Fast-evolving cyber threats to critical national infrastructure, along with new regulations, should spark a rethink among senior decision makers, says Martin Riley of Bridewell
Three evolving cyber threats pose significant new levels of risk to critical national infrastructure (CNI) across Europe, each with distinct challenges. An incursion from any one of them could trigger a variety of outcomes, from extensive power outages to disruptions in transport and communication systems.
After a year of detailed observation at Bridewell’s Security Operations Centre (SOC), a clearer understanding of these cyber threats has been developed. Bridewell’s ‘2024 CyberScape Briefing’ emphasised three primary areas of concern for CNI, providing crucial insights for developing proactive defences. Given the potential for damage and disruption they pose, it is crucial that CNI operators take the initiative to protect their assets against them.
Cobalt Strike within C2 frameworks
One of the most prominent of these threats is the Cobalt Strike framework. It is a potent tool, initially built for legitimate penetration testing, that is now frequently exploited by criminals to establish command and control (C2) over infiltrated networks.
A C2 framework refers to the tools and infrastructure that criminals use for these purposes, giving them remote control of compromised hosts and the ability to evade detection and survive reboots. The Cobalt Strike framework enables cyber criminals to puncture defences and enter systems to collect credentials and extract sensitive information. Our CyberScape report identified that it accounted for 22% of the global threat activity Bridewell has been discreetly monitoring, a figure mirrored in the percentage of its clients affected over the past year.
In 2023, there was a notable 27% surge in Cobalt Strike incidents. Further analysis of the origins of these attacks revealed that more than a third (37%) were traced back to China. There are also links between Cobalt Strike incidents and a new Qakbot malware campaign known as SODA, and Black Basta ransomware, both of which pose a serious risk to any CNI organisation. Qakbot collects information and transmits it to a C2 server, which in turn facilitates the intrusion of Cobalt Strike.
As we move further into 2024, CNI entities must remain vigilant against Cobalt Strike, but it is not the only evolving cyber risk.
Sharp teeth of information stealers
Similar to their cunning animal namesakes, Raccoon Stealer malware variants are the opportunist thieves of the cyber world. They have proved highly skilled at pilfering data and were used extensively around the globe in 2023. Their deployment enables criminals to harvest sensitive information such as credit card details, passwords, browser cookies, and autofill data. However, as the year progressed, Raccoon Stealer usage saw a 42% decline among threat actors.
In its place, Ficker Stealer and WhiteSnake Stealer rose to prominence in the last quarter of 2023, offering cyber criminals capabilities akin to those of Raccoon Stealer. Insights from a managed detection and response (MDR) service disclosed that 38% of its clients experienced attempts by information stealers, which underlines the ongoing and future threat posed by these types of malware.
Fake updates
The third evolving threat is the criminals’ shift in focus from phishing and malspam campaigns to search engine optimisation (SEO) poisoning, which includes fake update campaigns. These schemes involve clever tactics by malicious actors to convince users they are downloading legitimate updates, when in fact they are installing harmful code onto the user’s device. Once the device is compromised, criminals can access systems, services, and information.
Monitoring by Bridewell reveals that up to a third (33%) of organisations have been affected by these deceptive update campaigns. SocGholish is the most prevalent malware used in such attacks. It operates as a malware distribution network and represents a significant threat due to the speed with which it escalates an attack from gaining initial access to ransomware deployment.
Tackling the subversion of legitimate cyber tools
The insights extracted by Bridewell reveal a growing trend where the distinction between legitimate tools and malicious usage is increasingly blurred. Cyber criminals are adapting commercial solutions for nefarious purposes, making it crucial for CNI organisations to take action so they stay ahead. To counter these threats, organisations must develop robust threat intelligence strategies, allowing them to create incident response plans tailored to their specific risk profiles. This approach will enable CNI entities to collaborate and tackle evolving threats effectively.
Additionally, achieving comprehensive visibility over their assets is vital. Employing threat-informed managed detection and response (MDR) and extended detection and response (XDR) services will empower CNI organisations to detect, mitigate, contain, and remediate threats throughout their entire technology ecosystem, ensuring no vulnerabilities are left unaddressed.
New threats have triggered new regulation
These capabilities have become all the more urgent because regulators have increased their requirements significantly to match the scale of threats CNI organisations face. In Europe, the EU’s NIS Directive and now NIS2 should be stimulating action in the sector and among the businesses that are its partners and suppliers. The UK also has its own version of these regulations in the pipeline.
The new regulation covers a much broader definition of CNI organisations and includes financial market infrastructure, banking and the aerospace sector, as well as elements of digital services and manufacturing.
NIS2 introduces the concept of liability for senior management. Member states can hold management bodies liable in the event of infringement against the directive. Management must also undergo a degree of cyber training so they can make properly informed risk decisions.
In terms of reporting requirements, NIS2 introduces the concept of early warning reports within 24 hours of an incident. The definition of incidents is expanded to include events that might fall just below the tier of actually causing downtime but coming close to doing so. CNI organisations might like to note that member states will also have the option of imposing a minimum financial penalty of €10m or 2% of global turnover.
Navigating the shifting sands of compliance
To ensure compliance, most organisations will need to invest in continuous vulnerability assessments to provide a detailed picture of their attack surface. Penetration testing methods and continual training can help employees understand how to identify and respond to suspicious activity. This should be delivered on a regular basis and updated to reflect how threats change.
Engaging with managed detection and response (MDR) and extended detection and response (XDR) services can enable organisations to remain compliant and monitor for threats. These solutions are specifically designed to detect, mitigate, contain and remediate threats across a company’s entire estate.
As industry experts highlight the rapid evolution of cyber threats and the increasing complexity in the CNI sector, action is required. It is vital for CNI organisations to maintain vigilance and implement holistic cyber security strategies. This should be a critical focus for organisations so they can successfully avoid a devastating breach in 2024 and maintain compliance with fast-evolving regulation.
About the author
Martin Riley is Director of Managed Security Services at Bridewell.