Cybersecurity is dynamic, ever changing and unpredictable. This past year contained significant surprises. Who would have thought the largest data breach incident of 2024 would involve no malware or vulnerability exploitation?
Subject matter experts often make inaccurate predictions. Rather than try to predict the future, here are insights into what 2025 may hold based on Intel 471’s historical analyses of trends and intelligence collection.
Artificial intelligence (AI) will enhance, scale attacks.
In 2024, the AI naysayers became almost as loud as its proponents, with questions regarding how much large language models (LLMs) can improve, questionable scraping of training material and why LLMs aren’t great at math. But AI shows strong capabilities with narrow-focused tasks, such as search, chatbots, image and text generation and simple coding tasks. Cybercriminals and nation-state actors have shown interest in applying LLMs to some of the mundane tasks they’re faced with when trying to breach organizations. Microsoft and OpenAI disabled accounts used by Russian, Iranian, Chinese and North Korean threat actors. Those actors were using OpenAI’s services for productivity-enhancing tasks, such as researching companies, finding cybersecurity tools, debugging code, writing basic scripts, creating content for phishing campaigns and translation.
Predicting AI’s course over the next year would be foolish, as this is a field that has surprised machine learning (ML) and AI experts with years of middling progress, which has been punctuated with sudden leaps in forward movement. AI is becoming cheaper and more accessible via open source models that allow more malicious actors to experiment. This has resulted in more customized AI tools being offered on forums. In short, the risks are already here.
While threat actors may not be writing exploits with AI (yet), productivity gains are worrisome in that it increases the scale and quality of attacks, whether it be through polished phishing, better selected targets or faster and more complete reconnaissance. Also, visibility into how nation-state adversaries are using LLMs will fall as countries develop their own LLMs. The status quo now — where natively developed LLMs aren’t as good as OpenAI — gives OpenAI and Microsoft an insightful window into threat actor activity. Actors have to enter prompts, and all of those prompts can be correlated and analyzed as to where they’re coming from, what they’re asking and their likely goals. It’s like looking over the shoulder of adversaries while they’re plotting. This position won’t last, however.
Malware distribution will bounce back.
One of the most significant law enforcement operations of 2024, Operation Endgame, targeted several types of “dropper” or “loader” malware — initial stage infections that can download other malware. The operation focused on IcedID, SystemBC, Pikabot, SmokeLoader and Bumblebee, which threat actors used to distribute other malicious code that could eventually lead to ransomware, data theft, or further illicit activity. The operation led to four arrests and the takedown of more than 100 servers worldwide. This action appeared immediately successful, with the targeted malware families dropping in circulation. These law enforcement operations impose costs on threat actors, as it takes time, effort and money for them to reconstitute malware distribution infrastructure.
Intel 471’s patented malware emulation and monitoring system showed a sharp drop between the second and third quarter in delivered payloads, or to put it another way, malware observed delivering other malware. This could be the result of the disruptions. Since the distribution of loader or dropper malware is critical for follow-on attacks, there is market demand for access to compromised machines. As such, Intel 471 has observed one targeted malware family, Bumblebee, rebound with a new version circulating in October 2024. The Bumblebee campaign yet again proves that dismantling a malware campaign’s infrastructure does not guarantee its permanent elimination. Despite exhibiting low activity and lacking significant sophistication or unique distribution methods, the observed changes in development indicate the actors are actively refining their malware. We would expect overall malware distribution to increase in 2025.
Rising geopolitical tension will influence cyber.
Geopolitical events and cybersecurity are becoming ever closer entwined. Offensive cyber actions are used by nations for espionage, intellectual property (IP) theft, pre-positioning in case of conflict and spreading misinformation. China poses one of the most formidable adversaries, as it has targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray has said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.” Russia, which continues a grinding war campaign in Ukraine, has long-running and highly effective advanced persistent threat (APT) groups that have continually demonstrated their expertise in infiltrating supply chains and compromising major software vendors.
The election of Trump for a second, non-consecutive term could change how the U.S. Department of Justice conducts cyber-related investigations. For at least a decade, the department has been aggressive in identifying, naming, sanctioning and indicting Russian, Chinese, Iranian and North Korean threat actors, both in the nation-state and financially motivated cybercrime spheres. A perceived weakening in how the U.S. approaches holding threat actors publicly accountable for their actions could open the door to more aggressive activity. However, cybersecurity has generally been one of the few non-partisan issues in an increasingly hostile U.S. political environment, so the department may be left to continue its solid work in holding threat actors accountable.
