2024 Threatscape report

9 min

As we step into 2024, we anticipate a year that is poised to set several significant precedents. In this blogpost, we provide our Threatscape report, presenting our predictions for the global threats that lie ahead in the upcoming year. These are rooted in the trends we’ve been monitoring, with the goal of providing insights to decision-makers at all levels for proactive protections.

In brief:

  • We anticipate an increase in cyber attacks that bolster information operations. Such attacks are likely aimed at amplifying messages, acquiring and leveraging data, impeding counter-influence efforts, or instilling fear.
  • Going into 2024, we foresee the lines between hacktivist groups and state-sponsored actors becoming increasingly indistinct.
  • We predict that ongoing conflicts will lead to more direct and official attribution of cyberattacks.
  • We expect various retaliation and deterrence aimed at cybersecurity practitioners, in the form of cyber attacks, legal actions or IO (Information Operations) campaigns.
  • We foresee that the deep, unchecked integration of big tech AI will provide a new attack surface, while fast-paced open-source initiatives become more powerful.
  • Destructive malware plays a critical role, and we anticipate traditional electronic warfare (EW) techniques like jamming to become more widespread.
  • Given the quantity and maturity of malware and exploit tools targeting mobile platforms, the emergence of a destructive worm affecting them on a large scale in 2024 would not surprise us.

More cyber information operations influencing public opinion (and more cyber attacks in support of such operations)

As evidenced by numerous publicly documented cases, such as Ghostwriter, the spread of COVID-19 misinformation and Doppelganger, the use of information operations (IO) that exploit social networks to influence public opinion has become a common tactic to support political and/or international agendas. Notably, some of these operations, including GRIZZLY STEPPE and MacronLeaks, were preceded or supported by cyber attacks. 

For 2024, we anticipate a significant uptick in information operations aimed at influencing public opinion on major global events. These include ongoing conflicts in Israel and Ukraine, critical elections such as the 2024 U.S. Presidential Election, the Russian National Elections, and the European Parliament Election, as well as the Paris 2024 Olympics, especially considering Russia’s exclusion, which is anticipated to provoke responses similar to the ‘Olympic Destroyer’ incident.

Hacktivist serving as an extension of state-sponsored cyber capabilities

We expect the distinction between hacktivist groups and state-sponsored actors to continue to blur in 2024. Cases such as Anonymous Sudan having no ties to the original group behind 2019’s OpSudan and collaborating with Killnet which by itself proclaims it holds ‘independent operations’ against Western targets, and the countermeasures by the ‘IT Army of Ukraine’ have prompted the International Committee of the Red Cross to draft a rulebook for ‘civilian hackers’. Hacktivism is progressively being viewed as an acceptable – or even endorsed and crowdsourced – form of cyber engagement. This perception is advantageous for states, especially during conflicts, as it allows them to tap into a versatile reserve of cyber capabilities or even disguise their own operations. At the same time, it complicates retaliation against such actions, given their potential characterization as independent initiatives by civilians.

More direct attribution of cyber attacks

In a recent notable shift, Ukraine’s military intelligence agency openly admitted to a cyberattack on Russia’s tax system, a departure from the norm of attackers concealing their identities. This transparent self-attribution together with the ongoing trend of “naming and shaming” suggests a future with less hesitation in publicly identifying the perpetrators of cyberattacks. Moreover, attributing cyber attacks during conflicts can appear more straightforward, as the interests and positions of conflicting parties are often explicit. The act of Ukraine openly claiming responsibility for attacks on Russia, regardless of whether these actions were independent or not, sparks a debate on the concept of ‘proportionate responses’ by the targeted entities.

State-sponsored actors retaliate against cybersecurity organisations and practitioners

The capabilities of the private sector in cybersecurity are continuously advancing, allowing for the detection of sophisticated cyber operations that could bolster military objectives during wartime. This can serve to obstruct military actions. Additionally, these private sector efforts are often viewed as contributing to wartime military strategies by safeguarding mission-critical assets, to the point of being occasionally accused of laundering information provided by intelligence services. Furthermore, when defenders expose cyber attacks, they can effectively dismantle months of effort and funds (i.e, taxpayer money) invested by attackers in developing these malicious operations.

As a result, states (or the actors they sponsor) are likely to increasingly target organizations and researchers in the cybersecurity world, particularly during periods of heightened tension. Notable incidents such as the Triangulation affair, the intrusion at FireEye and, more recently, at Microsoft by NOBELIUM, as well as the inclusion of cybersecurity experts on the Ukrainian government’s persona non grata list in 2023, already illustrate this tendency to view companies and researchers in the field as legitimate targets for counter-espionage. In the future, we anticipate more retaliatory measures against these entities: cyber attacks, legal action, deterrence strategies and psychological operations.

