On February 23, 2022, the cybersecurity world entered a new age, the age of the hybrid war, as Russia launched both physical and digital attacks against Ukraine. This year’s Microsoft Digital Defense Report provides new detail on these attacks and on increasing cyber aggression coming from authoritarian leaders around the world.
During the past year, cyberattacks targeting critical infrastructure jumped from 20% of all nation-state attacks Microsoft detected to 40%. This spike was due, in large part, to Russia’s goal of damaging Ukrainian infrastructure and to aggressive espionage targeting Ukraine’s allies, including the United States. Russia also accelerated its attempts to compromise IT firms as a way to disrupt, or gain intelligence from, those firms’ government agency customers in NATO member countries. Of the Russian attacks we detected over the past year, 90% targeted NATO member states, and 48% of those targeted IT firms based in NATO countries.
Russia was not alone in pairing political and physical aggression with cyberattacks.
- Iranian actors escalated bold attacks following a transition of presidential power. They launched destructive attacks targeting Israel and expanded ransomware and hack-and-leak operations beyond regional adversaries to U.S. and EU victims, including U.S. critical infrastructure targets such as port authorities. In at least one case, Microsoft detected an attack disguised as ransomware that was actually intended to erase Israeli data. In another, an Iranian actor executed an attack that set off emergency rocket sirens in Israel.
- As North Korea embarked on its most aggressive period of missile testing in the first half of 2022, one of its actors launched a series of attacks to steal technology from aerospace companies and researchers around the world. Another North Korean actor worked to gain access to global news organizations that report on the country, and to Christian groups. And yet a third actor continued attempts, often without success, to break into cryptocurrency firms to steal funds in support of the country’s struggling economy.
- China increased its espionage and information-stealing cyberattacks as it attempted to exert more regional influence in Southeast Asia and counter growing interest from the U.S. In February and March, one Chinese actor targeted 100 accounts affiliated with a prominent intergovernmental organization in Southeast Asia just as the organization announced a meeting between the U.S. government and regional leaders. Shortly after China and the Solomon Islands signed a military agreement, Microsoft detected malware from a Chinese actor on the systems of the Solomon Islands government. China also used its cyber capabilities in campaigns targeting nations across the global south, including Namibia, Mauritius, and Trinidad and Tobago, among others.
Many of the attacks coming from China are powered by its ability to find and stockpile “zero-day vulnerabilities”: unpatched flaws in software that were not previously known to the security community. China’s collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with anyone else.
While it’s tempting to focus on nation-state attacks as the most interesting cyberactivity from the past year, it would be a mistake to overlook other threats, particularly cybercrime, which impacts more users in the digital ecosystem than nation-state activity.
Cybercriminals continue to act as sophisticated profit enterprises
Cybercrime continues to rise as the industrialization of the cybercrime economy lowers the skill barrier to entry by providing greater access to tools and infrastructure. In the last year alone, the estimated number of password attacks per second increased by 74%. Many of these attacks fueled ransomware operations, leading to ransom demands that more than doubled. However, these attacks were not spread evenly across all regions. In North America and Europe, we observed a drop in the overall number of ransomware cases reported to our response teams compared to 2021, while cases reported in Latin America increased. We also observed a steady year-over-year increase in phishing emails. While Covid-19 themes were less prevalent than in 2020, the war in Ukraine became a new phishing lure starting in early March 2022. Microsoft researchers observed a staggering increase in emails impersonating legitimate organizations and soliciting cryptocurrency donations in Bitcoin and Ethereum, allegedly to support Ukrainian citizens.
Foreign actors are using highly effective techniques, often mirroring cyberattacks, to spread propaganda that erodes trust and shapes public opinion, both domestically and internationally
Influence operations are a new section in our report this year, a result of our new investments in analysis and data science addressing this threat. We observed how Russia has worked hard to convince its citizens, and the citizens of many other countries, that its invasion of Ukraine was justified, while also spreading propaganda to discredit Covid-19 vaccines in the West even as it promoted their effectiveness at home. We also observed an increasing overlap between these operations and cyberattacks. In particular, influence operations use a familiar three-step approach:
- Cyber influence operations pre-position false narratives in the public domain, just as attackers pre-position malware within an organization’s computer network.
- A coordinated campaign is launched – often at the time most beneficial to achieve the goals of the actor – to propagate narratives through government-backed and influenced media outlets and social media channels.
- Nation state-controlled media and proxies amplify the narratives inside targeted audiences.
This three-step approach was applied in late 2021, for example, to support the Russian false narrative around purported bioweapons and biolabs in Ukraine. In addition to Russia, we have observed other nations, including China and Iran, deploying propaganda operations to extend their global influence on a range of issues.
Good cyber hygiene practices remain the best defense while the cloud provides the best physical and logical security against cyberattacks
This year’s report includes even more recommendations for how people and organizations can protect themselves from attacks. The most important thing people can do is pay attention to the basics: enabling multi-factor authentication, applying security patches, being intentional about who has privileged access to systems, and deploying modern security solutions from any leading provider. The average enterprise has 3,500 connected devices that are not protected by basic endpoint protections, and attackers take advantage of them. It is also critical to detect attacks early. In many cases, the outcome of a cyberattack is determined long before the attack begins: attackers use vulnerable environments to gain initial access, conduct surveillance, and then wreak havoc through lateral movement and encryption or exfiltration. Finally, as this year’s report explores, we can’t ignore the human aspect. We have a shortage of security professionals, a problem that needs to be addressed by the private sector and governments alike, and organizations need to make security a part of their culture.
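Two of the basics above, detecting attacks early and knowing which accounts lack multi-factor authentication, can be illustrated with a small detector run over sign-in logs. The script below is an added example and is not code from the Microsoft report; it assumes a constructed one-JSON-object-per-line log format with the fields `ts`, `user`, `src_ip`, `result` and `mfa` (all field names are assumptions, and the sample events are constructed). It flags the password-spray shape mentioned in the cybercrime section (one source trying many distinct accounts, a few attempts each), lists any successful sign-ins from a spraying source, and reports accounts that have no MFA.

```python
"""Detect password-spray activity and missing MFA in sign-in logs.

Added example, not from the Microsoft Digital Defense Report. It assumes a
constructed log format: one JSON object per line with the fields
ts (ISO-8601 UTC), user, src_ip, result ("success" | "failure") and
mfa (true | false, whether MFA protects the account). Field names are
assumptions for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one source (203.0.113.7) fails against six
# different accounts within seconds, then succeeds on an account without
# MFA. A second source is a single user mistyping a password once.
SAMPLE_LOG = """\
{"ts": "2022-03-01T08:00:01Z", "user": "alice", "src_ip": "203.0.113.7", "result": "failure", "mfa": true}
{"ts": "2022-03-01T08:00:03Z", "user": "bob", "src_ip": "203.0.113.7", "result": "failure", "mfa": true}
{"ts": "2022-03-01T08:00:05Z", "user": "carol", "src_ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2022-03-01T08:00:07Z", "user": "dave", "src_ip": "203.0.113.7", "result": "failure", "mfa": true}
{"ts": "2022-03-01T08:00:09Z", "user": "erin", "src_ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2022-03-01T08:00:11Z", "user": "frank", "src_ip": "203.0.113.7", "result": "failure", "mfa": true}
{"ts": "2022-03-01T08:02:30Z", "user": "carol", "src_ip": "203.0.113.7", "result": "success", "mfa": false}
{"ts": "2022-03-01T08:05:00Z", "user": "alice", "src_ip": "198.51.100.2", "result": "failure", "mfa": true}
{"ts": "2022-03-01T08:05:20Z", "user": "alice", "src_ip": "198.51.100.2", "result": "success", "mfa": true}
"""


def parse_events(text):
    """Parse the line-delimited JSON log into dicts with a datetime `ts`."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct users} for sources whose failed
    sign-ins touch at least `min_users` different accounts inside `window`.

    A spray is few attempts per account across many accounts, which is why
    the key is the source, not the account (brute force would be the reverse).
    """
    failures_by_ip = defaultdict(list)
    for event in events:
        if event["result"] == "failure":
            failures_by_ip[event["src_ip"]].append(event)

    hits = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        flagged = set()
        start = 0
        # Sliding time window over this source's failures.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in fails[start:end + 1]}
            if len(users_in_window) >= min_users:
                flagged |= users_in_window
        if flagged:
            hits[ip] = sorted(flagged)
    return hits


def successful_logins_from_spray(events, spray_ips):
    """Successful sign-ins from a spraying source: the events to act on first.
    Each tuple is (user, src_ip, mfa_protected)."""
    return [(e["user"], e["src_ip"], e["mfa"])
            for e in events
            if e["result"] == "success" and e["src_ip"] in spray_ips]


def accounts_without_mfa(events):
    """Accounts seen in the log that are not protected by MFA."""
    return sorted({e["user"] for e in events if not e["mfa"]})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    print("spraying sources:", spray)
    print("successes from spraying sources:", successful_logins_from_spray(evs, spray))
    print("accounts without MFA:", accounts_without_mfa(evs))
```

The thresholds (`window`, `min_users`) are tuning knobs: too low and a help-desk IP that resets many passwords trips the rule, too high and a slow spray spread over hours goes unnoticed, so in practice the window is widened and the rule is combined with the MFA report, since a spray that lands on an MFA-protected account is noise while one that lands on `carol` here is an incident.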