Microsoft Digital Defense Report shares new insights on nation-state attacks
Microsoft Security Blog, October 25, 2021 (last modified August 10, 2023)
https://www.microsoft.com/en-us/security/blog/2021/10/25/microsoft-digital-defense-report-shares-new-insights-on-nation-state-attacks/

Microsoft is proud to promote Cybersecurity Awareness Month as part of our ongoing commitment to security for all. Year-round, Microsoft tracks nation-state threat activities to help protect organizations and individuals from these advanced persistent actors. We're constantly improving our capabilities to bring better detections, threat context, and actor knowledge to our customers so they can improve their own defenses. To learn more about how Microsoft responds to nation-state attacks and how to defend your organization, watch the Decoding NOBELIUM docuseries. Hear directly from the frontline defenders who helped protect organizations against the most sophisticated attack in history.

The aims of nation-state cyber actors—largely espionage and disruption—remain consistent, along with their most reliable tactics and techniques: credential harvesting, malware, and VPN exploits. However, a common theme this year among the actors originating from China, Russia, North Korea, and Iran has been increased targeting of IT service providers as a way of exploiting downstream customers.[1]

Earlier this month, we published the 2021 Microsoft Digital Defense Report (MDDR), which provides more in-depth findings about Microsoft's tracking of nation-state threat groups, including information on the most heavily targeted sectors and countries, specific threat actors, attack methods, and more. This blog captures the high-level themes from the MDDR, and we encourage you to download the full report for additional details.

Government agencies and non-governmental organizations are favored targets

Whenever an organization or individual account holder is targeted or compromised by observed nation-state activities, Microsoft delivers a nation-state notification (NSN) directly to that customer to give them the information they need to investigate the activity. Over the past three years, we've delivered over 20,500 NSNs. According to the analysis of the actor activity behind these NSNs, nation-state attacks in the past year have largely focused on operational objectives of espionage and intelligence collection rather than destructive attacks.

"Nation-state activity spans nearly every industry sector and geographic region. In other words, protections against these tactics are critical for every organization and individual." —2021 Microsoft Digital Defense Report.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Crimes Unit (DCU) have observed that nearly 80 percent of nation-state attacks were directed against government agencies, think tanks, and non-government organizations (NGOs). The nation-state groups we refer to as NOBELIUM, NICKEL, THALLIUM, and PHOSPHORUS were the most active against the government sector, targeting mostly government entities involved in international affairs.

Figure 1: Sectors targeted by nation-state attacks (July 2020 to June 2021).

Russia-based cyber attackers in particular have increasingly set their sights on government targets. Year-on-year comparisons of NSN data depict a marked increase in successful compromises, from a 21 percent success rate between July 2019 and June 2020, up to 32 percent since July 2020. In turn, the percentage of government organizations targeted by Russian threat actors exploded from roughly 3 percent last year to 53 percent since July 2020 (see figure 3).

Most-targeted countries

The United States remained the most highly targeted country in the past year. Russia-based NOBELIUM also heavily targeted Ukraine, particularly focusing on government interests involved in rallying against a build-up of Russian troops along Ukraine's border—driving the number of Ukrainian customers impacted from 6 last year to more than 1,200 this year. This past year also saw a near quadrupling in the targeting of Israeli entities, driven exclusively by Iranian actors as tensions escalated between the two countries.

Figure 2: Countries most targeted (July 2020 to June 2021).

Microsoft identifies nation-state activities by chemical element names, some of which are shown in the table below, along with their countries of origin. This small sample of the total nation-state actors tracked by Microsoft represents several of the most active in the last year.

Figure 3: Reference map for nation-state actors.

Volume versus precision

Rates of successful compromises varied widely among threat groups this year. Some, such as North Korea-based THALLIUM, had a low rate of successful compromise, likely because their common tactic of large-scale spear-phishing campaigns has become easier to detect and deter as users become increasingly aware of these lures and organizations use security solutions to detect them more effectively. Russia-based NOBELIUM, in contrast, had more successful compromises as a result of their more targeted attack against software supply chains, coupled with more high-volume password spray campaigns in pursuit of credential theft. Nation-state actors appear to be increasing the scale of these blunt attacks in an attempt to evade detection and improve their chances of a successful breach. The first fiscal quarter of 2020 (July to September) saw a proportionally higher compromise rate; not necessarily because threat actors were more successful, but because we saw fewer high-volume campaigns during this time.

