
Nation State Threats

Nation-state actors are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities.

Espionage operations rising

Persistent and stealthy espionage operations pose a long-term global threat. Russian and Iranian state-sponsored actors reduced their destructive operations, but threat actors worldwide are increasing their collection capacity against foreign and defense policy organizations, technology firms, and critical infrastructure.

Threat actors expand their global target set

Nation state actors’ cyber operations increased their global reach, expanding in the Global South to more parts of Latin America and sub-Saharan Africa. While cyber operations remained most pronounced against the US, Ukraine and Israel and pervasive throughout Europe, operations increased in the Middle East owing to Iranian actors. Organizations involved in policymaking and implementation were among those most targeted, in line with many groups’ espionage-focused remits.

Three pie charts showing the most targeted regions in Europe, Middle East and North Africa, and Asia-Pacific

Source: Microsoft Threat Intelligence events data

Russian state actors widen their scope

Russian state-sponsored threat actors used diverse means – from phishing campaigns to zero-days – to gain initial access to devices and networks in industries across NATO member states, while malign influence actors sought to intimidate the Ukrainian diaspora and encourage protest movements across Europe.

Pie chart showing intrusions against organizations within NATO member states

Source: Microsoft Threat Analysis Center investigations

Cyber and influence operations continue to converge

The scope and intensity of cyber-enabled influence campaigns between state actors and hacktivist groups have matured over the course of the Russia-Ukraine war. The time between attacks and public leaks has shrunk from a few days to nearly same-day operations.

Chinese state-sponsored espionage campaigns reflect political goals

Cyber threat groups continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China’s strategic partners. 

Chinese state-sponsored cyber activity around the South China Sea reflects Beijing’s strategic goals in the region and heightened tensions around Taiwan. Much of the targeting appears to be for intelligence collection purposes. The primary Chinese threat groups in the region are Raspberry Typhoon and Flax Typhoon.

Map of Asia-Pacific region to depict cyber events in the South China

Influence operations expand their global reach

China continues to improve its influence campaigns, operating at a scale unmatched by other malign influence actors. Chinese-affiliated covert propaganda campaigns deploy thousands of accounts across dozens of websites spreading memes, videos, and articles in multiple languages. In 2023, influence operations targeted additional audiences by using new languages and branching out to new platforms.

Logos for 28 social media platforms which are available in various languages

Source: Microsoft Threat Analysis Center investigations

Iranian state actors enhance their offensive cyber capabilities

Iranian cyber and influence operations turned firmly against the West and used sophisticated tradecraft, enhancing operations in cloud environments, rolling out custom implants, and exploiting newly released vulnerabilities.

Targeting the Global South

We observed increasingly global targeting by Iranian groups, particularly in the Global South. Iranian cyber operations increased across the board, with greater persistence against countries of most interest to Tehran and expanding into enterprises in Southeast Asian, African, Latin American, and European countries, particularly in Eastern and Southern Europe.

North Korean cyber operations becoming more sophisticated

North Korean cyber threat actors pursued cyber operations to collect intelligence on the policy plans of adversaries, gather intelligence about other countries’ military capabilities, and steal cryptocurrency to fund the state.

Cryptocurrency theft and supply chain attacks

North Korean actors continued to steal cryptocurrency with greater sophistication. In January 2023, the US Federal Bureau of Investigation publicly attributed the June 2022 heist of $100 million in cryptocurrency from Harmony’s Horizon Bridge to North Korean cyber actors. Microsoft attributed this activity to Jade Sleet, which we estimate has stolen approximately $1 billion in cryptocurrency so far.

This year marks the first time Microsoft has observed a supply chain attack conducted by North Korean threat actor groups. Microsoft attributed the March 2023 3CX supply chain attack to Citrine Sleet, which leveraged a prior supply chain compromise of a US-based financial technology company in 2022. This is the first time we have observed an activity group using an existing supply chain compromise to conduct another supply chain attack.


Cyber mercenaries: an emerging threat

The expanding mercenary marketplace threatens to destabilize the online environment. Cyber mercenaries are commercial entities that create and sell cyberweapons to customers, often governments, which select targets and operate the cyberweapons.
