We all know that disruption is the threat actor’s playground—and there’s plenty of it around at the moment. Threat actors are connecting the dots to improve their tactics and collaborate with each other to take advantage of an evolved ecosystem. Not only have we seen increased pressure from threats related to remote working vulnerabilities, but also cybercrime actors have profited from the crucial roles played by local government, healthcare and supply chain providers. In particular, they’ve stepped up and stepped in to challenge critical infrastructure business operations continuity.

In our 2021 Cyber Threat Intelligence Report Accenture draws out the often unseen connection between the new ecosystem, the Dark Web economy, ransomware disruptions, commodity malware and pirated software abuse and their collective, disruptive effects on both information technology (IT) and operational technology (OT) environments.

Public policy responses are now positioning businesses, especially in OT and other critical infrastructure sectors, to reach for long-needed security improvements. The idea is to convert the new ecosystem into an opportunity for improving security, exploiting its potential more than ever before—in short, providing an environment in which organizations can recover better.

What threat trends tell us

Recovering better will take sustained effort in a high-risk environment. In our monitoring and threat analysis operations, the Accenture Cyber Threat Intelligence team (Accenture CTI) has examined recent threat trends and offers expert perspectives on what to do about them. And we monitor this landscape on an ongoing basis.

Here’s a snapshot of what we’ve seen:

  • Dark Web forums are a feeding ground for new threat actors. Online forums are making it easier and cheaper than ever for newcomers to launch cybercrime operations. Along with traditional commerce in malware logs, threat actors are selling parser tools that more easily compile logs, credentials, certificates and cookies. Such tools help other threat actors, including inexperienced ones, create new campaigns and assume the identities of legitimate users in a target network.
  • Ransomware actors are growing bolder. They are targeting manufacturing and a range of critical infrastructure sectors—from financial, to energy, to food production worldwide—using high-pressure tactics to escalate infection consequences. Increasingly, they deploy multiple pressure points at once to extract ransom payments.
  • Threat actors are abusing pirated versions of the commercial penetration testing framework Cobalt Strike. Their use of this familiar tool for malicious purposes adds to the perennial arsenal of commodity malware—an enduring feature of cybercrime operations that spreads easily within victim networks.

Hidden threats and payment pressures

Threat actors buy malware logs and extraction tools easily on the Dark Web. From these, they pull out network credentials. Stolen credentials offer a gateway vector for often-debilitating network intrusions and operations, letting threat actors avoid anti-phishing defenses. For example, actors who launched a critical infrastructure ransomware attack in May 2021 did so using compromised VPN credentials.

There is also a great deal of churn in the alliances among cybercriminal threat actors’ social networks, making attribution difficult. Groups are rebranding or swapping code amongst themselves to hide their identities within criminal communities.

After gaining access to a victim’s network, threat actors need to deploy malware that spreads easily in the network to pull out the data they intend to ransom. Commodity malware including Qakbot, IcedID, DoppelDridex, Hancitor fits the bill, alongside pirated versions of Cobalt Strike.

The global ransomware crisis has entered a new phase, as threat actors adopt stronger pressure tactics and tackle targets such as manufacturing and critical infrastructure. Ransomware actors can choose from four pressure techniques: local denial of access (encryption); leak extortion (also known as “name and shame” tactics); distributed denial-of-service (DDoS); and contact with a victim’s customers. Responding to multiple techniques at once can be challenging and stressful, especially if a victim organization has not already invested in prevention, preparation and pre-deployment defenses.

To pay or not to pay ransoms is still a big question in many people’s minds. Accenture has reinforced United States federal government guidance: Don’t pay ransoms. Companies could be subject to financial penalties if they inadvertently pay a sanctioned entity and cannot guarantee the return or deletion of stolen data.

Instead, organizations should focus on prevention and recoverability: protect against commodity malware; stay alert for Dark Web sales of stolen credentials; segment systems to minimize the lateral movement of ransomware; deploy good logging systems to detect anomalous network behavior; and create backups and playbooks to strengthen operational resilience.

Act fast and first

When a breach does occur, Accenture recommends reacting quickly, working with legal counsel and applying incident response and communications best practices. With all these trends happening together, it can be a particularly worrying time for OT and critical infrastructure providers. Three possible things to remember are:

  1. Preparation and preventative measures are paramount. In industrial OT, just as in purely IT environments, when these measures are neglected or fail, threat mitigation becomes reactive, focusing on triage and response.
  2. Threat actors’ use of easily purchased commodity malware, if not detected quickly, can help an adversary buy time to traverse from IT to OT networks.
  3. DarkSide ransomware use against a critical infrastructure target is a reminder that OT environments are in the crosshairs.

For OT and critical infrastructure and key resources providers in the United States, the Executive Order on Improving the Nation’s Cybersecurity issued in May 2021 goes a long way towards addressing these threats and trends.

Providers are now on a path to improve software design, secure supply chains, invest in more easily secured digital technologies, improve cybersecurity focus and work more transparently with government counterparts to drive a more stable business environment. It will help all security teams everywhere to connect their own dots and protect their business operations from cyber threat evolution.

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Copyright © 2021 Accenture. All rights reserved.

Howard Marshall

Managing Director – Accenture Security, Global Cyber Threat Intelligence Lead

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog