The success of high-profile, destructive cyber attacks on operators of critical national infrastructure (CNI) has clearly caught the attention of increasingly aggressive nation-state threat actors or advanced persistent threat (APT) groups, which are steadily incorporating them into their playbooks as a valuable weapon of hybrid warfare.
In the past year, attacks targeting CNI have leapt from comprising 20% of all nation-state attacks to 40%, according to data drawn from Microsoft’s telemetry, revealed on 4 November in Redmond’s third annual Microsoft digital defence report.
Speaking in advance of the report’s publication, Tom Burt, Microsoft corporate vice-president of customer security and trust, said a lot of this increase was clearly linked to the war in Ukraine.
“But it’s not limited just to Russia’s efforts in Ukraine. We’ve seen all nation-state actors increasingly targeting their espionage and information-gathering operations at critical infrastructure operations around the world,” he said.
Burt said that Microsoft saw nation-state actors becoming increasingly aggressive in their activity. Although it is important to note that the majority of nation-state-backed cyber attacks are still conducted for the purpose of information and intelligence gathering and data theft, causing little permanent damage save to the egos of security teams, the increasing volume of highly disruptive and even destructive attacks is clearly more problematic.
“We certainly also see destructive attacks, and it is worrisome that those destructive attacks are not confined to Ukraine, and Russia’s efforts in Ukraine, but we’re also seeing others. For example, actors from Iran engaging in destructive attacks, especially targeting Israel,” said Burt. “The increasing willingness of nation-state actors to use cyber weapons for destructive purposes is clearly a trend – and a worrisome trend.”
In terms of victimology, the report data shows that the UK remains one of the countries most heavily targeted by nation-state actors, as one might reasonably expect – however, the US is the focus of the most hostile activity by some margin.
“In China, we’ve seen a real focus from Chinese actors in the past year on…Southeast Asia intelligence gathering in particular, and I would say in the Global South, countries like Namibia and Mauritius, Trinidad and Tobago, and others,” said Burt.
“Iran, again lots of focus on activities with Israel, but…during the year we saw them actively expanding their zone of operations outside the Middle East…to other regions.”
“With Russia, it’s really global activity depending on their intelligence-gathering goals. Certainly most of their attacks outside Ukraine…have been focused on the US. But we’ve seen a focus on Nato countries and especially border countries like the Baltic states [Estonia, Latvia and Lithuania]. We [also] saw increased activity in the Nordics after they announced their intention for a couple of those countries to join Nato,” he added.
The increase in Chinese activity is likely a consequence of a more assertive regime seeking to establish regional influence over China’s neighbours and counter US activity in Southeast Asia. It has also been observed targeting countries that have endorsed or signed up to its Belt and Road Initiative. China is known to have become particularly adept at finding, compiling, hoarding and using zero-days – possibly helped by a recently introduced law requiring Chinese entities to report vulnerabilities they discover to the government before sharing them.
Iran’s growing assertiveness, meanwhile, comes following a recent transition of power within the regime from the moderate president Hassan Rouhani to hardliner Ibrahim Raisi. As Burt observed, much of its activity targets Israel, but there is also a sense that Iran is ramping up cyber operations against the regime’s perceived enemies to try to lever concessions from Tel Aviv and Washington as diplomatic efforts to revive the nuclear deal – signed by former president Barack Obama in 2015 – falter.
The other highly active nation-state actor, North Korea, continues its broad pattern of activity, targeting aerospace companies to steal technology, news and media organisations and Korean-speaking Christian groups that are outspoken against the regime, and cryptocurrency heists to bolster its faltering economy. North Korea, too, has become more aggressive in the cyber sphere this year, coinciding with a more aggressive period of missile testing.
Microsoft also reported on the activity of cyber mercenaries. Perhaps the most famous of these is the disgraced Israeli spyware developer NSO Group, but earlier in 2022, Microsoft called out Austria-based company DSIRF, which allegedly sold a malware called Subzero used in attacks around the world, including against the UK.
“A world where private sector companies create and sell cyber weapons is more dangerous for consumers, businesses of all sizes, and governments. These offensive tools can be used in ways that are inconsistent with the norms and values of good governance and democracy. Microsoft believes the protection of human rights is a fundamental obligation, and one we take seriously by curtailing ‘surveillance as a service’ across the globe,” said Microsoft.
“Microsoft has assessed certain state actors across democratic and authoritarian regimes outsource the development or use of ‘surveillance as a service’ technology. This is how they avoid accountability and oversight, as well as acquire capabilities that would be difficult to develop natively.”
Financially motivated cyber crime on the rise
That nation-state activity draws the focus of much high-profile work in the cyber security world is of little surprise, but this is not in any way coming at the expense of the more quotidian, financially motivated cyber criminal activity that is arguably of more concern to the average end-user organisation.
The 2022 Microsoft digital defence report found that, in general, cyber crime continued its upward trajectory in 2022, as the “industrialisation” of the underground criminal economy lowers barriers to entry by affording people who might not otherwise be drawn into its grip greater access to hacking tools and infrastructure.
This is most evident in the rapid growth of ransomware as a service (RaaS), but Microsoft said it also observed steady year-on-year growth in phishing email volumes, with the Covid-19 pandemic becoming less prevalent as a lure and being replaced by the war in Ukraine, and a “staggering” increase in emails impersonating legitimate organisations seeking cryptocurrency donations to support Ukrainian civilians and refugees.
The full 112-page report, which is now available to download, also includes more information than ever on the steps organisations can take to shield themselves from cyber attacks.
As ever, the most effective thing one can do is to focus on the basics – enabling multifactor authentication (MFA) to protect key accounts; applying patches quickly and often; being intentional about who is able to do what on company systems; and investing in up-to-date security solutions, particularly for endpoints, threat intelligence, and staff training and culture-building. Basic protections, said Microsoft, can still thwart 98% of attacks.