The cyber attack report
Published March 14, 2023
Organizations around the world face an expanding cyber threat landscape. With at least 30,000 daily cyber incidents and a growing list of attack methods, protecting access to corporate networks has never been more critical.
At IS Decisions, we’ve analyzed the last eight years of open-source data to uncover how specific industries, like government and public administration, healthcare, education, and other small and medium businesses (SMBs) face cyber challenges every day. What cyber protections can help them guard their key systems?
We also explore which countries and industries are the primary targets of threat actors, where attacks originate from, and the methods and motivations behind the attacks.
Cyber incidents can occur anywhere in the world. But our investigation revealed that some countries are more likely than others to become a target for cybercrime.
United States of America: The most common targets for cybercriminals, US-based organizations suffered 49% of all attacks analyzed in our report. Almost two-thirds of those attacks had profit in mind, through methods such as ransomware attacks. Since 2020, eight of the 10 largest ransoms were paid by US-based companies.
United Kingdom: Around 6% of attacks analyzed were aimed at UK-based organizations. While financial gain was the most common motive (55%), the UK also suffered a slightly higher percentage of political espionage and protest attacks than the USA. With only one of the top 10 ransom payments coming from the UK, it suggests that attackers see US-based organizations as a more lucrative target.
Italy, France, and Germany: These three European Union (EU) member states faced 593 cyber attacks in total. With the General Data Protection Regulation (GDPR) imposing harsh penalties for a data breach, attackers may use GDPR as leverage to extort more money from European countries. Attackers could see EU-based data as a valuable target. Indeed, money is the primary motivation for attacks on organizations based in France, Italy, and Germany.
Russia and Ukraine: Geopolitical causes also made a huge impact. Between 2021 and 2022, as the Russia-Ukraine war began, cyber attacks against the two countries grew by 950% and 400%, respectively. Understandably, protest was the most common motive in Russia and sabotage was the most common motive in Ukraine. The data also shows a similar trend in 2017, when sabotage numbers grew globally by 400% compared to 2016. The vast majority of these attacks were also aimed at Ukraine using the Petya malware.
Overall, it’s clear that outside influences, like geopolitics, have a dramatic effect on which countries are primary targets in a given year. However, some countries, such as the USA and UK, consistently remain a favorite target for cybercriminals each year.
Within the dataset, 81% of cyber attacks came from an undetermined location. This points to many attackers using protective measures to cover their tracks.
The remaining 19% of attacks revealed their locations of origin. Almost half of the attacks from known locations came from Russian Federation-based cybercriminals. Specific attack methods highlight a similar trend, with 74% of all ransomware revenue in 2021 going to Russian-linked accounts. The second-most common origin was the USA (8%), followed by Saudi Arabia (5%), Iran (4%), and Azerbaijan (4%).
Some of the most common attacker origins, such as Russia and Iran, appear on the CISA nation-state cyber risk list. Attacks from these countries often intend to benefit the country of origin. How does this tie in with 81% of attackers hiding their locations? It could show that attacks originating in these nation-states are indeed more common than others, as the data shows. Or perhaps those attackers simply have less incentive to hide their locations.
Have threat actors’ motives changed over time? The data shows us some clear trends.
Attacks motivated by financial gain have increased year after year, from 147 in 2014 to over 1,000 annually since 2020. Similar surveys confirm this trend. A recent cybersecurity report found that US-based organizations have a larger attack surface than ever before. The rise in cyber attacks has also led to more innovation in preventative tools and, consequently, more patent applications, with the cybersecurity innovation industry seeing steady revenue growth, doubling from $83 billion in 2016 to $139 billion in 2021.
With ransomware becoming more common each year and hefty penalties for data breaches, the financial costs of unauthorized access have never been greater. IBM’s 2023 Data Breach Report found that the average cost of a data breach in 2022 was $4.45 million – a rise of 2.3% from 2022. With successful attacks worth vast amounts of money, it’s clear to see why financially motivated attacks increased in each year of the report.
