According to the Security Navigator 2024 report by Orange Cyberdefense, India saw a 97 per cent year-on-year (YoY) rise in cyber extortion victims in 2023, followed by Oceania (73 per cent) and Africa (70 per cent). The report states that the cyber extortion threat landscape continues to evolve quickly, and the past 12 months saw the number of cyber extortion victims globally increase by 46 per cent, marking the highest numbers ever recorded. Large enterprises were the victims in the majority of attacks (40 per cent), with those employing more than 10,000 people seeing a steady increase. This trend was exacerbated by a single threat actor, Cl0p, which exploited two major vulnerabilities in 2023. Small organisations make up a quarter (25 per cent) of all the victims, closely followed by medium-sized businesses, with a share of 23 per cent. Large, English-speaking economies continue to account for the highest numbers of victims, with over half (53 per cent) headquartered in the United States, followed by the United Kingdom (6 per cent) and Canada (5 per cent).
The report finds that during 2023, 25 cyber extortion groups had disappeared from 2022, 23 had survived from the previous year and there were 31 new groups. Of the cyber extortion groups that existed, over half (54 per cent) had a life span of up to 6 months, 21 per cent 7-12 months and 10 per cent of all groups made it to the age of 13-18 months, highlighting the challenges faced by those attempting to disrupt a cyber extortion operation.
As per the report, the company’s threat detection teams processed 30 per cent more events across the period worldwide, totalling 129,395, of which 25,076 (19 per cent) were confirmed security incidents. Of these, the threat action ‘hacking’ remained the most prominent, accounting for almost a third of confirmed incidents (30.32 per cent), followed by misuse (16.61 per cent), with malware dropping to third (12.98 per cent). Whilst the volume of events has increased, the actual number of confirmed incidents decreased by 14 per cent year-on-year (YoY). The manufacturing sector (32.43 per cent) is by far the largest contributor in terms of confirmed incidents, following the same pattern as past years. Retail trade (21.73 per cent) and professional, scientific and technological services (9.84 per cent) completed the top three, responsible for over two thirds of the confirmed incidents the company raised with clients.
The report states that more and more threat actors are politically or ideologically motivated, with the aims of espionage, sabotage, disinformation and extortion increasingly intertwined. The report notes the increase in cyber extortion (ransomware) victims worldwide, alongside a significant surge in hacktivism linked to the war against Ukraine. Current geopolitical events have also politicised some cyber extortion actors, some of whom have become more politically driven.
Further, the report states that over the past two years, there has been an evident increase in hacktivist activity in support of political or social causes. According to the report, attacks from hacktivist groups involved in the war against Ukraine, siding with either Russia or Ukraine, have reached record-high levels, with Ukraine, Poland and Sweden the most impacted by the pro-Russian hacktivists. This upward trend is being exacerbated further by other geopolitical events which have sparked the creation of new groups, most recently following the latest developments in the Middle East. Europe was impacted by 85 per cent of all hacktivist attacks seen in 2023, followed by North America (7 per cent) and the Middle East (3 per cent). The report observes that most of the heavily attacked countries are geographically relatively close to the war against Ukraine.
The research also showed a continuous evolution towards ‘cognitive’ attacks, which seek to shape perception through technical activity. The impact has less to do with the disruptive effect of the attack or the value of the data or systems that are affected (stolen, leaked or destroyed) than with the effect that these attacks will have on societal perception. According to the report, most hacktivist attacks are distributed denial-of-service (DDoS) attacks. Some hacktivist groups have developed strong DDoS capabilities, while others are noisy about their capabilities and impact, applying a language and narrative that is disproportionate to their actual action (and impact).
Furthermore, based on the VERIS framework, hacking remains the most detected type of security incident, accounting for almost a third of confirmed incidents with 30.32 per cent, a significant increase on last year’s 25 per cent. Malware has historically been one of the two most detected true positive incident types. However, this year it has slipped to third place, with just 12.98 per cent. ‘Misuse’ was the second most raised threat action with 16.61 per cent, almost exactly in line with last year’s report. Incidents categorised as ‘error’ (7.33 per cent) again take fourth place, followed by ‘social’ (7.15 per cent), which completes the top five. The data found 37.45 per cent of detected incidents within organisations originated from internal actors, with the majority coming from external actors (43.6 per cent). Of these, the end user device was the most impacted asset (27.7 per cent), followed by the server (27.34 per cent).
Additionally, cyber security operations centre teams have noted that there is a strong correlation between the detection efficiency of a client account, and the degree of feedback that the company gets from the client. This year, the efficiency of mature, established clients can be four times higher than that of new clients who are just starting their onboarding journey with the company.
As per the report, while the quantity of incidents reported to the clients has decreased proportionally over the years, the ‘quality’ has increased. This is apparent for “unknown events”, which decreased from 15.33 per cent for customers that have been onboard 1-10 months to 4.10 per cent for customers that have been onboard for 41-50 months. This is a function of detection tuning, more rigorous analysis, and other service enhancements. In addition, as the clients mature in the service, they improve their ability to act on the events Orange Cyberdefense raises with them and refine the process of providing feedback. With sufficient feedback the company was able to perform intelligent tuning and thereby improve detection efficiency, in a repeating cycle.
Commenting on the report, Hugues Foulon, chief executive officer, Orange Cyberdefense, said, “This year’s report underlines the unpredictable environment we face today, and we see our teams working harder than ever as the number of detected incidents continues to increase (+30 per cent YoY). Whilst we are seeing a surge in the number of large businesses impacted by cyber extortion (40 per cent), small and medium businesses together are making up nearly half of all victims (48 per cent). Together, with our customers, we are pursuing an unwavering policy of awareness and support for our increasingly interconnected world. We are adapting to new technologies and preparing for new threat actors by continuing to anticipate, detect and contain attacks when they emerge.”