France’s National Cybersecurity Agency (ANSSI) observed a significant rise in cyber espionage campaigns targeting strategic organizations in 2023.
These operations are increasingly focused on individuals and non-governmental structures that create, host or transmit sensitive data, ANSSI observed in its 2023 Cyber Threat Landscape report, published on February 27, 2024.
Besides public administration, the primary targets of cyber espionage activity included organizations associated with the French government, such as technology and defense contractors, research institutes and think tanks.
Overall, cyber espionage remained the top cyber threat ANSSI’s teams dealt with in 2023.
ANSSI has also noted an increase in attacks against business and personal mobile phones aimed at targeted individuals.
There has also been an upsurge in attacks that have used methods publicly associated with the Russian government.
“These attacks are not limited to mainland French territory: in 2023, ANSSI dealt with the compromise of an IT network located in a French overseas territory using an attack modus operandi publicly associated with China,” reads the report.
30% Rise in Ransomware
Meanwhile, financially motivated attacks were also on the rise, with an observed 30% increase in ransomware attacks compared to 2022.
Small and medium enterprises (SMEs) and mid-sized businesses were the most targeted organizations, representing 34% of all cyber-attacks observed by ANSSI in 2023. Local administration came second, suffering 24% of all attacks in 2023.
In total in 2023, ANSSI recorded 3703 cyber events, 1112 of which were labeled as cyber incidents. In 2022, it recorded 3018 cyber events, including 832 cyber incidents.
The latest version of the LockBit ransomware, LockBit 3.0 (aka LockBit Black), was the most used malware in financially motivated cyber-attacks in 2023, taking over previous ransomware versions from the same threat group that dominated the ransomware landscape in 2022.
Read more: LockBit Takedown – What You Need to Know about Operation Cronos
Software Supply Chain Vulnerabilities Rule Supreme
Overall, 2023 has seen significant changes in the structure and methods of attackers. They are perfecting their techniques in order to avoid being detected, tracked, or even identified.
“Despite efforts to improve security in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting 'zero-day' vulnerabilities remains a prime entry point for attackers, who all too often still take advantage of poor administration practices, delays in applying patches and the absence of encryption mechanisms,” reads the report, translated from French to English by Infosecurity.
The top five vulnerabilities exploited by threat actors to compromise French organizations’ IT systems in 2023 include flaws in VMWare, Cisco, Citrix, Atlassian and Progress Software products.
These include the Citrix Bleed and the MOVEit vulnerabilities.
Read more: MOVEit Exploitation Fallout Drives Record Ransomware Attacks
Pre-Positioning Activities on ANSSI’s Radar for 2024
Finally, in a tense geopolitical context, ANSSI noted new destabilization operations aimed mainly at promoting a political discourse, hindering access to online content or damaging an organization's image.
“While distributed denial of service (DDoS) attacks by pro-Russian hacktivists, often with limited impact, were the most common, pre-positioning activities targeting several critical infrastructures in Europe, North America and Asia were also detected.
“These more discreet activities may nevertheless be aimed at larger-scale operations carried out by state actors waiting for the right moment to act,” the report explained.
Vincent Strubel, ANSSI’s director general, commented: "While financially motivated attacks and destabilization operations saw a clear upturn in 2023, it was once again the less noisy threat, which remains the most worrying, that of strategic and industrial espionage and pre-positioning for sabotage purposes, which mobilised the ANSSI teams the most.”
These geopolitically driven threats will particularly be on ANSSI’s radar in 2024, as Paris is prepares to host the 2024 Olympic and Paralympic Games.
ANSSI’s report relies on a variety of resources. Those include:
- Cyber events detected by the agency (23% of all cyber events observed)
- Cyber events collected from open source data (21%)
- Cyber events reported by ANSSI’s national partners (18%)
- Cyber events that have been reported by victim organizations to the agency (10%)
- Cyber events that have been reported by victim individuals to the agency (10%)
- Cyber events reported by ANSSI’s international partners (5%)
