Review of Cyberespionage and Information Operations Reports ‘Aggressive’ Efforts
Government-sponsored cyberespionage campaigns and information operations are on the rise, and not just because of hacker spies sent by usual suspects Russia and China.
So warns Microsoft in its annual Digital Defense Report, which reviews nation-state and cybercrime activity it tracked from July 2022 through June.
Ransomware attacks naturally grab attention thanks to their obvious and immediate disruption, but behind the scenes, governments are doubling down on stealthy cyberespionage operations.
“Nation states are becoming increasingly sophisticated and aggressive in their cyberespionage efforts, led by highly capable Chinese actors focused on the Asia-Pacific region in particular,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, said in an introduction to the report.
Based on Microsoft’s telemetry, the greatest number of online attacks last year targeted the United States, followed by Ukraine and Israel. It reported seeing a surge in activity last spring that targeted Western organizations, of which 46% were based in NATO states – primarily the U.S., the United Kingdom and Poland.
U.S. intelligence agencies repeatedly warn that the biggest online threats to national security and allies come from Russia, China, Iran and North Korea. Microsoft reports that the scale and sophistication of operations tied to each of those countries continues to improve and that their efforts to steal information and influence narratives target their adversaries and allies.
Since launching an all-out war against Ukraine in February 2022, “Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts,” Burt said in a blog post (see: Ukraine Cyber Defenders Prepare for Winter).
China remains a major player, focused especially on both collecting intelligence – especially from U.S. defense and critical sectors, as well as Taiwan and even its own partners – and running influence operations, Microsoft said.
Beijing also “deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda” that targets Chinese speakers across the globe and sometimes promulgates anti-American narratives, the report says. The country’s influence operations also focus on “promoting a positive image of China through hundreds of multilingual lifestyle influencers” (see: Facebook Links Massive Disinformation Operation to China).
The increased use of cyberespionage by Russia has been well documented. Western intelligence officials continue to caution that the true scale of such operations remains unclear, since such efforts are designed to be stealthy and sometimes highly targeted.
Long-term attacks may go undetected for some time. One example is the SolarWinds supply chain attack that the White House attributed to the Russian Foreign Intelligence Service, or SVR, which injected a Trojan into SolarWinds’ Orion software updater. The campaign may have begun in September 2019, and it wasn’t detected until December 2020, meaning the SVR had months of surreptitious access to multiple highly sensitive systems.
Microsoft reports that when it comes to cyber operations and intelligence gathering, nominal allies target each other. Despite last month’s meeting between Russian President Vladimir Putin and North Korean hereditary dictator Kim Jong Un, Pyongyang continues to run Moscow-focused espionage operations, especially focused on “nuclear energy, defense and government policy intelligence collection.”
Alongside the risk posed by nation-state groups, the threat posed by criminals also continues to intensify. “Ransomware-as-a-service and phishing-as-a-service are key threats to businesses, and cybercriminals have conducted business email compromise and other cybercrimes, largely undeterred by the increasing commitment of global law enforcement resources,” Burt said.
Microsoft said that from September 2022 through July, it saw the number of human-operated or “hands on keyboard” ransomware attacks double compared to less sophisticated, fully automated attacks. Since last November, it said, it saw the number of security incidents that appeared to lead to data exfiltration double.
Why data was stolen wasn’t always clear. Even if a criminal was responsible, such data might still end up in the hands of an intelligence agency. “Not all data theft is associated with ransomware; it can also be for credential harvesting or nation-state espionage,” Microsoft said.