Microsoft Digital Defense Report: Nation-State Threats and Cyber Mercenaries



Every year, Microsoft releases the “Microsoft Digital Defense Report” as a way to illuminate the evolving digital threat landscape and help the cyber community understand today’s most pressing threats. Backed by intelligence from trillions of daily security signals, this year’s report focuses on five key topics: cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency.
In this article, we break down part three of the report on nation-state threats and the rise of cyber mercenaries. Read on to learn how you can better protect your organization from this growing trend.
Nation-state threats took center stage in 2022 with the launch of Russia’s cyber war on Ukraine. This behavior has continued into 2023. We’re also seeing nation-state actors elsewhere increase activity and leverage advancements in automation, cloud infrastructure, and remote access technologies to attack a wider set of targets. More specifically, here are three core nation-state threat trends that emerged in 2022.
In 2022, we saw nation-state cyber threat groups move from exploiting the software supply chain to exploiting the IT services supply chain. These actors often targeted cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors, such as what we saw in the Nobelium attacks. Over half (53%) of nation-state attacks targeted the IT sector, nongovernmental organizations (NGOs), think tanks, and the education sector.
As organizations work to collectively strengthen their cybersecurity posture, nation-state actors are pursuing new and unique tactics to deliver attacks and evade detection. One prime example is the identification and exploitation of zero-day vulnerabilities. Zero-day vulnerabilities are security weaknesses that, for whatever reason, have gone undiscovered. While these attacks start by targeting a limited set of organizations, they are often quickly adopted into the larger threat actor ecosystem. It takes only 14 days, on average, for an exploit to be available in the wild after a vulnerability is publicly disclosed.
Private-sector offensive actors are growing increasingly common. Also known as cyber mercenaries, these entities develop and sell tools, techniques, and services to clients — often governments — to break into networks and Internet-connected devices. While often an asset for nation-state actors, cyber mercenaries endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced surveillance-as-a-service capabilities. Rather than being developed for defense and intelligence agencies, these capabilities are offered as commercial products for companies and individuals.
The sophistication and agility of nation-state attacks are only going to continue to grow and evolve. It’s up to organizations to stay informed of these trends and evolve their defenses in parallel.
Know your risks and react accordingly: Nation-state groups’ cyber targeting spanned the globe in 2022, with a particularly heavy focus on US and British enterprises. It’s important to stay up to date on the latest attack vectors and target areas of key nation-state groups so that you can identify and protect potential high-value data targets, at-risk technologies, information, and business operations that might align with their strategic priorities.
Protect your downstream clients: The IT supply chain can act as a gateway to the digital ecosystem. That’s why organizations must understand and harden the borders and entry points of their digital estates, and IT service providers must rigorously monitor their own cybersecurity health. Start by reviewing and auditing upstream and downstream service provider relationships and delegated privilege access to minimize unnecessary permissions. Remove access for any partner relationships that look unfamiliar or have not yet been audited. From there, you can implement multifactor authentication and conditional access policies that make it harder for malicious actors to capture privileged accounts or spread throughout a network.
Prioritize patching of zero-day vulnerabilities: Even organizations that are not a target of nation-state attacks have a limited window to patch zero-day vulnerabilities, so don’t wait for the regular patch management cycle to deploy. Once a vulnerability is discovered, organizations have, on average, 120 days before it is available in automated vulnerability scanning and exploitation tools. We also recommend documenting and cataloging all enterprise hardware and software assets to determine risk and decide when to act on patches.
Read more: Key Cybercrime Trends (Part 1) and Trends In Device and Infrastructure Attacks (Part 2)
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.