Financial gain, espionage and destabilization

With an overall level that remains high, ANSSI notes that this threat is affecting fewer and fewer regulated operators and is shifting to less well-protected entities. If the number of ransomware attacks reported to the ANSSI has decreased, the threat of computer espionage remains significant, having again strongly mobilized the agency's teams. After a lull in the first half of the year, the cybercriminal threat, and more specifically the threat of ransomware, increased again at the end of 2022, remaining at a high level. This cybercriminal threat particularly affects VSEs, SMEs and ETIs (40% of ransomware processed or reported to ANSSI in 2022), local authorities (23%) and public health institutions (10%). More stealthy than before, cryptomining, which generates significant funds that are reinvested by malicious actors to acquire new capabilities, should also not be overlooked.

Increase in destabilization actions in Europe

As in the previous year, the threat of computer espionage was the one that most mobilized ANSSI's teams. Nearly half of the agency's cyber defense operations in 2022 involved operating modes associated with open source China. Repeatedly, these intrusions demonstrate a sustained desire to break into the networks of strategic French entities. The Russian invasion of Ukraine has generated a favorable context for increased destabilization actions in Europe. ANSSI has observed distributed denial of service attacks, computer sabotage attacks as well as informational operations relying on information system compromises. While sabotage attacks have so far been relatively limited to Ukraine, the evolution of the conflict and its economic consequences call for particular vigilance, especially in the energy sector.

Persistent weaknesses that are constantly exploited

Uncontrolled digital uses and weaknesses in data security continue to offer too many opportunities to attackers. The use of the cloud and the outsourcing of services to digital services companies, when not accompanied by appropriate cybersecurity clauses, pose a serious threat. While the number of attacks targeting the supply chain or supply chain in 2022 has declined somewhat, this trend remains strong and underscores a systemic risk. Finally, patches on discovered vulnerabilities are not sufficiently applied in time by organizations, leaving the field open for attackers to exploit them.

Ever more capable attackers

As already observed earlier, different attacker profiles continue to use similar tools and techniques. This porosity makes it more complex to characterize and attribute malicious activity. State-sponsored attackers are taking inspiration from cybercriminal methods and increasingly using ransomware for destabilization purposes as part of computer sabotage operations. The attackers' targeting is evolving, now seeking to gain discreet and persistent access to their victims' networks with the compromise of peripheral equipment (firewalls or routers). This peripheral targeting is also reflected in the type of entities compromised and confirms attackers' interest in service providers, suppliers, subcontractors, umbrella organizations and the broader ecosystem of their targets.