John Lambert, Author at Microsoft Security Blog
Expert coverage of cybersecurity topics

Changing the physics of cyber defense
http://approjects.co.za/?big=en-us/security/blog/2025/12/09/changing-the-physics-of-cyber-defense/
Tue, 09 Dec 2025 17:00:00 +0000

Cyber defense is evolving. Find out how graph-powered strategies and AI can help organizations detect threats faster and improve security hygiene.

The post Changing the physics of cyber defense appeared first on Microsoft Security Blog.

The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, John Lambert, Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft, dives into the future of cyber defense.

Ten years ago, as threat actors began following our growing customer base to the Microsoft Cloud, I founded the Microsoft Threat Intelligence Center (MSTIC), which focuses deeply on addressing this type of cyberattacker. One of the first things we learned was that to find threat actors you need to think like them. That’s what led me to begin thinking in graphs. Any infrastructure you need to defend is conceptually a directed graph of credentials, dependencies, entitlements, and more. Cyberattackers find footholds, pivot within infrastructure, and abuse entitlements and secrets to expand further. Software systems and online services are built from components—many of these components have logs of what’s happening, but this results in a lot of siloed logs. To see what a threat actor is doing, you have to reconstruct that red thread of activity from logs. Then, from those logs you can create a graph. 

By adopting this same graph-based thinking, we put ourselves on more even footing with cyberattackers. But we don’t really want to be on even footing. We want to retake the advantage for ourselves. That’s why it’s also important to keep our best practices up: making sure our infrastructure is well managed, maintaining a well-educated team of analysts, and collaborating with our competitors on defense. All together, this is of course a lot of work. It’s easy to see why some security professionals out there see the physics of defense as being against them. And in some ways, it has been. So, let’s change that.

We’ve got more data and more advanced tools at our fingertips than ever before, including some very good AI. Let’s take a look at each of these best practices, as well as how we can use our new tools to reduce the cost and effort involved in maintaining the advantage against threat actors.

The defense benefits of attack graphs

Most defenders today live in a tabular, relational world of data and the databases in which that data lives. At Microsoft, this is Azure Data Explorer databases queried using Kusto Query Language (KQL). And we know that if we can represent data in other ways, like in a graph, we can suddenly look at our data in ways that are difficult to do in traditional databases. This is a chief reason why threat actors build attack graphs of their targets. The graph lets them more easily see the many ways they can break into the target’s network, pivot to the things they need, get the credentials they need, and exploit things within the blast radius those credentials give them. That’s why it’s important to build a great attack graph for all the things that you must defend and equip your defenders with it. With a graph, you can ask questions like “what’s the blast radius of this kind of access?”, “can I get from identity A to infrastructure B?”, or “if a threat actor has taken over this specific node, can they get to our crown jewels?” With an attack graph in hand, those questions become easier to answer.
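The three questions above (blast radius, reachability from identity A to infrastructure B, and whether a compromised node leads to the crown jewels) are all graph traversals once the environment is modelled as a directed graph of credentials, entitlements and dependencies. The following is an added example, not code from the post or from Microsoft: it builds a small constructed graph in which an edge A -> B means "control of A yields access to B", answers the three questions with breadth-first search, and adds a defender-side query the paragraph implies but does not spell out: which nodes sit on every path to the crown jewels, so that rotating one credential or removing one entitlement breaks the whole path. All node names and edges are invented for the example.

```python
"""Attack-graph queries over a constructed identity/infrastructure graph.

Added example (not from the original post). Edge (src, dst, reason) means
"control of src yields access to dst". All nodes and edges are constructed.
"""
from collections import deque

# Constructed sample graph: (source, target, why the edge exists).
EDGES = [
    ("user:alice",      "host:wks-01",       "logs on interactively"),
    ("host:wks-01",     "cred:svc-backup",   "service account password cached on host"),
    ("cred:svc-backup", "host:fileserver",   "local admin via service account"),
    ("host:fileserver", "cred:da-token",     "domain admin session token present"),
    ("cred:da-token",   "host:dc-01",        "domain admin can log on to the DC"),
    ("host:dc-01",      "data:crown-jewels", "DC controls access to the data store"),
    ("user:bob",        "host:wks-02",       "logs on interactively"),
    ("host:wks-02",     "app:ticketing",     "holds an application role"),
    ("user:alice",      "cred:cloud-key",    "API key stored in mailbox"),
    ("cred:cloud-key",  "host:fileserver",   "key grants storage access"),
]


def build_graph(edges):
    """Adjacency lists, keyed by node; every node appears as a key."""
    graph = {}
    for src, dst, _reason in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, start):
    """Every node reachable from start: what a compromise of start exposes."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def find_path(graph, start, goal):
    """Shortest directed path from start to goal, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def choke_points(graph, start, goal):
    """Nodes whose removal cuts every path from start to goal: the places
    where one hygiene fix (rotate a credential, remove an entitlement)
    breaks the attack path. Empty if goal is not reachable to begin with."""
    if find_path(graph, start, goal) is None:
        return []
    cuts = []
    for node in graph:
        if node in (start, goal):
            continue
        pruned = {n: [m for m in nbrs if m != node]
                  for n, nbrs in graph.items() if n != node}
        if find_path(pruned, start, goal) is None:
            cuts.append(node)
    return cuts


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("blast radius of user:alice:", sorted(blast_radius(g, "user:alice")))
    print("path to crown jewels:", find_path(g, "user:alice", "data:crown-jewels"))
    print("choke points:", choke_points(g, "user:alice", "data:crown-jewels"))
```

Because alice has two routes to the file server (a cached service-account password and a cloud key), neither workstation nor service account is a choke point; the file server, the domain admin token and the domain controller are, which is exactly the prioritisation a defender wants from the graph.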

Relational tables and graphs are just two of the ways to represent security data. We’re currently working on broadening those ways to also include anomalies and vectors over time. All together, these four data representations are what I refer to as the algebras of defense. As a defender equipped with these algebras, you can easily represent security data in multiple different ways. Each representation is specialized for answering a particular kind of question, so you can put each question to the representation best suited to it and get answers from your security data that drive you very quickly to the outcomes you need. What’s really exciting about this concept is that the benefits don’t just extend to your security team. Your advanced AI can use them to similar effect, turning each algebra into a new way to detect, for instance, what constitutes an anomaly and what does not. It’s giving AI the ability to use the same intuitions that human experts use, but in a much more highly dimensional space.

Building difficult terrain through proper cyber defense hygiene

A well-managed target is a harder target to attack. Defenders that excel in security don’t just react to cyberthreats, they proactively shape their environments to be inhospitable to bad actors. This begins with investing in preventative controls. Rather than waiting for incidents to occur, successful defenders deploy technologies and processes that anticipate and block cyberattacks before they materialize. This includes endpoint protection, network segmentation, behavioral analytics, threat modeling, and more.

It’s also important to deprecate legacy systems as they often harbor vulnerabilities that cyberattackers exploit. By retiring outdated solutions and replacing them with modern, secure alternatives, organizations reduce their exposure and simplify their defense posture. The same goes for entitlement management. By continuously reviewing who has what access, organizations can help prevent lateral threat actor movement.

You’ll also want to make sure you’re conducting top-tier asset management. You can’t protect what you don’t know exists. Maintaining an accurate, real-time inventory of devices, applications, and identities helps defenders monitor, patch, and secure every component of the environment. Removing orphaned elements goes hand-in-hand with this concept. Unused accounts, forgotten servers, and abandoned cloud resources—all of these remnants of past projects can easily become low-hanging fruit for cyberattackers.

You should invest time and effort into creating difficult terrain for attackers, making it harder for them to traverse your networks. Phishing-resistant multifactor authentication is a way to do this. So is not just having strong identity management, but requiring it to be used from expected, well-defined places on the network. For example, forcing admin access to be used from hardened, pre-identified locations.

Layered defenses with multiple controls working in concert help quiet your network. By reducing randomness and enforcing predictability, you can eliminate much of the noise that threat actors rely on to hide, ultimately removing entire classes of threat actors from the equation.

Invest in internal expertise and collaborate with others who do the same

While preventative controls are essential for raising the cost of cyberattacks, no defense is impenetrable. That’s why remediation remains a critical pillar of cyber hygiene. Organizations must be equipped to both block threats and to detect and respond to those that slip through.

This begins with data visibility. Security teams need to be on top of their telemetry so they can spot anomalies quickly. And you’ll need a team of educated analysts who understand cyberattacker behavior and can distinguish signal from noise. With their expertise, you’ll be better equipped to identify subtle indicators of compromise and initiate swift, effective remediation efforts.

It’s also important to work on cyber defense together with organizations that you otherwise view as your competitors. And, thankfully, here’s where I get to impart a bit of good news. Over the past decade, the tech industry has undergone a profound shift in how it approaches this concept. As organizations, we’re now way better about taking news about the security events happening to us to trusted spaces and talking about them in trusted ways than we were 10 years ago. What was once taboo, like the sharing of breach details with competitors, is now a mainstay of our collective defense. This cultural shift has led to the rise of trusted security forums, cross-industry intelligence sharing, and joint incident response efforts, allowing all of our defenders to learn from each other and respond faster to emerging threats.

Optimizing the defense curve

We now operate in a world where vast, high-fidelity data sets and advanced AI systems can amplify our reach, sharpen our detection, and accelerate our response. By embracing graph-based thinking, cultivating difficult terrain, and investing in collaborative intelligence, defenders can fundamentally shift the physics of defense beneath their would-be attackers’ feet.

With the algebras of defense, defenders can interrogate their environments in ways that were previously impossible, surfacing insights that drive proactive, precision-based security. And with AI as a partner, we can turn complexity into clarity, noise into signal, and partner swift remediations with anticipation. By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.


Learn more

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list (sent every two months) on this webpage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Microsoft shifts to a new threat actor naming taxonomy
http://approjects.co.za/?big=en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/
Tue, 18 Apr 2023 15:00:00 +0000

Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity.

The post Microsoft shifts to a new threat actor naming taxonomy appeared first on Microsoft Security Blog.

May 2023 update – The actor that Microsoft tracks as Volt Typhoon targets US critical infrastructure with living-off-the-land techniques.

April 19, 2023 update – We have published a JSON file mapping old threat actor names with their new names in the updated taxonomy, summarized here: https://aka.ms/threatactors. We also added hunting queries that Microsoft customers can use while transitioning to the new taxonomy. See the Resources section.

Today, Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity. With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name.

[Figure 1: Eight threat actor groups that Microsoft tracks represented in the new naming taxonomy]

The Microsoft Threat Intelligence community has spent over a decade discovering, tracking, and identifying targeted malicious activity and sharing that critical intelligence with customers. Our threat research has grown to track more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and hundreds of others. A global multi-disciplinary assembly of threat intelligence analysts, pen testers, and data scientists work together alongside experts in geopolitics and disinformation to take a whole-of-adversary approach. This helps Microsoft Threat Intelligence teams fully understand the what of an attack, make assessments on the why, then forecast and implement protections for where an attacker might go next. Our vision is that this new naming model helps our customers and the industry move to a more proactive approach to defense.

We realize that other vendors in the industry also have unique naming taxonomies representing their distinct view of threats based on their intelligence. However, there are often overlaps or close alignments with tracked actors, and keeping track of these names can be challenging for defenders. Microsoft Threat Intelligence is committed to helping customers understand threats, no matter which naming taxonomy they are familiar with. Therefore, we will strive to also include other threat actor names within our security products to reflect these analytic overlaps and help customers make well-informed decisions.

The Microsoft threat actor taxonomy explained

In our new taxonomy, threat actor groups will be named after weather events. A weather event or “family name” represents either a nation-state actor attribution (e.g., Typhoon indicates origin or attribution to China) or a motivation (e.g., Tempest indicates financially motivated actors). The table below shows the threat actor groups Microsoft tracks and their assigned weather events in the new naming convention.

Actor category                  | Type                    | Family name
--------------------------------|-------------------------|------------
Nation state                    | China                   | Typhoon
                                | Iran                    | Sandstorm
                                | Lebanon                 | Rain
                                | North Korea             | Sleet
                                | Russia                  | Blizzard
                                | South Korea             | Hail
                                | Turkey                  | Dust
                                | Vietnam                 | Cyclone
Financially motivated           | Financially motivated   | Tempest
Private sector offensive actors | PSOAs                   | Tsunami
Influence operations            | Influence operations    | Flood
Groups in development           | Groups in development   | Storm

Threat actors within the same weather family are given an adjective to distinguish actor groups that have distinct TTPs, infrastructure, objectives, or other identified patterns. The examples below show how the naming system works for Russia and Iran.

[Figure 2: Russian and Iranian nation state actor groups that Microsoft tracks]

Note: Our latest blog about the Iranian threat actor Mint Sandstorm (previously PHOSPHORUS) reflects the new naming taxonomy: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets.

Where there is a newly discovered, unknown, or emerging cluster of threat activity, we use a temporary designation of Storm (previously DEV) and a four-digit number, allowing us to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once our analysis has developed to meet high confidence criteria, a Storm is converted to a named actor.

[Figure 3: Threat actor groups in development that Microsoft tracks]

We believe this new approach, along with the new icon system shown in some of the examples above, makes it even easier to identify and remember Microsoft’s threat actors. Each icon uniquely represents a family name, and where it makes sense will accompany the threat actor names as a visual aid. This new naming approach does not in any way change who the threat actors are that we are tracking, or our current analysis behind the names.

The naming approach we have used previously (Elements, Trees, Volcanoes, and DEVs) has been retired. We have reassigned all existing threat actors to the new taxonomy, and going forward will be using the new threat actor names. Over the next few weeks, you will start seeing changes across public facing content and in-product experiences. We expect to complete prioritized in-product updates by September 2023. There will be some surfaces that will not be updated. To ease the transition from old names to new names, we developed a reference guide at https://aka.ms/threatactors. Make sure to bookmark it for future reference.

Microsoft’s approach to threat actor tracking

The way Microsoft Threat Intelligence approaches identifying and naming threat actors is outlined below in Figure 4. As is sometimes the case, when a new threat surfaces, we don’t know all the details. We might know about a subset of victims and the malware they were infected with, and/or the command-and-control infrastructure, but we sometimes don’t immediately know the full scope of the actor’s capability or victimology. Microsoft maintains an internal process for tracking these ‘in-development’ activity clusters (now Storm-###) for reference across our hunting teams. In-development names (e.g., Storm-0257) apply to all actor types (nation-state, financially motivated, PSOA, etc.).

[Figure 4: Threat actor naming lifecycle.]
*Full attribution means known capabilities, techniques, infrastructure, scope, and intent of the activity

Storm names may persist indefinitely, but we strive to progress our understanding of all clusters of threat activity to either merge them with existing fully named actors (thereby expanding the definition), or merge multiple in-development clusters together to define a new fully named actor.

To meet the requirements of a full name, we aim to gain knowledge of the actor’s infrastructure, tooling, victimology, and motivation. We expand and update the definitions supporting our actor names based on our own telemetry, industry reporting, and a combination thereof.

The new centralized home of Microsoft threat actor intelligence

As a security industry leader, Microsoft has unique capabilities to track threats and the expectation to provide timely, consistent analysis will only increase. In a growing industry of complexity, confusion, and an overwhelming amount of data, we see an opportunity to provide customers with hyper relevant threat intelligence enabling them to implement even more proactive defenses.

We know defenders benefit from context and actionable insight: they need to understand which threat actor is behind an attack and what steps they can take to mitigate the issue. This is where Intel Profiles in Microsoft Defender Threat Intelligence can bring crucial information and context about threats. Integrated into Microsoft 365 Defender, Intel Profiles are updated daily and put the wealth of information tracked by the Microsoft Threat Intelligence community about threat actors and their tools and techniques directly into the hands of security operations professionals so that they can investigate, analyze, and hunt for threats.

We’re excited to share this new threat actor update with you, our defenders, and help bring clarity and relevance to the threat intelligence you are getting from Microsoft.

Resources

To ease the transition to the new naming taxonomy, use this reference guide to look up the old and new names of Microsoft threat actors: https://aka.ms/threatactors.

In addition to the reference guide, we have also published a JSON file that contains the most up-to-date and comprehensive mapping of old threat actor names with their new names: https://github.com/microsoft/mstic/blob/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json

Microsoft customers can use the following queries to transition to the new taxonomy.

Name lookup

Use this query on Microsoft Sentinel, Microsoft 365 Defender, Azure Data Explorer, and other products that support Kusto Query Language (KQL) to get information about a threat actor using the old name, new name, or industry name:

// Load the published old-name/new-name mapping file as a table
let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]');
// Match the supplied name against the new name, the old name, or any industry alias (case-insensitive)
let GetThreatActorAlias = (Name: string) {
    TANames
    | where Name =~ NewName or Name =~ PreviousName or OtherNames has Name
};
GetThreatActorAlias("ZINC")
[Figure 5: Sample name lookup query for ZINC]

TI indicator rename

Use this query on Microsoft Sentinel to look up TI indicators that have been tagged with threat actor name to get the new name.

// Load the published old-name/new-name mapping file as a table
let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]');
// Join indicators to the mapping on the old actor name carried in the Tags column
let TIIndicatorNewTAName = (T:(Tags: string)) {
    TANames
    | join kind=inner T on $left.PreviousName == $right.Tags
};
// Expand each indicator's tag array to one row per tag before joining
TIIndicatorNewTAName((ThreatIntelligenceIndicator
    | mv-expand todynamic(Tags) | extend Tags = tostring(Tags)))
// Use the first populated observable field as the indicator value
| extend Indicator = case(NetworkSourceIP != "", NetworkSourceIP,
    NetworkIP != "", NetworkIP,
    DomainName != "", DomainName,
    FileHashValue != "", FileHashValue,
    Url != "", Url,
    "")
| project IndicatorId, Type, Indicator, ConfidenceScore, ExpirationDateTime, PreviousName, NewName, Origin, OtherNames

[Figure 6: Sample TI indicator query on Microsoft Sentinel]
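For teams that hold the mapping file or their indicator exports outside of KQL, the following is an added example (not Microsoft's code) that reproduces both queries above offline in Python: the name lookup by old, new or industry name, and the re-tagging of TI indicators that carry an old name. It assumes only the record shape that the queries' ingestionMapping declares ("Previous name", "New name", "Origin/Threat", "Other names"). The three mapping records and the indicator rows are constructed here for the example; the published JSON file remains the authoritative source for the real mapping.

```python
"""Offline counterpart of the two KQL queries: threat actor name lookup and
TI indicator re-tagging. Added example, not Microsoft's code.

Assumes the mapping file's record shape as declared in the KQL ingestionMapping:
"Previous name", "New name", "Origin/Threat", "Other names".
"""
import json

# Constructed sample in the shape of MicrosoftMapping.json (not the real file).
SAMPLE_MAPPING_JSON = json.dumps([
    {"Previous name": "PHOSPHORUS", "New name": "Mint Sandstorm",
     "Origin/Threat": "Iran", "Other names": ["Charming Kitten", "APT35"]},
    {"Previous name": "ZINC", "New name": "Diamond Sleet",
     "Origin/Threat": "North Korea", "Other names": ["Lazarus"]},
    {"Previous name": "NOBELIUM", "New name": "Midnight Blizzard",
     "Origin/Threat": "Russia", "Other names": ["APT29"]},
])

# Constructed indicator rows with the Sentinel column names the query uses;
# Tags holds a JSON-encoded array, as in the ThreatIntelligenceIndicator table.
SAMPLE_INDICATORS = [
    {"IndicatorId": "ind-1", "Type": "domain", "DomainName": "phish.example",
     "NetworkIP": "", "Tags": '["PHOSPHORUS", "phishing"]'},
    {"IndicatorId": "ind-2", "Type": "ipv4", "DomainName": "",
     "NetworkIP": "203.0.113.7", "Tags": '["ZINC"]'},
    {"IndicatorId": "ind-3", "Type": "ipv4", "DomainName": "",
     "NetworkIP": "198.51.100.9", "Tags": '["unrelated"]'},
]


def load_mapping(text):
    """Parse the mapping file into records with the KQL column names."""
    records = []
    for item in json.loads(text):
        records.append({
            "PreviousName": item["Previous name"],
            "NewName": item["New name"],
            "Origin": item["Origin/Threat"],
            "OtherNames": list(item.get("Other names") or []),
        })
    return records


def get_threat_actor_alias(records, name):
    """Case-insensitive match on old name, new name or industry alias,
    mirroring the GetThreatActorAlias KQL function."""
    n = name.casefold()
    return [r for r in records
            if n == r["PreviousName"].casefold()
            or n == r["NewName"].casefold()
            or any(n == o.casefold() for o in r["OtherNames"])]


def retag_indicators(records, indicators):
    """Inner join of each indicator's tags against old names, like
    TIIndicatorNewTAName: one output row per (indicator, matching tag)."""
    by_old = {r["PreviousName"]: r for r in records}
    rows = []
    for ind in indicators:
        for tag in json.loads(ind["Tags"]):
            r = by_old.get(tag)  # exact match, as the KQL join uses ==
            if r is None:
                continue
            rows.append({
                "IndicatorId": ind["IndicatorId"],
                "Type": ind["Type"],
                # Same first-non-empty fallback order as the query's case().
                "Indicator": ind.get("NetworkSourceIP") or ind.get("NetworkIP")
                or ind.get("DomainName") or ind.get("FileHashValue")
                or ind.get("Url") or "",
                "PreviousName": r["PreviousName"],
                "NewName": r["NewName"],
                "Origin": r["Origin"],
            })
    return rows


if __name__ == "__main__":
    recs = load_mapping(SAMPLE_MAPPING_JSON)
    print(get_threat_actor_alias(recs, "zinc"))
    for row in retag_indicators(recs, SAMPLE_INDICATORS):
        print(row["IndicatorId"], row["Indicator"], row["PreviousName"], "->", row["NewName"])
```

The lookup deliberately keeps the KQL semantics: the alias search is case-insensitive, while the indicator join matches the old name exactly, so tags with inconsistent casing will not be re-tagged and are worth normalising before the join.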

Further reading

Our latest blog about the Iranian threat actor Mint Sandstorm (previously PHOSPHORUS) reflects the new naming taxonomy: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

For additional insights into the threat landscape, visit the Microsoft Security Insider.

The hunt for NOBELIUM, the most sophisticated nation-state attack in history
http://approjects.co.za/?big=en-us/security/blog/2021/11/10/the-hunt-for-nobelium-the-most-sophisticated-nation-state-attack-in-history/
Wed, 10 Nov 2021 17:00:10 +0000

In the second of a four-part series on the NOBELIUM nation-state attack, we share the behind-the-scenes details of the detection and investigation into the threat.

The post The hunt for NOBELIUM, the most sophisticated nation-state attack in history appeared first on Microsoft Security Blog.

This is the second in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this second post, we’ll explore the investigation in the second episode of the docuseries.

The threat hunters had but weeks to unravel a global attack that had been planned and executed by an advanced adversary for over a year. The early days of a cyberattack investigation can feel like joining a high-stakes chess match after your opponent has already made a series of moves. You must figure out what your adversary has done while anticipating their next step, and launching a counterplay—all simultaneously. Instead of a chessboard, your clues are found in the code, logs, and responses to your counterattacks. In the case of the NOBELIUM nation-state attack, this was a highly skilled chess player, but we came together as a company and as an industry to take on this shared adversary. This all started when one security company, Mandiant (formerly known as FireEye), spotted an anomaly in its own environment and shared the evidence with Microsoft for additional analysis, but this story would eventually involve thousands of defenders across the industry to uncover the full picture and help protect organizations.

As explained in our first post in this series, How nation-state attackers like NOBELIUM are changing cybersecurity, nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests. The nation-state attack from NOBELIUM, a Russia-sponsored group of hackers, is widely recognized as the most sophisticated in history. The group gained access to multiple enterprises before their actions were detected. This second episode of “Decoding NOBELIUM” explores how the group was detected and how defenders responded in the weeks that followed.

How was NOBELIUM detected?

It was late November 2020 when a security analyst at cybersecurity company Mandiant detected something unusual in its environment. While reviewing sign-in logs for the previous day, she noticed an event for a user with a different registered device. Intuition told her something was off so she called the user to ask if they’d registered a new device. The answer would set off an unprecedented, industry-wide hunt to catch a cybercriminal. The user said, “No.”

The security professional alerted her colleagues, including her supervisor, Charles Carmakal, Mandiant Senior Vice President and Chief Technology Officer. While they didn’t yet know the identity of the adversary, they would come to realize the importance of this initial detection.

Recognizing that his company needed more collaboration and telemetry to better understand the nature of the attack, Carmakal quickly turned to Microsoft. It was about 9:00 PM when Microsoft Detection and Response Team (DART) Lead Dan Taylor received the call asking for help. Dan initially thought Carmakal was joking and when he realized it was serious, he called Microsoft DART Lead Investigator Roberto, who was taking his dog for the last walk of the day, to ask him if he recognized the anomalous code Mandiant had found. Roberto confirmed that he had seen this anomaly during a previous nation-state investigation.

How did the defense team come together?

Every second counts when responding to large-scale cyberattacks like this. NOBELIUM had a year-long advantage on the defenders. A global threat-hunting effort was formed around the Microsoft Threat Intelligence Center, which defends Microsoft and its customers from advanced threat actors around the world. They immediately activated Microsoft’s team of global security experts, who are on-call for major incidents.

Microsoft Security Analyst Joanne was lacing up her hiking boots on a Saturday when she received a text from her supervisor to the entire team that read, “We need all hands on deck for an active incident.” The hike would have to wait as she and her teammates began studying the available data for indicators of an attack.

As Microsoft continued to partner with Mandiant, it quickly became clear that this attack extended well beyond one security company. The Microsoft response team grew along with this knowledge. With every meeting, another 50 to 100 Microsoft threat experts joined in—everyone came together to help. And the industry-wide collaboration grew as well. “Many different partners across the industry came together with a common goal,” said Ramin, Senior Malware Reverse Engineer with the Microsoft Threat Intelligence Center.

The biggest challenge was the sophisticated tradecraft of the attacker. They practiced extreme variability. “It became very clear to us that we were dealing with a highly capable, highly clandestine, and advanced adversary,” said Carmakal. NOBELIUM would never use the same IP address across organizations—even going so far as to change it every time the group re-entered the same organization’s network. That meant that traditional markers—including hashes, file names, and IP addresses—were all brittle indicators and less helpful for tracking the attacker’s path. Over time, they began identifying subtle markers of malicious activity.

The team’s relentless investigation led to a breakthrough—they discovered that the unknown threat actor was stealing credentials and moving through the networks undetected. During the ongoing investigation, the team uncovered that anomalous activity was happening within the SolarWinds platform. After decompiling 50,000 lines of SolarWinds’ code, Mandiant and Microsoft’s reverse engineers identified NOBELIUM malware carefully obfuscated within layers of code, designed to easily spread undetected to thousands of target organizations. “When we found that scope, it was a combination of exciting and scary,” said Pete, Senior Software Engineer of the Microsoft Threat Intelligence Center.

“You got a sense that this attacker could start in hundreds of customer networks, very deep into them with elevated rights,” said John Lambert, General Manager of the Microsoft Threat Intelligence Center. “When you realize how many enterprise customers and government departments use [SolarWinds], you knew that this attacker had achieved a place to have major impact, across the globe.”

Over weeks, the hunters uncovered a sophisticated, advanced threat with a scale and scope beyond anything they could have initially guessed. Now, it was time to use that hard-won knowledge to find and repel the current threat from NOBELIUM and prepare for future attacks.

NOBELIUM lessons

How did cybersecurity professionals identify NOBELIUM as the threat actor behind the attack and what can your organization do to detect and respond to nation-state attacks? In the second episode of our four-part video series “Decoding Nobelium,” security professionals talk about the investigation that followed the discovery of NOBELIUM’s attack. Watch the episode for tips on how to protect your organization against cyberattacks.

Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. In particular, nation-state adversaries have significant expertise and resources and will develop new attack patterns to further their geopolitical objectives. Consistent with our mission to provide security for all, Microsoft will use our leading threat intelligence and global team of dedicated cybersecurity defenders to help protect our customers and the world. Just two recent examples of Microsoft’s efforts to combat nation-state attacks include our September 2021 discovery and investigation of a NOBELIUM malware referred to as FoggyWeb, and our May 2021 profiling of NOBELIUM’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage.

For immediate support, reach out to the Microsoft Security Response Center. Keep an eye out for future posts in the Nobelium nation-state attack series where we share how we fought the NOBELIUM threat and predict the future of cybersecurity. Read our previous post in this series:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The hunt for NOBELIUM, the most sophisticated nation-state attack in history appeared first on Microsoft Security Blog.

Microsoft Digital Defense Report shares new insights on nation-state attacks http://approjects.co.za/?big=en-us/security/blog/2021/10/25/microsoft-digital-defense-report-shares-new-insights-on-nation-state-attacks/ Mon, 25 Oct 2021 16:00:17 +0000 Learn about targets and methods used by today’s nation-state threat actors, and how your organization can create a more secure environment.

The post Microsoft Digital Defense Report shares new insights on nation-state attacks appeared first on Microsoft Security Blog.

Microsoft is proud to promote Cybersecurity Awareness Month as part of our ongoing commitment to security for all. Year-round, Microsoft tracks nation-state threat activities to help protect organizations and individuals from these advanced persistent actors. We’re constantly improving our capabilities to bring better detections, threat context, and actor knowledge to our customers so they can improve their own defenses. To learn more about how Microsoft responds to nation-state attacks and how to defend your organization, watch the Decoding NOBELIUM docuseries. Hear directly from the frontline defenders who helped protect organizations against the most sophisticated attack in history.

The aims of nation-state cyber actors—largely espionage and disruption—remain consistent, along with their most reliable tactics and techniques: credential harvesting, malware, and VPN exploits. However, a common theme this year among the actors originating from China, Russia, North Korea, and Iran has been increased targeting of IT service providers as a way of exploiting downstream customers.[1]

Earlier this month, we published the 2021 Microsoft Digital Defense Report (MDDR), which provides more in-depth findings about Microsoft’s tracking of nation-state threat groups, including information on the most heavily targeted sectors and countries, specific threat actors, attack methods, and more. This blog captures the high-level themes from the MDDR, and we encourage you to download the full report for additional details.

Government agencies and non-governmental organizations are favored targets

Whenever an organization or individual account holder is targeted or compromised by observed nation-state activities, Microsoft delivers a nation-state notification (NSN) directly to that customer to give them the information they need to investigate the activity. Over the past three years, we’ve delivered over 20,500 NSNs. According to the analysis of the actor activity behind these NSNs, nation-state attacks in the past year have largely focused on operational objectives of espionage and intelligence collection rather than destructive attacks.

“Nation-state activity spans nearly every industry sector and geographic region. In other words, protections against these tactics are critical for every organization and individual.”—2021 Microsoft Digital Defense Report.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Crimes Unit (DCU) have observed that nearly 80 percent of nation-state attacks were directed against government agencies, think tanks, and non-government organizations (NGOs). The nation-state groups we refer to as NOBELIUM, NICKEL, THALLIUM, and PHOSPHORUS were the most active against the government sector, targeting mostly government entities involved in international affairs.

The most targeted sectors between July 2020 and June 2021 were Government (48 percent) and NGOs and Think Tanks (31 percent).

Figure 1: Sectors targeted by nation-state attacks (July 2020 to June 2021).

Russia-based cyber attackers in particular have increasingly set their sights on government targets. Year-on-year comparisons of NSN data depict a marked increase in successful compromises, from a 21 percent success rate between July 2019 and June 2020, up to 32 percent since July 2020. In turn, the percentage of government organizations targeted by Russian threat actors exploded from roughly 3 percent last year, to 53 percent since July 2020 (see figure 3).

Most-targeted countries

The United States remained the most highly targeted country in the past year. Russia-based NOBELIUM also heavily targeted Ukraine, particularly focusing on government interests involved in rallying against a build-up of Russian troops along Ukraine’s border—driving the number of Ukrainian customers impacted from 6 last year to more than 1,200 this year. This past year also saw a near quadrupling in the targeting of Israeli entities, driven exclusively by Iranian actors as tensions escalated between the two countries.

The most targeted countries between July 2020 and June 2021 were the United States (46 percent), Ukraine (19 percent), and the United Kingdom (9 percent).

Figure 2: Countries most targeted (July 2020 to June 2021).

Microsoft identifies nation-state activities by chemical element names, some of which are shown in the table below, along with their countries of origin. This small sample of the total nation-state actors tracked by Microsoft represents several of the most active in the last year.

Reference map for the nation-state activity groups discussed in this report, including country of origin and common targets.

Figure 3: Reference map for nation-state actors.

Volume versus precision

Rates of successful compromises varied widely among threat groups this year. Some, such as North Korea-based THALLIUM, had a low rate of successful compromise likely because their common tactic of large-scale spear-phishing campaigns has become easier to detect and deter as users become increasingly aware of these lures and organizations use security solutions to detect them more effectively. Russia-based NOBELIUM, in contrast, had more successful compromises as a result of their more targeted attack against software supply chains coupled with more high-volume password spray campaigns in pursuit of credential theft. Nation-state actors appear to be increasing the scale of these blunt attacks in an attempt to evade detection and improve their chances of a successful breach. The first fiscal quarter of 2020 (July to September) saw a proportionally higher compromise rate; not necessarily because threat actors were more successful, but because we saw fewer high-volume campaigns during this time.

The targeted entities were compromised 78 percent of the time in July through September of 2020. The annual average for July 2020 through June 2021 was 28 percent.

Figure 4: Average rates of compromise (all tactics, July 2020 to June 2021).

Snapshot: Nation-state activity

Russia

Russia-based NOBELIUM proved how insidious software supply chain attacks can be with its devastating compromise of the SolarWinds Orion software update.[2] Although the group limited its follow-up exploitation to approximately 100 organizations, its backdoor malware was pushed to roughly 18,000 entities worldwide. In other incidents, NOBELIUM has employed password spray and phishing attacks to compromise third-party providers and facilitate future compromises. This threat actor targeted cloud solution providers (CSPs) and leveraged the backdoor to steal a Mimecast private key.[3] Get the full account from world-class defenders on what it took to respond to the most advanced nation-state attack in history by watching the Decoding NOBELIUM docuseries.

China

Chinese nation-state threat actors have been targeting the United States political landscape for insight into policy shifts. In early March 2021, Microsoft blogged about HAFNIUM and the detection of multiple zero-day exploits used to attack on-premises versions of Microsoft Exchange Server. HAFNIUM operates primarily from leased virtual private servers in the United States and targets entities across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Iran

Iran continued its streak of destructive cyberattacks against regional adversaries, including a string of ransomware attacks against Israeli entities. Iran-linked threat actor RUBIDIUM has been implicated in the Pay2Key[4] and N3tw0rm[5] ransomware campaigns that targeted Israel in late 2020 and early 2021. A common element in Iranian nation-state cyberattacks was the targeting of Israeli logistics companies involved in maritime transportation. Despite Tehran’s less aggressive approach toward the United States in the wake of last year’s election, United States entities remained Iranian threat actors’ top target, comprising nearly half of the NSNs Microsoft delivered to cloud-service customers.

North Korea

Just over half the NSNs Microsoft issued were for North Korea-based state actors during the last three months of 2020. The majority of the North Korean targeting was directed at consumer account targets, based on the likelihood of obtaining non-publicly available diplomatic or geopolitical intelligence. As Microsoft reported in November 2020, ZINC and CERIUM targeted pharmaceutical companies and vaccine researchers in several countries, probably to speed up North Korea’s own vaccine research. North Korea also continued to target financial companies with the intent of stealing cryptocurrency and intellectual property.[6]

Private sector actors supply the tools

Though not nation-state actors themselves, private sector offensive actors (PSOAs) create and sell malicious cyber technologies to nation-state buyers. PSOA tools have been observed targeting dissidents, human rights defenders, journalists, and other private citizens. In December 2020, Microsoft’s efforts to protect our customers led us to file an amicus brief in support of WhatsApp’s case against Israel-based NSO Group Technologies.[7] The brief asks the court to reject NSO Group’s position that it’s not responsible for the use of its surveillance and espionage products by governments. Microsoft also worked with Citizen Lab to disable malware used by the Israel-based PSOA SOURGUM (aka Candiru), which created malware and zero-day exploits (fixed in CVE-2021-31979 and CVE-2021-33771) as part of a hacking-as-a-service package sold to government agencies and other malicious actors.

Comprehensive protection starts with individuals

One thing is clear: nation-state actors are well-funded and employ techniques of tremendous breadth and sophistication. More than other adversaries, nation-state attackers will also target individuals specifically for access to their connections, communications, and information. These attackers are constantly refining their tactics and techniques; therefore, defense-in-depth strategies should include educating employees on how to avoid being targeted themselves. Most importantly, applying Zero Trust principles across corporate resources helps secure today’s mobile workforce—protecting people, devices, applications, and data no matter their location or the scale of threats faced.

Learn more

For a deep dive into our latest information on nation-state threats, download the 2021 Microsoft Digital Defense Report and watch the Decoding NOBELIUM docuseries. Also, look for more blog posts providing information for each themed week of Cybersecurity Awareness Month 2021. Read our latest posts:

Be sure to visit our Cybersecurity Awareness Month page for links to additional resources and information on protecting your organization year-round. Do your part. #BeCyberSmart




[1] Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers, Cybersecurity Infrastructure Security Agency.

[2] A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack, Monika Estatieva, NPR. 16 April 2021.

[3] Mimecast attributes supply chain attack to SolarWinds’ hackers, David Jones, Cybersecurity Dive. 14 January 2021.

[4] Pay2Key Ransomware Joins the Threat Landscape, Tomas Meskauskas, Security Boulevard. 30 November 2020.

[5] N3TW0RM ransomware emerges in wave of cyberattacks in Israel, Lawrence Abrams, Bleeping Computer. 2 May 2021.

[6] North Korean hackers charged in massive cryptocurrency theft scheme, Dan Mangan, CNBC. 17 February 2021.

[7] Google, Cisco and VMware join Microsoft to oppose NSO Group in WhatsApp spyware case, Zack Whittaker, Tech Crunch. 21 December 2020.

