Microsoft has detected increased nation-state attacks as competing governments rush to compromise systems for cyber espionage and to spread misinformation. The company also observed increased password attacks as hackers “industrialize” cybercrime, thus lowering the entry barrier.
According to Microsoft, the share of nation-state attacks aimed at critical infrastructure doubled in a year, from 20% to 40% of all such attacks. Microsoft attributes the increase mainly to Russia targeting the critical infrastructure of Ukraine and its allies while also compromising IT firms worldwide to gather intelligence.
Microsoft’s threat intelligence team also found that the window between the public disclosure of a software vulnerability and its commoditization into working exploits has shrunk significantly: on average, an exploit is available in the wild within 14 days of public disclosure.
At the same time, Microsoft warned organizations not to focus on nation-state threats to the exclusion of other cybercrime, which poses a more significant threat to most of them.
Nation-state attacks against critical infrastructure and IT firms increased
While Russia was the main perpetrator, other countries also stepped up nation-state attacks against the West and its allies. Iran, for example, launched destructive attacks against Israel and extended ransomware and information-stealing campaigns beyond its regional adversaries. In one incident, Iranian actors ran a wiper attack against Israeli data disguised as a ransomware incident; in another, they attempted to set off emergency rocket sirens.
Similarly, North Korea ran an aggressive cyber campaign to steal technology from aerospace companies. Nation-state groups from the hermit nation also tried to break into news organizations reporting on the country and into Christian groups, and attempted to breach cryptocurrency firms to steal funds that prop up the country’s struggling economy.
China also stepped up its cyber espionage to counter U.S. influence and steal information. Chinese threat groups relied heavily on zero-day vulnerabilities, a trend Microsoft attributed to a Chinese law requiring entities there to report newly discovered vulnerabilities to the government before notifying the product’s developer.
In October 2022, CISA published a list of vulnerabilities actively exploited by Chinese state-sponsored threat actors. Other activity included targeting hundreds of accounts belonging to prominent people in East Asia ahead of scheduled meetings with U.S. officials, and a malware attack on the Solomon Islands government days after it signed a military pact with China.
Chinese nation-state actors also attempted to interfere in elections in several countries of the Global South, including Namibia, Mauritius, and Trinidad and Tobago.
Supply chain attacks are still on the cards
Microsoft says nation-state actors targeted IT firms to compromise downstream customers in government, policy, and critical infrastructure.
Since 2021, NOBELIUM, a Russian threat actor, has targeted cloud solution providers and managed service providers to reach their US and European customers. Other nation-state groups, such as the Iranian actors DEV-0198 and DEV-0228, used similar tactics to target the Israeli government.
However, Microsoft observed a shift from compromising the software supply chain toward compromising the IT services supply chain as the route to downstream customers. Another notable trend is the use of legitimate software utilities and valid user accounts to evade detection once the attackers are inside a victim’s network.
The rise of password attacks
The report found that hackers had “industrialized” cybercrime by making attack infrastructure available to others as a service, lowering the barrier to entry. Consequently, the volume of password attacks rose 74% in a year, to an estimated 921 attacks per second.
“This research illuminates a common dilemma that is affecting billions of people and millions of businesses, globally,” said Darren Guccione, CEO and Co-Founder at Keeper Security. “As cybercrime skyrockets, cybercriminals continue to rely on their most successful attack vector: password-based attacks.”
According to Microsoft, password attacks were the entry point for other cyberattacks, including ransomware and data exfiltration.
“Up until recently, stolen credentials were the leading attack vector entry – exploited vulnerabilities just surpassed stolen creds,” said Timothy Morris, Chief Security Advisor at Tanium. “It is unclear if better password policies, implementations of one-time passwords (OTP) or multi-factor authentication (MFA), reduced the quality of stolen creds, or if the increased quantity of exploitable vulnerabilities caused the shift.”
Attackers also used various tactics to bypass MFA, such as bombarding a victim with repeated MFA push prompts in the hope that the victim, worn down by MFA fatigue, would eventually approve one.
Although password attacks decreased in North America and Europe, they increased in Latin America. The most common ways of obtaining passwords were brute-force attacks, cracking weak passwords, and phishing.
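The two patterns described above, MFA fatigue and brute-force password guessing spread across many accounts (password spraying), both leave a recognizable signature in sign-in logs. The following is an added example, not code from Microsoft or from the report: two small detectors run over a constructed sign-in log. The log format, the field names, the user names, the source IPs (taken from documentation ranges) and the thresholds are all assumptions made for the illustration; real identity providers export richer events, but the logic carries over.

```python
"""Added example: heuristic detection of password spraying and MFA fatigue
(push bombing) over a constructed sign-in log. Log format, field names,
users, IPs and thresholds are assumptions for illustration only."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<timestamp> <user> <source_ip> <result>".
# Results used: bad_password, success, mfa_denied, mfa_timeout, mfa_approved.
SAMPLE_LOG = """\
2022-11-04T08:00:01Z alice 203.0.113.7 bad_password
2022-11-04T08:00:04Z bob 203.0.113.7 bad_password
2022-11-04T08:00:09Z carol 203.0.113.7 bad_password
2022-11-04T08:00:15Z dave 203.0.113.7 bad_password
2022-11-04T08:00:20Z erin 203.0.113.7 bad_password
2022-11-04T08:00:27Z frank 203.0.113.7 bad_password
2022-11-04T08:02:10Z grace 192.0.2.5 bad_password
2022-11-04T08:02:40Z grace 192.0.2.5 bad_password
2022-11-04T08:03:05Z grace 192.0.2.5 success
2022-11-04T08:10:02Z dave 198.51.100.9 mfa_denied
2022-11-04T08:11:15Z dave 198.51.100.9 mfa_timeout
2022-11-04T08:12:30Z dave 198.51.100.9 mfa_denied
2022-11-04T08:13:41Z dave 198.51.100.9 mfa_denied
2022-11-04T08:14:58Z dave 198.51.100.9 mfa_approved
2022-11-04T09:00:00Z heidi 192.0.2.44 mfa_denied
2022-11-04T09:00:45Z heidi 192.0.2.44 mfa_approved
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "ip": ip, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs that fail logins against many distinct users with only a
    few attempts each inside a sliding window. A single user failing repeatedly
    (a forgotten password) does not match, which keeps the rule quiet.
    Returns {ip: distinct_users_seen}."""
    alerts = {}
    recent = defaultdict(deque)  # ip -> deque of (ts, user) failures in window
    for e in events:
        if e["result"] != "bad_password":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        per_user = defaultdict(int)
        for _, user in q:
            per_user[user] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts[e["ip"]] = max(alerts.get(e["ip"], 0), len(per_user))
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=15), min_rejections=3):
    """Flag users who approve an MFA push after several denied or timed-out
    prompts in the window: the approval after a burst of rejections is the
    tell-tale of a worn-down victim. Returns {user: rejections_before_approval}."""
    alerts = {}
    rejections = defaultdict(deque)  # user -> timestamps of rejected prompts
    for e in events:
        q = rejections[e["user"]]
        if e["result"] in ("mfa_denied", "mfa_timeout"):
            q.append(e["ts"])
        elif e["result"] == "mfa_approved":
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= min_rejections:
                alerts[e["user"]] = len(q)
            q.clear()  # the approval closes this prompt sequence
    return alerts


def analyze(text):
    """Run both detectors over a log and return their findings."""
    events = parse_log(text)
    return {
        "password_spray": detect_password_spray(events),
        "mfa_fatigue": detect_mfa_fatigue(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample log the spray detector fires on 203.0.113.7 (six distinct users, one failure each within a minute) but not on 192.0.2.5, where one user simply mistyped a password twice; the fatigue detector fires on dave (four rejected prompts followed by an approval) but not on heidi, whose single denial followed by an approval is ordinary. The thresholds are starting points to tune against a tenant's real baseline, and in production the spray rule should key on the tenant's own failure-reason codes rather than the simplified result strings used here.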
How to protect your organization against attacks
Microsoft advised organizations to build a security culture from within to avoid becoming victims of nation-state attacks or financially motivated digital threats.
According to Microsoft, basic security hygiene still protects against 98% of attacks. The company recommended enabling multi-factor authentication (MFA), applying security patches promptly, managing privileged access, deploying modern security solutions from trusted providers, and accounting for the human element.