Although they target a wide variety of organizations, nation-state attackers, especially those from Russia, are focusing most of their energy on going after government agencies, think tanks, and NGOs, and are finding more success with those attacks now than just a few months ago.
Data compiled by Microsoft’s Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) shows that the past year has been a busy one for many government-backed attack groups that the company tracks, particularly those from China and Russia. For most of these groups, the main goal is to establish long-term access to networks in government agencies, NGOs, technology providers, and other targets in order to gather information and steal intellectual property. They use a range of techniques for initial access, including phishing, credential harvesting, deploying malware, and exploiting vulnerabilities in popular applications. The tactics and techniques are not new, but they’re still effective. Microsoft’s data shows that attackers such as Nobelium from Russia are successfully compromising more of their targets in the last year than in the year before that.
Like other organizations with broad visibility into attack activity, Microsoft notifies customers when it detects attempts by government-backed actors to compromise their accounts. Lambert said Microsoft has sent more than 20,500 of those nation-state notifications (NSN) in the last three years, and more and more of that activity has focused on government and government-adjacent organizations. Of the nation-state-backed attacks that Microsoft saw in the past year, 79 percent targeted government agencies or NGOs and think tanks. That targeting fits the operational model and typical goals of most government-backed actors, not just Russian groups but also those from China, North Korea, Iran, and other countries.
“Russia-based cyber attackers in particular have increasingly set their sights on government targets. Year-on-year comparisons of NSN data depict a marked increase in successful compromises, from a 21 percent success rate between July 2019 and June 2020, up to 32 percent since July 2020. In turn, the percentage of government organizations targeted by Russian threat actors exploded from roughly 3 percent last year, to 53 percent since July 2020,” John Lambert, distinguished engineer and vice president at the MSTIC, said.
Though the Russian groups have been quite successful, the good news is that some of the tactics that they and other groups are employing are well-known, and defenders understand how to identify and counter them. That does not mean security teams are always successful in defending against those techniques, but it does mean that those attacks can be identified.
“Rates of successful compromises varied widely among threat groups this year. Some, such as North Korea-based THALLIUM, had a low rate of successful compromise likely because their common tactic of large-scale spear-phishing campaigns has become easier to detect and deter as users become increasingly aware of these lures and organizations use security solutions to detect them more effectively,” Lambert said.
“Russia-based NOBELIUM, in contrast, had more successful compromises as a result of their more targeted attack against software supply chains coupled with more high-volume password spray campaigns in pursuit of credential theft.”
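The password-spray campaigns mentioned above have a recognizable shape in sign-in telemetry: one source tries a small number of passwords against many distinct accounts, so each account sees only one or two failures while the source as a whole racks up many. The following is an added example of that detection logic, not code from the article or from Microsoft; the log format, the sample lines, and the thresholds (five accounts in ten minutes, at most two failures per account) are all constructed assumptions that a team would tune to its own identity provider's logs.

```python
"""
Password-spray detection over constructed sign-in log lines.
Added example (not from the article or Microsoft): flags a source IP
whose authentication failures inside a short window touch many distinct
accounts, each only a couple of times, which is the signature of a spray
rather than of brute force against a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp user result source_ip".
# 203.0.113.7 sprays five accounts and then lands a valid credential;
# 198.51.100.20 hammers a single account (brute force, not a spray);
# 192.0.2.9 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2021-09-01T08:00:01 alice FAIL 203.0.113.7
2021-09-01T08:00:03 bob FAIL 203.0.113.7
2021-09-01T08:00:05 carol FAIL 203.0.113.7
2021-09-01T08:00:07 dave FAIL 203.0.113.7
2021-09-01T08:00:09 erin FAIL 203.0.113.7
2021-09-01T08:00:11 frank SUCCESS 203.0.113.7
2021-09-01T08:05:00 alice FAIL 198.51.100.20
2021-09-01T08:05:02 alice FAIL 198.51.100.20
2021-09-01T08:05:04 alice FAIL 198.51.100.20
2021-09-01T08:05:06 alice FAIL 198.51.100.20
2021-09-01T08:05:08 alice FAIL 198.51.100.20
2021-09-01T09:00:00 grace FAIL 192.0.2.9
2021-09-01T09:00:10 grace SUCCESS 192.0.2.9
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {ip: sorted accounts} for every source IP whose failures within
    a sliding time window hit at least min_accounts distinct accounts while no
    single account fails more than max_per_account times (assumed thresholds)."""
    failures = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()  # chronological order so the window slides forward
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                alerts[ip] = sorted(per_account)
                break
    return alerts


def successes_from_spraying_ips(events, alerts):
    """A successful sign-in from a flagged IP is the highest-priority follow-up:
    the spray most likely found a working credential. Returns {ip: [users]}."""
    hits = {}
    for ts, user, result, ip in events:
        if ip in alerts and result == "SUCCESS":
            hits.setdefault(ip, []).append(user)
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evts)
    for ip, users in found.items():
        print(f"possible password spray from {ip}: {', '.join(users)}")
    for ip, users in successes_from_spraying_ips(evts, found).items():
        print(f"  successful sign-in from spraying IP {ip}: {', '.join(users)}")
```

The single-account brute-force source is deliberately not flagged here, because account lockout and per-account failure counters already catch that pattern; a spray stays under those counters by design, which is why the detection has to pivot on the source and count distinct accounts instead. In a real deployment the source key would usually be the IP plus user-agent or ASN, since sprays are commonly spread across many addresses.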
A good portion of the high-level attack groups such as Nobelium and Thallium have the ability to develop their own tools, exploits, and malware. But many of them also routinely buy tools from third-party vendors in the private sector.
“Though not nation-state actors themselves, private sector offensive actors (PSOAs) create and sell malicious cyber technologies to nation-state buyers. PSOA tools have been observed targeting dissidents, human rights defenders, journalists, and other private citizens,” Lambert said.