Some countries saw dramatic changes in cyberattack numbers between 2021 and 2022. The Russia-Ukraine war, for example, led to increases of 950% and 400% in attacks against those countries.
China also saw a dramatic increase of 400%, but still experienced a relatively small number of reported attacks overall.
Italy and Germany were also targeted more in 2022, seeing increases of 122% and 86%, respectively. This is consistent with a general rise of attacks against EU nations, although it contrasts with France’s 71% decrease in attack numbers. This could signal that the French government’s 2021 cybersecurity strategy has brought an increased awareness of cyber risks, with 54% of French organizations having been targeted that year.
New Zealand experienced 88% fewer attacks in 2022 compared with 2021, although the government breaches it did suffer in December 2022 made global headlines. Attacks against Turkey dropped by 83%, in part thanks to locally developed applications against cyber attacks.
Among the data, we can see some interesting country-specific industry trends:
New Zealand’s agricultural industry is over 12 times more likely than average to suffer a cyberattack. Many agricultural organizations in New Zealand began increasing their cybersecurity defenses following the 2021 JBS attack that affected the entire food production industry. This is in line with a 2020 announcement from a Russian-based criminal group that they were going to specifically target the agricultural industry. Because a great deal of agricultural businesses are interdependent, even just a minor attack can have a catastrophic knock-on effect, felt across every step of the supply chain, which is one reason why such businesses make for attractive targets. With around 50,000 farms in New Zealand, there are plenty of potential targets for criminals.
The Management of Companies and Enterprises sector is also a common target in many countries, such as the Netherlands, Japan, and India. Organizations in this industry often hold funds or data on behalf of others, making them an appealing target for cybercriminals.
The construction industry is regularly targeted in many countries, like the UK, Germany, and Spain. A relatively poor rate of cybersecurity adoption in construction led to the UK government releasing cybersecurity guidance specific to the industry.
Healthcare in the US has become 1.62 times more likely than average to be targeted. We’ve seen attacks on US healthcare providers grow in recent years, with sensitive patient data on the line.
There are also some interesting industry-specific trends:
Government and public administration: Almost 20% of all attacks target government bodies, non-profits, and other legal and political organizations. What are the motives? Attackers likely target the valuable, classified data held by those organizations — much of which could be of national security importance. This led to the US government implementing multi-factor authentication (MFA) requirements for all government agencies and contractors with access to national security systems.
Healthcare: The second-most commonly targeted industry is healthcare and social assistance, at 13%. Cybersecurity threats in healthcare range from disrupting critical services to stealing sensitive patient data, as seen when attackers gained access to NHS servers with stolen credentials.
The information sector: In third position is the information sector, including telecommunications, computing, publishing, broadcasting, and other media outlets. While the information sector brings potential financial gains, it also offers attackers the opportunity for knock-on supply chain disruption. Around 11% of all analyzed attacks targeted this sector, consistent with the rise in attacks against national infrastructure seen in recent years.
Education: Overall, 10% of attacks targeted schools, universities, and other educational institutions. Cyber attacks against schools might target valuable information and intellectual property. Many institutions also hold personal data, as well as having comparatively weak cybersecurity measures when compared to some other industries. These factors make education an attractive target for cybercriminals.
Professional services and insurance: Many organizations within these sectors deal with sensitive data or large amounts of money, making them an appealing cybercrime target. Many are also classed as small or medium businesses (SMBs). It’s common for SMBs to lack the expertise or budget to implement cybersecurity measures, making them up to three times more likely than others to suffer a cyber attack.
The exploitation of application servers is the most common method threat actors use overall, with 69% of attacks with an industrial-espionage motive employing this method to steal sensitive, classified, or valuable information from organizations.
Data attacks, such as manipulating, destroying or encrypting a victim’s data through various attack types, are also one of the most common methods threat actors use. This method was used in 34% of attacks with a sabotage motive and 35% of attacks with a financial motive.
