This story is a part of MIT Technology Review’s What’s Next series, where we look across industries, trends, and technologies to let you know what to expect in the coming year.
In the world of cybersecurity, there is always one certainty: more hacks. That is the unavoidable constant in an industry that will spend an estimated $150 billion worldwide this year without being able, yet again, to actually stop hackers.
This past year has seen Russian government hacks aimed at Ukraine; more ransomware against hospitals and schools—and against whole governments too; a seemingly endless series of costly crypto hacks; and high-profile hacks of companies like Microsoft, Nvidia, and Grand Theft Auto maker Rockstar Games, the last hack allegedly carried out by teenagers.
All these types of hacks will continue next year and in the near future, according to cybersecurity experts who spoke to MIT Tech Review. Here’s what we expect to see more of in the coming year:
Russia continues its online operations against Ukraine
Ukraine was the big story of the year in cybersecurity as in other news. The industry turned its attention to the embattled country, which suffered several attacks by Russian government groups. One of the first ones hit Viasat, a US satellite communications company that was being used by civilians and troops in Ukraine. The hack caused “a really huge loss in communications in the very beginning of war,” according to Victor Zhora, the head of Ukraine’s defensive cybersecurity agency.
There have also been as many as six attacks against Ukrainian targets involving wiper malware, malicious computer code designed to destroy data.
These were all in support of military operations, not acts of war per se, which could still mean that “cyberwarfare is a very misleading term and the cyberwar, as such, will not really happen,” says Stefano Zanero, an associate professor at the computer engineering department of Politecnico di Milano.
According to Lesley Carhart, a researcher at industrial cybersecurity company Dragos and a US Air Force veteran, these attacks show that “[cyber] is just a piece of warfare,” which can still play an important role and will continue to do so.
“I used to say that nearly everything that people just described as cyber war is actually cyber espionage,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation. “And I would say that over the last several years, that is increasingly not the case.”
Initial expectations were that Russian hacks might lead directly to physical damage. But that has not panned out.
One of the reasons cyber hasn’t played a bigger role in the war, according to Carhart, is that “in the whole conflict, we saw Russia being underprepared for things and not having a good game plan. So it’s not really surprising that we see that as well in the cyber domain.”
Moreover, Ukraine, under the leadership of Zhora and his cybersecurity agency, has been working on its cyber defenses for years, and it has received support from the international community since the war started, according to experts. Finally, an interesting twist in the conflict on the internet between Russia and Ukraine was the rise of the decentralized, international cyber coalition known as the IT Army, which scored some significant hacks, showing that war in the future can also be fought by hacktivists.
Ransomware runs rampant again
This year, other than the usual corporations, hospitals, and schools, government agencies in Costa Rica, Montenegro, and Albania all suffered damaging ransomware attacks too. In Costa Rica, the government declared a national emergency, a first after a ransomware attack. And in Albania, the government expelled Iranian diplomats from the country—a first in the history of cybersecurity—following a destructive cyberattack.
These types of attacks were at an all-time high in 2022, a trend that will likely continue next year, according to Allan Liska, a researcher who focuses on ransomware at cybersecurity firm Recorded Future.
“[Ransomware is] not just a technical problem like an information stealer or other commodity malware. There are real-world, geopolitical implications,” he says. In the past, for example, a North Korean ransomware called WannaCry caused severe disruption to the UK’s National Health System and hit an estimated 230,000 computers worldwide.
Luckily, it’s not all bad news on the ransomware front. According to Liska, there are some early signs that point to “the death of the ransomware-as-a-service model,” in which ransomware gangs lease out hacking tools. The main reason, he said, is that whenever a gang gets too big, “something bad happens to them.”
For example, the ransomware groups REvil and DarkSide/BlackMatter were hit by governments; Conti, a Russian ransomware gang, unraveled internally when a Ukrainian researcher appalled by Conti’s public support of the war leaked internal chats; and the LockBit crew also suffered the leak of its code.
“We are seeing a lot of the affiliates deciding that maybe I don’t want to be part of a big ransomware group, because they all have targets on their back, which means that I might have a target on my back, and I just want to carry out my cybercrime,” Liska says.
“Adversaries are starting to realize that they don’t want to be under a specific name that brings the attention of the US government or other international partners,” says Katie Nickels, director of intelligence at Red Canary.
Also, both Liska and Brett Callow, a security researcher at Emsisoft who specializes in ransomware, stress that law enforcement action, including international cooperation among governments, was more frequent and effective this year, hinting that perhaps governments are starting to make inroads against ransomware.
Yet the war in Ukraine may make international cooperation more difficult. In January of this year, the Russian government said it was cooperating with the US when it announced the arrests of 14 members of REvil, as well as the seizure of computers, luxury cars, and more than $5 million. But this unprecedented cooperation wouldn’t last. As soon as Russia invaded Ukraine, there could be no more cooperation with Vladimir Putin’s government.
“When it comes to really cutting off ransomware from the source, I think we took a step back, unfortunately,” said Christine Bejerasco, the chief technology officer at cybersecurity company WithSecure.
Crypto is still going to crypto, baby
The crypto didn’t just flow from ransomware victims to hackers; in 2022 it also flowed straight out of crypto projects and Web3 companies. This was the year cryptocurrency hacks, which have been occurring since cryptocurrencies were invented, became mainstream, with hackers stealing at least $3 billion in crypto during the year, according to blockchain tracking company Chainalysis. (Elliptic, another crypto tracking company, estimated the theft total at $2.7 billion.)
There were more than 100 large-scale victims in the world of crypto; there are now websites and Twitter accounts specifically dedicated to tracking these hacks, which seemed to happen almost daily. Perhaps the most significant of them all was the hack on the Nomad protocol, where a hacker found a vulnerability and started draining funds. Because the hacker’s transactions were public, others noticed and just copy-pasted the exploit, leading to “the first decentralized robbery” in history. Just a few weeks ago, hackers accessed the server where the crypto exchange Deribit held its wallets, draining $28 million from them.
There was some good news in crypto too. Stephen Tong, a cofounder of blockchain security company Zellic, said that a “big new wave” of cybersecurity pros will keep coming to the crypto industry and create “the infrastructure, tooling, and practices needed to do things in a secure way.”
Tal Be’ery, a cybersecurity veteran who now works as CTO of the crypto wallet app ZenGo, says there are “building blocks” in place to make cybersecurity solutions specific to crypto and blockchains, which “hint that the future would be safer.”
“I think that we will start to see some hints of solutions in 2023,” Be’ery says. “But the advantage will still be with the attackers.”
One cohort of attackers that had outsized success this year was the group known as Lapsus$. The hackers targeted software supply chain providers such as Okta, a company that provides identity and access management to other companies. That allowed the hackers to infiltrate big-name companies like Microsoft, Nvidia, and Rockstar Games.
“Attackers look for the path of least resistance, and some infrastructure suppliers are one of these paths,” Zanero says, stressing that supply chain attacks are both the present and the future, because some suppliers—especially cybersecurity companies—have a large footprint across several industries.
“Adversaries continue to be able to make a significant impact,” Nickels says, “without necessarily having to use advanced capabilities.”