AI-automated malware campaigns coming soon, says Mikko Hyppönen

May 30, 2023 | 7 mins
Artificial Intelligence, Cyberattacks, Malware

The industry pioneer also expects cybersecurity to remain a growth business for years and sees Russian hacktivists as demoralizing European infosec teams.

Cybersecurity pioneer Mikko Hyppönen began his cybersecurity career 32 years ago at Finnish cybersecurity company F-Secure, two years before Tim Berners-Lee released the world’s first web browser. Since then, he has defused global viruses, searched for the first virus authors in a Pakistani conflict zone, and traveled the globe advising law enforcement and governments on cybercrime. He has also recently published a book, If It’s Smart, It’s Vulnerable, where he explains how the growth of internet connectivity has fueled cyber threats.

CSO recently had the opportunity to speak with Hyppönen at this year’s Sphere conference for a wide-ranging interview about the state of the industry, the growing cybersecurity threats facing Europe, and the promise and peril of artificial intelligence.

A maturing cybersecurity industry

The once-hot tech sector has hit a wall, trimming its ranks by 168,243 employees so far in 2023. Tech giants Google, Amazon, Microsoft, and Meta have retrenched from their past decade of seemingly boundless upsides as recessionary pressures and other economic factors have cooled their once-rosy projections.

Despite pockets of layoffs, the cybersecurity industry seems largely immune to the woes affecting Silicon Valley, with demand for new employees “as strong as it ever has been” in the chronically understaffed sector. “There will always be threats. There will always be bad people,” Hyppönen, who is now the chief research officer at WithSecure, tells CSO. “There’s a steady need for security. Cybersecurity will remain a growth business for as long as I can see. I do believe there’s job security in cybersecurity.” (WithSecure was known as F-Secure for Business until last year, when it split off from the now consumer-oriented F-Secure, for which Hyppönen also serves as principal research advisor.)

When Hyppönen began his career, there was no cybersecurity industry of significance. Now, analysts project that the industry will top $162 billion USD in revenue during 2023, with slightly more than three dozen companies that collectively have a market cap exceeding $624 billion USD and account for the lion’s share of that revenue.

Given this state of maturation, the question remains whether there is room for new cybersecurity entrants. “For years the barriers to entry for newcomers to cybersecurity were massive because of the amount of work you had to do to understand the problems and build a library of detections for all the possible attacks, which took years and years for companies to build,” Hyppönen says. “So, we believe there won’t be real new startups in endpoint security.”

“You actually can enter the game with new technologies based on anomaly detection and machine learning,” Hyppönen says. “So, you don’t have to be able to detect all the possible attacks we’ve always seen. It’s enough if you can detect anomalies, that something weird is happening, something unusual, something which doesn’t happen normally.”

Hyppönen believes the need to detect weird and unusual things has “actually opened the doors for plenty of new companies stood up by a new generation of researchers” who grew up online and are unconstrained by conventional thinking. “So, it’s probably not good for business for us to welcome new competitors in the space,” he says. “But personally, I love seeing that.”

European cyber threats rise in wartime

Since Russia invaded Ukraine last year, European organizations have experienced a rising tide of cyber threats from Russian-allied threat actors, who, while inflicting only minor damage, have subjected government agencies and companies across the continent to psychological malaise, Hyppönen says. One group in particular, the little-reported so-called hacktivist group NoName057(16), has engaged in a steady onslaught of DDoS attacks across Europe through a project called DDosia since March 2022 alongside other pro-Russian groups, including Killnet.

Hyppönen scanned the NoName057(16) Telegram channel, the group’s primary mode of communication, and read aloud a list of the group’s recent attacks. “France. An airport in Germany. A German weapons manufacturer. An Italian bank. The Italian public sector. These kinds of attacks are the wake-up calls for companies because many of the targets of the attacks done by gangs which are not from the government but are like private patriot hackers from Russia,” he says. (However, Illia Vitiuk, the head of the Department of Cyber Information Security in the Security Service of Ukraine, said at the RSA conference in April that she believes the Russian hacktivists are state-sponsored.)

“They hit surprising targets like an airport in France,” which is likely baffled to be caught up in the conflict, Hyppönen says. “But these guys are looking for symbolic hits, which are on our hearts and minds. These attacks are specific to the war in Ukraine, and almost all the targets we see are in Europe.”

A separate group of pro-Russian hackers took down Finland’s defense ministry website just as Ukrainian President Volodymyr Zelenskyy began a video address to the Finnish parliament. “When was the last time anyone visited the website of the defense ministry? No one ever goes there,” Hyppönen says. “So, the website has no importance whatsoever. Go down and stay down for the rest of the year, and no one will miss the website. That has no effect on the operational capability of our ministry, defense forces, or military. None of that.”

With no actual destructive component, the point of these attacks is to weaken European morale, Hyppönen says. “It feels bad. It really does feel bad. And that’s what they’re trying to do.”

Complete automation of malware campaigns is coming

ChatGPT and dozens of rapidly emerging AI apps were the hottest topics at Sphere, with their potential to foster cybercrime and scams more effectively. “They’re exciting and scary at the same time,” Hyppönen said during his keynote. “And make no mistake: We are all living the hottest AI summer in history.”

Despite AI’s potential for upending industries and making it easier for threat actors to advance their malicious activities, Hyppönen tells CSO that it’s “mandatory” for the cybersecurity industry to embrace the technology. “There’s no other way for companies like us to keep up with the number of attacks except by using automation, machine learning, and AI,” he says. “We’ve been using it for quite a while already.”

It will only be a matter of months before malicious threat actors use widely available AI source code to perfect their techniques. “What I’m really waiting for, and it’s going to happen in the next couple of months, is complete automation of malware campaigns,” he says. “Because right now it’s humans, attackers working at human speed against defenders like our systems or security companies in general, which use automation and machine learning to find and react to new attacks very quickly.”

The downside for cyber defenders is that, at a certain point, an AI system’s decisions become impenetrable: there is no visibility into, or understanding of, how it reached them. For example, Hyppönen says, “A customer calls and asks, ‘Hey, you’re blocking this program we made, and why did you block this?’ We can’t answer. The machine says so.”

That program could be whitelisted and manually checked, “but we can’t answer the client anymore why it believes it’s bad because it’s a machine learning framework,” Hyppönen says. “It’s a black box. It’s been teaching itself for too long.”