Nation State Threats
Espionage operations rising
Persistent and stealthy espionage operations pose a long-term global threat. Russian and Iranian state-sponsored actors reduced their destructive operations, but threat actors worldwide are increasing their collection capacity against foreign and defense policy organizations, technology firms, and critical infrastructure.
Threat actors expand their global target set
Nation state actors’ cyber operations increased their global reach, expanding in the Global South to more parts of Latin America and sub-Saharan Africa. While cyber operations remained most pronounced against the US, Ukraine and Israel and pervasive throughout Europe, operations increased in the Middle East owing to Iranian actors. Organizations involved in policymaking and implementation were among those most targeted, in line with many groups’ espionage-focused remits.
Source: Microsoft Threat Intelligence events data
Russian state actors widen their scope
Russian state-sponsored threat actors used diverse means – from phishing campaigns to zero-days – to gain initial access to devices and networks in industries across NATO member states, while malign influence actors sought to intimidate the Ukrainian diaspora and encourage protest movements across Europe.
Source: Microsoft Threat Analysis Center investigations
Cyber and influence operations continue to converge
The scope and intensity of cyber-enabled influence campaigns between state actors and hacktivist groups has matured over the course of the Russia-Ukraine war. The dates between attacks and public leaks have reduced from a few days to nearly same-day operations.
Chinese state-sponsored espionage campaigns reflect political goals
Cyber threat groups continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China’s strategic partners.
Chinese state-sponsored cyber activity around the South China Sea reflects Beijing’s strategic goals in the region and heightened tensions around Taiwan. Much of the targeting appears to be for intelligence collection purposes. The primary Chinese threat groups in the region are Raspberry Typhoon and Flax Typhoon.
Influence operations expand their global reach
China continues to improve its influence campaigns, operating at a scale unmatched by other malign influence actors. Chinese-affiliated covert propaganda campaigns deploy thousands of accounts across dozens of websites spreading memes, videos, and articles in multiple languages. In 2023, influence operations targeted additional audiences by using new languages and branching out to new platforms.
Source: Microsoft Threat Analysis Center investigations
Iranian state actors enhance their offensive cyber capabilities
Iranian cyber and influence operations turned firmly against the West and used sophisticated tradecraft, enhancing operations in cloud environments, rolling out custom implants, and exploiting newly released vulnerabilities.
-
Source: Microsoft Threat Analysis Center investigations
-
Source: Microsoft Threat Analysis Center investigations
Targeting the Global South
We observed increasingly global targeting by Iranian groups, particularly in the Global South. Iranian cyber operations increased across the board, with greater persistence against countries of most interest to Tehran and expanding into enterprises in Southeast Asian, African, Latin American, and European countries, particularly in Eastern and Southern Europe.
North Korean cyber operations becoming more sophisticated
North Korean cyber threat actors pursued cyber operations to collect intelligence on the policy plans of adversaries, gather intelligence about other countries’ military capabilities, and steal cryptocurrency to fund the state.
Cryptocurrency theft and supply chain attacks
North Korean actors continued to steal cryptocurrency with greater sophistication. In January 2023, the US Federal Bureau of Investigation publicly attributed the June 2022 heist of $100 million in cryptocurrency from Harmony’s Horizon Bridge to North Korean cyber actors. Microsoft attributed this activity to Jade Sleet, which we estimate has stolen approximately $1 billion in cryptocurrency so far.
This year marks the first time Microsoft has observed a supply chain attack conducted by North Korean threat actor groups. Microsoft attributed the March 2023 3CX supply chain attack to Citrine Sleet, which leveraged a prior supply chain compromise of a US-based financial technology company in 2022. This is the first time we have observed an activity group using an existing supply chain compromise to conduct another supply chain attack.
Cyber mercenaries: an emerging threat
The expanding mercenary marketplace threatens to destabilize the online environment. Cyber mercenaries are commercial entities that create and sell cyberweapons to customers, often governments who select targets and operate the cyberweapons.
Explore other Microsoft Digital Defense Report chapters
Introduction
The power of partnerships is key to overcoming adversity by strengthening defenses and holding cybercriminals accountable.
The State of Cybercrime
While cybercriminals remain hard at work, the public and private sectors are coming together to disrupt their technologies and support the victims of cybercrime.
Nation State Threats
Nation state cyber operations are bringing governments and tech industry players together to build resilience against threats to online security.
Critical Cybersecurity Challenges
As we navigate the ever-changing cybersecurity landscape, holistic defense is a must for resilient organizations, supply chains, and infrastructure.
Innovating for Security and Resilience
As modern AI takes a massive leap forward, it will play a vital role in defending and ensuring the resilience of businesses and society.
Collective Defense
As cyberthreats evolve, collaboration is strengthening knowledge and mitigation across the global security ecosystem.
More on security
Our commitment to earn trust
Microsoft is committed to the responsible use of AI, protecting privacy, and advancing digital safety and cybersecurity.
Cyber Signals
A quarterly cyberthreat intelligence brief informed by the latest Microsoft threat data and research. Cyber Signals gives trends analysis and guidance to help strengthen the first line of defense.
Nation State Reports
Semi-annual reports on specific nation state actors that serve to warn our customers and the global community of threats posed by influence operations and cyber activity, identifying specific sectors and regions at heightened risk.
Microsoft Digital Defense Reports archive
Explore previous Microsoft Digital Defense Reports and see how the threat landscape and online safety has changed in a few short years.
Follow Microsoft Security