Enterprise security executives that perceive nation-state-backed cyber groups as a distant threat might want to revisit that assumption, and in a hurry.
Several recent geopolitical events around the world over the past year have spurred a sharp increase in nation-state activity against critical targets, such as port authorities, IT companies, government agencies, news organizations, cryptocurrency firms, and religious groups.
A Microsoft analysis of the global threat landscape over the last year, released Nov. 4, showed that cyberattacks targeting critical infrastructure doubled, from accounting for 20% of all nation-state attacks to 40% of all attacks that the company’s researchers detected.
Furthermore, their tactics are shifting — most notably, Microsoft recorded an uptick in the use of zero-day exploits.
Multiple Factors Drove Increased Nation-State Threat Activity
Unsurprisingly, Microsoft attributed much of the spike to attacks by Russia-backed threat groups related to and in support of the country’s war in Ukraine. Some of the attacks were focused on damaging Ukrainian infrastructure, while others were more espionage-related and included targets in the US and other NATO member countries. Ninety percent of Russia-backed cyberattacks that Microsoft detected over the past year targeted NATO countries; 48% of them were directed at IT service providers in these countries.
While the war in Ukraine drove most of the activity by Russian threat groups, other factors fueled an increase in attacks by groups sponsored by China, North Korea, and Iran. Attacks by Iranian groups, for instance, escalated following a presidential change in the country.
Microsoft said it observed Iranian groups launching destructive, disk-wiping attacks in Israel as well as what it described as hack-and-leak operations against targets in the US and EU. One attack in Israel set off emergency rocket signals in the country while another sought to erase data from a victim’s systems.
The increase in attacks by North Korean groups coincided with a surge in missile testing in the country. Many of the attacks were focused on stealing technology from aerospace companies and researchers.
Groups in China, meanwhile, increased espionage and data-stealing attacks to support the country’s efforts to exert more influence in the region, Microsoft said. Many of their targets included organizations that were privy to information that China considered to be of strategic importance to achieving its goals.
From Software Supply Chain to IT Service Provider Chain
Nation-state actors targeted IT companies more heavily than other sectors in the period. IT companies, such as cloud services providers and managed services providers, accounted for 22% of the organizations that these groups targeted this year. Other heavily targeted sectors included the more traditional think tank and nongovernmental organization victims (17%), education (14%), and government agencies (10%).
In targeting IT service providers, the attacks were designed to compromise hundreds of organizations at once by breaching a single trusted vendor, Microsoft said. The attack last year on Kaseya, which resulted in ransomware ultimately being distributed to thousands of downstream customers, was an early example.
There were several others this year, including one in January in which a Iran-backed actor compromised an Israeli cloud services provider to try and infiltrate that company’s downstream customers. In another, a Lebanon-based group called Polonium gained access to several Israeli defense and legal organizations via their cloud services providers.
The growing attacks on the IT services supply chain represented a shift away from the usual focus that nation-state groups have had on the software supply chain, Microsoft noted.
Microsoft’s recommended measures for mitigating exposure to these threats include reviewing and auditing upstream and downstream service provider relationships, delegating privileged access management responsible, and enforcing least privileged access as needed. The company also recommends that companies review access for partner relationships that are unfamiliar or have not been audited, enable logging, review all authentication activity for VPNs and remote access infrastructure, and enable MFA for all accounts
An Uptick in Zero-Days
One notable trend that Microsoft observed is that nation-state groups are spending significant resources to evade the security protections that organizations have implemented to defend against sophisticated threats.
“Much like enterprise organizations, adversaries began using advancements in automation, cloud infrastructure, and remote access technologies to extend their attacks against a wider set of targets,” Microsoft said.
The adjustments included new ways to rapidly exploit unpatched vulnerabilities, expanded techniques for breaching corporations, and increased use of legitimate tools and open source software to obfuscate malicious activity.
One of the most troubling manifestations of the trend is the increasing use among nation-state actors of zero-day vulnerability exploits in their attack chain. Microsoft’s research showed that just between January and June of this year, patches were released for 41 zero-day vulnerabilities between July 2021 and June 2022.
According to Microsoft, China-backed threat actors have been especially proficient at finding and discovering zero-day exploits recently. The company attributed the trend to a new China regulation that went into effect in September 2021; it requires organizations in the country to report any vulnerabilities they discover to a Chinese government authority for review before disclosing the information with anyone else.
Examples of zero-day threats that fall into this category include CVE-2021-35211, a remote code execution flaw in SolarWinds Serv-U software that was widely exploited before being patched in July 2021; CVE-2021-40539, a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, patched last September; and CVE-2022-26134, a vulnerability in Atlassian Confluence Workspaces that a Chinese threat actor was actively exploiting before a patch become available in June.
“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft warned, adding that this should be viewed as a major step in the use of zero-day exploits as a state priority.
.
