Hackers’ low-effort, high-reward strategy in 2022

Illustration: Brendan Lynch/Axios

2022 is the year everyone remembered just how little hackers need to make big trouble for companies and governments.

The big picture: For years, executives and network defenders have braced as more sophisticated attacks, like the SolarWinds supply chain intrusions, made headlines. But in 2022, most high-profile attacks could be traced back to simple tactics like phishing emails or spoofed text messages.

How it works: Although the damage in these attacks can be severe, hackers using techniques like MFA fatigue or ransomware often only need someone to click on a certain link to take hold of a network.

  • With ransomware, hackers often just send a link containing file-encrypting or data-stealing malware to employees to get their attack started.
  • And launching an MFA-fatigue attack can simply require hackers to find stolen passwords leaked on the dark web.

The intrigue: This past year hasn’t seen the same level of blockbuster attacks that marked the end of 2020 and all of 2021 — including SolarWinds, the Colonial Pipeline ransomware attack and the Log4j open-source software vulnerability.

  • “This year, a lot of simple things have been effective, not because security practitioners are doing anything wrong — it’s just that this is really complicated,” Ryan Olson, vice president of threat intelligence at Palo Alto Networks, tells Axios.

Between the lines: Most governments and companies running critical infrastructure across the U.S. and Europe prioritized preparing for major Russian cyberattacks that never came.

  • But throughout the war in Ukraine, Russian hackers, too, have heavily relied on less-sophisticated techniques — like phishing emails, distributed denial-of-service attacks and malware wipers — to cause mayhem.

Yes, but: These less-sophisticated hacking techniques aren’t unique to 2022 — they just took up most of the spotlight this year.

  • “I’ve been saying for years: The attacks are only as sophisticated as they need to be,” Adam Meyers, senior vice president of intelligence at CrowdStrike, tells Axios.

The success of this string of low-level attacks seems to stem from the challenges network defenders face in staying on top of their employees’ security practices.

  • “It’s one of the most challenging things to defend from because you can’t be over everyone’s shoulder all the time,” Chris Wysopal, co-founder and chief technology officer at Veracode, tells Axios.
  • For many companies, the choices individual employees make are the “frontline decisions” of cyber defense, he says.

What’s next: Experts anticipate low-level social-engineering attacks to become even more effective at fooling users in coming years as artificial intelligence tools get better.
