As nations such as Russia and Iran increasingly use cybercriminals and their tools, nation-state threat activity has become harder to separate from financially driven cybercrime, according to Microsoft's fifth annual "Digital Defense Report."
The report, released on Tuesday, discusses the information security and cyber trends Microsoft observed from July 2023 to June 2024. While nation-state activity makes up a significant part of the report, it also covers ransomware, generative AI, and fraud. On ransomware, Microsoft saw a 2.75x year-over-year spike in encounters with human-operated ransomware, but a dramatic drop in the share of attacks that advanced to the encryption stage.
The drop in attacks reaching encryption is consistent with defenders improving, but the overall picture remains grim. According to Microsoft, "Despite efforts by law enforcement and partners in the public and private sector, the complexity, speed, impact, and severity of cybercrime is escalating."
According to the report, state-sponsored actors are increasingly using the tooling and tradecraft of financially motivated cybercriminals, and sometimes the criminals themselves, to carry out threat activity. Microsoft describes this as a "blurring" of the boundaries between cybercrime and nation-state operations.
“Microsoft observed nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favoured by the cybercriminal community,” the report read.
Russia, for example, has integrated commodity malware such as the Xworm and Remcos remote access Trojans (RATs) into its cyber arsenal and outsourced "some cyberespionage operations" to otherwise independent cybercriminals. "In June 2024, Storm-2049 (UAC-0184) used Xworm and Remcos RAT—commodity malware associated with criminal activity—to compromise at least 50 Ukrainian military devices," Microsoft said.
Similarly, Microsoft observed 34 compromised Ukrainian machines being persistently accessed by Aqua Blizzard, a state-sponsored group associated with Russia's Federal Security Service, which then handed the devices off to a cybercriminal gang tracked as Storm-0593. The gang deployed Cobalt Strike beacons on the machines, and Microsoft assessed that the beacons were configured with a domain that "Storm-0593 registered and used in a previous spearphishing campaign against Ukrainian military machines last year, suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives."
Microsoft also observed Iran conducting offensive cyber operations with financial motives. While this is not entirely new behaviour, the company says it departs from Iran's past pattern, which tended more towards destructive attacks and less towards financially motivated ransomware. One instance was the sale of data stolen from an Israeli dating site by an Islamic Revolutionary Guard Corps-linked group known as Cotton Sandstorm, which offered "to remove specific individual profiles from their data repository for a fee," according to the report.
Similarly, CISA issued a warning in August about the Iranian APT Pioneer Kitten acting as an initial access broker and collaborating with ransomware affiliates.
The UN estimates that North Korea, a government notorious for using state actors to enrich itself, has stolen more than $3 billion in cryptocurrency since 2017. Beyond that well-known propensity for cryptocurrency theft, Microsoft says it identified a new North Korean state-backed ransomware actor in May, which it tracks as Moonstone Sleet.
“Moonstone Sleet, a new North Korean actor identified in May 2024, developed a custom ransomware variant called FakePenny, which it deployed at organisations in aerospace and defence after exfiltrating data from the impacted networks,” Microsoft said. “This behaviour suggests the actor had objectives for both intelligence gathering and monetisation of its access.”
In addition to the growing overlap with cybercrime, Microsoft warned that nation-state threat activity is intensifying. “The pace of nation-state-sponsored cyberattacks has escalated to the point that there is now effectively constant combat in cyberspace without any meaningful consequences to the attacker,” the report stated.
Microsoft stated that deterrence requires a blend of geopolitical and technological solutions, with the ultimate objective of preventing intrusions and/or enforcing penalties. Although private firms will almost certainly remain responsible for denying intrusions, "enforcing international rules with deterrent consequences must fall on governments."
Microsoft offered a number of recommendations to governments, organised around three pillars: enforcing deterrent conditions, improving government attribution of hostile conduct, and bolstering international norms and diplomacy.
The first two pillars are largely self-explanatory; the norms-and-diplomacy pillar is the more novel and aspirational. Microsoft advises governments to embrace inclusive diplomatic processes, establish bilateral agreements to curb state-backed cyber threat activity, and introduce new norms in forums such as the U.N. that treat cloud and information and communications technology supply chains as critical infrastructure, off-limits for targeting.