Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report

Feb 01, 2023

This article explores the top trends in nation-state threats as identified in the Microsoft Digital Defense Report. These trends may be alarming, but the good news is that companies have a number of tools at their disposal.

Credit: istock/DKosig

To illuminate the evolving digital threat landscape and help the cyber community understand today’s most pressing threats, we released our annual Microsoft Digital Defense Report. This year’s report focuses on five key topics: cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency. With intelligence from 43 trillion daily security signals, organizations can leverage the findings presented in this report to strengthen their cyber defenses.

Today, we’re breaking down the report with an overview of the top three trends covered in section three on nation-state threats. Keep reading to learn more about this topic and for more information, download the full Microsoft Digital Defense Report.

Trend 1: Increased focus on IT supply chains

There has been a shift among nation-state cyber threat groups from exploiting the software supply chain to exploiting the IT services supply chain. Often, these actors will target cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors. In total, 53% of nation-state attacks targeted the IT sector, NGOs, think tanks, and the education sector.

The most notable example of this trend is the NOBELIUM attacks, in which Russia-aligned groups attempted to compromise and leverage privileged accounts at cloud solutions and other managed services providers to access U.S. and European government and policy customers. Between July 2021 and June 2022, 90% of notifications about Russian threat activity went to customers based in NATO member states. These attacks primarily targeted IT, think tanks and NGOs, and government sectors, suggesting a strategy of pursuing multiple means of initial access to these targets.

We’ve seen other groups use similar tactics. POLONIUM, a Lebanon-based actor, collaborated with Iranian state groups on IT supply chain techniques to compromise and steal access to Israeli defense and legal organizations. This trend highlights how important it is for organizations to harden their digital estate borders and entry points. It also underscores the importance of rigorously monitoring the cybersecurity health of IT service providers to guard against these types of downstream attacks.

Trend 2: Emergence of zero-day exploits

Nation-state actors are pursuing new and unique tactics to deliver attacks and evade detection in response to strengthening cybersecurity postures. Identifying and exploiting zero-day vulnerabilities is a key tactic in this effort.

Simply put, a zero-day vulnerability is a security weakness that, for whatever reason, has gone undiscovered. While zero-day vulnerability attacks tend to target a limited set of organizations initially, they are often quickly adopted into the larger threat actor ecosystem. This kicks off a race for threat actors to exploit the vulnerability as widely as possible before their potential targets install patches. On average, it only takes 14 days for an exploit to be available in the wild after a vulnerability is publicly disclosed.

Many organizations assume that they are less likely to be victims of zero-day exploit attacks if vulnerability management is integral to their network security. However, the commoditization of exploits means they now arrive at a much faster rate. Zero-day exploits are often discovered by other actors and reused broadly within a short period, leaving unpatched systems at risk. Even organizations that are not a target of nation-state threat actors have a limited window to patch zero-day vulnerabilities before they’re potentially exploited.

Trend 3: Rise of cyber mercenaries

Finally, we have seen a growing industry of private sector offensive actors. Also known as cyber mercenaries, these entities develop and sell tools, techniques, and services to clients—often governments—to break into networks and internet-connected devices.

While often an asset for nation-state actors, cyber mercenaries endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced “surveillance as a service” capabilities. These offensive surveillance capabilities are offered as commercial products for companies and individuals to use rather than highly classified capabilities created by defense and intelligence agencies. This creates a potentially devastating impact.

When a cyber mercenary exploits a vulnerability, they put the entire computing ecosystem at risk. When vulnerabilities are identified publicly, companies are in a race against time to release protections before broad-based attacks ensue. On average, it only takes 120 days before a zero-day vulnerability is uploaded to automated vulnerability scanning and exploitation tools like Metasploit—opening impacted companies up for mass exploitation. This is a dangerous and difficult cycle for both software suppliers (who must expediently develop patches) and consumers of products (who must implement the patches immediately).

These trends may be alarming, but companies have a number of tools at their disposal. When dealing with IT supply chain attacks, for example, organizations should review and audit their upstream and downstream service provider relationships and delegated privilege accesses to minimize unnecessary permissions. We recommend removing access for any partner relationships that look unfamiliar or have not yet been audited. To counter the threat of cyber mercenaries, we recommend implementing transparency and oversight requirements for surveillance as a service, particularly in procurement. In general, go back to the basics. Simple foundational security practices like multifactor authentication (MFA) or not opening digital attachments from unknown individuals can protect against 98% of attacks.
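The partner-access review described above can be turned into a repeatable check. The following is an added example written for this article, not code from Microsoft or from the Digital Defense Report: it takes an inventory of delegated-access relationships with service providers and sorts each one into "revoke" (unfamiliar, never audited, or audited too long ago), "reduce" (recognised and recently audited but still holding high-privilege roles) or "keep". The `PartnerAccess` record, the 90-day audit-age threshold, the set of roles treated as high-privilege and all partner names and dates are assumptions constructed for the example; a real run would populate the inventory from the tenant's own partner or delegated-administration records.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Roles treated as high-privilege for a delegated partner. This is an
# illustrative list chosen for the example, not the report's own definition.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass(frozen=True)
class PartnerAccess:
    """One delegated-access relationship to an external service provider (hypothetical record)."""
    partner: str
    roles: Tuple[str, ...]
    last_audited: Optional[date]   # None means the relationship was never reviewed
    recognised: bool               # False when nobody in the organisation can vouch for it


def review_partner_access(
    relationships: List[PartnerAccess],
    today: date,
    max_audit_age_days: int = 90,
) -> Dict[str, List[Tuple[str, str]]]:
    """Sort delegated-access relationships into revoke / reduce / keep buckets.

    revoke: unfamiliar partners, and partners never audited or audited longer
            ago than max_audit_age_days (the article's "unfamiliar or not yet audited")
    reduce: recognised, recently audited partners that still hold high-privilege
            roles, which should be cut down to the least privilege the service needs
    keep:   everything else
    Each entry carries the reason so the output can be handed to a reviewer.
    """
    stale_cutoff = today - timedelta(days=max_audit_age_days)
    decisions: Dict[str, List[Tuple[str, str]]] = {"revoke": [], "reduce": [], "keep": []}

    for rel in relationships:
        if not rel.recognised:
            decisions["revoke"].append((rel.partner, "unfamiliar partner relationship"))
        elif rel.last_audited is None:
            decisions["revoke"].append((rel.partner, "never audited"))
        elif rel.last_audited < stale_cutoff:
            decisions["revoke"].append((rel.partner, f"audit older than {max_audit_age_days} days"))
        elif HIGH_PRIVILEGE_ROLES & set(rel.roles):
            excess = sorted(HIGH_PRIVILEGE_ROLES & set(rel.roles))
            decisions["reduce"].append((rel.partner, "high-privilege roles: " + ", ".join(excess)))
        else:
            decisions["keep"].append((rel.partner, "recognised, recently audited, least privilege"))
    return decisions


# Constructed sample inventory; partner names, roles and dates are made up for the example.
SAMPLE_RELATIONSHIPS = [
    PartnerAccess("Contoso MSP", ("Helpdesk Administrator",), date(2023, 1, 5), True),
    PartnerAccess("Unlisted Partner 42", ("Global Administrator",), date(2023, 1, 20), False),
    PartnerAccess("Fabrikam Cloud", ("User Administrator",), None, True),
    PartnerAccess("Northwind IT", ("Global Administrator", "Helpdesk Administrator"), date(2022, 6, 1), True),
    PartnerAccess("Adatum Services", ("Global Administrator",), date(2023, 1, 15), True),
]

REVIEW_DATE = date(2023, 2, 1)  # constructed "today" for the sample run


def sample_review() -> Dict[str, List[Tuple[str, str]]]:
    """Run the review over the constructed inventory."""
    return review_partner_access(SAMPLE_RELATIONSHIPS, REVIEW_DATE)


if __name__ == "__main__":
    for bucket, entries in sample_review().items():
        print(bucket.upper())
        for partner, reason in entries:
            print(f"  {partner}: {reason}")
```

The ordering of the checks matters: an unfamiliar partner is flagged for revocation even if it was audited recently, because the audit evidently did not establish who the partner is, and a stale audit overrides role considerations because the permissions themselves may have drifted since the last review. Anything that survives those checks but still holds a high-privilege role is listed for reduction rather than silently kept, which is the "minimize unnecessary permissions" step.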

Download the full Microsoft Digital Defense Report for a closer look at today’s cyber threat landscape and for even more details, check out our recent webinar, “Build cyber resilience by leveraging Microsoft experts’ digital defense learnings.”

Explore more threat intelligence insights on Microsoft Security Insider.