Reports Note Increasing Threat of Nation-State-Sponsored Cyber Attacks
A bevy of new cybersecurity reports point to the continuing problem of nation-state-sponsored threat actors.
The primary culprits have long been Russia, China, Iran, and North Korea, which all show up in recently published reports from Microsoft, IBM, Tenable, and Fortinet.
“Nation-state attacks have been undeterred, increasing in volume and aggression,” said Microsoft’s Tom Burt in an Oct. 15 article titled “Escalating Cyber Threats Demand Stronger Global Defense and Cooperation.”
Several other reports call out the same culprits, but Microsoft is leading the charge to call for the government to get involved in fighting cybersecurity threats by combining defensive strategies with strong deterrence.
“Once again, nation-state affiliated threat actors demonstrated that cyber operations — whether for espionage, destruction, or influence — play a persistent supporting role in broader geopolitical conflicts,” Burt said. “Also fueling the escalation in cyber attacks, we are seeing increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques.”
Addressing the problem, Microsoft said, will require focusing and committing to cyber defense from individual users, corporate executives and government leaders.
Highlights of the report include:
- Russian threat actors appear to have outsourced some of their cyber espionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cyber crime group used commodity malware to compromise at least 50 Ukrainian military devices.
- Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
- North Korea is getting into the ransomware game. A newly identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks — demonstrating both intelligence gathering and monetization motivations.
That latter country was also mentioned in a report this month from IBM titled, “X-Force Cloud Threat Landscape Report 2024,” which noted, “Threat actors are increasingly leveraging trusted cloud-based services, such as Dropbox, OneDrive, and Google Drive, for command-and-control communications and malware distribution,” while adding, “North Korean state-sponsored groups, including APT43 and APT37, carried out multistage attacks against cloud-based services to distribute remote access trojans (RATs).”
While that report didn’t otherwise focus on foreign threats, it did provide these takeaways:
- Phishing is the leading initial access vector. Over the past two years, phishing has accounted for 33% of cloud-related incidents, with attackers often using phishing to harvest credentials through adversary-in-the-middle (AITM) attacks.
- Business E-mail Compromise (BEC) attacks go after credentials. BEC attacks, where attackers spoof e-mail accounts posing as someone within the victim organization or another trusted organization, accounted for 39% of incidents over the past two years. Threat actors commonly leverage harvested credentials from phishing attacks to take over e-mail accounts and conduct further malicious activities.
- Demand continues for cloud credentials on the dark web, despite market saturation. Gaining access via compromised cloud credentials was the second most common initial access vector at 28%, despite overall mentions of SaaS platforms on dark web marketplaces, which decreased by 20% compared to 2023.
