Escalating cyberthreats demand stronger global defence and cooperation

Microsoft customers face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks. Once again, nation-state-affiliated threat actors demonstrated that cyber operations — whether for espionage, destruction or influence — play a persistent supporting role in broader geopolitical conflicts. Also fuelling the escalation in cyber attacks, we are seeing increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques.

We must find a way to stem the tide of this malicious cyber activity. That includes continuing to harden our digital domains to protect our networks, data and people at all levels. However, this challenge will not be accomplished solely by executing a checklist of cyber hygiene measures but only through a focus on and commitment to the foundations of cyber defence from the individual user to the corporate executive and to government leaders.

Below are some of the insights from the fifth annual Microsoft Digital Defense Report, which covers trends between July 2023 and June 2024.

State-affiliated actors increasingly using cybercriminals and their tools

Over the last year, Microsoft observed nation-state actors conduct operations for financial gain, enlist cybercriminals to collect intelligence, particularly on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favoured by the cybercriminal community. Specifically:

• Russian threat actors appear to have outsourced some of their cyber-espionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices.
• Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
• A newly identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organisations in aerospace and defence after exfiltrating data from the impacted networks — demonstrating both intelligence gathering and monetisation motivations.

Nation-state activity was heavily concentrated around sites of active military conflict or regional tension

Aside from the United States and the United Kingdom, most of the nation-state-affiliated cyberthreat activity Microsoft observed was concentrated around Israel, Ukraine, the United Arab Emirates and Taiwan. In addition, Iran and Russia have used both the Russia–Ukraine war and the Israel–Hamas conflict to spread divisive and misleading messages through propaganda campaigns that extend their influence beyond the geographical boundaries of the conflict zones, demonstrating the globalised nature of hybrid warfare.

• Approximately 75% of Russian targets were in Ukraine or a NATO member state, as Moscow seeks to collect intelligence on the West’s policies on the war.
• Chinese threat actors’ targeting efforts remain similar to the last few years in terms of geographies targeted — Taiwan being a focus, as well as countries within South-East Asia — and intensity of targeting per location.
• Iran placed significant focus on Israel, especially after the outbreak of the Israel–Hamas war. Iranian actors continued to target the US and Gulf countries, including the UAE and Bahrain, in part because of their normalisation of ties with Israel and Tehran’s perception that they are both enabling Israel’s war efforts.

Example of Iran’s targeting shift following the start of the Israel-Hamas conflict. For a larger image click here.

Russia, Iran and China focus in on the US election

Russia, Iran and China have all used ongoing geopolitical matters to drive discord on sensitive US domestic issues leading up to the US election, seeking to sway audiences to one party or candidate over another, or to degrade confidence in elections as a foundation of democracy. Iran and Russia have been the most active, and Microsoft expects this activity to continue to accelerate over the next two weeks ahead of the US election.

In addition, Microsoft has observed a surge in election-related homoglyph domains — or spoofed links — delivering phishing and malware payloads. Microsoft believes these domains are examples both of cybercriminal activity driven by profit and of reconnaissance by nation-state threat actors in pursuit of political goals. At present, Microsoft is monitoring over 10,000 homoglyphs to detect possible impersonations. The objective is to ensure Microsoft is not hosting malicious infrastructure and inform customers who might be victims of such impersonation threats.

Financially motivated cybercrime and fraud remain a persistent threat

While nation-state attacks continue to be a concern, so are financially motivated cyber attacks. In the past year Microsoft observed:

• A 2.75-times increase year-on-year in ransomware attacks. Importantly, however, there was a threefold decrease in ransom attacks reaching the encryption stage: the most prevalent initial access techniques continue to be social engineering — specifically email phishing, SMS phishing and voice phishing — but also identity compromise and exploiting vulnerabilities in public-facing applications or unpatched operating systems.
• Tech scams skyrocketed 400% since 2022. In the past year, Microsoft observed a significant uptick in tech scam traffic with daily frequency surging from 7000 in 2023 to 100,000 in 2024. Over 70% of malicious infrastructure was active for less than two hours, meaning they may be gone before they’re even detected. This rapid turnover rate underscores the need for more agile and effective cybersecurity measures.

Threat actors are experimenting with generative AI

Last year, we started to see threat actors — both cybercriminals and nation-states — experimenting with AI. Just as AI is increasingly used to help people be more efficient, threat actors are learning how they can use AI efficiencies to target victims. With influence operations, China-affiliated actors favour AI-generated imagery, while Russia-affiliated actors use audio-focused AI across mediums. So far, Microsoft has not observed this content being effective in swaying audiences.

Nation-state adversarial use of AI in influence operations. For a larger image click here.

But the story of AI and cybersecurity is also a potentially optimistic one. While still in its early days, AI has shown its benefits to cybersecurity professionals by acting as a tool to help respond in a fraction of the time it would take a person to manually process a multitude of alerts, malicious code files and corresponding impact analyses.

Collaboration remains crucial to strengthening cybersecurity

With more than 600 million attacks per day targeting Microsoft customers alone, there must be countervailing pressure to reduce the overall number of attacks online. Effective deterrence can be achieved in two ways: by denial of intrusions or by imposing consequences for malicious behaviour. Microsoft continues to do its part to reduce intrusions and has committed to taking steps to protect itself and its customers through the Secure Future Initiative.

While the IT industry must do more to deny the efforts of attackers via better cybersecurity, this needs to be paired with government action to impose consequences that further discourage the most harmful cyber attacks. Success can only be achieved by combining defence with deterrence. In recent years, a great deal of attention has been given to the development of international norms of conduct in cyberspace. However, those norms so far lack meaningful consequence for their violation, and nation-state attacks have been undeterred, increasing in volume and aggression. To shift the playing field, it will take conscientiousness and commitment by both the public and private sectors so that attackers no longer have the advantage.

Top image credit: iStock.com/Arkadiusz Warguła