Mandiant’s 2023 Forecast – What Do You Need to Be Looking Out For? 

As the new year approaches, it is the perfect time to close off 2022 and look ahead. Based on the trends we are currently seeing, we can build a picture of what the new year could look like. Mandiant have presented their 2023 security forecast, and we have pulled out the key takeaways as we head into 2023.

Mandiant are market leaders recognised by enterprises, governments, and law enforcement agencies worldwide for their threat intelligence and expertise that drive dynamic security solutions. 

Threats evolve, attackers are constantly changing their tactics, techniques and procedures, and defenders must adapt and stay relentless in their approach if they want to keep up. The Forecast aims to help organisations frame the fight against cyber adversaries in 2023. 

More Attacks by Non-Organised Attackers and Non-Nation State Attackers 

In 2023 it is expected that we will see more intrusions conducted by non-organised attackers and non-nation state attackers. More of the threat actors will likely be younger and conducting intrusion operations not because they’re interested in making money specifically, or because governments have tasked them with doing it, but because they want to be able to brag to their friends or boast online that they’ve hacked into and brought embarrassment to prominent organisations. While they will be happy to achieve financial gain, that may not necessarily be their lead motivation. 

Europe May Surpass the United States as the Most Targeted Region for Ransomware 

Ransomware continues to have a significant impact on businesses across the globe. While reports show that the U.S. is the country most targeted by ransomware attacks worldwide, small indicators show that ransomware activity is decreasing in the United States and growing in other regions. In Europe, the number of victims is increasing, and if that increase continues, Europe will likely become the most targeted region in 2023.

More Extortion, Less Ransomware 

Historically, cyber criminals have used ransomware to monetise access into a victim’s network. Due to several high-profile and visible breaches last year, organisations see mitigating brand damage as a much more compelling reason to pay a ransom than regaining access to encrypted systems. Over the next year, we will continue to see criminals rely on extortion, but actual ransomware deployments may decline. Ransomware-as-a-service (RaaS) providers will modernise their software to focus on data exfiltration and “leak sites” for public shaming. 

Information Operations (IO) Will Rely More on Third Party Organisations for Plausible Deniability 

Historically, IO has been politically motivated and state sponsored, as we observed in the 2016 U.S. elections. Since then, we have observed more outsourcing of IO work by state actors. This could be a growing trend in 2023 as “hack-for-hire” engagements become more common. In 2019, OSINT researchers observed a pro-Indonesian IO social media campaign conducted by Jakarta-based media company InsightID. This campaign was aimed at distorting the truth about events in the restive Indonesian province of Papua. Coincidentally supporting this observation, Meta testified in mid-2021 about an increase in the hiring of marketing or public relations firms for IO campaigns—to lower the barrier of entry for some threat actors and obfuscate the identities of more sophisticated ones.

Enterprises Will Lean into Password-less Authentication 

Corporate credential theft continues to be one of the top ways cyber criminals gain access to victims. Furthermore, in 2022 there were several examples of attackers finding ways to circumvent multi-factor authentication technologies. Apple, Google, and Microsoft have committed to consumer-based password-less resources based on standards from the FIDO Alliance and the World Wide Web Consortium. The initial roll-out of these technologies will focus on consumer-grade password-less resources, but CISOs will demand that enterprise identity platforms expand password-less concepts to the enterprise market. 

Our advice: over the next year, look for enterprise-focused password-less solutions.

Identity First, Identity Lost 

Threat actors have shifted from gaining control of an endpoint to gaining access to a user’s credentials and account. A user’s identity within an organisation has become more critical than access to the user’s endpoint. Over the next year, we will see threat actors find new ways to steal identities from users using a combination of social engineering, commodity information stealers and information gathering from internal data sources post-compromise. They will combine stolen credentials with new techniques to bypass multifactor authentication (MFA) and abuse Identity and Access Management (IAM) systems. 

Cyber Insurance Will Be Harder to Obtain and Coverage May Be Restricted 

More enterprises have relied on cyber insurance to cover their cyber risks over the years as management has become more aware of cyber security risks. However, claims have also skyrocketed, forcing insurance firms to re-evaluate their risk appetite and scale back coverage accordingly. Many firms attempting to renew their cyber insurance—or fresh in the market for cyber insurance—may find difficulty obtaining the coverage they desire. 

Widespread Rise of Info stealers and Credential Harvesting 

Credential theft leads to impactful intrusions. Mandiant has consistently seen credentials used in intrusions that were available via info stealers such as REDLINESTEALER, VIDAR and RACCOONSTEALER. These stealers are widely available on the underground, and purchasing credentials is an inexpensive alternative to trying to phish them from victims. More reporting of initial access brokers in forums and elsewhere (where attackers sell access once they have successfully exploited an entry point), as well as the sale of credentials and cookies, means these will increasingly be used to gain access to organisations with lower cost, complexity, and time. 
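The two identity-centric forecasts above (credentials combined with MFA bypass and IAM abuse, and stolen credentials and cookies bought from stealers and access brokers) both come down to the same defensive question: how do you notice a legitimate credential or session being used by the wrong person? The following is an added example, not code from Mandiant or from the original post, showing two simple detections run over a handful of constructed sign-in events in an assumed JSON-lines format: a session cookie presented from a client fingerprint other than the one it was issued to (the signature of a replayed stolen cookie), and a run of denied MFA prompts followed by an approval (the signature of push-bombing a user who still has a valid password). Field names, thresholds and the sample events are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Each JSON line records
# who authenticated, the session cookie id issued or presented, and from where.
# "session" is null when MFA was denied, because no session was issued.
SAMPLE_EVENTS = """\
{"ts": "2023-01-10T08:00:00", "user": "alice", "event": "login",   "session": "s1", "ip": "203.0.113.10", "ua": "Chrome/108 Windows", "mfa": "approved"}
{"ts": "2023-01-10T08:05:00", "user": "alice", "event": "request", "session": "s1", "ip": "203.0.113.10", "ua": "Chrome/108 Windows", "mfa": "n/a"}
{"ts": "2023-01-10T09:30:00", "user": "alice", "event": "request", "session": "s1", "ip": "198.51.100.7", "ua": "Firefox/100 Linux",  "mfa": "n/a"}
{"ts": "2023-01-10T22:00:00", "user": "bob",   "event": "login",   "session": null, "ip": "192.0.2.44",   "ua": "Chrome/108 Windows", "mfa": "denied"}
{"ts": "2023-01-10T22:01:00", "user": "bob",   "event": "login",   "session": null, "ip": "192.0.2.44",   "ua": "Chrome/108 Windows", "mfa": "denied"}
{"ts": "2023-01-10T22:02:00", "user": "bob",   "event": "login",   "session": null, "ip": "192.0.2.44",   "ua": "Chrome/108 Windows", "mfa": "denied"}
{"ts": "2023-01-10T22:04:00", "user": "bob",   "event": "login",   "session": "s5", "ip": "192.0.2.44",   "ua": "Chrome/108 Windows", "mfa": "approved"}
{"ts": "2023-01-10T10:00:00", "user": "carol", "event": "login",   "session": "s6", "ip": "203.0.113.99", "ua": "Safari/16 macOS",    "mfa": "approved"}
{"ts": "2023-01-10T10:20:00", "user": "carol", "event": "request", "session": "s6", "ip": "203.0.113.99", "ua": "Safari/16 macOS",    "mfa": "n/a"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events):
    """Flag a session cookie presented from a client fingerprint (IP + user agent)
    other than the one it was issued to at an MFA-approved login. A cookie lifted
    by an info stealer and replayed elsewhere usually arrives from a different
    network and browser than the victim's."""
    issued_to = {}  # session id -> (user, fingerprint) recorded at login
    findings = []
    for ev in events:
        sid = ev.get("session")
        if sid is None:
            continue
        fingerprint = (ev["ip"], ev["ua"])
        if ev["event"] == "login" and ev["mfa"] == "approved":
            issued_to[sid] = (ev["user"], fingerprint)
        elif ev["event"] == "request" and sid in issued_to:
            user, origin = issued_to[sid]
            if fingerprint != origin:
                findings.append({"rule": "session_reuse", "user": user, "session": sid,
                                 "issued_from": origin, "seen_from": fingerprint,
                                 "ts": ev["ts"]})
    return findings


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a user who accumulates `threshold` or more denied MFA prompts within
    `window` and then approves one: the pattern left by an attacker who holds a
    valid password and keeps sending prompts until the user taps approve."""
    denied = defaultdict(list)  # user -> timestamps of recent denials
    findings = []
    for ev in events:
        if ev["event"] != "login":
            continue
        user = ev["user"]
        # Forget denials that fell outside the sliding window.
        denied[user] = [t for t in denied[user] if ev["ts"] - t <= window]
        if ev["mfa"] == "denied":
            denied[user].append(ev["ts"])
        elif ev["mfa"] == "approved" and len(denied[user]) >= threshold:
            findings.append({"rule": "mfa_fatigue", "user": user,
                             "denied_prompts": len(denied[user]),
                             "approved_at": ev["ts"]})
            denied[user].clear()
    return findings


def run(text=SAMPLE_EVENTS):
    """Run both detections over the sample and return the combined findings."""
    events = parse_events(text)
    return detect_session_reuse(events) + detect_mfa_fatigue(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed sample this raises two findings: alice's cookie `s1` reused from a different IP and browser, and bob approving a prompt after three denials in four minutes. In production the fingerprint would normally be something more stable than a raw IP (ASN, device id, TLS client profile), and the MFA-fatigue threshold would be tuned against your own prompt-denial baseline.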

When the Real World Meets the Virtual World 

We have already observed and encountered SMS attacks, email attacks and application redirection attacks. Now we see a new model coming—an approach that consists of deceiving victims in the real world. For example, in 2022 we observed a campaign in which victims received a receipt for the delivery of packages in their physical mailboxes. The receipt included a QR code directing them to an identity and credit card number theft site. In 2023, we expect to see more schemes like this, where the attacker uses everyday physical support to deceive their victims. Fake advertisements, fake USB keys, fake receipts—the possibilities for attackers are endless. Educating employees and the public is the best defence against these types of threats. 

Further Federal Emphasis on Protecting National Technical Infrastructure Against Malicious Activity 

In 2023 we expect to see the Biden Administration implement a consistent stream of policies following the 2021 Executive Order on Improving the Nation’s Cybersecurity and the 2022 National Security Memorandum. Although public and private sector collaboration has grown recently, deeper coordination between agencies and big tech organisations is required. We expect the government may implement more safeguarded checkpoints for organisations to reflect on how they have progressed in meeting regulatory requirements. As such opportunities are established, we can expect to see more knowledge-sharing between public and private organisations, heightening transparency and protection around the latest impactful threats. 

It is also thought that attackers will:

Read More Security Research to Learn Offensive and Defensive Tactics – Threat actors will continue to study the blogs and research of analysts in the security community. They will do this to learn offensive tactics and techniques, defensive strategies and how to exploit vulnerabilities. 

The Big 4

Russia Cyber and the Invasion of Ukraine 

Russia’s invasion of Ukraine created unprecedented circumstances for cyber threat activity. This likely is the first instance in which a major cyber power has conducted disruptive attacks, cyber espionage, and information operations concurrently with widespread, kinetic military operations. 

Mandiant anticipates future disruptive attacks in Ukraine and suggests that they are likely to be accompanied by concurrent information operations. We expect Russia’s willingness to use disruptive tactics, as well as false or co-opted hacktivist fronts—to claim credit for data leaks and data destruction—to increasingly expand outside of Ukraine and its immediate neighbours. 

Chinese Cyber Assertiveness 

Chinese cyber espionage poses a high-frequency and high-magnitude threat to organisations globally, both in the public and private sectors. Key drivers of Chinese cyber threat activity will include territorial integrity and internal stability, regional hegemony, and expanding global political and economic influence. Cyber espionage and information operations activity in support of China’s national security and economic interests will continue to escalate.

In 2022, a pro-People’s Republic of China (PRC) information operations campaign directly targeted commercial entities in an industry of strategic significance to Beijing. We consider this broader targeting of private sector entities to be notable, and we may see global competitors to Chinese firms in other industries targeted by such information operations. 

Iranian Escalation 

Mandiant expects that Iranian cyber espionage groups will continue to conduct widespread intelligence collection activity, particularly against government and Middle Eastern targets, as well as telecommunications, transportation, and other entities. We anticipate Iranian threat actors’ continued willingness to use disruptive and destructive cyber-attacks to remain elevated, absent a significant change to Iran’s current international isolation. 

North Korea Desires Revenue and Intelligence
We assess with high confidence that North Korea will continue to pursue operations that support the regime with both revenue streams and strategic intelligence. International political and economic isolation along with public health challenges will likely inform North Korean cyber espionage against diplomatic, military, financial and pharmaceutical targets. We expect activity to be focused primarily on South Korea, Japan, and the United States, with operations also noted in Europe, the Middle East and North Africa, and South Asia. 

EMEA Forecasts:

Russia to Expand Targets Across Europe 

2023 could see Russia further expand its cyber operations across Europe. During the past year, Russia has typically conducted information-gathering campaigns against European organisations outside Ukraine while most of its disruptive and destructive attacks have been focused within Ukraine. 

This may change in 2023, with Russia using more of its (potentially increased) disruptive cyber capabilities against European organisations. This could impact a range of organisations, including energy and military suppliers, logistics companies involved in the supply of goods to Ukraine, and organisations involved in the introduction and implementation of sanction regimes. 

European Energy Concerns to Play Out in the Cyber Realm 

Concerns around energy supply and prices within Europe are likely to manifest as malicious cyber operations. Mandiant has already observed an uptick in energy-themed phishing campaigns. Ransomware groups are known to target sectors under pressure, as shown through remorseless healthcare targeting during the pandemic. 

European energy suppliers are also a target for Russian state-sponsored threat actors looking to impose further pressure on countries involved in Russian sanction regimes or seeking to reduce their reliance on Russian energy. 

The energy crisis in Europe may also result in more targeting of critical infrastructure. Critical infrastructure is already at risk of destructive cyber-attacks when nations are in conflict, but the energy crisis amplifies the threat. We could see critical infrastructure being targeted in ransomware campaigns focused on disrupting energy and power supply. 

Ransomware has been a staple of Mandiant reports for several years. While it is well-established as part of many threat actors’ toolkits, data shows a rise in European ransomware incidents. While entities in European regions need to stay especially vigilant, organisations around the world need to be ready for increased attempts at extortion. Extortion actors will stop at nothing to achieve their goals, even using physical devices and less common types of social engineering. 

Next year is also expected to bring an increase in the number of attackers motivated simply by bragging rights. These actors are often younger and not tied to a nation state or organised group. However, that doesn’t mean we won’t see nation-state activity. The Big Four – Russia, China, Iran, and North Korea – will be highly active in 2023, using destructive attacks, information operations, financial threats and more.

The road to stronger cyber defences has never been simple, especially for security professionals, and organisations have a lot to keep in mind for 2023. As always, Mandiant’s relentless work on the frontlines gathers insights and develops best practices that are regularly shared with security leaders, so they can take the steps needed to prevent these threats—and respond quickly and effectively to the attacks that invariably get through. 

Working with Mandiant improves our threat intelligence portfolio, complementing our 24x7x365 Managed SOC capabilities. Not only does our partnership enhance our threat detection capabilities, it also helps to improve our incident response and breach management services, ensuring that our customers get the very best out of the services we offer. 

If you would like to hear more about our partnership with Mandiant, or how our partnership could help your organisation, please Contact Us.