Orange Cyberdefense launched its annual security research report, the Security Navigator 2024. The report, which gathers, cross-references and analyzes data from a wide variety of sources, paints a broad and complex picture of the world of cybersecurity, amplified by geopolitical, economic and social dimensions. With the environment more unstable and less predictable, it has become even more vital that organizations reduce their risk of exposure by understanding the threat landscape and how it can affect them.
The Security Navigator 2024 reveals that our Threat Detection teams processed 30% more events across the period, totalling 129,395, of which 25,076 (19%) are confirmed security incidents. Of these, the threat action 'Hacking' remained the most prominent, accounting for almost a third of confirmed incidents (30.32%), followed by 'Misuse' (16.61%) and 'Malware', which dropped to third (12.98%).
Whilst the volume of events has increased, the actual number of confirmed incidents decreased by 14% YOY. The Manufacturing sector (32.43%) is by far the largest contributor in terms of confirmed incidents, following the same pattern as past years. Retail Trade (21.73%) and Professional, Scientific and Technological Services (9.84%) completed the top three, responsible for over two thirds of the confirmed incidents we raised with clients.
Alongside purely criminal motives, more and more threat actors are politically or ideologically motivated, with the aims of espionage, sabotage, disinformation and extortion increasingly intertwined. We report on the increase of Cyber Extortion (ransomware) victims worldwide, alongside a significant surge in Hacktivism linked to the war against Ukraine. Current geopolitical events have also politicized some Cyber Extortion actors, who have become more politically driven in their choice of targets and messaging.
2023 has seen the highest count of Cyber Extortion victims on record
The Cyber Extortion threat landscape continues to evolve quickly, and the past 12 months saw the number of Cyber Extortion victims globally increase by 46%, marking the highest numbers ever recorded. Large enterprises were the victim in the majority of attacks (40%), with those employing more than 10,000 people seeing a steady increase. This trend was exacerbated by a single threat actor, Cl0p, which exploited two major vulnerabilities in 2023. Small organizations make up a quarter (25%) of all the victims, closely followed by medium-sized businesses, with a share of 23%.
Large, English-speaking economies continue to account for the highest numbers of victims, with over half (53%) headquartered in the United States, followed by the United Kingdom (2nd, 6%) and Canada (3rd, 5%). However, we are starting to see a lateralization of the geographic distribution, illustrated by major YOY increases in victims in India (+97%), Oceania (+73%), and Africa (+70%).
During 2023, we found that 25 of the Cyber Extortion groups seen in 2022 had disappeared, 23 had survived from the previous year, and 31 were new groups we had never seen before. Of the Cyber Extortion groups that existed, over half (54%) had a life span of up to 6 months, 21% lasted 7-12 months and 10% of all groups made it to the age of 13-18 months, highlighting the challenges faced by those attempting to disrupt a Cyber Extortion operation.
A new levelling of the physical and cyber battlefields, hacktivism as a powerful political tool
Over the past two years, there has been an evident increase in activity in the hacktivism space to support causes of a political or social nature. We report that attacks from hacktivist groups involved in the war against Ukraine, siding with either Russia or Ukraine, have reached record-high levels, with Ukraine, Poland and Sweden the most impacted by the pro-Russian hacktivists we track. This upward trend is being exacerbated further by other geopolitical events which have sparked the creation of new groups, most recently spawned following the latest developments in the Middle East.
We report that Europe was the target of 85% of all hacktivist attacks seen in 2023, followed by North America (7%) and the Middle East (3%). We observe that most of the most heavily attacked countries are geographically relatively close to the war against Ukraine.
Our research has shown a continuous evolution towards 'cognitive' attacks, which seek to shape perception through technical activity. The impact has less to do with the disruptive effect of the attack or the value of the data or systems that are affected (e.g., stolen, leaked or destroyed) than with the impact that these attacks will have on societal perception. Not only do we witness cyber events that impact the physical world; we also observe physical events that elicit a direct cyber response from threat actors, which in turn escalates those very same geopolitical tensions.
Most of the hacktivist attacks that we are observing are Distributed Denial-of-Service (DDoS) attacks. Some hacktivist groups have developed strong DDoS capabilities, while others are noisy about their capabilities and impact, applying a language and narrative that is disproportional to their actual action (and impact).
Hacking remains in the top spot, with nearly a third of incidents we detect within our CyberSOCs
Based on the VERIS[1] framework, the threat action 'Hacking' remains the most detected type of security incident, accounting for almost a third of confirmed incidents with 30.32%, a significant increase on last year's 25%. 'Malware' has historically been one of the two most detected true positive incident types. However, this year it has slipped to 3rd place, with just 12.98%. 'Misuse' was the 2nd most raised Threat Action with 16.61%, almost exactly in line with last year's report. Incidents categorised as 'Error' (7.33%) again take 4th place, followed by 'Social' (7.15%), which completes the top five.
The data found that 37.45% of detected incidents within organizations originated from internal actors, with a larger share (43.6%) coming from external actors. Of these, the end user device was the most impacted asset (27.7%), followed by the server (27.34%).
The efficiency of mature, established clients can be four times higher than that of new clients
The CyberSOC teams have noted that there is a strong correlation between the detection efficiency of a client account and the degree of feedback we get from the client. We observe this year that the efficiency of mature, established clients can be four times higher than that of new clients who are just starting their onboarding journey with us, and we argue that this client maturity is strongly expressed in the frequency with which we receive feedback on incidents.
We also show that while the 'quantity' of incidents we report to our clients has decreased proportionally over the years, the 'quality' has increased. This is apparent for "unknown events", which decrease from 15.33% for customers that have been onboarded for 1-10 months to 4.10% for customers that have been onboarded for 41-50 months. We argue that this is a function of detection tuning, more rigorous analysis, and other service enhancements. In addition, as our clients mature in the service, they improve their ability to act on the events we raise with them and refine the process of providing us with feedback. With sufficient feedback we are able to perform intelligent tuning and thereby improve detection efficiency, in a repeating cycle.
A trusted partnership to define and implement cybersecurity strategies to meet organizations' needs
"This year's report underlines the unpredictable environment we face today, and we see our teams working harder than ever as the number of detected incidents continues to increase (+30% YOY). Whilst we are seeing a surge in the number of large businesses impacted by Cyber Extortion (40%), small and medium businesses together are making up nearly half of all victims (48%)," said Hugues Foulon, CEO, Orange Cyberdefense.
"Together, with our customers, we are pursuing an unwavering policy of awareness and support for our increasingly interconnected world. We are adapting to new technologies and preparing for new threat actors by continuing to anticipate, detect and contain attacks when they emerge," Foulon concludes.