Escalating destructive attacks and the revival of jamming tactics

We are seeing an uptick in the use of destructive malware, increasingly employed as non-kinetic weapons in conflicts. These politically-motivated attacks, whether by state actors or hacktivist and crimeware groups, underline the importance of understanding the motives behind cyberattacks for accurate attribution.

Similarly, the ongoing war in Ukraine and Russia has brought attention to the strategic use of drones for force projection and surveillance, minimizing frontline exposure. In Europe, law enforcement and security services are gearing up to utilize drones for crowd monitoring and arrests, especially during major events, such as the upcoming Olympic Games in France. As drones become more integral in both everyday life and military conflicts, we anticipate heightened efforts to discover and exploit techniques for drone hijacking and jamming. This resurgence in more traditional electronic warfare could lead to these methods becoming more accessible and widespread.

More attacks leveraging off-radar devices, such as SOHO devices

Because they are less monitored, difficult to patch and poorly managed from a cybersecurity standpoint, certain devices are of particular interest for attackers: getting control of them might offer long-term deniable infrastructure or a stealth foothold in targeted perimeter.  

Such devices include SOHO (small office/home office) appliances, firewalls and routers. Some publicly documented cases (such as APT31, APT28, LuoYu or Volt Typhoon) demonstrate such SOHO devices are already compromised and leveraged as a proxying infrastructure by advanced threat actors. We expect additional research and findings demonstrating further exploitation of such devices.

Widespread destructive attacks reaching smartphones

Exploiting remote vulnerabilities has already been incorporated into destructive malware and ransomware, granting them self-replication capabilities, resulting in widespread outbreaks like WannaCry and NotPetya. 

Such catastrophic scenarios were made possible, in part, by the disclosure of state-sponsored vulnerability exploitation tools (e.g., Shadow Brokers), which were subsequently repurposed by other entities. We are concerned that the current landscape includes a sufficient array of advanced vulnerability exploitation capabilities, as exemplified by publications related to the NSO Group. This raises the potential for a similar scenario to unfold in the realm of smartphones: the emergence of an advanced, remotely exploitable vulnerability, whether disclosed publicly or privately, could be harnessed by malicious actors to disseminate destructive payloads on smartphones globally.

The rise of open-source AI models and the expanding AI attack surface

2023 was defined by AI blowing up, with ChatGPT at ground zero.

These large language models are being deeply integrated into everyday tools, products and services, making it increasingly challenging to regulate their usage retroactively. It becomes increasingly apparent that these poorly organized AI models introduced uncharted vulnerability surface, akin to traditional software as a service. With the emergence of prompt injection attacks, allowing third parties to hijack company chatbots for unexpected actions or data disclosure, it is anticipated that more vulnerabilities will be uncovered and exploited in the upcoming year.

While more products are coming from tech giants, it’s the dynamic open-source community that’s making substantial contributions to the field, and working to develop models and tools which are then made freely available to the general public. This community is moving fast with the release of homemade fine-tuned variations of open-source models, and 2024 could be the year where enthusiasts start deploying custom ChatGPT-like systems on personal server and computers, and possibly smartphones.

A constantly adapting and ever-growing ransomware threat

While law enforcement agencies, international cooperation, insurance companies, and corporations are increasingly recognizing the gravity of the ransomware threat and intensifying their efforts to combat it, cybercriminals demonstrated their seemingly endless will and flexibility by constantly adapting to growing pressure against their malicious actions, and overcoming most obstacles.

From gangs reorganizations to botnets revivals, innovative affiliation models, new extortion techniques, advanced tradecraft and security tools bypasses, the lucrative ransomware ecosystem keeps causing damages like clockwork.

Amidst global inflation, economic sanctions against states, corporations and individuals, as well as ongoing wars and political conflicts, there are even greater incentives to employ the ransomware model as a tool for deterrence, a revenue stream, or a destructive weapon.

We expect that the ransomware threat will continue to expand, potentially introducing new extortion schemes, such as reporting data breaches to authorities and threatening GDPR fines, alongside existing tactics. These developments may further elevate ransomware threats to a level comparable to state-sponsored cyberattacks.

Critical Infrastructure in the crosshairs and the need for protection frameworks

With the attack on the KA-SAT system occurring on its very first day, the Ukraine-Russia conflict illustrated vulnerability of satellite communication infrastructures to targeting during warfare, and that associated impacts can extend far beyond the immediate conflict zone.

This is especially concerning because certain global infrastructures, such as communication systems, serve both civilian and military purposes during conflicts, rendering them ‘dual-use’ and potentially legitimate military targets under the laws of war. This line of reasoning exposes critical global infrastructures – most notably energy and communications – to tragic global disruptions as soon as a conflict erupts.

Existing domestic frameworks for protecting critical infrastructures may prove inadequate to address such risks. We anticipate that states and international organizations will reassess critical infrastructure protection in light of these developments. This could involve the establishment of coordinated international frameworks or, conversely, a heightened focus on safeguarding national infrastructures.