On 3 November 2022, ENISA published its Threat Landscape 2022 report, which is the annual report of the EU Agency for Cybersecurity on the state of the cybersecurity threat landscape. This is the 10th edition of the ETL report and covers a reporting period from July 2021 to July 2022. The ETL report is an annual must-read for most cyber security professionals (at least) within the EU. The report might look long at first glance (~150 pages), but it is split into separate sections:
- Threat Actor Trends
- Ransomware
- Malware
- Social Engineering
- Threats Against Data
- Threats Against Availability
- Disinformation – Misinformation
- Supply Chain Attacks
- ATT&CK TTPs per Threat Category
- Indicative List of Incidents per Threat Category
- Analysis of the CVE Landscape
- Recommendations per Threat Category
On a personal level, I have this report very close to my heart as it was my first Cyber Threat Intelligence publication back in 2013, together with Louis Marinos. Almost ten years since the 1st edition of the ETL, quite a lot of things have changed in the cyber threat landscape as well as in this document. ETL is now regarded as a well-recognized and anticipated report on an annual basis. Moreover, based on the feedback by ETL’s stakeholders, the report’s content has evolved to serve the needs of a diverse set of stakeholders: operational audience, strategic audience, and decision-makers. Each of them can identify parts of this report that are relevant and (re)use them accordingly.
Another sign of what I call progress is the publication of the ENISA Threat Landscape Methodology, which aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. This report is a very good first step for ENISA and any CTI team tasked with delivering cyber threat landscapes. I firmly believe that any CTI team should have a similar document describing (at a high level) the process followed to produce CTI deliverables.
For the second consecutive year, I had the honor to be the author of the Threat Actor Trends part of the ETL report. The trends below have been identified for the following four categories of cybersecurity threat actors:
State-sponsored actor trends
- Increased exploitation of 0-day and other critical vulnerabilities
- Heightened risk for Operational Technology (OT) networks
- Destructive attacks as a prominent component of state actors’ operations
- Public attribution and legal actions continue
- State-backed threat actors increasingly focus on supply chain compromises
- Geopolitics continue to influence cyber operations
- Armies of cyber volunteers (?)
- Tech companies’ increasing defensive role in cyber operations during conflicts
- Increasing sophistication and scope of disinformation
Cybercrime actor trends
- Cybercriminals exhibit increasing capability and interest in supply chain attacks
- Widespread cloud adoption provides attack opportunities for cybercriminals
- Imposing cost on ransomware threat actors
- Cybercriminals continue to disrupt the industrial sector
- Continuous ‘retirements’ and rebranding to avoid law enforcement and sanctions
- Russia-Ukraine conflict impacted the cybercrime ecosystem
- Cybercriminals love CVEs
- Data exfiltration and extortion without the use of ransomware
- The cybercrime ecosystem is still thriving and further evolving
Hacker-for-hire actor trends
- The Access-as-a-Service market continues to enable state actors
- The Pegasus case triggered media coverage and governmental actions
- Surveillance and targeting of civil society
Hacktivists’ trends
- A new wave of hacktivism
As CTI professionals, ENISA’s ETL team and I would appreciate any feedback that you might have! I hope you enjoy the report and find it helpful. Finally, I would like to thank ENISA’s ETL team for the opportunity they gave me, as well as all the contributors to this report for their hard work.