News

Time To Take Nation-State Cyberattacks Seriously, Microsoft and Tech Leaders Warn

• By David Ramel
• 10/17/2024

Microsoft is leading the growing chorus of tech giants calling for unified action against state-sponsored cyberattacks.

In introducing the company's latest Digital Defense Report, Corporate Vice President Tom Burt warned that such attacks "have been undeterred, increasing in volume and aggression."

"Once again, nation-state affiliated threat actors demonstrated that cyber operations -- whether for espionage, destruction, or influence -- play a persistent supporting role in broader geopolitical conflicts," he said. "Also fueling the escalation in cyberattacks, we are seeing increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques."

The primary culprits have long been Russia, China, Iran and North Korea. Besides Microsoft, security vendors like IBM, Tenable and Fortinet have implicated each of these countries in their own respective security reports.

However, Microsoft seems to be calling the loudest for governments to become involved in fighting threats by combining defensive strategies with strong deterrence. Addressing the problem, Microsoft said, will require focusing and committing to cyber defense from individual users, corporate executives and government leaders.

According to Burt, highlights of Microsoft's report include:

• Russian threat actors appear to have outsourced some of their cyberespionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices.
• Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
• North Korea is getting into the ransomware game. A newly-identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks -- demonstrating both intelligence gathering and monetization motivations.

North Korea was also mentioned in a report this month from IBM titled, "X-Force Cloud Threat Landscape Report 2024," which noted "Threat actors are increasingly leveraging trusted cloud-based services, such as Dropbox, OneDrive and Google Drive, for command-and-control communications and malware distribution," while adding, "North Korean state-sponsored groups, including APT43 and APT37, carried out multistage attacks against cloud-based services to distribute remote access trojans (RATs)."

While that report didn't otherwise focus on foreign threats, it did provide these takeaways:

• Phishing is the leading initial access vector. Over the past two years, phishing has accounted for 33% of cloud-related incidents, with attackers often using phishing to harvest credentials through adversary-in-the-middle (AITM) attacks.
• Business Email Compromise (BEC) attacks go after credentials. BEC attacks, where attackers spoof email accounts posing as someone within the victim organization or another trusted organization, accounted for 39% of incidents over the past two years. Threat actors commonly leverage harvested credentials from phishing attacks to take over email accounts and conduct further malicious activities.
• Continued demand for cloud credentials on the dark web, despite market saturation. Gaining access via compromised cloud credentials was the second most common initial access vector at 28%, despite overall mentions of SaaS platforms on dark web marketplaces, which decreased by 20% compared to 2023.

Tenable, meanwhile, just published its Cloud Risk Report 2024, which calls out North Korea and Russia. It discusses a Windows kernel elevation of privilege vulnerability, saying, "The exploitation activity was orchestrated by the North Korea-based Lazarus Group, with the end goal of establishing a kernel read/write primitive."

The company also noted Microsoft itself was the victim of foreign-sponsored bad guys: "Midnight Blizzard, a Russian state-sponsored actor also known as NOBELIUM, hacked the tech giant's corporate email systems."

Otherwise, just last week Fortinet published "Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA," which followed an August report from the Cybersecurity and Infrastructure Security Agency (CISA) titled, "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations."

That latter government article said: [T]hese Iran-based cyber actors are associated with the Government of Iran (GOI) and -- separate from the ransomware activity -- conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan)."

While those are ordinary, run-of-the-mill cyberattacks seeking data or ransom, the upcoming election in the U.S. provides unique opportunities for foreign actors to influence matters.

"Russia, Iran, and China have all used ongoing geopolitical matters to drive discord on sensitive domestic issues leading up to the U.S. election, seeking to sway audiences in the U.S. to one party or candidate over another, or to degrade confidence in elections as a foundation of democracy," Microsoft's Burt said. "As we've reported, Iran and Russia have been the most active, and we expect this activity to continue to accelerate over the next two weeks ahead of the U.S. election."