“Disturbing” Rise in Nation State Activity, Microsoft Reports

Written by

There has been a “disturbing” increase in aggressive nation state cyber activity in the past year, according to Tom Burt, corporate VP, customer security & trust at Microsoft, discussing the 2022 Microsoft Digital Defence Report (MDDR) during a virtual press briefing on November 3, 2022.

Impact of Russia-Ukraine Hybrid War

The new report showcased trends Microsoft had observed in the cyber-threat landscape between July 2021 and June 2022. It found that the proportion of cyber-attacks perpetrated by nation states targeting critical infrastructure jumped from 20% to 40%. This was largely due to Russia’s heavy attacks on Ukraine’s critical infrastructure, as well as aggressive espionage targeting of Ukraine’s allies, including the US.

“It’s impossible to start a report about this year’s cybersecurity activity without talking about the hybrid war in Ukraine.,” Burt acknowledged.

He reiterated recent praise from the UK and US governments about Ukraine’s impressive defenses in the face of relentless Russian cyber-attacks on its government and critical services during the conflict. While Russia has been successful in causing disruption to Ukraine networks, “Ukraine has been resilient in its recovery from successful attacks,” he said.  

A key factor in this success was the Ukrainian government’s decision at the outset of the conflict to migrate its data and workload to the cloud, a process that was assisted by Microsoft. In a recent interview with Infosecurity, Microsoft’s EMEA chief security advisor Sarah Armstrong-Smith highlighted Microsoft’s role in helping move Ukrainian ministries’ data to the cloud.

This move provided “world class cybersecurity because of the ability to utilize AI technologies and visibility into the data that helps us protect and defend against cyber-attacks.” Additionally, he noted the physical security component of this move, as it ensured data could not be destroyed by physical attacks on data centers.

Burt also noted that after experiencing years of cyber-attacks by Russian actors, “Ukraine has evolved strong communications between their government, their CERT and their private sector so they can recover quickly from successful cyber-attacks.”

He added that Microsoft has observed Russia continuously evolve the destructive malware it is using to target Ukraine, and it’s now on its “7th or 8th generation of malware that its deployed in Ukraine.”

Overall Nation-State Activities

The report demonstrated that nation state actors have become increasingly aggressive in cyberspace, even beyond the Russia-Ukraine conflict. These actions were primarily for espionage and surveillance purposes, but Microsoft also saw an “increasing willingness of nation state actors to use cyber weapons for destructive purposes.”

Iranian threat actors have been particularly aggressive following a transition of presidential power in the past year. This includes numerous destructive attacks targeting Israel, including an Iranian actor executing an attack that set off emergency rocket sirens in Israel.

Interestingly, Burt said that Iranian actors have been engaging in ransomware attacks, sometimes “as a means of encrypting useful data of a nation-state target with no intent to ever provide the key – it’s more of a destructive attack.”

In September 2022, the Albanian government cut all diplomatic ties with Iran following a July 15 ransomware attack that temporarily shut down numerous Albanian government digital services and websites.

The report also highlighted a continuing crossover between cybercrime and nation-state activities in North Korea.

“We now see North Korea increasingly engaged in thefts of cryptocurrency, and for a number of years that has been the source of funding for their cybercrime activity and other activities,” said Burt.

Microsoft observed China expanding its espionage and information cyber-attacks in an effort to exert more regional influence in South East Asia, amid growing tensions with the US in the region.

Cybercrime Trends

Attacks perpetrated by cyber-criminals seeking financial gain also grew in volume and sophistication during the period July 2021 to June 2022, according to the report. Burt noted that the two most impactful vectors were ransomware and business email compromise. The main evolution in ransomware attacks was adapting techniques used to evade detection, a trend he believes will continue in 2023.

Another concerning trend is a surge in cybercrime-as-a-service across all threat vectors, especially ransomware. Here, “sophisticated cybercrime syndicates” are increasingly offering services to others, including those with limited technical capability. This has significantly lowered the barrier to entry for cyber-criminals. This means that often, perpetrators’ only role is “to pick the victim and then conduct the negotiation in order to get paid.”

On November 3, The European Cybersecurity Agency (ENISA)’s threat landscape annual report 2022 found that the cyber landscape has been heavily influenced by the Russian invasion of Ukraine this year.

What’s hot on Infosecurity Magazine?