OODA Loop

Understand tomorrow, today.

What’s In Store for Nation State Cyber Activity in 2022?

Archive, Disruptive Technology, OODA Original, Security and Resiliency / by

As 2021 winds down, online cybersecurity journals and cyber experts are providing their cyber threat forecasts for the new year. Ransomware, cloud security, supply chain attacks, and of course critical infrastructure are common themes in many of these prognostications. Cybercrime will continue to flourish, data privacy will remain at the forefront of many privacy advocates’ minds, and security proponents will beat the drum of the implementation of “zero trust” strategies for their enterprises.

Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Nation-states will invariably dominate the 2022 news cycle with respect to malicious cyber activities. As we come to the end of the year, the Log4j vulnerability impacting hundreds of millions of devices showed how quickly digital sharks circled potential prey. One cyber security company recorded approximately 900 thousand attacks over the first four days of the vulnerability’s public disclosure. More disconcerting was the speed with which alleged nation-state actors and prolific ransomware gangs scanned for the vulnerability. According to Microsoft’s Threat Intelligence, state groups affiliated with China, Iran, North Korea, and Turkey actively exploit the vulnerability with activities ranging from “experimentation during development to integrating the vulnerability into in-the-wild payload development.” Hostile actors are always one step ahead, capitalizing on the moment to give them an advantage over their targets and network defenders.

Looking back at the developments associated with state and state-affiliated actors in 2021 reveals that they were responsible for some of the most noteworthy cyber activity. And if past behavior is any indication of future behavior, we can expect these actors to be even more prominent in 2022. Successful compromises of supply chains as evidenced in the late December 2020 and the mid-2021 attacks against SolarWinds and Kaseya showed how pervasive and far-reaching these attacks could be. What’s more, even if such attacks start off as efforts to execute cyber espionage campaigns, the accesses obtained can quickly be used to deploy more disruptive and destructive malware should the actors’ intent change. Given the tenuousness and unpredictability of the geopolitical landscape, and the increasing willingness of states to inflict damage on vital critical infrastructure targets, this is extremely worrisome.

Looking over the past few years, nation-state attacks have doubled, according to one university’s research. Perhaps more important is the fact that these attacks have become more brazen and more disruptive, targeting critical infrastructures to send a clear message to their governments. For example, in April 2021, one state purposefully attempted to modify chlorine levels in water facilities the result of which could poison a civilian population. The victimized government responded in kind, targeting one of the offender’s port facilities, disrupting operations delaying shipments and deliveries. There are several more examples of these types of activities with states looking to compromise critical infrastructures in order to develop accesses that could be used to cause disruption at a time of their choosing (e.g., the October 2020 attack against the Mumbai power grid falls under this rubric).

Currently, there are several ongoing geopolitical crises that can quickly deteriorate into both cyber and kinetic conflict. Whenever cyber-attacks are used as a form of punishment, there is the inherent chance that the attack escapes into the wild or causes effects not originally intended. One needs to look no further than the 2017 NotPetya ransomware attack executed by Russian intelligence officers that initially targeted Ukraine but quickly spread to targets in 65 countries including Russian satellites. Some of the more prominent “hot spots” include but are not limited to the ongoing border dispute behind China and India; the China-Taiwan issue of the breakaway province’s sovereignty; the Russia-Ukraine border conflict; and the enduring hostilities between Iran and Israel. In addition to the kinetic and military courses of action that can ensue from escalating tensions, each of these actors possesses offensive cyber capabilities and has access to non-state sympathizers that could be used in a proxy engagement against one another.

Cyber-attacks are not surgical, no matter how much their orchestrators try to tailor them to limit their effects against the intended target. The Stuxnet attack against Iran’s centrifuges is a prime example of this. The malware’s authors wrote it to target a specific make of programmable logic controllers (PLC). Only after the malware identified that the PLC was the correct make did it alter its programming. Nevertheless, despite being air-gapped and despite its highly targeted nature, the malware escaped into the wild, infecting systems in 115 countries. If this happened to two of the most sophisticated countries that created Stuxnet, it’s easy to see how this could happen to far less advanced cyber actors.

Stuxnet occurred in 2010. Nearly 12 years later more state actors, including those considered to be “lesser capable” have either developed indigenous capabilities to conduct offensive cyber activities, or can easily purchase them from private sector companies like NSO and the now-defunct Hacking Team. Dark web markets offer hacking-as-a-service business models for anyone able to pay the prices. As evidenced by the recent NSO scandal, these capabilities can be abused and quickly get out of hand leading toward serious consequences.

States are not seeing a reason to curb their activities. Economic sanctions and legal indictments are not deterring cyber bad behavior, enabling states to continue to conduct bolder activities whether it be via soft power channels like influence operations or more stealthy actions designed to impact power grids. What’s clear is that 2022 is setting up to be a year where state cyber operations will continue, with governments’ content to provide a token denial of their involvement. Depending on their outcomes, geographic hot spot areas will likely signal the next evolution of state use of offensive cyber operations, which could potentially set a new normal. If this happens, expect the aperture for unchecked cyber malfeasance to further widen and the hopes for cyber norms to be that much harder to achieve.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for businesses and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

About Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.