Cyber Criminals Are Increasingly Exploiting Cloud Environments, Report Finds

A new CrowdStrike report found that hackers and digital adversaries are relying less on malware, and more on unpatched vulnerabilities and data weaponization.

Threat actors are increasingly targeting cloud services and moving beyond malware to conduct digital operations—with cyberespionage groups affiliated with the Chinese government accounting for a growing share of these overall attacks—according to an annual global threat report released on Tuesday by the cybersecurity company CrowdStrike.

The firm found that “the number of observed cloud exploitation cases grew by 95% year-over-year in 2022,” with threat actors “using a broad array of [tactics, techniques and procedures] (e.g., misconfigurations, credential theft, etc.) to compromise critical business data and applications in the cloud.”

“As cloud integration continues to increase across business environments, adversaries are adding the cloud to their targeting aperture to expand the impact of their attacks,” the report said, noting that this growth “indicates a larger trend of eCrime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments.”

Adam Meyers—senior vice president of intelligence at CrowdStrike—told Nextgov that the number of “cloud conscious threat actors tripled” from 2021 to 2022, which underscores the need for organizations and agencies to prioritize the security of their cloud services as adversaries increasingly move to exploit these environments. 

“It's really about making sure that things are deployed securely, because the cloud is very secure,” Meyers said. “But if you deploy it wrong, it's not. So it's about making sure that you have an eye on what you’ve rolled out, and then also making sure that you have continuous monitoring of that cloud environment, which we know is a constant struggle for organizations to get that visibility into their security operations and their security environment.” 

The increase in “cloud conscious” threat actors is part of a broader trend the report identified of adversaries revamping and reworking their attack methods to more easily exploit vulnerabilities and circumvent existing cybersecurity measures.

The report found that threat actors were moving away from the use of malware, with “malware-free activity accounting for 71% of all detections in 2022 (up from 62% in 2021).” CrowdStrike said that this was “partly related to adversaries’ prolific abuse of valid credentials to facilitate access and persistence in victim environments,” as well as “the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits.”

This included threat actors continuing to exploit the Log4Shell vulnerability—a software flaw in the Log4j open source logging library. The report said Log4Shell has “ushered in a new era of ‘vulnerability rediscovery,’ during which adversaries modify or reapply the same exploit to target other similarly vulnerable products.”

Given these shifting trends and attack vectors, hackers and other cyber criminals are moving through compromised systems and networks at a faster pace. The report noted that the average breakout time—“the time an adversary takes to move laterally, from an initially compromised host to another host within the victim environment”—also decreased “from 98 minutes in 2021 to 84 minutes in 2022,” as threat actors worked to more expeditiously access and pilfer data.

While U.S. officials and NATO countries have also expressed concerns about the scope of Russia’s cyber operations following its full-scale invasion of Ukraine last February—worries that were reinforced in an alert issued last week by the Cybersecurity and Infrastructure Security Agency ahead of the war’s one-year anniversary—CrowdStrike said that “the overall impact of Russia’s cyber operations within the context of the 2022 Ukraine invasion is unclear.”

“While Russia’s cyber capabilities have undoubtedly contributed to Russia’s military campaign, they have also demonstrated inherent wartime limitations,” the report said, adding that “in addition to the effects of significant assistance Ukraine received from the international community, Russia’s operational efficacy was also likely reduced due to Ukraine’s improved defensive capabilities since Russia’s invasion of Crimea in 2014.”

CrowdStrike found, however, that Beijing’s cyber operations are far eclipsing Russia’s international reach, with the report noting that “China state-nexus adversaries dominated the cyber threat landscape with a significant increase in espionage operation volume and target scope.”

The firm said these Chinese-affiliated adversaries were “the most active targeted intrusion groups,” with affiliated threat actors “observed targeting nearly all 39 global industry sectors and 20 geographic regions.”

“Throughout 2022, China-nexus adversaries primarily targeted organizations based in East Asia, Southeast Asia, Central Asia and South Asia that operated in the government, technology and telecommunications sectors,” the report said. “Intrusions in these regions accounted for roughly two-thirds of the China-nexus targeted intrusion activity CrowdStrike Intelligence confirmed in 2022.”