New Microsoft Digital Defense Report calls upon critical infrastructure sector to focus on cyber resilience

Microsoft on Thursday published the fourth annual edition of the Microsoft Digital Defense Report, disclosing a surge in cyberattacks that affected 120 countries over the last year, with nearly half of those attacks targeting NATO member states. It also found that over 40 percent of the attacks were leveled against government or private-sector organizations involved in building and maintaining critical infrastructure.

The 131-page report also highlights a noteworthy shift in recent cyberattacks: while the headline-grabbing attacks of the past year were often focused on destruction or on financial gain through ransomware, Microsoft's data shows the predominant motivation has swung back to stealing information, covertly monitoring communications, or manipulating what people read.

“Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, detailed in a blog post. “Iranian efforts, once focused on taking down the networks of their targets, are also inclined today to amplify manipulative messages to further geopolitical goals or tap into data flowing through sensitive networks.”

Additionally, Burt pointed out that China has expanded its use of spying campaigns to gain intelligence to fuel its Belt and Road Initiative or regional politics, to spy on the U.S. including key facilities for the U.S. military, and to establish access to the networks of critical infrastructure entities. “North Korean actors have been trying to covertly steal secrets; they’ve targeted a company involved in submarine technology, while separately using cyberattacks to steal hundreds of millions in cryptocurrency.”

Burt also noted that while threat groups have significantly accelerated the pace of their attacks over the last year, built-in protections across Microsoft products have blocked tens of billions of malware threats, thwarted 237 billion brute-force password attack attempts, and mitigated 619,000 distributed denial of service (DDoS) attacks. DDoS attacks aim to disable a server, service, or network by overwhelming it with a flood of internet traffic.

“Criminals are also looking to increase their anonymity and effectiveness, by using remote encryption to cover their traces more effectively as well as cloud-based tools such as virtual machines,” Burt wrote. “But stronger private and public partnerships mean that they are increasingly finding themselves in the crosshairs of law enforcement. For example, the ransomware operator known as Target was outed, and arrests and indictments were successfully made. But criminals continue to look for the points of easiest entry to systems and a continuous and accelerating effort is required to stay one step ahead of them.”

Covering trends between July 2022 and June 2023 across nation-state activity, cybercrime, and defense techniques, the Microsoft report revealed that while the U.S., Ukraine, and Israel continue to be most heavily attacked, the last year has seen an increase in the global scope of attacks. This is particularly the case in the Global South, especially Latin America and sub-Saharan Africa. Iran increased its operations in the Middle East. Organizations involved in policymaking and execution were among the most targeted, in line with the shift in focus to espionage.

“Both Russia and China are increasing the scope of their influence operations against a variety of diasporas. Russia aims to intimidate global Ukrainian communities and sow mistrust between war refugees and host communities in a range of countries, especially Poland and the Baltic states,” Burt wrote in the post. “By contrast, China deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda. These directly target global Chinese-speaking and other communities, denigrating U.S. institutions, and promoting a positive image of China through hundreds of multilingual lifestyle influencers.”

He also pointed out that nation-state hackers are more frequently employing influence operations (IO) alongside cyber operations to spread favored propaganda narratives. “These aim to manipulate national and global opinion to undermine democratic institutions within perceived adversary nations – most dangerously in the contexts of armed conflicts and national elections. For example, following its invasion of Ukraine, Russia consistently timed its IO operations with military and cyberattacks. Similarly, in July and September 2022, Iran followed destructive cyberattacks on the Albanian government with a coordinated influence campaign which is still ongoing.”

Burt reported an overall increase in threat activity and described the trends observed among the most active nation-state actors. Russian state actors expanded their Ukraine-related activities to target Kyiv’s allies, principally NATO members. “In April and May 2023, Microsoft observed a spike in activity against Western organizations, 46% of which were in NATO member states, particularly the United States, the United Kingdom, and Poland. Several Russian state actors posed as Western diplomats and Ukrainian officials, attempting account access. The goal was to obtain insights into Western foreign policy on Ukraine, defense plans and intentions, and war crimes investigations,” he added.

He also flagged China’s expanded and sophisticated activities reflecting its dual pursuits of global influence and intelligence collection. “Their targets are most commonly U.S. defense and critical infrastructure, nations bordering the South China Sea (especially Taiwan), and even China’s own strategic partners. In addition to the multiple sophisticated attacks on U.S. infrastructure detailed in the report, Microsoft has also seen China-based actors attack China’s Belt and Road Initiative partners such as Malaysia, Indonesia, and Kazakhstan.”

The past year has seen some Iranian state actors increase the complexity of their attacks, Burt added. “Iran has not only targeted Western countries it believes are fomenting unrest within Iran, but it has also expanded its geographical reach to include more Asian, African, and Latin American countries. On the IO front, Iran has pushed narratives that seek to bolster Palestinian resistance, sow panic among Israeli citizens, foment Shi’ite unrest in Gulf Arab countries, and counter the normalization of Arab-Israeli ties. Iran has also made efforts to increase the coordination of its activities with Russia.”

Burt also said that North Korea has increased the sophistication of its cyber operations in the last year, especially in cryptocurrency theft and supply-chain attacks. “Additionally, North Korea is using spear-phishing emails and LinkedIn profiles to target Korean peninsula experts around the world to gather intelligence. Despite the recent meeting between Putin and Kim Jong-Un, North Korea is targeting Russia, especially for nuclear energy, defense, and government policy intelligence collection.”

Burt also reported that Microsoft’s telemetry indicates organizations saw human-operated ransomware attacks increase 200 percent since September 2022. “These attacks are generally a ‘hands-on keyboard’ type of attack rather than an automated one, typically targeting a whole organization with customized ransom demands. Attackers are also evolving attacks to minimize their footprint, with 60% using remote encryption, thereby rendering process-based remediation ineffective.”

He added that these attacks are also notable for how they gain initial access through unmanaged or bring-your-own devices. “More than 80% of all compromises we observed originate from such unmanaged devices. Ransomware operators are increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against attacks. Ransomware criminals also threaten disclosure of stolen information to pressure victims and extract payment.”

Since November 2022, Microsoft has observed a doubling of potential data exfiltration instances after threat actors compromised an environment. “But not all data theft is associated with ransomware; it can also be for credential harvesting or nation-state espionage.”

Multi-factor authentication (MFA), the report notes, is an increasingly common authentication method that requires users to provide two or more ‘factors’ of identification to gain access to a website or application, such as a password along with facial recognition or a one-time passcode. “While deploying MFA is one of the easiest and most effective defenses organizations can deploy against attacks, reducing the risk of compromise by 99.2%, threat actors are increasingly taking advantage of ‘MFA fatigue’ to bombard users with MFA notifications in the hope they will finally accept and provide access.”

Microsoft has observed approximately 6,000 MFA fatigue attempts per day over the past year. “Additionally, the first quarter of 2023 saw a dramatic tenfold surge in password-based attacks against cloud identities, especially in the education sector, from around 3 billion per month to over 30 billion – an average of 4,000 password attacks per second targeting Microsoft cloud identities this year.”
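The push-bombing pattern Burt describes leaves a recognizable trace in sign-in telemetry: a burst of push prompts the user rejects or lets time out, sometimes followed by one that is finally approved. The following Python detector is an added example, not code from the report or from Microsoft; the log format, field names, user names, IP addresses, ten-minute window and four-prompt threshold are all constructed assumptions for illustration and do not match any particular product's schema.

```python
"""Flag MFA-fatigue (push-bombing) patterns in MFA push-notification logs.

Added example; the log format and thresholds below are assumptions, not
taken from the Microsoft Digital Defense Report or any vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one push-notification outcome per line.
# "bob" is bombarded with five rejected prompts and then approves one;
# "carol" rejects a single prompt and approves an unrelated one hours later.
SAMPLE_LOG = """\
2023-05-02T08:01:10Z user=alice result=approved ip=203.0.113.5
2023-05-02T08:03:12Z user=bob result=denied ip=198.51.100.7
2023-05-02T08:03:40Z user=bob result=denied ip=198.51.100.7
2023-05-02T08:04:05Z user=bob result=timeout ip=198.51.100.7
2023-05-02T08:04:31Z user=bob result=denied ip=198.51.100.7
2023-05-02T08:05:02Z user=bob result=denied ip=198.51.100.7
2023-05-02T08:05:40Z user=bob result=approved ip=198.51.100.7
2023-05-02T09:10:00Z user=carol result=denied ip=192.0.2.9
2023-05-02T11:30:00Z user=carol result=approved ip=192.0.2.44
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window per user
PROMPT_THRESHOLD = 4             # assumed: rejected prompts in window that count as a burst
REJECTED = ("denied", "timeout") # outcomes that indicate a prompt the user did not want


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a datetime."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per burst of rejected prompts for a user.

    severity "medium": >= threshold rejected prompts inside the window.
    severity "high":   such a burst was followed by an approval inside the
                       window, i.e. the user may have given in to the bombardment.
    """
    alerts = []
    open_alert = {}              # user -> index into alerts for the burst in progress
    recent = defaultdict(deque)  # user -> (ts, result) of rejected prompts in window

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, q = ev["user"], recent[ev["user"]]
        # Drop rejected prompts that fell outside the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        rejected = len(q)

        if ev["result"] == "approved":
            if rejected >= threshold:
                idx = open_alert.get(user)
                if idx is None:
                    idx = len(alerts)
                    alerts.append({"user": user, "first_prompt": q[0][0]})
                alerts[idx].update(severity="high", approved_at=ev["ts"],
                                   approved_from_ip=ev["ip"], rejected_prompts=rejected)
            # An approval ends the current burst either way.
            q.clear()
            open_alert.pop(user, None)
            continue

        if ev["result"] in REJECTED:
            q.append((ev["ts"], ev["result"]))
            rejected += 1
            if rejected >= threshold:
                if user not in open_alert:
                    open_alert[user] = len(alerts)
                    alerts.append({"user": user, "severity": "medium", "ip": ev["ip"],
                                   "first_prompt": q[0][0], "last_prompt": ev["ts"],
                                   "rejected_prompts": rejected})
                else:
                    alerts[open_alert[user]].update(last_prompt=ev["ts"],
                                                    rejected_prompts=rejected)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the detector raises a single high-severity alert for `bob` (five rejected prompts followed by an approval within the window) and nothing for `carol`, whose lone denial and later approval are hours apart. The window and threshold are deliberately conservative assumptions; tune them against a baseline of legitimate denials, and treat a "high" alert as a likely account compromise rather than a mere annoyance, since the approval is what hands the attacker a session.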

Burt noted that the scale and nature of the threats outlined in the Microsoft Digital Defense Report can appear dispiriting, but that huge strides are being made on the technology front to defeat these attackers, and at the same time strong partnerships are being forged that transcend borders, industries, and the private-public divide. He added that these partnerships are having ever greater success in keeping everyone safe, which is why it is vital to continue to broaden and deepen them.

“Advancing the promise of digital peace requires public‑private collaboration to ensure we are bringing to bear the best technological and regulatory tools to combat cyber aggression. We need more and deeper alliances in the private sector and stronger partnerships between the private and public sectors,” according to Burt. “Enabling this collaboration can be challenging but, when successful, it drives meaningful impact. We must accelerate the move of critical computing workloads to the cloud, where vendors’ security innovations will be most impactful, and ensure AI innovation provides defenders with the durable technological advantage over attackers that it promises.”

To better address the cyber challenges, the report focuses on the power of partnerships in building cyber resilience. “Partnerships across the technology community are an absolute necessity to ensure organizations of all types and sizes, in every industry and region, can protect themselves. This means working together to push the boundaries of innovation, ensuring technical integration of products in the security space, and addressing the end‑to‑end security needs of customers.” 

Non‑profit, academia, and research organizations play a crucial role in advancing cybersecurity. By collaborating with industry partners, they bridge the gap between theoretical knowledge and practical application. Academic institutions contribute to cybersecurity research, develop innovative technologies, and educate the next generation of cybersecurity professionals. Collaborative research projects and initiatives between academia, non‑profits, and industry promote innovation and help tackle emerging cyber threats effectively.

The Microsoft report determined that it is essential that stakeholders recognize their shared responsibility and actively engage in partnerships that enhance cybersecurity. “History has already shown that by working together, we can build a safer digital future for individuals, organizations, and nations—but there is so much more to be done.”
