New threats, new strategies

​Stop me if you've heard this one before: a high-profile company goes even more prime time after losing sensitive data to cyber thieves. Or how about the one about a trusted service provider that suddenly goes offline because they are being held "hostage" by ransomware. These stories, and the headlines they generate, are all too common. But if you think that's the extent of today's cyber risk landscape, think again.

Ready or not, cyber threats continue to evolve. Just as organizations are maturing their approach to cybersecurity, threat actors are also increasingly coordinated, sophisticated and thorough.

As a result, new stories are taking shape. Today, KPMG frequently works with organizations that were compromised by an initial access broker (IAB), the primary goal of which is to gain access to an organization's IT environment and then sell that access to the highest black-market bidder. Similarly, KPMG has witnessed instances where threat actors have taken their threats to media outlets in an attempt to pressure organizations into paying lofty ransoms. Situations like this are surprisingly common, and only increasing in frequency. In another recent engagement, we responded to an incident suffered by a large-scale organization that experienced multiple attacks from multiple perpetrators, each of which had used ready-made ransomware "platforms" acquired from a "dark web" syndicate.

These are not cautionary campfire stories but real (and increasingly common) accounts that underscore cybersecurity's constantly shifting terrain—and the need for organizations of all shapes and sizes to dynamically adjust their footing.

The rise of cyber syndicates
In 2021, KPMG surveyed organizational, IT, and cyber professionals to map the modern cyber risk landscape. The results point to several emerging trends.

For one, the stereotype of cyberattackers being lone wolves in dark basements has run its course. Today's cyberattackers have formed an underground industry populated by the IABs I mentioned earlier, along with digital black markets, exploit sellers, and ransomware buyers.

"What we're seeing now is various attackers working in multiple syndicate groups," says my colleague, Ganesh Ramakrishnan, a senior manager in our Cybersecurity practice. "There are various roles in these syndicates to address specific objectives. On the other hand, you have IABs who don't necessarily conduct the attack themselves but instead create targeted vulnerabilities that they then pass on to syndicates or ransomware operators for a price."

"It has become a profitable business," Ganesh continues. "It's extremely lucrative, and since everybody deals in cryptocurrency, it's easy to do and difficult to track."

Syndicates specialize in multiple forms of attack, with ransomware remaining the most common. According to our research, "zero-day" and unpatched vulnerabilities are taking over phishing scams as the number one means of holding critical digital infrastructure hostage.

The risk of ransomware isn't new, but the rising level of sophistication is catching organizations off guard. For example, many threat actors are taking advantage of turn-key ransomware software (aka the aforementioned ransomware "platforms") that any buyer can use to infiltrate targets of every size. As a result, digital vulnerabilities are being taken advantage of faster than ever.

For example, Chris Walker, a senior Manager in KPMG's Forensic Technology practice, reports the following: "We worked with a client that was attacked within four to six hours of a zero-day vulnerability being published or known in one of their business applications."

And they weren't the only ones. According to Chris: "As soon as a vulnerability is made public, threat actors immediately start scanning systems that are open to the internet to identify organizations that are running vulnerable software versions with the intent to get into an organization's IT systems."

Now is no time to underestimate the sophistication of today's attackers. Cyber syndicates are forming in greater numbers and ransomware as a platform will only gain steam as their leading tactic.

Everyone in the crosshairs
Our 2021 cybersecurity study reinforced the fact that everyone is at risk. No company or public sector entity is too small or unimportant to fly under the radar.

"It's industry agnostic," Chris insists. "[Cyberattackers] are not targeting particular companies or industries. Instead, they are taking advantage of all known exploits and vulnerabilities."

Targeting is the key word. Indiscriminate attacks are becoming less common, while highly targeted attacks on organizations and industries are growing in volume. This is as true for large, multi-national firms as it is for smaller, less mature targets who are seen as easy victims or a steppingstone to larger prey in their supply chain.

"In many cases, attackers will choose a less complex organization because they know they have their guard down. They just want to get in, create enough trouble to get paid, but not cause any big waves," says Ganesh.

We often think of data as being the main target for cyberattackers. That's still true, but syndicates are also going beyond IT systems and targeting operational technologies (OT) through zero-day attacks, worms, wipers, trojans, and other malicious software.

The issue is that organizations don't typically spend too much time and effort or money to fix, patch, or upgrade their OT. As long as the system runs, they think, it's doing the job. And yet, as Ganesh aptly notes, "Threat actors know these aren't being protected and are starting to target OT because they know it can hit the business in a way that other attacks don't."

Act. Now.
Stories like these emphasize the need for better cyber hygiene. That begins by taking a systematic approach to risk management, which means investing in staff training, user verification tools, threat intelligence, and real-time monitoring. It also means ensuring that organizations have an incident response plan in place ahead of an attack, one that includes a list of third parties who can be called upon to help mitigate the impact of an incident, such as a breach coach, lawyers, forensic firms, public relations firms, and cyber insurers, among others.

The important thing to remember is no one is in this alone. Cyber syndicates may be forming, but organizations also have access to a network of cybersecurity supports. Remember the story about the organization that was attacked by multiple threat actors exploiting the same vulnerability? It's one of many we've responded to, and thanks to our team's help in quickly assessing the attack, the organization was able to recover from its backups and avoid paying a ransom.

The short story is that just as there are headlines about more sophisticated attacks, there are stories about organizations staying on top of the necessary upfront work that keeps them out of those very same headlines. You should be doing everything possible to be that kind of organization.