External denial of service attacks, such as DDoS, were most commonly used to create disruption for sabotage and protest, or to support a military operation. Message manipulation, like hijacking and editing websites or social media accounts, was also commonly used for the same motives, along with personal attacks.
A massive 82% of data breaches across all industries involved human error to some extent. Threat actors can target system users in several ways. Phishing attacks, for example, which sometimes aim to steal passwords, sensitive data, and financial information, grew by 61% in 2022. Once an attacker has access to a device, network, or account, they can carry out many types of cyber attacks, including:
Stealing or encrypting sensitive data
Installing malware on corporate systems
Taking essential services offline
Gaining entry to other networks or organizations with their access.
With a growing cyber threat landscape, organizations should ensure that corporate systems are surrounded by multiple layers of protection, such as MFA.
Some industries are more likely than average to be targeted for specific motives. Cybercriminals, for example, often aim at the utilities and mining industries for reasons of sabotage. This is partly due to the technologization of operations, which presents criminals with new ways to gain access to an organization’s systems. Another key reason is that organizations within these industries are continuously generating highly valuable data. Any successful attack within these industries can also have a devastating effect, ranging from vast monetary losses to disruption of the power supply to homes. These are all highly desirable goals for cyber criminals.
Industrial espionage is also more common in many markets and is 6.7x more likely to be used in the manufacturing industry. In fact, 85% of cyber threats to the manufacturing industry are from phishing emails. Because the supply chain is so long and involves a large number of cross-communicating organizations, criminals have a greater number of opportunities to gain access to systems.
Financially motivated attacks are the most common cyber threat in our data, with construction and accommodation and food services being 1.6 times more likely than average to be the target.
There are many reasons why an organization could suffer a cyber attack. We have seen that financial gain is a major motive for cybercriminals (55% of all attacks), particularly from receiving ransoms or stealing sensitive data. Attackers might also see SMBs or specific industries with inadequate cybersecurity as easy targets, offering them a better chance for a successful attack.
The US leads the way as the country most targeted by criminals, with US organizations the focus of almost half (49%) of attacks. More than four out of every five (81%) attacks are from unknown locations and more than a quarter (27%) have an undetermined motive — this highlights that many attackers don’t necessarily need a reason to consider an organization a target.
However, more than half (55%) of attacks were backed by a financial motive, with these attacks being the most common in the healthcare and education industries. This showcases the high value of personal data in particular, and why it remains a popular target for criminals.
Geopolitics can have a huge impact on which organizations are targeted, and the geopolitical landscape changes almost daily. For this reason, every organization, regardless of country or industry, should consider itself a potential target and be particularly cautious around the time of political events.
Government and public administration, healthcare, and the information sector are the most commonly targeted sectors. But, while the motivations vary by target nation, industry, and origin, any organization is a potential target for cybercriminals. Whatever size or sector, it’s vital to have the proper defenses in place.
The best way to protect your organization is by preventing bad actors from gaining access to corporate systems. Two of the most effective techniques to help prevent unauthorized access are two-factor authentication and access management, each helping to reduce your exposure to cyber attacks.
Two-factor authentication solutions, such as UserLock, require users to enter two forms of identification before they can access valuable data. Should a user’s credentials fall into the wrong hands, the threat actor would face another layer of authentication — helping to protect your systems, data, and finances. Check out how UserLock can help protect all employee access to corporate networks, reducing the threat of cyber attacks to your organization.
Data on 9,937 attacks was sourced from the Center for International & Security Studies via the University of Maryland’s Cyber Events database on 14 Dec 2022. The database includes attacks from Jan 2014 to Sep 2022.
When looking at target countries and industries by motive, only those with more than 50 attacks in the dataset were included to ensure representativeness. Percentages may add up to more than 100% as attacks may have multiple motives. Attacks involving multiple countries are considered separate incidents for each country. Attacks with the motive ‘Espionage’ were regrouped to ‘Political Espionage’ or ‘Industrial Espionage’ depending on the target. Attacks where motive, country, and method were ‘undetermined’ have been omitted from the results.