Nation-state attackers are becoming more "brazen" in their targeting of critical infrastructure and the IT supply chain, and they are getting better at rapidly exploiting unpatched vulnerabilities, according to Microsoft’s recently released Defense Defense Report 2022.
The report shed light on how advancements in automation, cloud infrastructures and remote access technologies have allowed nation-state actors linked to China, Russia, Iran and North Korea to reach a wider set of targets, increase their activity and launch more sophisticated cyberattacks over the past year.
“Cybersecurity hygiene became even more critical as actors rapidly exploited unpatched vulnerabilities, used both sophisticated and brute force techniques to steal credentials, and obfuscated their operations by using open source or legitimate software,” said Tom Burt, corporate vice president of customer security and trust with Microsoft in the Friday report.
Nation-state groups’ targeting of critical infrastructure soared over the past year, with Microsoft detecting 40 percent of all nation-state attacks targeting critical infrastructure between July 2021 through June 2022, up from 20 percent between July 2020 to June 2021. In particular, threat actors focused on critical infrastructure companies across the IT, financial services, transportation and communications sectors, with companies in Israel, the UAE, Canada, Germany, India, Switzerland, and Japan among the most frequently targeted, according to Microsoft.
Researchers observed nation-state actors linked to Iran more aggressively targeting Israeli and U.S. critical infrastructure like port authorities. For instance, Iranian state actor Phosphorus has targeted high-profile U.S. and Israeli critical infrastructure between late 2021 and mid-2022, according to Microsoft.
“The likely aim was to provide Tehran with options to retaliate against the same sectors that senior IRGC officials blamed the United States and Israel for disrupting in Iran,” according to Microsoft. “We assess this activity is tied to statements in late October 2021 by IRGC General Gholamreza Jalali, head of Iran’s Passive Defense Organization, who echoed accusations from other influential figures within the regime that the United States and Israel conducted cyberattacks on Iran’s ports, railways, and fueling stations.”
At the same time, governments around the world (even beyond the steps highlighted in the Biden administration’s 2021 executive order in the U.S.) are starting to develop policies to better secure the operational technology (OT) devices that make up the backbone of critical infrastructure systems. Countries like Australia, the EU, the UK, Japan, Singapore and Chile are stepping up their security requirements for critical infrastructure and mandating the reporting of cyber incidents, for example.
Nation States Get Better at Exploiting Unpatched Flaws
Nation-state actors - in China in particular - are also getting quicker at exploiting unpatched flaws. According to Microsoft, it takes 14 days for an exploit to become available in the wild after a flaw has been publicly disclosed. At the same time, zero-day flaws are also prevalent. Six months into 2022, researchers with Google Project Zero said they detected 18 zero days that have been exploited in the wild, with half of those bugs existing as variants of vulnerabilities that were patched previously, some as long ago as 2013.
Chinese nation-state actors are “particularly proficient at discovering and developing zero-day exploits,” according to Microsoft. Overall, China linked nation-state attackers have increased their global targeting with more widespread attacks on smaller nations, which Microsoft researchers suggest is a way for China to leverage cyberespionage as part of its global economic and military influence.
The effectiveness of Chinese nation-state actors in exploiting unpatched flaws may be a result of China’s vulnerability reporting regulation, which went into effect in September 2021. The regulation, which requires the reporting of flaws to a government authority for review even before reporting them to the product vendor, has previously been called out as “troubling” by the U.S. Cyber Safety Review Board (CSRB).
“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” according to Microsoft.
Finally, nation-state groups have been observed moving away from a focus on the software supply chain to instead target IT services providers. In October 2021, Microsoft researchers warned that attackers behind the SolarWinds intrusion targeted at least 140 technology service providers, and successfully compromised 14, for instance. The targeted companies included resellers and technology service providers across the U.S. and Europe, which assist end users in deploying, customizing and managing cloud services and other technologies. At the same time, an increasing number of Iranian nation-state groups - such as DEV-0228 and DEV-0198 - were observed compromising IT companies to gain access to their clients.
“This past year of activity demonstrates that threat actors like NOBELIUM and DEV-0228 are getting to know the landscape of an organization’s trusted relationships better than the organizations themselves,” said Microsoft. "This increased threat emphasizes the need for organizations to understand and harden the borders and entry points of their digital estates.”