The rise of cyber espionage activities around the world

The report indicates that cyberattacks have reached 120 countries, driven by government-instigated espionage, and that human-operated ransomware attacks have increased by 200% since September 2022


Microsoft has released its Digital Defense Report, which reveals that cyberattacks reached 120 countries, driven by government-instigated espionage, with influence operations also on the rise. Based on more than 65 billion daily signals, the study covers trends between July 2022 and June 2023 in nation-state activity, cybercrime and defense techniques.

Almost half of these attacks targeted NATO member states, and more than 40% were directed at government or private sector organizations involved in building and maintaining critical infrastructure. Although the attacks in the spotlight last year were often associated with destruction or with financial gain through ransomware, the data shows that the predominant motivation was once again the desire to steal information, covertly monitor communications or manipulate what people read:

  • Russian intelligence has refocused its cyberattacks on espionage in support of the war against Ukraine; it continues to carry out destructive cyberattacks on Ukraine while simultaneously developing broader espionage efforts;
  • Iranian efforts, once focused on taking down the networks of their targets, today also tend to amplify manipulative messages to promote geopolitical objectives or to access data circulating on sensitive networks;
  • China has expanded its use of espionage campaigns to obtain information that advances its “One Belt, One Road” initiative and its regional policy, to spy on the US, including key installations for the US military, and to establish access to the networks of critical infrastructure entities;
  • North Korean actors have been trying to covertly steal sensitive information, for instance by targeting a company involved in submarine technology, and have also used cyberattacks to steal hundreds of millions of dollars in cryptocurrency.

Although the USA, Ukraine and Israel continue to be the most attacked countries, the last year has seen an increase in attacks globally. This is the case, in particular, in the Global South, namely Latin America and Sub-Saharan Africa. Iran has increased its operations in the Middle East. Organizations involved in policy development and execution are among the most targeted, in line with the shift in focus to espionage.

Both Russia and China are increasing their influence operations against a number of diaspora communities. Russia aims to intimidate Ukrainian communities worldwide and sow distrust between war refugees and host communities in a number of countries, especially Poland and the Baltic States.

In contrast, China uses a vast network of coordinated accounts on dozens of platforms to spread disguised propaganda. These accounts directly target Chinese-speaking and other global communities, denigrating U.S. institutions and promoting a positive image of China.

Nation-state actors are more frequently using influence operations alongside cyber operations to spread favorable propaganda narratives. These aim to manipulate national and global public opinion to weaken the democratic institutions of opposing nations, which is more dangerous in the context of armed conflicts and national elections.

For example, in the wake of the invasion of Ukraine, Russia has consistently timed its influence operations with military and cyber attacks. Similarly, in July and September 2022, Iran launched destructive cyberattacks against the Albanian government with a coordinated influence campaign that is still ongoing.

Beyond the overall increase in threats, the report identifies distinct trends among the most active nation-state actors:

  • Russia targets Ukraine's NATO allies – Russian state actors have expanded their activities related to Ukraine to target Kiev's allies, mainly NATO members. In April and May 2023, Microsoft observed an increase in activity against Western organizations, 46% of which was in NATO member states, in particular the United States, the United Kingdom and Poland. Several Russian state actors posed as Western diplomats and Ukrainian officials, attempting to access accounts to obtain information about Western foreign policy toward Ukraine, defense plans and intentions, and war crimes investigations;
  • China targets US defense, South China Sea countries and One Belt, One Road partners – China's extensive and sophisticated activities reflect its dual quest for global influence and intelligence gathering. Their targets are most often US critical and defense infrastructure, nations bordering the South China Sea (especially Taiwan), and even China's own strategic partners. In addition to the multiple sophisticated attacks on US infrastructure described in the report, Microsoft also identified China-based actors attacking One Belt, One Road partners such as Malaysia, Indonesia and Kazakhstan;
  • Iran launches new attacks in Africa, Latin America and Asia – Last year, some Iranian state actors increased the complexity of their attacks. Iran has not only targeted Western countries that it considers to be fomenting unrest in Iran, it has also expanded its geographic reach to include more Asian, African and Latin American countries. On the influence-operations front, Iran has promoted narratives that seek to reinforce Palestinian resistance, sow panic among Israeli citizens, foment Shia unrest in Gulf Arab countries and counter the normalization of Israeli and Arab ties. Iran has also made efforts to increase coordination of its activities with Russia;
  • North Korea targets Russian organizations, among others – North Korea has increased the sophistication of its cyber operations over the past year, especially regarding cryptocurrency theft and supply chain attacks. Additionally, North Korea is using spearphishing emails and LinkedIn profiles to target experts from the Korean peninsula around the world to gather information. Despite the recent meeting between Putin and Kim Jong-Un, North Korea has targeted Russia, especially for gathering information on nuclear energy, defense and government policy.

Attackers are already using Artificial Intelligence (AI) as a weapon to enhance phishing messages and improve influence operations with synthetic images. But AI will also be crucial to successful defense, automating and augmenting aspects of cybersecurity such as threat detection, response, analysis and prediction. AI can also enable large language models (LLM) to generate natural language insights and recommendations from complex data, helping analysts be more effective and responsive.

During the period analyzed, AI-driven cyber defense could be seen turning the tide against cyberattacks; in Ukraine, for example, AI helped defend against Russian attacks.

As transformative AI reshapes many aspects of society, it is necessary to invest in responsible AI practices, which are crucial to maintaining user trust and privacy and creating long-term benefits. Generative AI models require evolving cybersecurity practices and threat models to address new challenges, such as creating realistic content – ​​including text, images, video and audio – that can be used by threat actors to spread disinformation or create malicious code.

Microsoft telemetry indicates that organizations have seen human-operated ransomware attacks increase by 200% since September 2022. These are typically “hands-on-keyboard” attacks, in which the operators target an entire organization and tailor the ransom demand to it.

Attackers are also adapting their tradecraft to minimize their footprint: 60% of observed attacks used remote encryption, in which the encrypting process runs on a compromised host and writes to the victim's files over the network, so remediation that relies on killing a malicious process on the affected machine is ineffective. These attacks are also notable for how they gain their initial access – more than 80% of all observed compromises originate from unmanaged devices.

Multi-factor authentication (MFA) is the increasingly common authentication method that requires users to present two or more factors to gain access to a website or application. While enabling MFA is one of the easiest and most effective defenses an organization can deploy, reducing the risk of account compromise by 99.2%, threat actors are increasingly exploiting “MFA fatigue”: they trigger a flood of MFA push notifications to a user whose password they already hold, hoping the user will eventually approve one and grant access.

Microsoft observed approximately 6,000 MFA fatigue attempts per day over the past year. Furthermore, the first quarter of 2023 saw a dramatic tenfold increase in password attacks against cloud identities, especially in the education sector, from around three billion per month to over 30 billion – an average of four thousand password attacks per second targeting Microsoft cloud identities this year.
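The two identity attacks described above leave recognizable patterns in sign-in telemetry: MFA fatigue shows up as a burst of push prompts to one account that the user keeps denying or ignoring (sometimes followed by a single approval), while password spraying shows up as one source address failing against many different accounts. The following is an added example, not code from the Microsoft report or from any Microsoft product; the event field names, the sample log lines and the thresholds are all assumptions made for illustration, and the detectors are run over a constructed event list rather than real telemetry.

```python
"""Detect MFA fatigue and password spraying in sign-in events.

Added illustrative example, not from the Microsoft Digital Defense Report.
The event tuple layout, the sample events and the thresholds below are
assumptions; map them onto your own identity provider's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_WINDOW = timedelta(minutes=10)   # assumed: burst window for push prompts
MFA_THRESHOLD = 5                    # assumed: non-approved prompts per window
SPRAY_THRESHOLD = 8                  # assumed: distinct accounts failed per IP

# Constructed sample log (not real telemetry):
# (timestamp, user, source IP, event, result)
#   event "mfa_push": an MFA push notification was sent to the user's device
#   event "password": a primary-credential check
SAMPLE_EVENTS = [
    ("2023-05-01T08:00:05", "alice", "203.0.113.5", "mfa_push", "denied"),
    ("2023-05-01T08:00:40", "alice", "203.0.113.5", "mfa_push", "timeout"),
    ("2023-05-01T08:01:10", "alice", "203.0.113.5", "mfa_push", "denied"),
    ("2023-05-01T08:02:00", "alice", "203.0.113.5", "mfa_push", "timeout"),
    ("2023-05-01T08:03:30", "alice", "203.0.113.5", "mfa_push", "denied"),
    ("2023-05-01T08:04:15", "alice", "203.0.113.5", "mfa_push", "approved"),
    ("2023-05-01T08:05:00", "bob",   "198.51.100.7", "mfa_push", "approved"),
    ("2023-05-01T09:00:00", "bob",   "198.51.100.7", "mfa_push", "denied"),
] + [
    # one IP, ten different accounts, one failure each: the spray pattern
    (f"2023-05-01T10:{i:02d}:00", f"user{i:02d}", "192.0.2.77", "password", "failure")
    for i in range(10)
] + [
    # one user mistyping their own password twice: benign
    ("2023-05-01T10:30:00", "carol", "198.51.100.9", "password", "failure"),
    ("2023-05-01T10:30:30", "carol", "198.51.100.9", "password", "failure"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_mfa_fatigue(events, window=MFA_WINDOW, threshold=MFA_THRESHOLD):
    """Return {user: finding} for users who received at least `threshold`
    non-approved MFA prompts inside any `window`. Prompts the user denied or
    let time out are the fatigue signal; an approval shortly after such a
    burst is the outcome the attacker is after, so it is flagged as well."""
    prompts = defaultdict(list)    # user -> timestamps of denied/timed-out pushes
    approvals = defaultdict(list)  # user -> timestamps of approved pushes
    for ts, user, _ip, event, result in events:
        if event != "mfa_push":
            continue
        t = parse_ts(ts)
        (approvals if result == "approved" else prompts)[user].append(t)

    findings = {}
    for user, times in prompts.items():
        times.sort()
        best, burst_end, start = 0, None, 0
        for end, t in enumerate(times):          # sliding window over prompts
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = t                    # last prompt of a qualifying burst
            best = max(best, count)
        if burst_end is not None:
            approved_after = any(burst_end <= a <= burst_end + window
                                 for a in approvals[user])
            findings[user] = {"prompts": best, "approved_after_burst": approved_after}
    return findings


def detect_password_spray(events, threshold=SPRAY_THRESHOLD):
    """Return {source_ip: number of distinct accounts with a failed password
    check} for IPs at or above `threshold`. Many failures against one account
    is classic brute force; a few failures against many accounts is a spray,
    which per-account lockout policies do not catch."""
    failed = defaultdict(set)
    for _ts, user, ip, event, result in events:
        if event == "password" and result == "failure":
            failed[ip].add(user)
    return {ip: len(users) for ip, users in failed.items() if len(users) >= threshold}


if __name__ == "__main__":
    print("MFA fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
    print("Password spray:", detect_password_spray(SAMPLE_EVENTS))
```

On the sample data, alice is flagged with five non-approved prompts in under four minutes and an approval right after the burst (the case that warrants revoking the session and resetting the password), bob's single denial is ignored, the address 192.0.2.77 is flagged for failing against ten distinct accounts, and carol's two typos on her own account stay below the spray threshold. In production the two signals complement number matching and conditional-access controls rather than replacing them: number matching removes the "tap to approve" path the fatigue attack depends on, and the spray detector catches the credential-guessing phase that precedes it.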
