese hackers have been
targeting Guyana government agencies with
October 2023 phishing emails to exfiltrate sensitive information
since February 2023.

North Korean hackers sent malware phishing emails


to employees of South Korea’s shipbuilding sector.
South Korea’s National Intelligence Service
October 2023
suggested that the attacks were intended to gather
key naval intelligence that could help North Korea
build larger ships.

Indian hacktivists targeted Canada’s military and


Parliament websites with DDoS attacks that slowed
system operations for several hours. Hacktivists
September 2023 referenced Canadian Prime Minister Justin Trudeau’s
public accusation against India of killing Sikh
independence activist Hardeep Singh Nijjar as
motivation for the hack.

Iranian hackers launched a cyberattack against


Israel’s railroad network. The hackers used a
phishing campaign to target the network’s electrical September 2023
infrastructure. Brazilian and UAE companies were
also reportedly targeted in the same attack.

U.S. and Japanese officials warn that Chinese


state-sponsored hackers placed modifying
software inside routers to target government
September 2023 industries and companies located in both
countries. The hackers use firmware implants to
stay hidden and move around in their target’s
networks. China has denied the allegations.

A massive cyberattack hit Bermuda’s Department of


Planning and other government services. The
country’s hospitals, transportation, and education
centers remained functional, but other services were September 2023
down for several weeks. Bermuda announced that it
is investigating the attack and declined to state if
any sensitive data was compromised.

Cybercriminals targeted Kuwait’s Ministry of


Finance with a phishing ransomware attack.
September 2023 Kuwait isolated the Ministry and other
government systems to protect them from
potential further attacks.

www.sectrio.com 31
Russian is stepping up cyberattacks against
Ukrainian law enforcement agencies, specifically
units collecting and analyzing evidence of Russian
September 2023
war crimes, according to Ukrainian officials.
Russian cyberattacks have primarily targeted
Ukrainian infrastructure for most of the war.

Russian forces in occupied Crimea reported a


cyberattack on Crimean Internet providers. The
attack happened around the same time that a
September 2023
Ukrainian missile strike aimed at Russian naval
headquarters in the area. Ukrainian officials have
yet to comment.

Russian cybercriminals breached the International


September 2023 Criminal Court’s IT systems amid an ongoing probe
into Russian war crimes committed in Ukraine.

A new Microsoft report indicates an increase of


Chinese cyber operations in the South China Sea, as
well as increased attacks against the U.S. defense September 2023
industrial base and U.S. critical infrastructure. The
increase comes amid rising tensions between China
and the U.S.

A Russian ransomware group leaked Australian


federal police officers’ details on the dark web. The
leak is the latest phase of a Russian attack which
September 2023
started in April 2023 against an Australian law firm
that services several Australian government
agencies.

The iPhone of a Russian journalist for the


independent newspaper Meduza was infected with
Pegasus spyware in Germany this year. The incident
is the first known instance of the spyware being used
against a prominent Russian target. The country
September 2023
behind the spyware placement is unknown, but
Latvia, Estonia, Azerbaijan, Kazakhstan, and
Uzbekistan are all suspects given past use of
Pegasus spyware or their allegiance to Russia.

Suspected Chinese hackers attacked the


national power grid of an unspecified Asian
country earlier this year using Chinese malware.
September 2023
The group corrupted a Windows application that
allowed them to move laterally within their
target’s systems.

www.sectrio.com 32
September 2023: A ransomware attack wiped four months of Sri Lankan government data. The country’s cloud services system didn’t have backup services available for the data from May 17 to August 26, according to reporting. Malicious actors targeted Sri Lanka’s government cloud system starting in August 2023 by sending infected links to government workers.

September 2023: An Indian cybersecurity firm uncovered plans from Pakistani and Indonesian hacking groups to disrupt the G20 summit in India. The hacktivists are expected to use DDoS attacks and mass defacement in their attacks, which are presumed to be the latest development in the hacktivist battle between these nations according to the firm’s research.

September 2023: Russian hackers stole thousands of documents from the British Ministry of Defense and uploaded them to the dark web. The documents contained accessibility details for a nuclear base in Scotland, high-security prisons, and other national security details. Hackers acquired the documents by breaking into a British fencing developer and gaining backdoor access to Ministry files.

September 2023: Russian cyber criminals accessed sensitive information from South Africa’s Department of Defense, including military contracts and personnel information. The Department reversed its previous statement denying the data leak.

August 2023: Russian hacktivists launched DDoS attacks against Czech banks and the Czech stock exchange. The hackers cut online banking access to the banks’ clients and demanded that the institutions stop supporting Ukraine. Bank representatives claim the hacks did not threaten their clients’ finances.

August 2023: Unnamed hackers took X, formerly known as Twitter, offline in several countries and demanded that owner Elon Musk open Starlink in Sudan. Attackers flooded the server with traffic to disable access for over 20,000 individuals in the U.S., UK, and other countries.

August 2023: Cybercriminals are allegedly selling a stolen dataset from China’s Ministry of State Security. The full data set purportedly includes personal identification information for roughly half a billion Chinese citizens and “classified document[s],” according to the criminals’ post about the sale.

August 2023: Russian hacktivists launched several DDoS attacks that knocked the Polish government’s website offline, as well as the Warsaw Stock Exchange and several Polish national banks.

August 2023: Russian hacktivists disabled Poland’s rail systems by gaining access to the system’s railway frequencies and transmitting a malicious signal that halted train operations. Attackers blasted Russia’s national anthem and a speech from Putin on Russia’s military operation in Ukraine during the attack.

August 2023: Chinese hackers targeted a U.S. military procurement system for reconnaissance, along with several Taiwan-based organizations. Attackers targeted high-bandwidth routers to exfiltrate data and establish covert proxy networks within target systems.

August 2023: Ukrainian hackers claim to have broken into the email of a senior Russian politician and leaked medical and financial documents, as well as messages that allegedly connect him to money laundering and sanctions evasion plots.

August 2023: Ecuador’s national election agency claimed that cyberattacks from India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia and China caused difficulties for absentee voters attempting to vote online in the latest election. The agency didn’t elaborate on the nature of the attacks.

August 2023: Suspected North Korean hackers attempted to compromise a joint U.S.-South Korean military exercise on countering nuclear threats from North Korea. Hackers launched several spear phishing email attacks at the exercise’s war simulation center.

August 2023: Bangladesh shut down access to their central bank and election commission websites amid warnings of a planned cyberattack by an Indian hacking group. The shutdown was intended to prevent a cyberattack similar to a 2016 incident in Bangladesh where hackers stole nearly $1 billion, according to the central bank’s statement.

August 2023: Belarusian hackers targeted foreign embassies in the country for nearly a decade, according to new reporting. Hackers disguised malware as Windows updates to get diplomats to download it onto their devices.

August 2023: Chinese hackers obtained personal and political emails of a U.S. Congressman from Nebraska. The hackers exploited the same Microsoft vulnerability that gave them access to emails from the State Department and Department of Commerce.

August 2023: Iranian cyber spies are targeting dissidents in Germany, according to Germany’s domestic intelligence unit. The spies are using false digital personas tailored to victims to build a rapport with their targets before sending a malicious link to a credential harvesting page.

August 2023: Ukraine’s State Security Service (SBU) claims that Russia’s GRU is attempting to deploy custom malware against Starlink satellites to collect data on Ukrainian troop movements. SBU members discovered malware on Ukrainian tablets that were captured by the Russians before being recovered by Ukrainian forces.

August 2023: Russian hackers launched a ransomware attack against a Canadian government service provider, compromising the data of 1.4 million people in Alberta. The organization paid the ransom and claimed that very little data was lost.

August 2023: A Canadian politician was targeted by a Chinese disinformation campaign on WeChat. The attack included false accusations about the politician’s race and political views. The Canadian government believes the attacks are retaliation against the politician's criticism of China's human rights policies.

August 2023: The Canadian government accused a “highly sophisticated Chinese state-sponsored actor” of hacking a prominent Canadian federal scientific research agency.

August 2023: Russia’s military intelligence service attempted to hack Ukrainian Armed Forces’ combat information systems. Hackers targeted Android tablets that Ukrainian forces use for planning and orchestrating combat missions.

August 2023: The United Kingdom’s Electoral Commission revealed that Russian hackers breached the commission’s network beginning in August 2021. They obtained information on tens of thousands of British citizens by accessing the commission’s email and file-sharing system.

August 2023: According to a new report, North Korean hackers breached computer systems at a Russian missile developer for five months in 2022. Analysts could not determine what information may have been taken or viewed.

July 2023: China claims that an earthquake monitoring system in Wuhan was hacked by “U.S. cybercriminals.” Chinese state media asserts that a backdoor program with the capacity to steal seismic data was inserted into the program.

July 2023: Kenya’s eCitizen service was disrupted by pro-Russian cybercriminals for several days. Kenya’s Ministry of Information, Communications, and the Digital Economy claimed that no data was accessed or lost.

July 2023: Russian-linked cyber hackers have targeted Ukrainian state services such as the app “Diia” using malware and phishing attacks. The primary targets are Ukrainian defense and security services.

July 2023: The Ministry of Justice in Trinidad and Tobago was hit with a DDoS attack that disrupted court operations across the country. The ministry reported outages beginning in late June, which are believed to be linked to this same attack.

July 2023: New Zealand’s parliament was hit by a cyberattack from a Russian hacking group. The group said their attack was retaliation against New Zealand’s support for Ukraine, such as its assistance with training Ukrainian troops and sanctions against Russia. Hackers temporarily shut down the New Zealand Parliament, Parliamentary Counsel Office (PCO) and Legislation websites in a DDoS attack.

July 2023: Russian hackers targeted twelve government ministries in Norway to gain access to sensitive information. The hackers exploited a vulnerability in a software platform used by the ministries.

July 2023: A South Korean government-affiliated institution fell victim to a phishing scandal that resulted in a loss of 175 million won, reportedly the first phishing incident against a South Korean government public organization.

July 2023: Chinese-linked hackers infected a Pakistani government app with malware. A state bank and telecoms provider were also targeted in the attack.

July 2023: Chinese hackers breached the emails of several prominent U.S. government employees in the State Department and Department of Commerce through a vulnerability in Microsoft’s email systems.

July 2023: Russian hackers targeted numerous attendees of the latest NATO Summit in Vilnius. The assailants used a malicious replica of the Ukraine World Congress website to target attendees.

July 2023: A Polish diplomat’s advertisement to purchase a used BMW was corrupted by Russian hackers and used to target Ukrainian diplomats. The hackers copied the flyer, embedded it with malicious software and distributed it to foreign diplomats in Kyiv.

June 2023: A group allegedly tied to the private military corporation Wagner hacked a Russian satellite telecommunications provider that services the Federal Security Service (FSB) and Russian military units. The attack comes after Wagner’s attempted rebellion against President Vladimir Putin over the war in Ukraine.

June 2023: A Pakistani-based hacker group infiltrated the Indian army and education sector in the group’s latest wave of attacks against Indian government institutions. The hack is the latest in a series of targeted attacks from this group that have intensified over the past year.

June 2023: Pro-Russian hacktivists attacked several European banking institutions, including the European Investment Bank, in retaliation against Europe’s continued support of Ukraine. The hacktivists used a DDoS attack to disrupt EIB.

June 2023: Several U.S. federal government agencies, including Department of Energy entities, were breached in a global cyberattack by Russian-linked hackers. Cybercriminals targeted a vulnerability in software that is widely used by the agencies, according to a US cybersecurity agent.

June 2023: An Illinois hospital became the first health care facility to publicly list a ransomware attack as a primary reason for closing. The attack, which occurred in 2021, permanently crippled the facility’s finances.

June 2023: Pro-Russian hackers targeted several Swiss government websites, including those for Parliament, the federal administration, and the Geneva airport. The DDoS attacks coincided with preparations for Ukrainian President Volodymyr Zelensky’s virtual address before the Swiss parliament.

June 2023: According to new reporting, North Korean hackers have been impersonating tech workers or employers to steal more than $3 billion since 2018. The money has reportedly been used to fund the country’s ballistic missiles program, according to U.S. officials.

June 2023: Ukrainian hackers claimed responsibility for an attack on a Russian telecom firm that provides critical infrastructure to the Russian banking system. The attack occurred in conjunction with Ukraine’s counteroffensive.

June 2023: Russia’s Federal Security Service (FSB) alleged that Apple worked closely with US intelligence agencies to hack thousands of iPhones belonging to Russian users and foreign diplomats. Apple denied the claims, and the NSA declined to comment.

May 2023: Belgium’s cyber security agency has linked China-sponsored hackers to a spear-phishing attack on a prominent politician. The attack comes as European governments are increasingly willing to challenge China over cyber offences.

May 2023: Chinese hackers breached communications networks at a U.S. outpost in Guam. The hackers used legitimate credentials, making it harder to detect them.

May 2023: Chinese hackers targeted Kenyan government ministries and state institutions, including the presidential office. The hacks appeared to be aimed at gaining information on debt owed to Beijing.

May 2023: A likely Russian state group has targeted government organizations in Central Asia. The group is using previously unknown malware, and the attacks focused on document exfiltration.

May 2023: An unidentified group hacked targets in both Russia and Ukraine. The motive for the attacks was surveillance and data gathering.

May 2023: Russian-linked hacktivists conducted an unsuccessful cyberattack against Ukraine’s system for managing border crossings by commercial trucks through a phishing campaign.

April 2023: Sudan-linked hackers conducted a DDoS attack on Israel’s Independence Day, taking the Israeli Supreme Court’s website offline for several hours. Israeli cyber authorities reported no lasting damage to network infrastructure. Hackers claimed to have also attacked several other Israeli government and media sites, but those attacks could not be confirmed. The group has been active since at least January 2023, attacking critical infrastructure in Northern Europe, and is considered religiously motivated.

April 2023: NSA cyber authorities reported evidence of Russian ransomware and supply chain attacks against Ukraine and other European countries who have provided Ukraine with humanitarian aid during the war in Ukraine. There were no indications of these attacks against U.S. networks.

April 2023: Iranian state-linked hackers targeted critical infrastructure in the U.S. and other countries in a series of attacks using a previously unseen customized dropper malware. The hacking group has been active since at least 2014, conducting social engineering and espionage operations that support the Iranian government’s interests.

April 2023: Recorded Future released a report revealing data exfiltration attacks against South Korean research and academic institutions in January 2023. The report identified Chinese-language hackers. Researchers believe that this is a hacktivist group motivated by patriotism for China.

April 2023: Researchers at Mandiant attributed a software supply chain attack on 3CX Desktop App software to North Korea-linked hackers. During its investigation, Mandiant found that this attack used a vulnerability previously injected into 3CX software. This is Mandiant’s first discovery of a software supply chain attack leveraging vulnerabilities from a previous software supply chain attack.

April 2023: Chinese hackers targeted telecommunication services providers in Africa in an espionage campaign since at least November 2022. Researchers believe the group has targeted pro-domestic human rights and pro-democracy advocates, including nation-states, since at least 2014. Using the access from the telecom providers, the group gathers information including keystrokes and browser data, records audio, and captures data from individual targets on the network.

April 2023: A Russia-linked threat group launched a DDoS attack against Canadian Prime Minister Justin Trudeau, blocking access to his website for several hours. The operation’s timing coincided with the Canadian government’s meeting with Ukrainian Prime Minister Denys Shmyhal, suggesting that the operation was retaliation.

April 2023: North Korea-linked hackers are operating an ongoing espionage campaign targeting defense industry firms in Eastern Europe and Africa. Researchers at Kaspersky believe the hacking group shifted its focus in 2020 from financially motivated coin-mining attacks to espionage.

April 2023: Researchers discovered Israeli spyware on the iPhones of over 5 journalists, political opposition figures, and an NGO worker. Hackers initially compromised targets using malicious calendar invitations. The hackers’ origin and motivations are unclear.

April 2023: Ukraine-linked hacktivists targeted the email of Russian GRU Unit 26165’s leader, Lieutenant Colonel Sergey Alexandrovich, leaking his correspondence to a volunteer intelligence analysis group. The exfiltrated data contained Alexandrovich’s personal information, unit personnel files, and information on Russian cyberattack tools.

April 2023: North Korean-linked hackers targeted people with expertise on North Korea policy issues in a phishing campaign. Hackers posed as journalists requesting interviews from targets, inviting them to use embedded links for scheduling and stealing their login credentials. The amount of information stolen and number of targets are unclear.

March 2023: Russian hackers brought down the French National Assembly’s website for several hours using a DDoS attack. In a Telegram post, hackers cited the French government’s support for Ukraine as the reason for the attack.

March 2023: CISA and FBI reported that a U.S. federal agency was targeted by multiple attackers, including a Vietnamese espionage group, in a cyberespionage campaign between November 2022 and January 2023. Hackers used a vulnerability in the agency’s Microsoft Internet Information Services (IIS) server to install malware.

March 2023: A Chinese cyberespionage group targeted an East Asian data protection company that serves military and government entities, in a campaign that lasted approximately a year.

March 2023: A South Asian hacking group targeted firms in China’s nuclear energy industry in an espionage campaign. Researchers believe the group commonly targets the energy and government sectors of Pakistan, China, Bangladesh, and Saudi Arabia.

March 2023: Estonian officials claim that hackers unsuccessfully targeted the country’s internet voting system during its recent parliamentary elections. Officials did not release details about the attacks or provide attribution.

March 2023: North Korean hackers targeted U.S.-based cybersecurity research firms in a phishing campaign. The campaign was meant to deliver malware for cyberespionage.

March 2023: A Chinese cyber espionage group targeted government entities in Vietnam, Thailand, and Indonesia, using newly developed malware optimized to evade detection.

March 2023: Russian hackers launched social engineering campaigns targeting U.S. and European politicians, businesspeople, and celebrities who have publicly denounced Vladimir Putin’s invasion of Ukraine. Hackers persuaded victims to participate in phone or video calls, giving misleading prompts to obtain pro-Putin or pro-Russian soundbites. They published these to discredit victims’ previous anti-Putin statements.

March 2023: Slovakian cybersecurity researchers discovered a new exploit from a Chinese espionage group targeting political organizations in Taiwan and Ukraine.

March 2023: Poland blamed Russian hackers for a DDoS attack on its official tax service website. Hackers blocked users’ access to the site for approximately an hour, but no data was leaked in the attack. A pro-Russian hacking group had earlier published a statement on Telegram about its intention to attack the Polish tax service.

February 2023: Russian hackers deployed malware to steal information from Ukrainian organizations in a phishing campaign. The malware is capable of extracting account information and files, as well as taking screenshots. Researchers believe the group is a key player in Russia’s cyber campaigns against Ukraine.

February 2023: A pro-Russian hacking group claimed responsibility for DDoS attacks against NATO networks used to transmit sensitive data. The attack disrupted communications between NATO and airplanes providing earthquake aid to a Turkish airbase. The attack also took NATO’s sites offline temporarily.

February 2023: Polish officials reported a disinformation campaign targeting the Polish public. Targets received anti-Ukrainian refugee disinformation via email. Officials claimed these activities may be related to Russia-linked hackers.

February 2023: A North Korean hacking group conducted an espionage campaign between August and November 2022. Hackers targeted medical research, healthcare, defense, energy, chemical engineering and a research university, exfiltrating over 100MB of data from each victim while remaining undetected. The group is linked to the North Korean government.

February 2023: Latvian officials claimed that Russian hackers launched a phishing campaign against its Ministry of Defense. The Latvian Ministry of Defense stated this operation was unsuccessful.

February 2023: Iranian hacktivists disrupted the state-run television broadcast of a speech by Iranian president Ebrahim Raisi during Revolution Day ceremonies. Hackers aired the slogan “Death to Khamenei” and encouraged citizens to join antigovernment protests.

February 2023: An Iranian hacking group launched an espionage campaign against organizations in the Middle East. Hackers used a backdoor malware to compromise target email accounts. Researchers claim the hacking group is linked to Iranian intelligence services.

February 2023: Iranian hacktivists claimed responsibility for taking down websites for the Bahrain international airport and state news agency.

February 2023: Hackers launched a ransomware attack against Technion University, Israel’s top technology education program. Hackers demanded 80 bitcoin ($1.7 million USD) to decrypt the university’s files. Israeli cybersecurity officials blamed Iranian state-sponsored hackers for the attack.

February 2023: Hackers disabled Italy’s Revenue Agency (Agenzia delle Entrate) website. While the website was disabled, users received phishing emails directing them to a false login page that mirrored the official agency site.

February 2023: Chinese cyberespionage hackers performed a spear-phishing campaign against government and public sector organizations in Asia and Europe. The emails used a draft EU Commission letter as their initial attack vector. These campaigns have occurred since at least 2019.

January 2023: Latvian officials claimed that Russia-linked hackers launched a cyber espionage phishing campaign against its Ministry of Defense. The Latvian Ministry of Defense stated this operation was unsuccessful.

January 2023: CISA, the NSA, and the Multi-State Information Sharing and Analysis Center released a joint advisory warning of an increase in hacks on the federal civilian executive branch utilizing remote access software. This follows an October 2022 report on a financially motivated phishing campaign against multiple U.S. federal civilian executive branch agencies.

January 2023: Russia-linked hackers deployed a ransomware attack against the UK postal service, the Royal Mail. The attack disrupted the systems used to track international mail.

January 2023: Iran-linked hackers executed ransomware attacks and exfiltrated data from U.S. public infrastructure and private Australian organizations. Australian authorities claim that the data exfiltrated was for use in extortion campaigns.

January 2023: Hackers used ransomware to encrypt 12 servers at Costa Rica’s Ministry of Public Works, knocking all its servers offline.

January 2023: Albanian officials reported that its government servers were still near-daily targets of cyber-attacks following a major attack by Iran-linked hackers in 2022.

January 2023: Hackers launched a series of cyber-attacks against Malaysian national defense networks. Malaysian officials stated that the hacking activities were detected early enough to prevent any network compromise.

January 2023: Hackers targeted government, military, and civilian networks across the Asia Pacific leveraging malware to obtain confidential information. The malware targeted both the data on victim machines as well as audio captured by infected machines’ microphones.

January 2023: Hackers sent over a thousand emails containing malicious links to Moldovan government accounts.

Global APT activity in 2023


Almost all APT groups tracked by us logged a higher level of activity in 2023. Multiple geopolitical events around the world also drove activity in cyberspace to a significant extent. APT actors from countries such as Iran, North Korea, China, and Russia ran multiple campaigns and attacked critical and non-critical infrastructure.

Chinese APTs and their documented tactics
There is certainly a pattern to the behavior of Chinese APT groups. Chinese APT groups are among the most layered and collaborative threat actor groups in the world. In addition to collaborations among themselves, Chinese APTs also work with the PLA Strategic Support Force, which works to offer specific digital dominance innovations to the Chinese PLA and to some extent to the threat actors working under the Ministry of State Security. The PLA Strategic Support Force, according to sources [3], is tasked with spearheading the infusion of new tech across counter-warfare operations of the PLA.

The PLA Strategic Support Force is also helping various APT actors adopt AI in their tactics. We have reasons to believe that the PLA Strategic Support Force is hosting facilities to train APT actors in various aspects of AI and its use in post-hacking activities such as data sorting, combing data to isolate and validate important data sets, and feeding this data into large models for training AI tools.

Group   Scans   Supply chain   VPN   Watering hole   Data theft   Data sale
APT41   Yes     Yes            No    Unknown         Yes          No
APT22   Yes     Yes            Yes   Yes             Yes          Yes
APT10   Yes     Yes            Yes   Yes             Yes          Yes
APT18   Yes     Yes            No    No              Yes          Yes
APT27   Yes     Yes            Yes   Yes             Yes          Yes

Country focused campaigns

Since 2022, China's APT 41 has been running country-focused campaigns targeting critical infrastructure. In one such campaign, APT 41 targeted the power grid infrastructure in India. The fact that this campaign is not bound by time brings another level of complexity to the fore.

Indian power grid infrastructure was breached in 2020 and 2023 as part of the same campaign. The sub-group of APT 41 responsible for this campaign is known to run multi-year reconnaissance cycles targeting the same infrastructure. Such campaigns involve the deployment of a malicious payload that sits undetected in the victim's network until an order is released to create havoc in the network and the systems it is linked with.

APT 41 is certainly showing a significant appetite for targeting critical infrastructure.

Such an approach is inspired by a tactical blackout campaign run by the Russian threat actor Sandworm targeting Ukraine last decade. The focus is on maintaining access to the breached infrastructure for the longest period of time while retaining the ability to strike during a period of geopolitical tension or during an unrelated event.

The APT 41 subgroup will certainly seek to create more disruption in the future through a subsequent attack.

APT 41, which includes many sub-threat actors operating with similar TTPs, is the frontline threat actor linked to the Chinese Ministry of State Security (MSS). With offensive and deceptive capabilities, APT 41 operates under the specific instructions of the MSS and maintains a higher degree of links with it. APT 41’s mandate includes targeting civilian and military infrastructure in countries across the Indo-Pacific. APT 41 also carries out extensive reconnaissance and listening operations to locate communications and assets of interest.

Sectrio has isolated IOCs connected with APT 41 from across Japan, the USA, India, Germany, Estonia, Norway, Sweden, the UK, UAE, Malaysia, Singapore, and South Korea. Unlike APT 17, which is another group operating with a higher degree of interaction with the MSS, APT 41 is more active throughout the year and hoards data including confidential information. APT 17 is a feeder threat actor and more of a launchpad for testing new trainees and works closely with other MSS threat actors on a project-to-project basis. APT 41 enjoys a higher level of autonomy in operations but not in the selection of targets, which is decided by the MSS.

The repeated attacks on power grids in India (see box) are a case study of Chinese threat actors trying to attain multiple geo-political objectives through a single axis of attack. The targets have been chosen carefully not just to deliver a message but also to showcase the capabilities of Chinese threat actors. The pattern of attacks and the level of disruption targeted also points to a degree of desperation in MSS to push a certain geopolitical agenda within a short time.

Both APT 41 and 17 connect to a shell technology company in the Lixia district of Jinan province in China. The local agency here is believed to be known as the Jinan Bureau.

APT 41 ran 21 known campaigns this year targeting entities in the countries mentioned earlier. Unlike the hit-and-run operations run by other Chinese APT groups, APT 41 maintained a higher degree of loiter time, sometimes waiting for nearly 39 days before exfiltrating data from a target in Japan.

APT 41 has multiple listening stations across China that tap into communications originating from its targets. In 2023, many of its campaigns were focused on deploying payloads on networks connected with ports, power grids, railway networks and defense infrastructure. Power grids are among the most favored targets of the group, with evidence coming in from as many as 9 countries.

“It is also clear that China’s MSS is not worried about the repercussions of
weaponizing cyberspace. If the MSS was concerned about a potential fallout
of its activities, it wouldn’t have pursued cyberattacks at such scales in such
a brazen manner.”

The connection with the Belt and Road project
While the other APT groups operating under MSS maintain a relatively low profile and footprint, we have reasons to believe that some of them are tasked with maintaining a vigil on countries that are part of the China-led Belt and Road (BRI) project. China retains a very high level of interest in learning how the BRI project is being perceived in the countries that have opted for it. Thus, such countries are surveilled to a very high extent, with GBs of strategic intelligence being transferred through digital espionage every year.

Sometimes, the MSS pits threat actors against each other by asking one group to validate the findings of the other independently. This double-blind exercise ensures the collection of high-value data that feeds into the diplomatic maneuvers that the Chinese government undertakes. In the case of the BRI, in addition to monitoring political sentiments, Chinese APT groups also target data gathered by the intelligence agencies belonging to these states by targeting loose ends. For instance, in the case of a South East Asian country, a Chinese threat actor accessed embassy communications belonging to the target nation. The embassy, located in a European nation, was preparing for a media briefing by a high-ranked government official and was exchanging classified material via regular emails.

There are also instances of Chinese APT groups working together to steal feeds from military infrastructure in friendly nations. APT 22 is known to vacuum TBs of data from defense facilities belonging to close allies (one in South Asia and the other in Africa). It is not known whether the nations involved are aware of this espionage. But it is certainly clear that MSS relies heavily on exfiltrated data, much more than on Humint or what it is told by government officials.

“We can say with a very high degree of confidence that China is retaining a
very high level of surveillance interest in BRI countries.”

Documented APT 41 activity in 2023

Region          Scan instances   Data exfiltration attempts   Communication monitoring   Spam messaging
North America   11,453           3,400                        1,392                      103
South America   7,843            932                          465                        18
Africa          13,999           1,033                        102                        10
Europe          23,384           14,011                       6,453                      99
Asia            77,098           39,001                       11,452                     177
Australia       9,777            1,090                        79                         11

Russian APT groups: pushing the frontiers
APT 29 is one of the frontline Russian APT groups. Also known as ‘Cozy Bear’, this group is known to go after high-value targets such as the US government and Fortune 500 businesses around the world. This group is known to retain a very high level of situational awareness about the unique security and operational features of its target networks. This group also masks traffic using routers to obfuscate origin and to evade IP-based traffic filters. APT 29 is just one of the many threat actors that are run by Russia.

In terms of tactics, targets, and quality of attacks, Russian APT actors display a remarkable level of maturity. Russian APTs are among the most experienced threat actors in the world. They operate at diplomatic, military, industrial, political, and economic levels. The same actor may engage a target at all these levels. Data exfiltration is a baseline motive.

When it comes to targets, Russian APT groups are more focused on critical infrastructure, media, diplomatic communication, research bodies, and global leaders. APT 29 is the most sophisticated actor in Russia and uses techniques such as API manipulation, token theft, password spray, long-term reconnaissance, and employee targeting to gain access to data of interest.

APT 29 was behind the SolarWinds attack. The group has also been known to exploit CVE-2021-34523 and CVE-2021-34473. Since March 2023, this group has been targeting senior NATO officials and Members of the European Parliament through a long-drawn campaign. The group also ran campaigns themed on Think Tank jobs, used automobiles, and conflict updates. These campaigns were used to target high-value targets by luring susceptible individuals to download malware.

All Russian APT actors work to support In addition to supporting state and
Russian state security policy objectives. diplomacy aims, Russian APT groups also
Because of a lack of support from local indulge in economic espionage and are
cloud service providers, Russian APT groups known to have links with independent
are not able to scale their data crunching hacker groups like Lockbit. These links are
operations which leads to plenty of only leveraged for specific projects
exfiltrated data being wasted. This is quite involving attacks on government agencies
unlike their Chinese counterparts where such as those in Canada and US.
every KB of exfiltrated data is sorted and
analyzed. Once inside target networks, the group is
known to wipe out all signs of its presence
This is also why Russian APT groups run very in a meticulous manner.
targeted campaigns as they do not want to
collect data that they are not interested in.

Rapid evolution

APT actors are now evolving faster than ever. With more access to data, expansion of R&D
capabilities and enhanced budgets, APT groups are now on an evolutionary highway. The role
of these groups is also now expanding like never before.

Gone are the days when they were merely treated as a means to irritate or punish an
adversary. Today, APT groups are involved in a wide spectrum of cyber operations conducted
with military discipline and precision.

This is also why APT groups are becoming more integrated with agencies of statecraft
including think tanks, embassies, spy agencies, militias and proxies, and more. Such
integration brings in efficiencies of scale and it also widens the impact of an event. In
countries such as North Korea and Iran, APT groups are not just part of the core state narrative
but in many instances, they may define the narrative itself.

Another trend is the rising role of APT actors in hybrid warfare.

ICS cyberattacks tied to Russian APT groups

The CosmicEnergy malware targeted specific systems linked to power companies in Europe
and elsewhere and has its origins in a group that has links to at least two Russian APT actors
including APT 29. CosmicEnergy is no ordinary malware. It was scripted to create large-scale
disruptions that could bring a nation or at the very least a part of a nation to a complete
standstill. CosmicEnergy represents the evolution of Russian breach tactics and the
development of sector and outcome-specific malware. The days of generic malware may not
be over yet, but sector or even operation-specific malware may start grabbing a bigger piece
of the ransom/disruption pie in the future.

North Korean APT activity

North Korean threat actors continue to demonstrate agility and presence across a spectrum of incidents and sectors. For possibly the first time, a North Korean threat actor was also documented trying to reach out to threat analysts and researchers using fake social media profiles. Unlike Chinese, Iranian and Russian threat actors, North Korean APT groups are primarily focused on generating revenue in hard currency. Sectrio’s research has shown that there could be as many as 7 subgroups of APT actors who are operating out of North Korea forming the bulk of what is commonly called as APT 38.

APT 38 reports to the 110th Research Center, 3rd Bureau of the Reconnaissance General Bureau (RGB). The Third Bureau is responsible for technical surveillance and full-spectrum cyber operations including data exfiltration, continuous surveillance, and terrorizing foreign nationals who speak against the government of North Korea. The RGB is the nodal agency within North Korea for all types of malicious cyber activities. RGB is known to support other initiatives of the North Korean government including gun running, smuggling hard currency, exfiltrating agents into South Korea, carrying out misinformation operations, and facilitating the trade of commodities.

North Korea’s Ministry of State Security runs another APT group called APT 37 which is a more strategic threat actor than APT 38. This threat actor aligns with the strategic objectives charted by its parent body which is said to report directly to Kim Jong. SlowDrift, Blue Whistle, and M2RAT are the tools used by this group. APT 37 is known for its long-term reconnaissance capabilities and hides its activities behind layers of subterfuge. In addition to Zero Day exploitation capabilities, APT 37 also runs what could be among the most effective spear phishing campaigns in the world.

In 2023, Sectrio observed the footprint of both APT 37 and APT 38 around the world. While the former was targeting embassies, oil companies, defense contractors, defectors, and governments, the latter went after financial institutions (especially banks and stock exchanges), NGOs, and enterprises. Amongst all APT actors, the threats that enterprises face from North Korean APTs are among the highest. This is because North Korean APT groups operate with a much wider set of objectives than almost any other threat actor. This means that every business out there could be a potential target for North Korean APT activity.

Together, APT 37 and 38 account for a large volume of all malicious cyber activity registered around the world. Further, these two groups are also among the most evolved threat actors in cyberspace when it comes to running scams throughout the year. The chart below gives a break-up of emails intercepted by Sectrio’s threat research in 2023.

The volume of emails is linked to campaigns run mostly by APT 38. A casual perusal of the frequency of these campaigns points to a rise in the volume of phishing emails during the holiday season. With a high level of distraction prevailing during such months, the possibility of breaches does rise disproportionately. These emails were targeted at multiple entities and seemed more like a spray-and-pray campaign than a highly targeted one. Since North Korean APTs are not using AI at levels where it could generate high volume and high-quality data for subsequent targeting, these groups do not retain data for long. Such data are either sold or dumped on forums or passed to the governments of friendly countries.

Figure: Volume of phishing emails intercepted per month in 2023 (Jan to Dec; vertical axis from 5,000 to 45,000 emails).

Sample email intercepted in June 2023. Actor APT 38.
Target: multiple profiles within a manufacturing company in South East Asia

In June and July 2023, APT 37 and 38 scaled up their campaigns globally to exfiltrate
documents and information from many Asian and European nations. Specific targets in this
campaign included research bodies, think tanks, and businesses connected with nuclear
power plants. North Korean APT groups are also used to target media houses, government
officials and other influential entities that speak out against the North Korean government.

Iranian APT activity


While the footprint of Iranian APT actors is not as pronounced as that of their Chinese, Russian, and North Korean counterparts, Iranian APT actors are highly evolved and pervasive. APT 35 and APT 34 are the frontline threat actors among the APT groups maintained by Iran. Aviation, oil and gas, financial services, manufacturing, critical infrastructure, and aerospace are the key targets for this threat actor. The common link between these sectors appears to be a need for Iran to infuse technology into various domestic sectors. Competitive aspirations in core sectors such as oil and gas where Iran has a lot at stake may be another factor.

At a much broader level, Iranian APT groups target many more sectors including financial services and healthcare. However, these are not among the key targets. In the manufacturing sector, Iranian APT groups are constantly seeking IP around processes, raw materials (input), and automation. While Iranian APT groups together account for a small proportion of the overall threat spectrum associated with APTs, they have substantially increased their activity footprint since 2021.

When Iranian APTs began targeting global entities around Apr 2013, most of their attacks were directed against a few countries. Today, however, we are finding the fingerprints of Iranian APTs across the globe and sectors. These APTs can launch huge volumes of attacks against a few targets in a very short period. In November 2023, Iranian APT activity surged 900 percent across the Middle East. In terms of days, this rise was restricted to just 21 days between November 4 and November 25. This attack could be linked to certain geopolitical events happening in the region at the same time.

Iranian APT groups are highly opportunistic when it comes to targeting.

Watering hole attacks are among the most preferred breach tactics that Iranian APT actors rely on. This eliminates the need for more direct breach methods. These actors also operate with a very high level of persistence when targeting critical infrastructure. APT 35 is known to lurk for months in networks associated with critical infrastructure waiting for an opportunity to strike. In networks of interest, Iranian threat actors are known to follow a very aggressive reinfection cycle as well. Typically, they make attempts to reinfect the network within 48-105 hours.
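The reinfection cycle described above gives a defender a concrete timing signal to check for. The following Python script is an added example, not code from the Sectrio report: it takes endpoint alerts of the form "timestamp host event", pairs each cleanup on a host with the next infection detection on the same host, and lists hosts where the gap falls inside the 48-105 hour window, which is a hint that the cleanup did not remove the foothold. The alert lines, host names and the event vocabulary ("infected", "cleaned") are constructed for the demonstration.

```python
"""Flag hosts whose infection alerts recur inside a fixed reinfection window.

Added example (not from the Sectrio report). For every 'cleaned' event on a host,
the gap to the next 'infected' event on the same host is measured; hosts with a
gap inside the 48-105 hour window the report attributes to Iranian APT reinfection
attempts are reported as suspected surviving footholds. Sample alerts are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: ISO timestamp, host, event ("infected" or "cleaned").
SAMPLE_ALERTS = """\
2023-11-04T08:12:00 hmi-01 infected
2023-11-04T13:40:00 hmi-01 cleaned
2023-11-07T02:15:00 hmi-01 infected
2023-11-05T09:00:00 eng-ws-07 infected
2023-11-05T11:30:00 eng-ws-07 cleaned
2023-11-25T10:00:00 eng-ws-07 infected
2023-11-06T07:45:00 historian-02 infected
2023-11-06T08:30:00 historian-02 cleaned
2023-11-06T16:00:00 historian-02 infected
"""

# Reinfection window taken from the report's 48-105 hour figure.
WINDOW = (timedelta(hours=48), timedelta(hours=105))


def parse_alerts(text):
    """Parse 'timestamp host event' lines into (datetime, host, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, event = line.split()
            events.append((datetime.fromisoformat(ts), host, event))
    return sorted(events)


def reinfection_intervals(events):
    """Return {host: [hours between each 'cleaned' event and the next 'infected' event]}."""
    last_clean = {}
    gaps = defaultdict(list)
    for ts, host, event in events:
        if event == "cleaned":
            last_clean[host] = ts
        elif event == "infected" and host in last_clean:
            # An infection with no preceding cleanup on record is not a reinfection.
            gaps[host].append((ts - last_clean.pop(host)).total_seconds() / 3600)
    return dict(gaps)


def hosts_in_window(events, window=WINDOW):
    """Hosts with at least one reinfection gap inside [low, high] hours."""
    low, high = (w.total_seconds() / 3600 for w in window)
    return sorted(host for host, hours in reinfection_intervals(events).items()
                  if any(low <= h <= high for h in hours))


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for host, hours in reinfection_intervals(evs).items():
        print(host, [round(h, 1) for h in hours])
    print("suspected surviving foothold:", hosts_in_window(evs))
```

In the constructed data only hmi-01 is re-flagged inside the window (about 60.6 hours after cleanup); historian-02 is re-flagged after 7.5 hours, which more likely points to an incomplete cleanup than to a deliberate reinfection cycle, and eng-ws-07 is re-flagged weeks later.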

Top Iranian APT targets

Country         Percentage of attacks logged attributable to Iranian APT actors
Israel          39
USA             17
Sweden          09
Saudi Arabia    08
UAE             06
Jordan          04
Others          17

The rising interest shown by Iranian APTs in targeting critical infrastructure is clearly a matter
of concern. Iran along with its proxy actors in the region will continue to pose a significant
threat to critical infrastructure. Iran may also augment its cyber capabilities in collaboration
with Russia with whom it has developed a strategic relationship.

Table: Tactics observed per Iranian APT group

Group    Scans   VPN   Supply chain   Watering hole   Vulnerability exploitation   Data theft   Data sale
APT 33   Yes     No    No             Yes             Yes                          No           Yes
APT 34   Yes     Yes   Yes            Yes             Yes                          No           Yes
APT 35   Yes     No    Yes            Yes             Yes                          No           No

Cyber threat predictions for 2024
While it is easy to state that the volume and quality of attacks will go up in 2024, it is important
to isolate the trends that will define the threat landscape first. This will help us draw a more
informed and accurate picture of the threat landscape that will emerge based on the interplay
of the forces involved.

These are the major trends that will define the threat landscape in 2024:

• Threat actors will also improve the level of encryption to keep victim data locked for longer
periods of time and it will make it harder for victims to get access to their data

• Bad actors will launch more multi-layered attacks involving phishing campaigns, software
vulnerability exploitation and targeted social engineering

• In 2024, threat actors will continue focusing on three areas: ransom, data exfiltration and
sale and long-term reconnaissance. As we have mentioned in 2022 and 2023, kinetic
attacks will be driven more by geopolitics than by cybercriminals. Independent threat
actors often prefer leaving the victim alone if they are paid ransom or locking access or
selling victim data. Kinetic attacks especially those that lead to loss of lives or injury to plant
personnel are not a priority for independent actors.

• OT security will get more attention in 2024: focus areas will be risk management, neutralizing
vulnerabilities, and improving operational visibility and control across the shop floor.
Maintaining adequate documentation about shop floor equipment and architecture and
security training are other areas that will become imperative in 2024.

• More involvement of independent threat actors: bad actors with modified tools belonging to
larger threat actors and APT groups will play a bigger role in 2024. With larger players
coming under the law enforcement scanner across the US, the European Union, and many
other countries, small actors have a chance to target small and medium businesses to gain
ransom at scale. Independent threat actors may also rely on diffused enabling
infrastructure across multiple countries including mixed data processing capabilities. Such
capabilities allow bad actors to maintain a low digital profile while scaling up their attacks.

Malware and malicious payload trends

Malware sources

In 2023, many unidentified sources of malware were added to the mix of sources. Due to this, we were unable to clearly identify the sources of such malware in circulation. This indicates the following:

• Most of the sophisticated malware comes from countries that are either engaged in a conflict or are involved in some way. We saw this in Ukraine, Israel and Armenia.
• Enablers and level two actors are obfuscating the header information and other properties to hide their origin. We were however able to detect their presence through proprietary technology used by our research team that detects even the stealthiest malware out there.
• Hackers want to cover their tracks all the way.
• Undiscovered malware forums are trading in complex malware.

Independent threat actors remained active throughout 2023. The high-profile attacks (and even the low-profile but critical ones) on gas pipelines, utility infrastructure, project management software, and other applications indicate an attempt by them to create pathways to open networks to deploy malware and for long-term snooping and network access.

Within critical infrastructure, availability is a key parameter of operational significance. With many OT environments running legacy systems that lack vulnerability assessments and patches, access management and controls, there is an ever-present risk of massive disruption in such plants and sites. The maturity of security programs needs to be improved and the protection of cyber-physical systems needs to be elevated as an immediate priority.

Operational technology (OT) availability and uptime are the primary concerns within the critical infrastructure sector. Taking down a critical system for maintenance could result in a power outage or a loss of access to drinking water. Therefore, many OT environments are running legacy systems that lag vulnerability patches and other updates.

The enablers are also acting as third-party conduits facilitating the exchange of sophisticated malware, vulnerability information, and stolen data, in addition to supporting the exchange of malware and breach tactics between friendly APT groups to maintain a level of plausible deniability and distance.

Persistent challenges

ICS environments with a small maintenance window offer less scope for patches or new
devices to be tested from a cybersecurity standpoint.

Thus, every new update or even a new device that gets added could significantly increase
the threat surface and consequently the level of risk exposure both at an institutional and
operational level.

Malware origin

Possible source                 Percentage detected
Dark web                        25
Procured via malware forums     18
Mixed                           09
Military-grade                  03
Academic/research labs          03
Unknown                         42

At one of our research labs, we were able to segregate malware based on observed traits, deep
content inspection, multi-layer inspection and analysis, and code slicing. Using dual
sandboxing and some of our proprietary techniques, we were also able to do a behavior
analysis and stealth evaluation. While the properties of malware keep changing, the baseline
trait that all malware share is stealth and persistence.

This year saw the release of a huge cache of malware developed in what seems to be
academic or research facilities. This is because many of these malware had code inserts and
traits that do not belong to any known malware labs we have seen in the past. Malware
development is sometimes a complex process with many actors collaborating and sharing
inputs. Sometimes, malware developers also build their malware on a base code developed by
labs in academic institutions or facilities belonging to government agencies.

Ports attacked

Top ports attacked

Port           Attacks (in millions)
23 - Telnet    700
445 - SMB      305
22 - SSH       297
1433 - MSSQL   380
3306 - MySQL   559
80 - HTTP      680
7547 - CWMP    45
25 - SMTP      87
20 - FTP       98
Others         16

Types of attacks and frequency

Type                                                Percentage occurrence
Integrity violation with malicious code injection   21
Brute force attacks                                 305
Phishing emails                                     297
Privilege abuse                                     380
Simple reconnaissance                               680
Persistent reconnaissance                           45
Port/asset scan/TCP dump (specific recon)           87
Firmware downgrade attempts (corrosion)             98
Crypto mining/jacking                               16


Trait detection rates

Trait                                          Detection rate (percent)     Geographic distribution                      Verticals targeted or focus
Persistence                                    High 58 / Med 32 / Low 10    North America, Western Europe, and SE Asia   Manufacturing and critical infrastructure projects
High levels of stealth                         76                           Global                                       Defense, healthcare-connected vehicles, and manufacturing
Faster deployment                              81                           Global                                       Almost all verticals
Crypto mining                                  29                           All except Latin America                     Smart cities and manufacturing
High network mobility plus lateral movement    65                           Global                                       Manufacturing, smart cities, Defence, telecom


Figure: Malware type vs percentage observed (pie chart). Categories: Highly generic, Generic, Industry or System specific, Others. Values shown: 87, 09, 03, 01 (the pairing of values with categories is not recoverable from the text).

Attacks on key sectors

Sector                                                                                                                      Trend (in percentage)
Energy                                                                                                                      109
Healthcare                                                                                                                  77
Manufacturing                                                                                                               75
Oil and gas                                                                                                                 68
Education                                                                                                                   60
Banking and Finance                                                                                                         61
Defense                                                                                                                     44
Retail                                                                                                                      39
Smart devices                                                                                                               33
Critical infrastructure excluding energy/utilities and oil and gas pipeline and infra                                       33
Others including agriculture, public safety, unspecified projects, and telematics projects not falling under the above categories   42

Top countries of origin of cyberattacks

Country        Cyberattacks (percent)
China          24
North Korea    19
Russia         14
Iran           11
Malaysia       06
Vietnam        05
Unknown        21

Most attacked countries in cyberspace

USA still remains the most attacked nation in cyberspace (based on the volume of
cyberattacks). The ranking remains largely unchanged except for a few nations moving up or
down. When one views the rankings based on the quality of the attack, there is an entirely
different view that emerges. In this list, while US is still number one, it is followed by Ukraine and
Belgium. While Ukraine is in the midst of an ongoing conflict, Belgium and Estonia are
attracting cyberattacks of higher quality as they are home to strategic agencies and
intergovernmental bodies.

Most attacked countries (volume)

Country           Rank
USA               01
Germany           02
United Kingdom    03
Canada            04
France            05
Ukraine           06
India             07
Australia         08
UAE               09
South Korea       10

Most attacked countries (quality and sophistication of cyberattack)

Country         Rank
USA             01
Ukraine         02
Belgium         03
UAE             04
Germany         05
Israel          06
Norway          07
Estonia         08
Saudi Arabia    09
Vietnam         10

Most targeted nations (based on the number of sites/countries of origin of attacks)

Country       Rank   Verified attacks originating from
USA           01     317 sites across 51 countries
UK            02     310 sites across 47 countries
Germany       03     299 sites across 44 countries
Israel        04     278 sites across 37 countries
France        05     210 sites across 35 countries
India         06     207 sites across 33 countries
UAE           07     192 sites across 29 countries
Ukraine       08     165 sites across 21 countries
Vietnam       09     115 sites across 19 countries
Philippines   10     95 sites across 17 countries

Cyberattacks on Ukraine and its global implications

After unleashing waves of cyberattacks on Ukraine in 2022, Russian threat actors affiliated with
the GRU continued to wreak havoc on Ukraine in 2023. These actors demonstrated high levels
of mobility and agility targeting multiple sectors and victims within and outside the Ukrainian
government. Common tactics include credential phishing, malware, external exploitation of
select services and social engineering. Ukraine suffered at least one major attack every 63
days in 2023. Defense, energy, transport and government were the key sectors targeted.
The Russo-Ukraine war has changed cyberspace forever by hastening the pace of the
weaponization of cyberspace. In addition, this weaponization expanded in width and depth
with coordinated attacks in cyberspace and on the ground.

This war has also spawned a new breed of highly trained and motivated cyber mercenaries
ready to strike when called for by APT groups or state handlers.

Most attacked countries on a per capita basis


To explore another dimension of the impact of cyberattacks on various countries, we decided
to bring the population of countries into the picture. This number is arrived at by considering
the number of cyberattacks logged per citizen of that country. Based on the population source
Worldometer, Ukraine comes as the number one country on this parameter. While this comes
as no surprise, the cyber attacks on Ukraine are not consistent or uniform in terms of
distribution.

Cyberattacks on Ukraine rise during periods of intense conflict and exchange of fire and shells
across the battle lines. Russian APT groups have modified their tactics from stealth to
generation of adequate and visible impact of their activity in Ukraine. These groups do not
even make a passive attempt to hide their tracks or to create some level of plausible
deniability (except in some instances where the media is the target). This could be the result
of battle/alert fatigue on the part of Russian APT actors or could simply be due to an
instruction from above.

Table: Countries drawing maximum number of cyberattacks on a per capita basis

Country     Rank
Ukraine     01
Lithuania   02
Finland     03
Israel      04
Taiwan      05
Belarus     06
Sweden      07
Chile       08
Oman        09
Estonia     10

Population source: Worldometer, 2023 data

Cities drawing the maximum cyberattacks
If any evidence was needed to understand the influence of geopolitics in cyberspace, then one
just has to parse the list of the most-attacked cities in the world. Many East European cities
made their debut in the top 10 list in 2022 and continued to stay there in 2023. Most of these
cities drew attacks from Russian, Chinese, and Iranian APTs. Over 60 percent of attacks on
Vilnius were traced to Chinese APT players. There is no evidence to prove that these attacks
were carried out in collaboration by these APT groups but we can say with a high degree of
certainty that these attacks were clearly motivated by geo-political considerations.

City              Rank in 2023   Rank in 2022
New York          01             03
Kiev              02             06
Tokyo             03             -
Tallinn/Prague    04             -
New Delhi         05             05
Vilnius           06             -
Dubai             07             07
Oslo              08             -
London            09             02
Washington D.C.   10             01

Threat landscape across regions

North America

North America in numbers

Total attacks: 330 Bn
Sophisticated attacks: 14 Bn
Targeted attacks: 3.9 Bn
Reconnaissance volume: 171 Bn
Growth in volume of attacks over 2022: 239 %

Cyberattacks on North American enterprises, healthcare and education providers and government agencies continue to rise. In 2023, we saw a 239 percent rise in attacks across sectors over the number reported in 2022. Manufacturing, healthcare, education, critical infrastructure (utilities and water treatment), start-ups and oil and gas were the most impacted sectors in the region. Businesses hosting complex environments with a mix of IT-OT and OT-IT and IoT were most impacted by this surge in attacks. The US continues to be the most attacked country in the world with attacks being traced to almost all large and small groups of actors and APT groups.

North America dominates the digital transformation market globally. It is today home to the maximum number of digital transformation projects according to multiple studies. On the threat front, the US continues to be the center of attention drawing scans and attacks from a range of countries. US networks are probed by APT and non-APT groups from Iran, North Korea, China, Russia, and even nations that are not traditionally known to host hackers or APT actors.

One of the largest groups active in North American cyberspace in 2023 was the Lockbit group, accounting for as many as 33 percent of all reported events. Lockbit through its affiliates had managed to create a large footprint in the region. Education and healthcare were its favorite sectors. Lockbit’s activities in the region offer a deep insight into the way threat actors have evolved in the last half a decade.

Lockbit has been around since 2019; it scaled its operations rapidly targeting victims around the world, costing billions of dollars in ransom payments and downtime and recovery costs. Lockbit affiliates flocked to the US and Canada throughout the first half of this decade attacking entities across industries. In the process, Lockbit managed to hack some of the biggest businesses in the region.

The lack of regulatory action helped this group morph its business model multiple times. When Lockbit started its operations, its attack tactics were focused on a handful of targets. By the end of 2022, Lockbit’s affiliates were attacking everything in cyberspace (in some cases despite knowing that the victim would not be able to pay the ransom). Even soft targets such as educational institutions and small healthcare providers were not spared.

In the case of US businesses, info-stealing malware has been used to augment data stolen from social media outlets such as Twitter to create a breach profile for employees working in sensitive locations and roles. Such profiles and exfiltrated credential data are then fed into AI tools that then work to churn out potential access credentials. A business email compromise is commonly caused this way.

US businesses account for the largest volume of leaked data on the Dark Web and other forums. Of the 3 Petabytes of stolen data scanned by Sectrio, as many as 1.2 PB belong to US-based businesses. The volume of stolen data has grown by 39 percent on a year-on-year basis in 2023.

Attacks on Canadian businesses grew by 203 percent in the assessment year, with a high percentage of attacks succeeding as per publicly available information accessed by Sectrio.

Figure: Percentage of overall attacks by sector (bar chart). Sectors on the horizontal axis: Manufacturing, Oil and gas, Utilities, Counties, Defense, Healthcare, Others. Bar values shown: 21, 20, 18, 15, 11, 8, 7 (the pairing of values with sectors is not recoverable from the text).

Manufacturing and oil and gas continue to gather a huge volume of overall attacks in the region. The volume of attacks on utilities varies significantly throughout the year. The fluctuations may have to do with some trend that the hackers are trying to exploit. The volume of attacks on counties has been obtained from data available in the public domain.

The volume of attacks on manufacturing is skewed towards high-end and heavy manufacturing units involving proprietary manufacturing processes. The exfiltrated data accessed by our threat research team points to threat actors having a significant degree of interest in the personal data and credentials of plant personnel. While the volume of IP encountered may appear low, such attacks may be targeted at IP of very high significance. The threat actors behind such attacks are not script kiddies or even mid-level actors but are instead groups that run an IP exfiltration chain with branches leading to an APT group (such as APT 41) or an established data selling operation.

Oil and gas and manufacturing are sectors where the attacks cover a much wider ground including multiple supply chain entry points all the way to more downstream security gaps. The wide range of attack targets also indicates a very high level of interest in these systems and the businesses that are hosting them.

Cyber-attacks on manufacturing, utilities, and oil and gas entities point to a concerted pre-war effort from potential adversaries. The geographical spread of these attacks also points to an interest in defense-related infrastructure as well. The pre-war adversarial effort is impacting all the critical sectors and the attacks are better planned and organized than what appears on the surface. Reconnaissance on critical infrastructure in North America is not just consistent and deep but pervasive and complex.

Composition of stolen data related to manufacturers (percent)

Data category                          Percent
Personal data and credentials          35
Supply chain info                      12
IP                                     3
Network information                    16
Production information                 9
Information on senior management       1
Financial information                  7
Information deemed confidential        3
Stock and raw material information     9
Shop floor info                        5

There could be more than one adversary involved in these attacks. We have been able to trace
the attacks to 2 continents and three countries. While Russia and China are obfuscating attacks
by routing them through harmless home and industrial equipment such as routers, Iran is more
direct in attacking critical infrastructure across North America. While China and Russia focus on
long-term reconnaissance and data exfiltration, Iranian attacks are mostly disruption-oriented
and focus on utilities and manufacturing plants.

During times of war or geopolitical tension, the entrenched access and payloads can be
triggered and activated to add to the confusion of war and to degrade the quality of response.
This is not an implausible scenario. These exploits could also be leveraged to create a small
event to send a geopolitical message across as well.

Figure: Number of reconnaissance attacks per month, 2019 to 2023 (bar chart). Values shown on the bars, in ascending order: 63,390,034; 77,876,896; 99,795,966; 105,676,686; 198,348,584.

The rising number of reconnaissance attacks across sectors in North America is another reason
for concern and action. These attacks are not just probing networks and systems but also
exfiltrate data and maintain a vigil on target networks for future openings (in case they haven’t
found anything thus far). The data stolen from such attacks can be fed into LLMs to train these
models to predict network behaviors and responses of security systems in targets of interest.

We expect this trend to continue as most of these attacks are carried out using hijacked
infrastructure resting in non-adversarial nations. The expansion of automated botnets and use
of AI-powered control applications to manage them have together resulted in a significant
reduction in the need for people to monitor the operation of global botnets.

Further, botnets are today more adaptive and responsive. They operate with more IP ranges and turn ports on and off at random so that they do not come under the scanner of botnet detection applications.
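One defensive consequence of reconnaissance that is spread over many source addresses and rotated ports is that per-address counters no longer see a sweep. The Python script below is an added example, not code from the Sectrio report: it groups connection attempts by source /24 block inside a sliding time window and flags blocks whose busiest window touches many distinct destination ports, so that the same probes counted per exact address (which the script also shows) produce no alert while the block-level count does. The log lines, the /24 grouping, the five-minute window and the five-port threshold are constructed assumptions for the demonstration.

```python
"""Flag port sweeps in connection logs even when the scanner rotates source addresses.

Added example, not code from the Sectrio report. Connection attempts are grouped by
source /24 (an assumption: probes spread over one address range are treated as one
actor) and a sliding time window counts the distinct destination ports each group
touches. Log lines below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp src dst dport flags". The 198.51.100.0/24 block probes
# eight ports from five addresses within 15 seconds; 203.0.113.5 repeatedly hits one
# port; 192.0.2.77 touches two ports 45 minutes apart.
SAMPLE_CONNLOG = """\
2023-09-12T10:00:01 198.51.100.7 10.0.5.21 22 S
2023-09-12T10:00:02 198.51.100.9 10.0.5.21 23 S
2023-09-12T10:00:04 198.51.100.12 10.0.5.21 445 S
2023-09-12T10:00:05 198.51.100.7 10.0.5.22 1433 S
2023-09-12T10:00:07 198.51.100.30 10.0.5.22 3306 S
2023-09-12T10:00:09 198.51.100.30 10.0.5.23 80 S
2023-09-12T10:00:11 198.51.100.44 10.0.5.23 7547 S
2023-09-12T10:00:14 198.51.100.9 10.0.5.24 502 S
2023-09-12T10:01:00 203.0.113.5 10.0.5.21 443 S
2023-09-12T10:01:30 203.0.113.5 10.0.5.21 443 S
2023-09-12T10:02:00 203.0.113.5 10.0.5.21 443 S
2023-09-12T10:45:00 192.0.2.77 10.0.5.40 502 S
2023-09-12T11:30:00 192.0.2.77 10.0.5.40 102 S
"""

WINDOW = timedelta(minutes=5)   # assumed observation window
MIN_PORTS = 5                   # assumed: this many distinct ports in one window is a sweep


def parse_connlog(text):
    """Parse log lines into (datetime, src, dst, dport) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, _flags = line.split()
            rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(rows)


def source_group(ip, prefix=24):
    """Collapse an address to its covering network, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def detect_sweeps(rows, window=WINDOW, min_ports=MIN_PORTS, prefix=24):
    """Return {source group: sorted distinct ports} for groups whose busiest window
    of length `window` touches at least `min_ports` distinct destination ports."""
    by_group = defaultdict(list)
    for ts, src, _dst, dport in rows:
        by_group[source_group(src, prefix)].append((ts, dport))
    hits = {}
    for group, events in by_group.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward in time
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            hits[group] = sorted(best)
    return hits


if __name__ == "__main__":
    rows = parse_connlog(SAMPLE_CONNLOG)
    print("grouped by /24:", detect_sweeps(rows))
    print("grouped by exact address:", detect_sweeps(rows, prefix=32))
```

With the constructed log, grouping by exact address (prefix=32) returns nothing because no single address touches more than two ports, while grouping by /24 surfaces the 198.51.100.0/24 sweep across all eight ports; in production the grouping key would be tuned to the address churn actually observed, and the port list can be matched against the "Top ports attacked" table above to prioritise triage.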

Who is attacking North America?

Percent of attacks attributed to a category of threat actors

Threat actor category           Percent
APT Groups                      15
Independent actors              12
Actors with loose affiliation   14
Lockbit gang                    26
Unknown threat actors           21
Others                          12

The highest volume of attacks comes from unknown actors, Lockbit affiliates, and individuals or small actors. These actors rely on volume over quality of attacks, while the APT groups rely more on cyberattacks that have a higher probability of success. It should be noted, however, that APT groups are behind most of the reconnaissance attacks logged in the region.

Attacks on counties and government agencies

Attacks on counties in the US grew by 649 percent in 2023. The most basic form of attack involved a brute-force attack to log on to a specific server. Between June and December, counties across the US were subjected to an average attack volume of nearly 24,000 login attempts every 72 hours. Such a huge volume of inbound attacks is a clear indication of the challenge hackers are posing to counties and smaller governance entities in the region. While the targeted systems blocked such attempts in many instances, in others they allowed multiple login attempts to be logged without the attack being blocked.

In other instances, the attacker tried to modify files linked to applications that support key services. The average cost of recovery for a county was $1,200,000 and the average time to revert to full-service status was 97 days. In some instances, counties that were attacked in February 2023 had not returned to full-service status by late November 2023. Cumulatively, citizen services in the US were impacted for almost 764 days in 2023 due to cyberattacks. The average (pre-negotiation) ransom demand was $900,000 and the time given to the victim to pay was usually 3 days.

Why are counties getting attacked?

• Lack of foundational security measures, including password hygiene
• Lack of qualified staff and funding
• Huge volumes of data collected from victims through previous multi-stage reconnaissance attacks
• Poor data storage security practices
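The two failure modes described above, attempts being logged without being blocked and a login succeeding after a long run of failures, are what a detector over authentication logs has to surface. The following is an added example, not code from the report or from Sectrio: a sliding-window detector over constructed log lines in an assumed key=value format (the host names, user names and documentation-range source addresses are invented for the example).

```python
"""Sliding-window brute-force login detector.

Added example (not from the report). The log format is an assumption:
one line per authentication event,
'YYYY-MM-DDTHH:MM:SSZ host=.. user=.. src=.. result=OK|FAIL'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+host=(?P<host>\S+)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, window=timedelta(minutes=10), threshold=20):
    """Two alert types, keyed on the source address:

    burst               - `threshold` or more failures from one source inside
                          `window` (raised once per source, when first crossed)
    success_after_burst - a later successful login from a source that already
                          produced a burst: the attempts were logged but never
                          blocked, and a credential was probably guessed
    """
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    burst_sources = set()
    alerts = []
    for ev in events:
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"type": "burst", "src": src, "host": ev["host"],
                               "count": len(q), "at": ev["ts"]})
        elif src in burst_sources:
            alerts.append({"type": "success_after_burst", "src": src,
                           "user": ev["user"], "host": ev["host"], "at": ev["ts"]})
    return alerts


def sample_lines():
    """Constructed log lines (not real data): one source fails 25 times in
    under five minutes and then logs in as a different user; a second source
    mistypes a password twice, which must not alert."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    t0 = datetime(2023, 7, 14, 2, 15, 0)
    lines = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=12 * i)).strftime(fmt)
        lines.append(f"{ts} host=county-fs01 user=administrator src=203.0.113.45 result=FAIL")
    ts = (t0 + timedelta(minutes=6)).strftime(fmt)
    lines.append(f"{ts} host=county-fs01 user=jsmith src=203.0.113.45 result=OK")
    for i in range(2):
        ts = (t0 + timedelta(minutes=1, seconds=30 * i)).strftime(fmt)
        lines.append(f"{ts} host=county-fs01 user=mlopez src=198.51.100.7 result=FAIL")
    lines.append("this line is not an auth event and is skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_lines()):
        print(alert)
```

The default of 20 failures in 10 minutes is well below the roughly 56 attempts per 10 minutes implied by 24,000 attempts every 72 hours, so a campaign of the volume described above trips it early; the threshold and window should still be tuned against a baseline of legitimate failures for the environment. The second alert type is the one that matters operationally: a burst followed by a success from the same source means the lockout policy did not engage and the account should be treated as compromised.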

Cyberattacks on IoT

Attacks on Internet of Things and smart projects can be divided into the following categories:

• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
• Botnet attacks
• Man-in-the-Middle (MitM)
• Malware
• Credential stuffing
• Firmware
• Side-Channel
• Encryption
• Brute Force Password

While DoS and DDoS are the most common attack types, it is the MitM and malware attacks that lead to more damage and data loss. In over 14 cities in the region, the attacks on IoT infrastructure maintained a steady pulse, holding at a threshold for extended periods of time. This indicates that most of these attacks are carried out using AI and automation services that sustain a certain level of attacks and probes within a given amount of time.

Changes in the security levels of the targets due to the addition of new and untested applications and devices could eventually allow these attacks to succeed to various degrees, and that is what these actors are counting on.
Percentage detected, by IoT attack category (bar chart). Categories on the x-axis: Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, Botnet attacks, Man-in-the-Middle (MitM) attacks, Malware attacks, Credential attacks, Firmware attacks, Side-Channel attacks, Encryption attacks, Brute Force Password attack. Bar values as extracted, tallest first: 23, 19, 11, 9, 9, 9, 7, 6, 4, 3 (sum 100). The extraction does not preserve which value belongs to which category; the text above states that DoS and DDoS are the most common.

South and Central America

South and Central America in numbers
Total attacks                          22.8 Bn
Sophisticated attacks                  1.3 Bn
Targeted attacks                       901 M
Reconnaissance volume                  12.3 Bn
Growth in volume of attacks over 2022  579 %
Average ransom demand                  $2 M

The South and Central American region witnessed the highest-ever growth in the volume and quality of cyberattacks in 2023. This region has started receiving a high level of interest from Russian and Chinese APT actors.

The region has seen a fairly high level of uptake in the use of digital communication technology in the past few years. This includes broadband, smart and digital production tools, automation across the board, digital aids for commodity management (including mining), and cloud storage as well. When put together, these trends point to a huge and sudden rise in threat surface, which is proving to be an attractive lure for hackers.

Latin America's organisations are also being targeted, no matter their size. In fact, the region is not immune to supply chain cyberattacks, which are becoming more prevalent. In October 2023, Chile saw a telecommunications company, GTD, hit by the Rorschach ransomware gang, which saw 3,500 companies impacted.

Expansion of the regional threat landscape

In addition to the expansion of the threat surfaces available in the region, the entry of new players and the increasing activities of existing players are also contributing significantly to the expansion of the threat landscape in the region. APT 41, Lazarus, APT 35, and APT 29 are among the state-backed threat actors active in the region. All of them have expanded their regional activities, ostensibly to entrench their presence in the region.

Latin America is being sought out actively by the USA, the EU, and China for building closer trade links [5]. Many countries are looking at the region to fulfill their requirement for commodities. Further, its close proximity to the US and Canada means that the region can also play host to manufacturing facilities whose output targets these two countries. As the region gets tightly integrated into multiple global supply chains, it is also getting drawn into geopolitical issues playing out in other regions.

The most worrying data point about Latin America has to do with the percentage of successful attacks in the region. The success rate of cyberattacks in the region touched an all-time high of 0.01 percent in June 2023. In addition to the factors mentioned above, the lack of skilled security professionals and the lack of strong legal mandates for ensuring basic cyber hygiene are also hurting the region.

Latin America is also home to a growing lot of hijacked bot farms. Many of these farms have been created using large volumes of hijacked industrial infrastructure and personal devices. While only 30 percent of the traffic from bot farms is used to target businesses within the region, hackers do use these farms to run scans and to test malware and malicious payload delivery mechanisms and tactics. Brazil and Colombia are two countries where hackers are still relying on messages sent using the traditional SMS channel to target victims.

The growing volume of bot traffic also points to the ease of access to the target devices. Bot farms in the region have evolved over the last half a decade to pose a much bigger threat than before. In 2018, regional bot farms were only involved in carrying out DDoS attacks at a much lower scale. The number of farms was low and the traffic emerging from these farms was also low.

Today, however, these farms are being used by bad actors for various reasons.

In South and Central America, we have seen botnets operated and managed at multiple levels. The individual botnets are controlled by a Bot manager, which is in turn managed by a Bot master. The Bot manager is responsible for the day-to-day operations of the bot, while the Bot master guides the bot for the task assigned through the Bot manager. The Bot master is directly controlled by the bad actor, while the Bot managers work under the Bot master. The roles of the two are often interchanged randomly across an infection cycle. Each new wave of infection adds new bots to the botnet. Only bots that have been part of the hijacked network for a certain period of time are eligible for promotion to Bot manager and Bot master.

The role shifts are choreographed through a master algorithm which is also reset multiple times each day. Further, botnets are also turned off and on multiple times to add another layer of stealth. Hackers may also add more layers of control between themselves and the Bot master.

Botnet category        Usage
Industrial breach bot  Used to generate malware-payload-enriched traffic to breach industrial environments
TrackBot               Tracks specific users across cyberspace
DataexfilBot           Used to exfiltrate data from specific networks and environments
DDoSBot                Launches Distributed DoS attacks using Layer 3 to 7 protocols
SpamBot                Launches spiders to collect email addresses and hosts spam mail-generating apps
BrowseBot              Collects user info across websites
ChatBot                Collects chat transcripts to find a user's chatting trends
idBot                  Steals user authentication credentials
Payment bot            Collects payment card information from e-commerce portal screens
PollBot                Manipulates online polls meant for products and services
BruteForceBot          Attacks websites with TCP and application layer attacks
NetBot                 Attacks networks using Layer 2 and 3 protocols


Diagram showing the shift of the Bot manager role to another botnet entity (labels in the figure: Hour Zero; Hour Two (shift of Bot Master); Master Bot; Bot Manager; Master Bot).

Average number of days taken for hackers to put data on sale (bar chart). Sectors on the x-axis: Healthcare, Manufacturing, Mining, Oil and gas, Utilities, Others. Bar values as extracted, tallest first: 37, 21, 15, 14, 7, 6 days. The extraction does not preserve which value belongs to which sector.

The high volume of attacks on healthcare and manufacturing has its origin in the different sets of actors targeting them. While manufacturing is targeted by multiple independent threat actors, healthcare has been targeted by Lockbit affiliates.

Regional botnets - suspect numbers, 2018 to 2023 (bar chart). Bar values as extracted, tallest first: 67,019; 59,094; 44,934; 39,001; 23,094; 19,400. The extraction does not preserve which value belongs to which year; the text below describes the number as rising.

*Data based on traffic pattern and load sequence analysis

The rise in regional botnets also correlates with a rise in attacks on multiple sectors in the
region. Manufacturing and oil and gas are two sectors that have seen a significant rise in the
volume of attacks routed through global Botnets. Such a routing points to an increase in the
level of sophistication of these attacks. The involvement of botnets also points to the
involvement of multiple players in the

Regional botnets - suspect numbers, by sector (bar chart). Sectors on the x-axis: Manufacturing, Oil and gas, Retail, Government, Utilities, Others. Bar values as extracted, tallest first: 31, 24, 18, 11, 9, 7 (sum 100). The extraction does not preserve which value belongs to which sector; the text above names manufacturing and oil and gas as the sectors with the largest rise.

There is also plenty of hacker interest in the critical minerals sector in the region. Two minerals, lithium and copper, deserve special mention in this context. The region already produces large quantities of lithium, which is needed for batteries, and copper, which underpins the expansion of renewables and electricity networks. But Latin America could expand into a range of other materials such as rare earth elements, which are required for electric vehicle motors and wind turbines, and nickel, a key component in batteries [6].

The race to secure a large share of the supply of these minerals in the region has been led by China among other countries. This could also be a reason why Chinese threat actors are very active in this region. Social engineering and phishing attacks are also rising in the region. Threat actors are working to cultivate insiders for the long term.

Most attacked nations in South America (bar chart). Countries on the x-axis: Brazil, Mexico, Argentina, Chile, Peru, Colombia, Others. Bar values as extracted, tallest first: 24, 21, 20, 11, 9, 9 (one value is missing from the extraction). The text below confirms Brazil as the most attacked country, followed by Mexico.

Brazil is the most attacked country in the region, followed by Mexico. Both these countries are home to established and diversified manufacturing infrastructure. In addition, Mexico and Brazil are also among the largest oil producers in the region [7]. Argentina and Chile are among the largest lithium producers in the world. This puts them in the crosshairs of threat actors that work with lithium spot price fixers to manipulate the price of lithium. The price of lithium swung wildly in 2023 [8], and this does indicate the work of forces behind these price fluctuations.

The attack on the Chilean Army in 2023

Surprisingly, some patterns of the attack we have logged in Argentina, Chile, and Bolivia to
some extent have also been logged in some parts of Australia which is another major producer
of the same set of minerals. Cyberattacks on oil and gas entities in Mexico and Brazil have
already been correlated with those of other OPEC countries in the last edition of our Threat
Landscape Report. This year, we were able to do a much deeper dive into cyberattack
correlations and found that a set of threat actors including a few state-backed actors are
behind cyber attacks on the commodity sector. Such attacks target the entire value chain
including extraction, processing, trade, shipping and buying entities.

On the critical infrastructure side, utilities and ports are among the most attacked targets in
South America.

Europe

Europe in numbers
Total attacks                          174.8 Bn
Sophisticated attacks                  3.7 Bn
Targeted attacks                       1.9 Bn
Reconnaissance volume                  30.4 Bn
Growth in volume of attacks over 2022  201 %
Average ransom demand                  $2.9 M

The ongoing conflict between Russia and Ukraine continues to cast a long shadow on
cyberspace in the region. The region witnessed the largest phase of APT activity stretching for
over two years now (as of November 2023). As the war in the physical realm threatens to enter
a frozen state, Russian APT actors are trying their best to escalate the conflict in cyberspace.

In addition to the existing APT groups from the region, new ones from Iran and two APTs from
Turkey made their presence felt. All sectors in the region reported a significant rise in attacks
and cyber espionage. Unlike 2022 and 2021, most of the attacks in 2023 were not focused on
urban centers and cities with the presence of NATO assets.

It can be said with a high level of confidence that the APT groups operating in the region are preparing for something big in 2024. The reasons for this assertion are:

• Higher levels of focused and targeted APT activity spanning all nations in Europe
• Higher levels of demand for data on regional critical infrastructure in various hacker forums
• The attack window has been open for a while and several businesses have reported breach
events
• Because of the successful breaches and loss of data, hackers could be maintaining a vigil
on multiple critical information and civic infrastructures in the region including those
connected to banking, governance, mobility, EV charging, healthcare and education
• Europe has also reported the maximum number of new malware variants ever recorded.
This indicates a high level of hacker interest in the region

New APT actors in the region

We are noting with concern the rising activity footprint of APT actors from Iran
and Turkey in the region. Most of these actors are targeting manufacturing and
critical infrastructure in addition to exfiltrating a huge volume of data from the
region.

Highest attacked sectors in Europe

Hackers are certainly trying to harm the manufacturing capacity of countries within the region. The high volume and sophistication of these attacks, along with their persistence, point to a clear intent in strategy and tactics. The ongoing conflict in the Middle East has also impacted cyberspace in the region, with many hacktivist groups turning active towards the end of October 2023. This includes groups that seem to be based in Europe as well.

Hacktivist groups are targeting sectors that generate high visibility and media interest after a successful breach. This includes chiefly the oil and gas and utility sectors. These groups are also surveilling the cyberspace connecting with their targets, keeping them in a multi-tier digital surveillance sink, so to speak. The oil and gas and utility sectors also represent a rare convergence of interests between APT groups, independent threat actors and hacktivists.

Chinese threat actors are targeting European manufacturers in order to facilitate IP theft. Our research indicates that in an average successful attack, as many as 70,000 records are exfiltrated by Chinese threat actors. Germany is one of the main targets for such attacks as it possesses many high-tech firms that are of interest to China. These attacks align with the larger strategic priorities of China in areas such as semiconductors, renewable energy, defense hardware, space tech, and automobiles. In a way, such attacks are not just a means of economic warfare; they are designed to enable technology theft at a fundamental level. China also targets Uyghur and Tibetan populations (in exile in European nations and elsewhere) and patent holders at an individual level.

China's efforts at targeting Europe involve Chinese entities at four levels, viz., its private sector, freelance contractors, universities, and front companies. In addition to helping maintain plausible deniability at many levels (by using proxies), China also ensures fragmentation of the overall effort. Thus, in the case of a defection by an employee or a leak, only a part of the program is revealed, which means that China will only have to dismantle those operations in case of a disclosure or adverse action by the target country.

The odd actor out in this grouping is North Korea, which is operating purely out of monetary considerations. North Korea's cyberattacks in Europe are also oriented toward gathering technology inputs for its nuclear and missile program while balancing the need for funds to avoid the shortfall in foreign currency caused by sanctions.

As per information gathered by our threat analysts from forums connected with suspected North Korean threat actors, it is worried about the following:
• Its critical infrastructure and military response capability being degraded by Western military alliances through a massive attack in the event of a geopolitical event
• North Korean defense entities being left out of technological advancements due to sanctions
• North Korean trade and its economy suffering an outright collapse due to sanctions

North Korean cyberattacks on Europe are meant to alleviate the problems arising from all three challenges. North Korea sees Europe as a target for extortion and as a place to carry out its agenda of three-pronged warfare, viz., technology theft, transfer of fungible digital assets, and exfiltration of information of interest to project a position of power to countries in the region and beyond. North Korea views the European Union as a subset of the perceived existential threat it faces from the USA.

In light of the above, we expect North Korea to maintain a very high level of interest in European cyberspace in the future.

The axis of cyberattacks in Europe

Map: Zone 1 and Zone 2, drawn as concentric regions around Ukraine.

Most cyberattacks within Europe have been concentrated within a radius of approximately 700 miles from Ukraine, away from Russia (North, South, and Western Europe). This zone doesn't just log the maximum attacks; some of the hijacked assets in this area are serving as a conduit to enable further cyberattacks on Ukraine and the Baltic countries. Finland lies just outside this zone. The landmass within this radius is what we call Zone 1.

Zone 2 lies outside Zone 1 and stretches up to approximately 1600 miles from Ukraine. This region also faces attacks, but the volume is much lower than that of Zone 1. While the vectors and tactics are more or less common to both zones, the degree of hacker interest is what distinguishes them.

This axis clearly indicates that Ukraine is more or less at the center of cyber attention as far as hackers go. While geographical distances don't matter as far as cyberspace is concerned, the existence of such an axis indicates high levels of hacker interest in these countries because of their proximity to the war zone. At various points in time in 2023, unusual patterns of internet traffic were observed in countries falling within Zone 1. These patterns were linked to ongoing cyberattacks and intrusion attempts logged across Europe.
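The zones above are defined purely by distance from Ukraine, which makes them easy to turn into an enrichment tag on event data so that traffic from Zone 1 sources can be baselined separately. The following is an added example, not code from the report or from Sectrio. It assumes Kyiv as the point the distances are measured from, uses approximate capital coordinates, and runs over a constructed list of events that have already been geolocated to a city.

```python
"""Tag event sources with the report's Zone 1 / Zone 2 axis.

Added example (not from the report). Assumptions: Kyiv is the point that
"distance from Ukraine" is measured from, and the capital coordinates are
approximate. Distances are great-circle (haversine) in statute miles.
"""
import math
from collections import Counter

KYIV = (50.45, 30.52)          # assumed reference point (lat, lon in degrees)
ZONE1_MILES = 700              # radius quoted for Zone 1
ZONE2_MILES = 1600             # outer radius quoted for Zone 2
EARTH_RADIUS_MILES = 3958.8

CAPITALS = {                   # approximate coordinates, assumed for the example
    "Warsaw": (52.23, 21.01),
    "Helsinki": (60.17, 24.94),
    "Berlin": (52.52, 13.40),
    "Paris": (48.86, 2.35),
    "London": (51.51, -0.13),
    "Lisbon": (38.72, -9.14),
}


def haversine_miles(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def zone_for(coord, reference=KYIV):
    """Zone 1 inside 700 miles, Zone 2 from 700 to 1600 miles, Outside beyond."""
    d = haversine_miles(reference, coord)
    if d <= ZONE1_MILES:
        return "Zone 1"
    if d <= ZONE2_MILES:
        return "Zone 2"
    return "Outside"


def zone_counts(events, reference=KYIV):
    """events: iterable of (source_ip, city) pairs already geolocated to a
    city; returns how many events fall in each zone."""
    return Counter(zone_for(CAPITALS[city], reference) for _, city in events)


def sample_events():
    """Constructed events (documentation-range IPs, not real traffic)."""
    return [("203.0.113.5", "Warsaw"), ("198.51.100.9", "Helsinki"),
            ("192.0.2.7", "Paris"), ("203.0.113.77", "Lisbon"),
            ("198.51.100.2", "Warsaw"), ("192.0.2.40", "London")]


if __name__ == "__main__":
    for city, coord in CAPITALS.items():
        print(f"{city:9s} {haversine_miles(KYIV, coord):7.0f} mi  {zone_for(coord)}")
    print(dict(zone_counts(sample_events())))
```

Measured from Kyiv, Helsinki comes out at roughly 706 miles, which agrees with the statement above that Finland lies just outside Zone 1. The same computation puts Berlin at about 750 miles, so the choice of reference point decides which side of the boundary Germany falls on (measured from Ukraine's western border it would be inside 700 miles); any enrichment rule built on this axis should state the reference point it uses.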

Lessons from the Rosvodokanal and Tecnoquadri Srl incidents

Moscow's Rosvodokanal water-management company was ransacked by the Ukraine-aligned Blackjack group, with reports that the company's IT infrastructure was "destroyed." The hackers, with the help of cyber specialists from the Security Service of Ukraine, were able to "demolish" Rosvodokanal's IT infrastructure, according to Ukraine Pravda [8].

Pro-Russian hacker group UserSec announced that it had stolen 33 million lines of Italian data from TECNO QUADRI S.r.l. and was planning to make it publicly accessible. The group said that it possessed an extremely large file containing as many as 33,000,000 lines of data, to be made available for download.

Both events occurred towards the end of 2023 and highlight the weaponizing of critical
infrastructure cyberattacks. While on one end, one can categorize these events as part of the
ongoing war in the region, it is important to understand the ramifications of such attacks on the
wider cyberspace and critical infrastructure across the globe.

• Hackers are now looking at inflicting more harm to critical infrastructure than ever before
• Attacks are not limited to shutting infrastructure down. Instead, the focus is now on
damaging the infrastructure beyond recovery, selling stolen data and moving laterally
across infrastructures
• Such attacks have also occurred in the Middle East where Iran and Israel are locked in cyber
combat
• New hackers are now being trained to target critical infrastructure as we have seen in case
of Chinese and Russian APTs. These critical infrastructure specialists are sometimes given
specific infrastructure to target
• UserSec is an actor trained to attack critical infrastructure. One of its training modules
accessed by Sectrio’s Threat Research team lists out in detail various methods to identify
critical assets and information within a target and mentions in detail how to exfiltrate data
and cripple the asset once that is done
• Unfortunately, critical infrastructure is not being accorded the level of protection that it
deserves and needs

Percentage of attacks by sector in Europe (bar chart). Sectors on the x-axis: Manufacturing, Utilities, Oil and gas, Education, Defense, Healthcare, Others. Bar values as extracted, tallest first: 24, 22, 16, 13, 10, 9 (one value is missing from the extraction). The extraction does not preserve which value belongs to which sector.

Percentage of attacks by threat actor category in Europe (bar chart). Categories on the x-axis: APT Groups, Independent actors, Actors with loose affiliation, Lockbit gang, Unknown threat actors, Others. Bar values as extracted, tallest first: 45, 26, 9, 8, 7, 5 (sum 100). The extraction does not preserve which value belongs to which category.

Where are the cyber threats to Europe coming from?

Country of origin   Main actors                         Percentage
Russia              APT 29, SEABORGIUM                  21
China               APT 41                              not legible in the source
Iran                APT 35, Static Kitten               9
Turkey              Unnamed                             10
Pakistan            Transparent Tribe/Mythic Leopard    5
North Korea         Lazarus                             3
Others              NA                                  32

Most attacked countries

Rank  Country
01    United Kingdom
02    France
03    Ukraine
04    Germany
05    Finland

France and the UK are drawing a huge volume of sophisticated attacks on their manufacturing
infrastructure linked to defense. While Ukraine is in the third position, attacks on Ukraine rose by
as much as 371 percent in 2023 which is more or less aligned with the growth in cyberattacks
we registered in Ukraine in 2022. Ukraine, Lithuania, and Finland top the list of most attacked
nations in Europe on a per capita basis.

Percentage detected, by IoT attack category in Europe (bar chart). Categories on the x-axis: Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, Botnet attacks, Man-in-the-Middle (MitM) attacks, Data exfiltration attempts, Malware attacks, Credential attacks, Firmware attacks, Side-Channel attacks, Encryption attacks, Brute Force Password attack. Bar values as extracted, tallest first: 19, 14, 14, 11, 8, 8, 7, 6, 6, 4, 3 (sum 100). The extraction does not preserve which value belongs to which category; the text below names DoS, DDoS and data theft as the largest.

Attacks on IoT systems and infrastructure

In addition to DoS and DDoS, Europe is also witnessing a large volume of attacks designed to
steal data.

The Indo-Pacific region

The Indo-Pacific comprises 40 countries and economies: Australia, Bangladesh, Bhutan, Brunei, Cambodia, Democratic People's Republic of Korea (DPRK), India, Indonesia, Japan, Laos, Malaysia, Maldives, Mongolia, Myanmar, Nepal, New Zealand, the Pacific Island Countries, Pakistan, People's Republic of China (PRC), the Philippines, Republic of Korea (ROK), Singapore, Sri Lanka, Taiwan, Thailand, Timor Leste, and Vietnam [9].

Since we are adopting this format of regional categorization for the first time, we have outlined the countries that are part of this grouping.

The Indo-Pacific is witnessing a growing security challenge from China. In addition to physically challenging the sovereignty of its neighbors, China is also leveraging cyberspace to further its agenda.

“China [state-sponsored threat activity] probably currently represents the broadest, most active, and persistent threat to U.S. Government and private-sector networks. China’s latest [state-sponsored] cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland…” [10]

The above statement appears in the 2023 annual threat assessment of the US Office of the Director of National Intelligence (ODNI). This statement holds good not just for the United States but also for many nations in the Indo-Pacific region that China views as a strategic or tactical threat. We have covered the activities of Chinese state-backed threat actors in detail in the first half of this report. Now let's take an in-depth look at the implications of this activity on the threat landscape in the Indo-Pacific region.

Going back to the 2023 annual threat assessment: the ODNI states that China “uses coordinated, whole-of-government tools to demonstrate strength and compel neighbors to acquiesce to its preferences [11].” As part of this strategy, China is applying strategic force in cyberspace to deter nations it perceives as adversaries. China is also maintaining a very high level of digital surveillance on nations within its geopolitical orbit, such as Pakistan.

With so many objectives converging, it comes as no surprise that China has been investing heavily in expanding its ability to surveil and attack the critical infrastructure of its neighbors. Its investment in this area rests on building four core capabilities:

• Intercepting and analyzing communication of interest
• Degrading critical civil infrastructure to slow down or degrade the ability to respond in the event of a conflict
• Maintaining an infrastructure that can surveil key targets on an ongoing basis
• Keeping neighbors tied up through infrequent, low-intensity cyber strikes during periods of disagreement

China believes in keeping cyberspace hot but does not prefer it to reach a tipping point.

Analysis by our Threat Research Team indicates that, overall, nations that are part of China's Belt and Road Initiative are targeted less by it. However, even these countries are not insulated from large-scale surveillance activities carried out by China. China has also been working on making it hard for security analysts to attribute these attacks to it. As part of its combat readiness, China is arming its APT teams with enough capabilities to carry out attacks with a very high level of stealth.

Starting with large-scale phishing attacks, Chinese threat actors have moved up the evolutionary ladder and are today carrying out sophisticated attacks at scales never seen before. Chinese threat actors are developing and deploying malware payloads that are stealthy, light, and self-configuring. Some of these payloads come with a loiter time of over 3 years and work with minimal supervision.

Beyond Chinese threat actors, the region is also home to several independent threat actors operating with monetary goals. North Korea is another major influence on the regional threat landscape. APT Lazarus is known to operate across India, Malaysia, Thailand, Indonesia, and the Philippines, targeting bitcoin wallets and financial institutions. As mentioned earlier, North Korean threat actors are always after foreign currency and are often found in businesses and institutions dealing with money.

Lazarus could also be building a separate competency to engage in attacks involving data for ransom. As the North Korean regime turns more desperate for revenue, it will expand the spectrum of operations to open up more revenue generation streams.

Scams at scale
Criminal elements from China are also working with agents across the region to run scams
revolving around get-rich-quick schemes. These involve large-scale phishing, the use of AI to
morph voices and trapping individuals through cryptocurrency rewards. The revenue
generated by China-based criminal groups is hard to determine but could easily run into over
US$ 500 million based exclusively on the number of such cases that have come to light so far.

While the level of government involvement is hard to discern, we find it difficult to believe that such criminal schemes are being run without the knowledge of the Chinese government. We believe that such groups or individuals are being tolerated in return for services rendered to various Chinese state agencies at various points in time.

These scams add another layer of complexity in understanding the broader goals of the
Chinese state. At one level, China tries hard to evade any attention being generated by the
activities of its APT groups while on the other, the level of freedom enjoyed by scammers and
the ease of transfer of large sums of money into China points to a very high level of Chinese
state complicity in such scams.

Regional threat landscape

Just like Europe, the Indo-Pacific region is also a test bed for many new threat actors and malware. The Indo-Pacific logged the largest rise in the volume of cyberattacks in 2023. There are many factors contributing to this rise:

• Lack of policies and regulatory norms around OT cybersecurity
• In industrial environments, the present levels of visibility and control are not in line with the evolving threat environment
• Poor patch discipline
• Lack of security audits and risk assessments
• Lack of documentation on plant architecture
• Lack of security acceptance testing before adding new machinery
• Presence of unsecured legacy equipment

Attacks on sectors
Manufacturing is the most attacked sector in the region. If we club utilities, oil and gas and
defense and tag them as critical infrastructure, then this segment becomes the most attacked
segment in the region accounting for as much as 32 percent of all attacks logged. Among the
sectors tagged as others, the maritime sector accounts for almost 6 percent of all attacks
ranking it among the most attacked sectors.

With a big chunk of global commerce passing through the shipping lanes of commerce in the
region, maritime infrastructure in the region is drawing attention from hackers and
state-backed threat actors.

The manufacturing sector in the region today hosts a mix of technologies, including machinery
running on legacy systems, operational technology, and the Internet of Things. The shop floor is
coming online, with more systems being connected and carrying an IP address. However, this
digitization has not come with a matching improvement in the security posture of the companies
hosting these systems. This has left them vulnerable to cyberattacks, and bad actors are leveraging
these security gaps effectively to breach these networks, move into the corporate network, deploy
malicious payloads, and listen to the traffic.

Percentage of attacks on individual sectors

Sector          Percentage
Manufacturing   29
Utilities       25
Oil and gas     22
Education       9
Defense         7
Healthcare      5
Others          3

In terms of the threat actors active in the region, APT groups and Lockbit affiliates dominate the
landscape. We believe that the "unknown" and "others" categories also contain threat actors with
state affiliations. Chinese threat actors also maintain a very high level of active interest in
surveilling other threat actors in the region.

Threat actor categories and percent

Category                        Percentage
APT groups                      39
Independent actors              19
Actors with loose affiliation   14
Lockbit gang                    11
Unknown threat actors           9
Others                          8

Attacks on countries
India, Australia and South Korea are among the most attacked countries in the region. It is the
critical infrastructure in these countries that is being attacked at a volume and scale that have
placed them at the top of the ranks. India faces attacks from both China and Pakistan. The attacks
from China target utility companies, defense entities and manufacturers, while Pakistan, through
two actors, is attacking India's armed forces, government departments, and research
organizations.

A high volume of attacks from Pakistan is targeted at websites as well. The attacks from Pakistan
may be a distraction intended to keep Indian security planners away from sectors and targets of
interest to China. In the past, we have seen at least two instances of collaboration between
Chinese and Pakistani threat actors. The latest instance was during the month of September, when
a summit of G20 leaders was organized in New Delhi. In the days leading up to the summit, Indian
cyberspace was targeted by actors from Pakistan and China. While actors from Pakistan were
mostly working to deface websites, Chinese threat actors targeted Indian critical infrastructure,
especially in the country's capital where the summit was taking place.

From a preliminary round of forensic analysis and TTP tracking, we were able to conclude that
these attacks were planned well in advance to coincide with the summit. The attacks were
conducted at a much larger scale than planned, possibly because China decided not to participate
in the event, which made it easier for the hackers to go all out in attacking diverse targets in
India.

South Korea is witnessing a high volume of attacks against its manufacturing infrastructure and
government bodies. The attacks are seasonal but of very high quality. South Korea is primarily
targeted by China and North Korea, which is also the case with Malaysia, Singapore, Vietnam, and
Thailand. These countries are also targeted through huge volumes of business email compromise
attacks.

Percentage of attacks on individual countries

Country        Percentage
India          26
Australia      19
South Korea    17
Malaysia       11
Singapore      6
Vietnam        6
Thailand       6
New Zealand    5
Others         4

Middle East and Africa
• Volatility in the threat environment, triggered by bad actors increasing their activity in the
region, defined the major cyber events of 2023. The role of cyberspace as a battleground continues
to expand as bad actors ramp up their game in the search for new targets to exploit and data to
harvest.
• Overall, the volume of attacks rose 248 percent in 2023. The number of cyberattacks aimed at
causing a kinetic impact rose by almost 78 percent in 2023. The implications of such a rise will be
felt in 2024, when many attacks may breach the kinetic threshold by sheer virtue of the volume and
sophistication of these attacks.
• Hackers have shifted their goal to physical disruption rather than the virtual disruption they
were targeting until 2023. The other major cyber security trends that we recorded in the region
include:
• The emergence of two new APT actors in the region. Major countries are investing in building
offensive capabilities
• Utilities and manufacturing were the most targeted sectors across the Middle East
• 69 percent of all attacks had geopolitical undertones. The rest were predominantly motivated by
monetary considerations
• Chinese and Iranian APT activity in the region touched an all-time high
• Oil and gas is a sector that is on the radar of bad actors globally, and the Middle East is no
exception in this regard
• About 80 percent of all businesses across large and small segments have been scanned in 2022.
That is also a new high

The rise in scans and the rise in successful cyberattacks are also linked to the use of ransomware
such as Lockbit 3.0 by regional groups and independent actors. The democratization of
cyberattacks involving regional threat actors and acquired ransomware has brought a whole new
dimension to the challenge of securing businesses in the region.

The attacks on critical infrastructure, including ports, telecom networks, water and power plants,
and power distribution infrastructure, by APT players from within the Middle East and beyond
continued on predictable lines. Large-scale disruption was the clear intent, and APT actors
continue to run scans and maintain a high level of interest in networks connected with critical
infrastructure in the Middle East.

The evolving threat landscape

In the Middle East, DDoS attacks are a preferred means of targeting and disrupting critical
infrastructure. Utility operators, media entities, government infrastructure, and emergency
response systems across battle lines have been repeatedly targeted adding huge volumes of
cyberattacks to the global volume. External threat actors linked to Russia are also targeting the
same infrastructure as part of achieving various geopolitical aims.

Several botnet-for-hire operators have also capitalized on the conflict by offering their services to
threat actors across the region. The huge rise in DDoS attacks is being sustained by a constant
addition of DDoS capacity in the back end. Such campaigns are being funded through cryptocurrency.

The evolving nature of the geopolitical chasms in the region makes it difficult to predict the nature
of attacks that may occur in the future. But we can say with a high level of confidence that more
ICS-based critical infrastructure will be targeted in 2024.

Compromise attempts logged in the region (Severe instances only)

Type                                                  Percentage occurrence*
VPN exploit                                           11
CCTV feed exfiltration                                9
Connected device manipulation (remote)                4
Workstation RAT injection/scans                       11
IoT device manipulation                               2
Spear phishing                                        6
Phased DDoS (inbound)                                 7
Data exfiltration through rogue devices and twinning  2
Insider targeting                                     15
Brute force email compromise                          1
Safety instrumentation modification                   6
Code injection attempts                               5
Reconnaissance (long term)                            21

*As a share of the overall attacks logged (total 100)

Regional APTs
Iran is home to the largest number of APTs in the region. While their tactics, techniques,
procedures, and persistence are not comparable in scale to those of China and Russia, Iranian
threat actors are evolving in scale and quality. Most APTs in the region operate under or within
the realm of the defense and armed forces of the countries they are affiliated with. Individuals
from the armed forces are also placed on duty in these APT groups on rotation.

Iranian APT groups mainly target Saudi Arabia, Israel, Qatar, Oman, and Turkey in the region.
The targets are usually government entities; within this segment, Iranian APT groups prefer
ministries and utilities. Iranian APTs accounted for the biggest rise in attacks in the region in
the last quarter of 2023. This rise followed the regional geopolitical disturbances witnessed in
the same period.

In December Iran faced a crippling cyberattack targeted at gas pumps. The attack was
attributed to a group called Gonjeshke Darande or "Predatory Sparrow" with alleged ties to
Israel. Overall, the region has witnessed a nearly 700 percent rise in APT activity. While none of
these attacks were ransom-driven, many were targeted at causing large-scale disruption and
exfiltration of data.

Table: What is getting attacked?

Sector                                  Percentage occurrence*
Utilities                               11
Manufacturing                           9
Oil and gas                             11
Financial services                      6
Government                              6
Healthcare                              6
Others including Not for Profit bodies  7

Table: Motivation factor for bad actors

Factor                    Percentage
Geo-political intent      69
Monetary considerations   9
IP/Data Theft             11
Rogue insider             3
Unknown                   3

Table: Top APT groups in the region

Name(s)                                                       Country of origin   Target countries
APT 34 (OilRig, Helix Kitten, GreenBug, IRN2)                 Iran                UAE, Saudi Arabia, Oman
APT 35 (Newscaster, Rocket Kitten, Phosphorus,                Iran                The whole of the Middle East
Charming Kitten, Saffron Rose)
APT 39 (Chafer)                                               03                  Middle East
APT 41                                                        China               Middle East
APT 28                                                        Russia              UAE, Saudi, and Egypt

Groups from China targeted the data centers belonging to oil and gas entities, financial
services institutions and utility companies extensively in 2023. We believe that these units are
being attacked not just for data but also for their strategic value and to exploit the access that
these facilities provide to multiple networks and locations. Across 15 major attacks that we
studied in 2023, we were able to identify attempts to deploy infostealers and loiterware
designed to stay hidden on networks to be activated later.

While Oil and Gas ranks number 3 in the list of most attacked sectors, it is a sector that gets the
maximum number of sophisticated attacks. These include long-term listening attacks on core
networks to sniff data of interest and stealthy movement across networks to ensure
persistence and presence in as many networks as possible.

In the case of IoT devices, certain pre-infected ones studied by our threat research team were
found to be rigged at the firmware level to enable the deployment of trojans and backdoors.
Smart cameras were the most rigged devices followed by smart fire alarms and medical
sensors. Vulnerable IoMT devices are one of the reasons the sector is attracting so many
attacks. The presence of such backdoors in multiple classes of IoT devices (at random) points
to a sustained effort by bad actors to breach IoT projects to gain access to core networks.

The random placement of these backdoors reduces the chances of their discovery during a routine
vulnerability assessment. An AI-based threat bot can use these devices to launch cyberattacks that
are separated in time and space. This is what we call sequential botnets: devices that participate
in cyberattacks at random intervals and from varying IP ranges, and are therefore hard to detect.

Attacks on intelligent subsystems connected to sensors and data lakes in the region are also
rising. This is especially true of projects in the infrastructure sector. In addition to pre-existing
backdoors in such systems, many of them are being scanned at regular intervals from various IP
ranges. The addition of IoT gateways to critical infrastructure systems, including power and power
backup systems, is also leading to a deterioration in the security posture of the infrastructure
associated with them.

Systemic attacks in the region

System   Percentage attacks
IT-OT    40
IT-IoT   19
IIoT     14
IoMT     8
Others   19

Most attacked countries in the region

Country        Percentage attacks
UAE            1
Saudi Arabia   2
Oman           3
Kuwait         4
Egypt          5
Nigeria        6
Kenya          7

On a per capita basis, Kuwait was the most attacked country in the region. Kuwait drawing a
disproportionate volume of attacks is chiefly due to the presence of facilities connected with
the oil and gas sector.

Targeted attacks on utilities and oil and gas

Attacks on the oil and gas and utility sectors in the region target almost all aspects of operations
in these two sectors. Repeated incursions designed to cause sub-kinetic physical disruption in
2020 have now turned into more complex attacks designed to take control of sub-systems and use
that control to unleash mayhem. Many of these attacks were discovered because of sheer
carelessness on the part of the hacker. For instance, during one episode, the hacker (Witchetty
group, AKA APT 10) coded the wrong activation time for the vector to perform file and directory
actions, possibly due to a time zone difference; the malware was triggered during work hours,
and the anomalous activity was detected and neutralized. In another case, the C&C server address
was wrong.

It is not clear why an actor as mature as APT 10 made these mistakes. But there is certainly a
need to rapidly improve security practices in the region, or else we may see some of these attacks
evolve and create more disruption and chaos, especially in the oil and gas sector, where such
attacks could also be coupled with airborne strikes by drones to create an even bigger impact.
In the utility sector, bad actors are working to shut down critical systems and subsystems at will
and to time such shutdowns to geopolitical triggers.

Sectrio recommends
There are many steps that can be taken without consuming too many resources and with less
investment of personnel time. A few of these are listed below and we recommend that some
or all of these measures be implemented at the earliest opportunity to prevent attacks.

• Know your assets: discover and map assets; identify critical assets; prepare and maintain an
asset inventory
• Reinforce multifactor authentication; promote unique passwords
• Detect and close open ports
• Network diagrams are another key component. These visual representations are indispensable
for understanding your environment.
• Ensure physical restrictions for crown jewels
• Ensure patch discipline. No unpatched devices should be operational
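The first, third and last of these recommendations (asset inventory, open ports, patch discipline) can be checked against each other mechanically. The following is an added example, not Sectrio's code; the inventory, scan results and the per-device-class port allow-list are constructed sample data, not values from the report.

```python
from dataclasses import dataclass

# Hypothetical allow-list: ports each OT device class is expected to expose.
EXPECTED_PORTS = {
    "plc": {502},          # Modbus/TCP only
    "hmi": {443},
    "camera": {554, 443},  # RTSP and HTTPS
}

@dataclass
class Asset:
    ip: str
    kind: str
    critical: bool   # "identify critical assets" in the checklist
    patched: bool    # "no unpatched devices should be operational"

def reconcile(inventory, scan):
    """Compare the maintained inventory with a discovery scan.
    inventory: list of Asset; scan: {ip: set(open_ports)}.
    Returns {finding: sorted list}; unexpected_ports entries are
    (ip, ports, critical) so critical assets can be prioritised."""
    known = {a.ip: a for a in inventory}
    findings = {"unknown_hosts": [], "unexpected_ports": [],
                "unpatched": [], "missing_from_scan": []}
    for ip, ports in scan.items():
        asset = known.get(ip)
        if asset is None:
            findings["unknown_hosts"].append(ip)      # not documented
            continue
        extra = ports - EXPECTED_PORTS.get(asset.kind, set())
        if extra:
            findings["unexpected_ports"].append((ip, sorted(extra), asset.critical))
    for ip, asset in known.items():
        if ip not in scan:
            findings["missing_from_scan"].append(ip)  # inventory is stale
        if not asset.patched:
            findings["unpatched"].append(ip)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample data (not from the report).
INVENTORY = [
    Asset("10.0.1.10", "plc", critical=True, patched=False),
    Asset("10.0.1.20", "hmi", critical=True, patched=True),
    Asset("10.0.1.30", "camera", critical=False, patched=True),
]
SCAN = {
    "10.0.1.10": {502, 23},   # Telnet open on a PLC: unexpected
    "10.0.1.20": {443},
    "10.0.1.99": {80},        # host nobody documented
}

if __name__ == "__main__":
    for key, hits in reconcile(INVENTORY, SCAN).items():
        print(f"{key}: {hits}")
```

Feeding real scan output and an inventory export into `reconcile` turns the checklist into a repeatable audit whose four finding lists map directly to the recommendations above.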


ABOUT SECTRIO

[Map: ISOC and honeypot locations, with security operations sites, across London, Spain, Qatar,
Toronto, Dubai, Seattle, Myanmar, Mumbai, Portugal, Malta, Denver, Kuwait, Hong Kong, Saudi,
Ivory Coast, Ghana, Bangalore, Malaysia, Singapore, Botswana, Johannesburg and Sydney]

Sectrio offers proven OT and IoT security solutions, managed services, OT SOC, cyber threat
intelligence, and consulting under one roof. Built for resilience, Sectrio’s offerings have been developed
ground up keeping the challenging security needs of enterprises on the radar. We are the preferred
go-to vendor for various industries including manufacturing, oil and gas, healthcare, maritime, smart
cities, defense, and utilities.

INDIA
Pritech Park-SEZ, Block 9, 4th Floor, B Wing, Survey No. 51 to 64/4, Outer Ring Road,
Bellandur Village, Varthur Hobli, Bangalore – 560 103
Tel : +91 80 6659 8700
Fax : +91 80 6696 3333

AMERICAS
Westminster: 1499 W. 120th Ave, Ste 210, Westminster, CO 80234
Tel : +1 303 301 6200
Fax : +1 303 301 6201

EUROPE
1st Floor, Rama Apartment, 17 St Ann's Road, Harrow, Middlesex, HA1, 1JU
Tel : +44 207 8265300
Fax : +44 207 8265352

MIDDLE EAST & AFRICA
#Office number 722, Building number 6WA, Dubai Airport Free Zone Authority (DAFZA), Dubai,
United Arab Emirates
Tel : +9 714 214 6700
Fax : +9 714 214 6714

ASIA PACIFIC
175A Bencoolen Street, #08-03 Burlington Square, Singapore 189650
Tel : +65 6338 1218
Fax : +65 6338 1216

twitter.com/SectrioOfficial facebook.com/SectrioOfficial instagram.com/sectrio_official linkedin.com/company/Sectrio info@sectrio.com
