Microsoft assesses the biggest nation-state threats

Cyber security professionals often describe the threat landscape as fast-changing and ever-evolving. But accurately identifying trends and articulating them to non-technical audiences is a difficult business. This is partly because many cybercriminals are smart and work hard to hide the traces of their infiltrations. It’s also because few organisations or people can see the whole picture over a long period of time. A huge amount of digital detective work is required to obtain information and analyse it to follow criminal groups and monitor their tactics and techniques.

Fortunately, Microsoft synthesises 65 trillion signals every day. Its huge team of 10,000 security and threat intelligence analysts track over 300 unique threat actors including 160 nation-state actors, 50 ransomware groups and many more. So it’s in the perfect position to study the actions of each of these groups over time and see how their behaviours change from one year to the next. Every year Microsoft publishes its Digital Defense Report and the fourth edition was released last month. The 131-page paper, subtitled ‘Building and improving cyber resilience’ covers the whole globe and spans the 12 months up to June 2023.

While the overwhelming majority of cybercriminal gangs and individuals are financially motivated, arguably the most sophisticated groups are backed or run directly by nation states, the most notorious being China, Russia, Iran and North Korea. That said, the lines between independent gangs and nation-state groups are blurring, which suits threat actors who don’t want to be identified and shadowed.

Focus on nation-state threats

A chapter of this year’s report is dedicated to the subject of ‘Nation State Threats’ which includes a warning of a growing threat from Palestinian actors and cyber mercenaries. Recent conflicts and more unstable geopolitics in several regions of the world are increasingly leading to some governments using underhand cyber tactics in various ways.As Microsoft reports, they are seeing “a blurring of lines between cyber operations, espionage, influence campaigns, and destructive attacks.” And while only a few years ago, cyber operations weren’t very well known to most of the public, today almost everyone knows what a cyber-attack is because they have gained much “more media attention, with the ongoing use of influence narratives to manipulate global and national opinion.”Its team of analysts believes that from July 2022 to June 2023, nation-state cyber actors reduced the number of high-volume destructive attacks and pivoted towards cyber espionage. However, this vastly depends on the specific state and the objectives they need to meet. For example, China’s hunger for advanced technology and insights into partner nations’ foreign policies is one side of this equation, and Russia’s continued use of wiper malware to disrupt Ukraine is the other.

A growing global challenge

Given who the most prolific nation states are, it’s no surprise that the countries that were targeted the most were Ukraine, the US, Israel, the UK, South Korea and Taiwan, with NATO countries also appearing high on the list due to their support for Ukraine. However, cybercrime is spreading, with the Middle East, Latin America, the Sahel in Africa and south-east Asia also witnessing heightened activity. As well as government agencies, think tanks and non-governmental organisations (NGOs), universities, academics and critical national infrastructure (CNI), IT and communications companies are also widely targeted. Naturally, those nations that attack are attacked back in retaliation.

Influence operations are also on the rise, as nations attempt to spread their narrative, manipulate populations and encourage citizens to vote for a particular party. In the next 18 months, around two-thirds of eligible citizens in democratic nations will have the opportunity to vote. So, cyber influence campaigns are expected to increase for the rest of the year and throughout 2024.

China

Microsoft sees China’s state-sponsored cyber groups closely adhering to the country’s geopolitical strategy by having two main goals: intelligence gathering and influence. They are known to be targeting US defence and CNI, nations around the contested South China Sea, and even their own strategic allies. Their influence operations are aimed at citizens in many different countries via lots of social media and news platforms.

Russia

Ukraine and NATO member states comprise the bulk of Russia’s targets. CNI, think tanks, transportation businesses and of course government agencies are routinely threatened. Many of its influence operations seek to change European citizens’ minds about the war in Ukraine. To make the work of security analysts more complex, Russia hosts many financially motivated cybercriminal groups which further the goals of the state.

Iran

While Iran’s top targets remain Israel and the US, it’s widened its sights to target countries in Europe, including NATO members. There’s also evidence that Iran, which has grown in sophistication over the past 12 months, is coordinating influence operations with Russia. The two already cooperate with media campaigns.

North Korea

Western mainstream media organisations have reported more on this isolated state in recent years, including that its cyber operations are primarily used to extort money to finance its secretive missile and nuclear programmes. Financial gain drives the majority of North Korean cyber-attacks which is highly likely due to economic sanctions inhibiting other streams of financial generation. South Korea and its close ally the US make up over 50% of Pyongyang’s attacks.

Palestinian threat actors

In early 2023 security experts started tracking a group known as Storm-1133 based in Gaza. Evidence has been gathered of it trying to breach Israeli defence, transport and energy organisations. In October 2023, Storm-1133 conducted strikes against Israel, almost certainly in coordination with kinetic activities.

Cyber mercenaries

A different emerging threat that Microsoft stresses is very serious is that of cyber mercenaries or private-sector companies that have been seen selling their technology to governments and other organisations around the world. Microsoft states that one of its missions is to actively shut down such actors to prevent them from doing harm. The Digital Defense Report states that, “The explosive growth of this market poses a real threat to democracy and the overall stability and security of the online environment.”
Microsoft has teamed up with over 150 partner companies to fight back against mercenaries and make cyberspace a safer place for everyone.

Learn more about cyber threats

Quorum Cyber regularly publishes advice and updates on the latest threats. You can find our threat intelligence bulletins, malware reports and threat actor profiles on our website. And, of course, if you believe you’re experiencing a cyber-attack, please call our Incident Response team on 0333 444 0041 and we’ll help you right away.