Keypoints
- Information operations (IO) will increasingly be backed by coordinated cyberattacks targeting public opinion around major events and conflicts.
- Hacktivist groups are likely to act as extensions or proxies for state-sponsored campaigns, blurring attribution and complicating retaliation.
- Destructive malware and worm-style propagation via remotely exploitable vulnerabilities remain a major risk, including potential large-scale smartphone impacts.
- Off-radar and poorly managed devices (SOHO routers, firewalls, appliances) are attractive long-term proxy infrastructure for advanced actors.
- Traditional electronic warfare tactics such as jamming and drone hijacking are resurging as complementary attack vectors to cyber operations.
- Open-source AI models and integrations introduce new attack surfaces (e.g., prompt injection) that can be abused to leak data or alter system behavior.
- Cybersecurity firms and researchers are increasingly targeted for exposing operations, prompting retaliatory cyber, legal, or IO measures against defenders.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Remote vulnerabilities are highlighted as enablers for destructive outbreaks and large-scale compromise: ‘the emergence of an advanced, remotely exploitable vulnerability…could be harnessed by malicious actors to disseminate destructive payloads on smartphones globally.’
- [T1485] Data Destruction – Use of destructive malware as non-kinetic weapons in conflicts: ‘destructive malware…increasingly employed as non-kinetic weapons in conflicts.’
- [T1498] Network Denial of Service – Jamming and electronic warfare tactics to disrupt communications and drone control: ‘traditional electronic warfare (EW) techniques like jamming to become more widespread.’
- [T1090] Proxy – Compromise and reuse of SOHO devices as deniable proxying infrastructure and stealth footholds: ‘SOHO devices…are already compromised and leveraged as a proxying infrastructure by advanced threat actors.’
Indicators of Compromise
- [Malware names] referenced as historical and present threats – WannaCry, NotPetya (used as examples of worm-like destructive outbreaks).
- [Threat actor / groups] named in context of IO and attacks – Ghostwriter, Killnet, NOBELIUM, Anonymous Sudan (examples of actors tied to influence operations or attacks).
- [Exploit leaks / vendor tools] referenced as enabling large-scale reuse – Shadow Brokers, NSO Group (cited as sources/examples of advanced exploitation capabilities).
- [Affected systems / device classes] targeted infrastructure – KA-SAT (satellite communications attack), SOHO devices and routers (compromised for proxying and stealth access).
Technical summary (procedural focus):
Adversaries will increasingly combine information operations with kinetic-style cyber tactics: scanning for and exploiting remote, public-facing vulnerabilities (e.g., unpatched services on phones, routers, or internet-facing servers) to deploy destructive payloads or self-propagating worms. Historical leak events and exploit disclosures (Shadow Brokers, published NSO-related details) serve as precedents for how state or state-leaked tooling can be repurposed to create rapid, widespread compromise; defenders should prioritize patching exposed services and monitoring for indicators of exploitation on public-facing endpoints.
Operational tradecraft will favor stealthy, long-lived infrastructure established through compromised off-the-shelf devices: SOHO routers, firewalls and appliances are attractive for persistent proxying and lateral access because they are often unmonitored and poorly patched. Detection and mitigation should include network-based profiling of such devices (baseline behavior, unexpected outbound connections, proxying patterns), hardening default credentials and firmware management, and segmentation to limit their use as covert staging or pivot points.
New and resurging vectors will broaden the attack surface: prompt-injection and other AI-model attacks can be used to exfiltrate data or manipulate automated workflows, while electronic warfare techniques (jamming, drone control interference) can be paired with cyber operations to disrupt communications and recovery. Prepare by implementing adversarial-aware testing for AI integrations (input validation, isolation of model access to sensitive data), anomaly detection for communications disruptions, and redundancy for critical links (satcom, comms) to reduce single points of failure.
Read more: https://harfanglab.io/en/insidethelab/2024-cyber-threatscape-predictions/