Wednesday, December 18, 2024

Microsoft reports rising cyberattacks on critical infrastructure, blurred lines between state and criminal actors, need for deterrents


According to the fifth annual Microsoft Digital Defense Report, Microsoft's customers encounter over 600 million cybercriminal and nation-state attacks daily, encompassing threats such as ransomware, phishing, and identity theft. The report notes the blurring lines between nation-state threat actors and cybercriminals amid the many faces of hybrid war, in which critical infrastructure is a key target of both physical strikes and cyberattacks. It identifies a need for a more robust deterrent framework that will help to promote stability, protect critical infrastructure, and avoid some of the most harmful cyberattacks. To support this, governments should deepen partnerships across stakeholder groups to identify the essential critical infrastructure.

Highlighting trends from July 2023 to June 2024, the Microsoft Digital Defense Report revealed that nation-state hackers conduct operations for financial gain, enlist cybercriminals to collect intelligence, particularly on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community. These threat actors continue to use cyber operations for espionage, destruction, and influence, impacting geopolitical conflicts. The rise in cyberattacks is also linked to cybercrime gangs collaborating with nation-states and sharing tools and techniques.

Specifically, Russian threat hackers appear to have outsourced some of their cyberespionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices. Iranian nation-state hackers used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee. 

“These cyberattacks are continuing at a breathtaking scale, and as they increasingly put human health at risk, the stakes for stopping them couldn’t be higher,” Tom Burt, corporate vice president for customer security and trust at Microsoft, identified in an executive summary. “In the US alone this fiscal year, 389 healthcare institutions were successfully hit by ransomware, resulting in network closures, systems offline, critical medical operations delayed, and appointments rescheduled. Worse, the increased risk of cyberattacks is no longer limited to civilian cybercriminals.” 

He added that nation-states are becoming more aggressive in the cyber domain, with ever-growing levels of technical sophistication that reflect increased investment in resources and training. “These state-sponsored hackers are not just stealing data, but launching ransomware, prepositioning backdoors for future destruction, sabotaging operations, and conducting influence campaigns.”

Identifying that improved defense will not be enough, Burt noted that “the sheer volume of attacks must be reduced through effective deterrence, and while the industry must do more to deny the efforts of attackers via better cybersecurity, this needs to be paired with government action to impose consequences that further discourage the most harmful cyberattacks.”

Highlighting that in recent years a great deal of attention has been given to the development of international norms of conduct in cyberspace, Burt said that “those norms so far lack meaningful consequence for their violation, and nation-state attacks have been undeterred, increasing in volume and aggression. Cybercriminals similarly continue to attack with impunity, knowing that law enforcement is hampered by the challenges of investigation and prosecution of cross-border crime, and often operating from within apparent safe havens where government authorities turn a blind eye to the malicious activity.” 

The Microsoft Digital Defense report noted that critical infrastructure is a key target of physical strikes and cyberattacks in modern hybrid conflicts. “Since late 2023, Microsoft has observed an increase in reports of attacks on internet-exposed, poorly secured OT devices that control real-world critical processes. As discussed in greater detail in previous editions of this report, this is particularly concerning given these systems often have inadequate security practices, including being left unpatched, using default passwords, or even no passwords at all.” 

It added that Internet-exposed OT (operational technology) equipment in water and wastewater systems (WWS) in the U.S. was targeted in multiple attacks from October 2023 through June 2024 by different nation-backed actors, including IRGC-affiliated CyberAv3ngers (tracked at Microsoft as Storm-0784) and pro-Russian hacktivists. CyberAv3ngers and the pro-Russia Cyber Army of Russia group conduct, claim, or amplify attacks likely intended to intimidate targeted nations into capitulating or ceasing support for Israel and Ukraine, respectively.

The report also detailed that China-based cyber actors Raspberry Typhoon, Flax Typhoon, and Granite Typhoon have intensively targeted entities associated with IT, military, and government interests around the South China Sea. “The activity has particularly targeted countries within the Association of Southeast Asian Nations (ASEAN). Raspberry Typhoon has been extremely active, successfully infiltrating military and executive entities in Indonesia and Malaysian maritime systems in the lead-up to a rare naval exercise involving Indonesia, China, and the United States in June 2023. Similarly, Flax Typhoon focused on entities linked to joint US-Philippines military exercises. Since August 2023, Flax Typhoon has expanded its targets to include IT and government organizations in the Philippines, Hong Kong, India, and the United States.”

The Microsoft Digital Defense Report detailed that since July 2023, Granite Typhoon has compromised telecommunication networks in Indonesia, Malaysia, the Philippines, Cambodia, and Taiwan. This group’s activities highlight a sustained pattern of strategic cyber engagements by Chinese state-affiliated actors aimed at gathering intelligence and potentially disrupting military activities in strategically important areas like the South China Sea.

The report said that since 2023, Microsoft has identified three major North Korean threat groups – Jade Sleet, Sapphire Sleet, and Citrine Sleet – that have been particularly active in targeting cryptocurrency organizations. Moreover, North Korea may also be getting into the ransomware game. Moonstone Sleet, a new North Korean actor identified in May 2024, developed a custom ransomware variant called FakePenny which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks. This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access. 

Aside from the U.S. and the U.K., most of the nation-state-affiliated cyber threat activity observed was concentrated around Israel, Ukraine, the United Arab Emirates, and Taiwan. In addition, Iran and Russia have used both the Russia-Ukraine war and the Israel-Hamas conflict to spread divisive and misleading messages through propaganda campaigns that extend their influence beyond the geographical boundaries of the conflict zones, demonstrating the globalized nature of hybrid warfare.  

