When War Meets Cyberspace

ESET Threat Report T3 2022: When war meets cyberspace – the impact of Russia’s invasion on digital threats

  • In T3 2022, China saw the largest number of ransomware attacks, followed by the US, Russia, Ukraine, and Japan. The yearly data, however, showed Russia in the lead with 8%, followed by the US with less than 7%, and fourth-placed Ukraine with less than 4%, of all 2022 ransomware attacks.
  • ESET products blocked more than twice as many phishing websites in T3 2022 as in T2 – more specifically, these blocks went up by 114.6%. ESET products also blocked 80% more unique phishing websites in 2022 than in 2021, a total of over 13 million, despite a small increase in the blocks of unique phishing URLs in T3 (just under 8%).
  • Since the start of the Russian invasion of Ukraine, ransomware has increased its destructive capabilities; in T3, several ransomware-mimicking wipers appeared in connection with the war, targeting Ukrainian entities.
  • RDP password-guessing attacks remained down in T3 2022, with daily averages oscillating around 100 million attack attempts (compared to 1 billion in T1 2022).
  • Despite patches having been available since December 2021, exploitation attempts of Log4j grew by 9% in T3 2022.
  • Cryptocurrency threats declined by 25% in T3 2022, with detections almost cut in half in a year-on-year comparison; while crimeware is decreasing, cryptocurrency-related scams are rising.

ESET released today its T3 2022 Threat Report, summarising key statistics from ESET detection systems and highlighting notable examples of ESET’s cybersecurity research. The latest issue of the ESET Threat Report (covering October to December 2022) highlights the impact of the ongoing war on Ukraine and its effects on the world, including cyberspace. The invasion continues to have a major impact on energy prices, inflation, and cyberthreats, with the ransomware scene experiencing some of the biggest shifts. 

“The ongoing war in Ukraine has created a divide among ransomware operators, with some supporting and others opposing the aggression. Attackers have also been using increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victim’s data with no intention of providing a decryption key,” explains Roman Kováč, Chief Research Officer at ESET.

The war also affected brute-force attacks against exposed RDP services, but despite the decline of these attacks in 2022, password guessing remains the most favoured network attack vector. The Log4j vulnerability, patches for which have been available since December 2021, still placed second in the external intrusion vector ranking. 

The report also explains the impact of cryptocurrency exchange rates and soaring energy prices on various crypto-threats, with cryptocurrency-related scams experiencing a renaissance. ESET products recorded a 62% increase in blocked cryptocurrency-themed phishing websites in T3, and the FBI recently issued a warning about a surge in new crypto-investment schemes. Overall infostealer detections trended down in both T3 and the whole of 2022; however, banking malware was an exception, with detections doubling in a year-on-year comparison.

Other trends in T3 include increased phishing activity impersonating online shops during the holiday season and the rise in Android adware detections due to malicious versions of mobile games being placed on third-party app stores before Christmas. “The Android platform also saw an increase in spyware throughout the year, due to easy-to-access spyware kits available on various online forums and used by amateur attackers,” added Kováč.

The ESET T3 2022 Threat Report also reviews the most important findings and achievements by ESET researchers. They discovered a MirrorFace spearphishing campaign against high-profile Japanese political entities, and new ransomware named RansomBoggs that targets multiple organisations in Ukraine and has Sandworm’s fingerprints all over it. ESET researchers also discovered a campaign conducted by the infamous Lazarus group that targets its victims with spearphishing emails containing documents with fake job offers; one of the lures was sent to an aerospace company employee. As for supply-chain attacks, ESET experts found a new wiper and its execution tool, both of which they have attributed to the Agrius APT group, aimed at users of an Israeli software suite used in the diamond industry.

Besides these findings, the report also summarises the many talks given by ESET researchers in recent months and introduces talks planned for both the RSA Conference and Botconf.