Microsoft: Nation-States Team Up with Cybercriminals for Attacks

Oct. 15, 2024

Nation-state threat actors have ramped up cooperation with cybercriminals in the past year to advance their political and military goals, according to Microsoft’s Digital Defense Report 2024.

Nation-states have used cybercriminals for a variety of purposes, including collecting intelligence, conducting operations for financial gain, and making use of tools favored by these financially motivated groups, such as infostealers and command and control frameworks.

Examples of this collaboration include:

  • Russia appears to have outsourced some of its cyberespionage operations to criminal groups, especially operations targeting Ukraine. This includes cybercriminal group Storm-2049 using XWorm and Remcos RAT – commodity malware associated with criminal activity – to compromise at least 50 Ukrainian military devices in June 2024.
  • Iranian nation-state actors used ransomware attacks for financial gain from some of their offensive cyber operations. For example, a cyber-enabled influence operation run by an Islamic Revolutionary Guard Corps (IRGC) group tracked as Cotton Sandstorm marketed stolen Israeli dating website data through two of its cyber personas between September 2023 and February 2024.
  • North Korea appears to be conducting ransomware operations for both intelligence gathering and monetization of its access. Moonstone Sleet, a new North Korean actor identified in May 2024, developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks.

This coordination between financially motivated cybercrime and state-sponsored activity has also enabled cybercriminal groups to access and learn new tools and techniques, the tech giant said.

The report highlighted trends observed in the period July 2023 to June 2024.

Nation-State Activity Heavily Concentrated

The report found that nation-state cyber activity has been concentrated around sites of active military conflict or regional tension.

Microsoft observed that 75% of Russian nation-state attacks targeted Ukraine or a NATO member state.

The focus of these attacks was European and North American government agencies and think tanks, likely for intelligence collection related to the war in Ukraine.

China’s geographic targeting remained similar to the last few years, with North America, Taiwan and other countries in Southeast Asia making up 72% of its cyber activity targets.

China-based cyber actors Raspberry Typhoon, Flax Typhoon and Granite Typhoon have intensively targeted entities associated with IT, military, and government interests around the South China Sea.

Iran has placed a significant focus on Israel in the past year, with Israel making up 50% of its activity from October 2023 to June 2024, following the outbreak of the Israel-Hamas conflict.

Iranian actors continued to target the US and Gulf countries, including the UAE and Bahrain, in part because of their normalization of ties with Israel and Tehran’s perception that they are both enabling Israel’s war efforts, Microsoft reported.