Figure 4: Average rates of compromise (all tactics, July 2020 to June 2021).

Snapshot: Nation-state activity

Russia

Russia-based NOBELIUM proved how insidious software supply chain attacks can be with its devastating compromise of the SolarWinds Orion software update.[2] Although the group limited its follow-up exploitation to approximately 100 organizations, its backdoor malware was pushed to roughly 18,000 entities worldwide. In other incidents, NOBELIUM has employed password spray and phishing attacks to compromise third-party providers and facilitate future compromises. This threat actor targeted cloud solution providers (CSPs) and leveraged the backdoor to steal a Mimecast private key.[3] Get the full account from world-class defenders on what it took to respond to the most advanced nation-state attack in history by watching the Decoding NOBELIUM docuseries.

China

Chinese nation-state threat actors have been targeting the United States political landscape for insight into policy shifts. In early March 2021, Microsoft blogged about HAFNIUM and the detection of multiple zero-day exploits used to attack on-premises versions of Microsoft Exchange Server. HAFNIUM operates primarily from leased virtual private servers in the United States and targets entities across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Iran

Iran continued its streak of destructive cyberattacks against regional adversaries, including a string of ransomware attacks against Israeli entities. Iran-linked threat actor RUBIDIUM has been implicated in the Pay2Key[4] and N3tw0rm[5] ransomware campaigns that targeted Israel in late 2020 and early 2021. A common element in Iranian nation-state cyberattacks was the targeting of Israeli logistics companies involved in maritime transportation. Despite Tehran's less aggressive approach toward the United States in the wake of last year's election, United States entities remained Iranian threat actors' top target, comprising nearly half of the NSNs Microsoft delivered to cloud-service customers.

North Korea

Just over half the NSNs Microsoft issued were for North Korea-based state actors during the last three months of 2020. The majority of the North Korean targeting was directed at consumer account targets, based on the likelihood of obtaining non-publicly available diplomatic or geopolitical intelligence. As Microsoft reported in November 2020, ZINC and CERIUM targeted pharmaceutical companies and vaccine researchers in several countries, probably to speed up North Korea's own vaccine research. North Korea also continued to target financial companies with the intent of stealing cryptocurrency and intellectual property.[6]

Private sector actors supply the tools

Though not nation-state actors themselves, private sector offensive actors (PSOAs) create and sell malicious cyber technologies to nation-state buyers. PSOA tools have been observed targeting dissidents, human rights defenders, journalists, and other private citizens. In December 2020, Microsoft's efforts to protect our customers led us to file an amicus brief in support of WhatsApp's case against Israel-based NSO Group Technologies.[7] The brief asks the court to reject NSO Group's position that it's not responsible for the use of its surveillance and espionage products by governments. Microsoft also worked with Citizen Lab to disable malware used by the Israel-based PSOA SOURGUM (aka Candiru), which created malware and zero-day exploits (fixed in CVE-2021-31979 and CVE-2021-33771) as part of a hacking-as-a-service package sold to government agencies and other malicious actors.

Comprehensive protection starts with individuals

One thing is clear: nation-state actors are well-funded and employ techniques of tremendous breadth and sophistication. More than other adversaries, nation-state attackers will also target individuals specifically for access to their connections, communications, and information. These attackers are constantly refining their tactics and techniques; therefore, defense-in-depth strategies should include educating employees on how to avoid being targeted themselves. Most importantly, applying Zero Trust principles across corporate resources helps secure today's mobile workforce—protecting people, devices, applications, and data no matter their location or the scale of threats faced.

Learn more

For a deep dive into our latest information on nation-state threats, download the 2021 Microsoft Digital Defense Report and watch the Decoding NOBELIUM docuseries. Also, look for more blog posts providing information for each themed week of Cybersecurity Awareness Month 2021. Read our latest posts: