A new report today from Forescout Technologies Inc. finds that the U.S. remained the primary target for threat actors amid 164 countries targeted by malicious actors in 2023.

The Forescout Research Vedere Labs 2023 Global Threat Roundup Report found that the U.S. was targeted by 168 malicious actors in 2023, followed by the U.K. being targeted by 88, Germany 77, India 72 and Japan 66. The highest concentration of threat actors was from China with 155, followed by Russia with 88 and Iran with 45. The three countries collectively account for nearly half of all identified threat groups.

Operational technology was found to bear the brunt of persistent attacks, suggesting the strategic targeting of infrastructure integral to national security and public welfare. Targeted were the Modbus communication protocol for industrial devices, accounting for a third of attacks, followed by Ethernet/IP, Step7, DNP3 — each at about 18% — and IEC10X, with 10% of attacks. Most attacks target protocols used in industrial automation and the power sector.

When it comes to malware used in such attacks, the Agent Tesla Remote Access Trojan topped the list with a 16% share of observed malicious activity. Among command-and-control servers, Cobalt Strike was the undisputed leader, commanding a substantial 46% share. Most servers were in the U.S., constituting 40% of the global landscape, with China and Russia following at 10% and 8%, respectively.

Web applications were the most attacked service type in 2023, followed by remote management protocols. The report notes that remote management services were often targeted with specific usernames linked to internet of things devices, whereas web applications were often targeted with vulnerability exploits.

One particularly notable finding in the report was that attackers hang around longer, with a notable shift in post-exploitation tactics. Persistence tactics were found to have increased by 50%, up from 3% in 2022. That demonstrates that incidents are becoming harder to contain and eradicate after an initial breach and that threat actors intend to remain longer in vulnerable systems.

The report also emphasized the importance of three key pillars in cybersecurity: risk and exposure management, network security, and threat and detection response. Organizations are advised to start with comprehensive risk and exposure management by identifying every asset on the network and its security posture, then mitigating risks using a strategy that spans across information and operational technology and IoT environments.

For network security, the report recommends segmenting networks to isolate different types of devices and prevent lateral movement and data exfiltration. Lastly, in threat detection and response, the use of IoT- and OT-aware monitoring solutions and extended detection and response systems is recommended to detect and respond to malicious activities effectively. The overarching message is the critical need for a holistic, integrated approach to cybersecurity.

Image: DALL-E 3