The report identified that approximately 75 percent of Russian targets were in Ukraine or a NATO member state, as Moscow seeks to collect intelligence on the West’s policies on the war. “Chinese threat actors’ targeting efforts remain similar to the last few years in terms of geographies targeted – Taiwan being a focus, as well as countries within Southeast Asia – and intensity of targeting per location. Iran placed significant focus on Israel, especially after the outbreak of the Israel-Hamas war. Iranian actors continued to target the US and Gulf countries, including the UAE and Bahrain, in part because of their normalization of ties with Israel and Tehran’s perception that they are both enabling Israel’s war efforts,” it added. 

Microsoft also observed Iranian nation-state threat actors seeking financial gain from some of their offensive cyber operations. “This marks a change from previous behavior, whereby ransomware attacks that were designed to appear financially motivated were actually destructive attacks. For example, a cyber-enabled influence operation run by an Islamic Revolutionary Guard Corps (IRGC) group we track as Cotton Sandstorm (also known as Emennet Pasargad) marketed stolen Israeli dating website data through two of its cyber personas between September 2023 and February 2024. The personas also offered to remove specific individual profiles from their data repository for a fee.”

Meanwhile, Russian threat actors have integrated ever more commodity malware into their operations and appear to have outsourced some cyberespionage operations to criminal groups. In June 2024, Storm-2049 (UAC-0184) used Xworm and Remcos RAT, commodity malware associated with criminal activity, to compromise at least 50 Ukrainian military devices. There was no obvious cybercriminal use for this compromise, suggesting the group was operating in support of Russian government objectives.

While nation-state attacks continue to be a concern, so are financially motivated cyberattacks. In the past year, Microsoft detected a 2.75-fold increase year over year in ransomware attacks. “Importantly, however, there was a threefold decrease in ransom attacks reaching the encryption stage. The most prevalent initial access techniques continue to be social engineering—specifically email phishing, SMS phishing, and voice phishing—but also identity compromise and exploiting vulnerabilities in public-facing applications or unpatched operating systems.”

“Tech scams skyrocketed 400% since 2022. In the past year, Microsoft observed a significant uptick in tech scam traffic with daily frequency surging from 7,000 in 2023 to 100,000 in 2024,” Microsoft Digital Defense reported. “Over 70% of malicious infrastructure was active for less than two hours, meaning they may be gone before they’re even detected. This rapid turnover rate underscores the need for more agile and effective cybersecurity measures.”

Last year, Microsoft observed that cybercriminals and nation-state hackers began experimenting with AI. As AI is increasingly used to enhance human efficiency, these threat actors are discovering ways to exploit AI’s capabilities to target victims more effectively. In influence operations, China-affiliated actors favor AI-generated imagery, while Russia-affiliated actors use audio-focused AI across mediums. So far, the researchers have not observed this content being effective in swaying audiences.

Microsoft disclosed last May that Iran remains a major cyber threat. In addition to its conventional cyberattacks, Iran has developed a new strategy, utilizing cyber-enabled influence operations to further its geopolitical objectives. The disclosure also covered Iran’s attempts at conducting higher-impact cyberattacks against OT environments.

“But the story of AI and cybersecurity is also a potentially optimistic one,” according to the Microsoft Digital Defense report. “While still in its early days, AI has shown its benefits to cybersecurity professionals by acting as a tool to help respond in a fraction of the time it would take a person to manually process a multitude of alerts, malicious code files, and corresponding impact analysis. We continue to innovate our technology to find new ways that AI can benefit and strengthen cybersecurity.”

Between June and July 2023, Microsoft observed Federal Security Service (FSB)-attributed Aqua Blizzard apparently ‘handing off’ access to 34 compromised Ukrainian devices to the cybercriminal group Storm-0593 (also known as Invisimole). The hand-off occurred when Aqua Blizzard invoked a PowerShell script that downloaded software from a Storm-0593-controlled server.

Storm-0593 then established command and control (C&C) infrastructure and deployed Cobalt Strike beacons on most of the devices for follow-on activity. This beacon was configured with the domain da shcloudew[dot]uk, which Microsoft assesses Storm-0593 registered and used in a previous spear-phishing campaign against Ukrainian military machines last year, suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives. 

The Microsoft Digital Defense report underscores the increasing frequency of cyberattacks, with nation-state sponsored assaults intensifying to create a state of perpetual conflict in cyberspace. It emphasizes the need for counteractive measures to reduce the overall incidence of these online threats. 

To deter such harmful activities, a strong blend of technological advancements and geopolitical strategies is essential. “This deterrence can be achieved in two ways – by denial of intrusions or imposing consequences. While companies like Microsoft can help “deny” successful cyberattacks via innovation and further improvements in cybersecurity, enforcing international rules with deterrent consequences must fall on governments,” it added.

Microsoft therefore urges governments to consider a couple of actions to improve adherence to international law and online norms by strengthening digital diplomacy to set clear expectations around acceptable and unacceptable behavior. To that end, Microsoft calls upon governments to embrace new norms; multi-stakeholder inclusion; and bilateral agreements. It also calls for imposing deterrent consequences, as the escalating volume of nation-state sponsored cyberattacks necessitates more decisive governmental action to stem the growth. Possible response strategies include enhanced countermeasures; collective countermeasures; and clarified red lines.

A more robust deterrent framework will help to promote stability, protect critical infrastructure, and avoid some of the most harmful cyberattacks. To support this, governments should deepen partnerships across stakeholder groups to identify the essential critical infrastructure. Given the growing significance of this technology, this should also include essential AI infrastructure and the intellectual property behind the development of new AI models that might otherwise be attractive targets for rival governments.
