Hackers’ low-effort, high-reward strategy in 2022
Illustration: Brendan Lynch/Axios
2022 is the year everyone remembered just how little hackers need to make big trouble for companies and governments.
The big picture: For years, executives and network defenders have braced as more sophisticated attacks, like the SolarWinds supply chain intrusions, made headlines. But in 2022, most high-profile attacks could be traced back to simple tactics like phishing emails or spoofed text messages.
How it works: Although the damage in these attacks can be severe, hackers using techniques like MFA fatigue or ransomware often only need someone to click on a certain link to take hold of a network.
- With ransomware, hackers often just send a link containing file-encrypting or data-stealing malware to employees to get their attack started.
- And launching an MFA-fatigue attack can simply require hackers to find stolen passwords leaked on the dark web.
The intrigue: This past year hasn’t seen the same level of blockbuster attacks that marked the end of 2020 and all of 2021 — including SolarWinds, the Colonial Pipeline ransomware attack and the Log4j open-source software vulnerability.
- “This year, a lot of simple things have been effective, not because security practitioners are doing anything wrong — it’s just that this is really complicated,” Ryan Olson, vice president of threat intelligence at Palo Alto Networks, tells Axios.
Between the lines: Most governments and companies running critical infrastructure across the U.S. and Europe prioritized preparing for major Russian cyberattacks that never came.
- But throughout the war in Ukraine, Russian hackers, too, have heavily relied on less-sophisticated techniques — like phishing emails, distributed denial-of-service attacks and malware wipers — to cause mayhem.
Yes, but: These less-sophisticated hacking techniques aren’t unique to 2022 — they just took up most of the spotlight this year.
- “I’ve been saying for years: The attacks are only as sophisticated as they need to be,” Adam Meyers, senior vice president of intelligence at CrowdStrike, tells Axios.
The success of this string of low-level attacks seems to stem from the challenges network defenders face in staying on top of their employees’ security practices.
- “It’s one of the most challenging things to defend from because you can’t be over everyone’s shoulder all the time,” Chris Wysopal, co-founder and chief technology officer at Veracode, tells Axios.
- For many companies, the choices individual employees make are the “frontline decisions” of cyber defense, he says.
What’s next: Experts expect low-level social-engineering attacks to become even more effective at fooling users in coming years as artificial intelligence tools get better.