Front Page: NCSC-FI

The National Cyber Security Centre Finland’s weekly review – 52/2022

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 23–29 December 2022). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.


Topics covered in this week’s review

  • Be mindful of the cyber risks associated with the life cycle management of subscriptions
  • A brief look back at 2022 as the year nears its end
  • Happy New Year!

Be mindful of the cyber risks associated with the life cycle management of subscriptions

As we get ready to usher in a new, better year, now is a good time to check the validity of your subscriptions, registrations and licences. Letting a domain name registration or software licence expire can lead to all kinds of trouble, so you should make sure not to be caught by surprise.

Terminating services in a controlled manner and the related risk analysis are also parts of life cycle management. As regards domain names, for example, you should consider what might happen if a domain name under your control were to expire and end up being picked up by someone else: could it be used for scams targeting your own organisation or cooperation partners, or are there user accounts tied to associated email addresses?
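The check described above can be run over a whole domain inventory. The following is an added example, not part of the NCSC-FI review: it reads expiry dates from RDAP-style JSON records (the `events` layout of RFC 9083) and ranks domains by status and by the two risk questions raised in the text. The records, the `.example` domain names, the inventory fields `mail_accounts` and `partner_facing`, and the 60-day warning threshold are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed RDAP-style records (RFC 9083 "events") and a hypothetical inventory; not real data.
RECORDS = [
    {"ldhName": "corp.example", "events": [
        {"eventAction": "expiration", "eventDate": "2023-01-15T00:00:00Z"}]},
    {"ldhName": "campaign.example", "events": [
        {"eventAction": "expiration", "eventDate": "2023-06-30T00:00:00Z"}]},
    {"ldhName": "promo.example", "events": [
        {"eventAction": "expiration", "eventDate": "2022-12-01T00:00:00Z"}]},
    {"ldhName": "legacy.example", "events": []},  # registry returned no expiry
]
INVENTORY = {
    "corp.example": {"mail_accounts": True, "partner_facing": True},
    "promo.example": {"mail_accounts": False, "partner_facing": True},
    "legacy.example": {"mail_accounts": True, "partner_facing": False},
}
ORDER = {"EXPIRED": 0, "UNKNOWN": 1, "RENEW_SOON": 2, "OK": 3}

def expiry_of(record):
    """Return the expiration time of an RDAP record, or None if it has none."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def review(records, inventory, today, warn_days=60):
    """Classify each domain and attach the takeover risks noted in the inventory."""
    findings = []
    for record in records:
        name = record["ldhName"].lower()
        expires = expiry_of(record)
        days = None if expires is None else (expires - today).days
        if days is None:
            status = "UNKNOWN"      # confirm the date with the registrar
        elif days < 0:
            status = "EXPIRED"
        else:
            status = "RENEW_SOON" if days <= warn_days else "OK"
        notes = inventory.get(name, {})
        risks = [text for key, text in (
            ("mail_accounts", "user accounts tied to email addresses on this domain"),
            ("partner_facing", "usable for scams against the organisation or partners"),
        ) if notes.get(key)]
        findings.append({"domain": name, "status": status, "days_left": days, "risks": risks})
    return sorted(findings, key=lambda f: (ORDER[f["status"]], -len(f["risks"])))

if __name__ == "__main__":
    for finding in review(RECORDS, INVENTORY, datetime(2022, 12, 29, tzinfo=timezone.utc)):
        print(finding)
```

A domain with no expiry data is ranked just below expired ones, because a missing date is a gap in the inventory rather than evidence that the registration is safe.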

A brief look back at 2022 as the year nears its end

As regards cyber security, 2022 differed from its predecessor 2021 in many ways. The year 2021 is remembered particularly for numerous vulnerabilities that had global impacts, some of which we also published alerts about. It was also the year that mobile malware, such as FluBot, broke through into the mainstream of cyber security. This year, we have also published some vulnerability notices, though the total number of notices published was approximately half of the number of notices published the previous year. In addition to notices, we also typically publish 1–3 alerts a year, though this year we only published a single alert, which concerned FluBot. In 2021, the number of alerts published was five, which was significantly higher than the average.

“Looking at the number of alerts, the year appears to have been quite calm, but this is only half true. In reality, the past year was neither quiet nor calm, even though the number of vulnerabilities and alerts published decreased. On the contrary, cyberattacks have only increased across the globe this year,” says Senior Specialist Juha Tretjakov from the NCSC-FI.

As part of its invasion of Ukraine, Russia also carried out a large number of cyberattacks against Ukraine, which were expected to spread to elsewhere in Europe as well. However, the spring did not bring with it any widespread cyberattacks, with the situation remaining calm in Finland. After the relatively calm spring, the number of cyberattacks in Finland increased throughout the year. According to reports submitted to the NCSC-FI, the numbers of malware, phishing and denial-of-service attacks on Finnish organisations increased, in particular.

The number of denial-of-service attacks increased significantly in Finland during 2022

Early in the year, the NCSC-FI received numerous reports of denial-of-service attacks. This prompted the NCSC-FI to compare its situational picture with those of Finnish telecommunications operators in order to establish an overview of the situation, revealing that the number of denial-of-service attacks had not actually increased, but people’s willingness to report them had, leading to more reports. However, towards the end of the year the situation changed, with the actual number of denial-of-service attacks targeting Finnish websites and services also increasing.

The year’s statistics show clear spikes in the number of attacks in the spring, the autumn and the end of the year. The most active months of the year in terms of denial-of-service attacks were October, November and December. Attacks were carried out on several different websites and services, particularly in the central government, social welfare and healthcare services, financial, transport and logistics and media sectors.

The new rise of hacktivism

Hacktivist groups are one of the types of groups behind denial-of-service attacks, and they have been one of the year’s most notable phenomena. While various hacktivist groups have been active in the past as well, this year marked a considerable increase in their activity and saw the emergence of new kinds of groups, with pro-Russia hacktivists, in particular, claiming responsibility for many cyberattacks. These types of groups usually consist of volunteers and are organised on social media channels, such as Telegram. These channels, and occasionally Twitter, are also where different hacktivist groups claim responsibility for attacks. The single most visible pro-Russia hacktivist group in 2022 has been Killnet, which also seems to serve as an ‘umbrella group’ of sorts for other hacktivist groups.

Originally a criminal organisation that sold denial-of-service attacks, Killnet has become more focused on hacktivism since the Russian invasion of Ukraine. Initially targeting Ukrainian organisations, the group has since expanded its range of targets to countries that support Ukraine as well, such as the European Union and its member states.

Killnet is also connected to a number of other criminal operators and groups. On its own communications channels, the Killnet group will also often encourage other groups to act, thus exercising some degree of control over the activities of other groups as well. These groups may not always have clear hierarchies or chains of command, as their operations are based on the activity of volunteers. The partial interlinking of the groups and their tenuous chains of command are reflected in how chaotic their operations are and how excessively even small successes are celebrated.

Reports of ransomware have increased

During the year, an increasing number of Finnish organisations fell victim to ransomware and also reported ransomware attacks to the authorities. The parties that spread ransomware do not focus solely on large organisations, which means that organisations of all sizes can be hit by ransomware attacks, which has been the case in Finland as well. Criminals have found ransomware an effective way to benefit financially, because organisations unprepared for the threat are easy targets. Paying the ransom to resolve the situation is not the right solution, however. Payment does not necessarily guarantee that the data will be restored or even prevent the blackmail or other attacks from continuing. The attacker’s objective may also be simply to destroy the data, which means that the blackmail is just a smokescreen. In that case, the data cannot be restored even by paying the ransom. A ransomware attack can also lead to the attacked organisation’s data being leaked.

This year, the Information Security Trailblazer award given out by the Finnish Transport and Communications Agency Traficom was awarded to the Finnish News Agency STT. In the award rationale, STT was praised for the open communication that the agency engaged in when it suffered a ransomware attack in summer 2022.

Happy New Year!

It is time to put the year 2022 behind us and look forward to a new, altogether better year in 2023. The turn of the year also means turning a new page in the cyber security calendar, in relation to which it is worth remembering that everyone can contribute to our shared cyber security. If you notice an information security breach during or after the holidays, be sure to notify us.

Have a peaceful Christmas!

With the year nearing its end, now is a good time to rest and look back on the past year. That being said, the NCSC-FI will be staying vigilant over the holidays as well, making sure that everyone in Finland can enjoy a peaceful Christmas. If you notice an information security breach during or after the holidays, be sure to notify us.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.