Microsoft: Nation-state cyber espionage on rise in 2023

Microsoft’s latest Digital Defence Report outlines how nation-state cyber activity has largely moved from destructive attacks to espionage and intelligence gathering

Sebastian Klovig Skelton,
Senior reporter

Published: 05 Oct 2023 16:48

The bulk of nation-state cyber activity has pivoted away from high-volume destructive attacks towards espionage and influence operations, Microsoft stated in its latest annual Digital Defense Report.

Published on 5 October 2023, the report noted that while headline-grabbing attacks from the past year were often focused on destruction or financial gain with ransomware, the data shows the primary motivation behind nation-state-led cyber attacks has swung back to a desire to steal information, covertly monitor communication or manipulate what people read.

“While the impact of destructive attacks is felt more immediately, persistent and stealthy espionage operations pose a long-term threat to the integrity of government, private industry and critical sector networks,” it said, adding that “threat actors globally acted to increase their collection capacity against foreign and defence policy organisations, technology firms and critical infrastructure organisations”.

It further added, for example, that nearly half of all destructive Russian attacks observed against Ukraine occurred in the first six weeks of the conflict, with Russia-affiliated threat actors now much more likely to conduct phishing campaigns, credential theft, data exfiltration and other espionage-related actions.

It also noted that Iran, China and North Korea had all expanded their use of cyber spying campaigns to gain intelligence on their geopolitical rivals. For example, while Russian state actors were increasingly targeting organisations in Nato member states, Chinese state actors were most commonly targeting US defence and critical infrastructure, as well as nations bordering the South China Sea.

In the case of North Korea, Microsoft said it was increasingly targeting Russia for nuclear energy, defence and government policy intelligence collection. All actors, it added, were demonstrating increased sophistication in their cyber operations.

State-sponsored attacks on critical national infrastructure (CNI) have also risen, but only marginally. While last year’s Digital Defense Report noted that 40% of all attacks had targeted CNI, the latest report said it was 41% over the past year.

However, there was no mention in the report of cyber operations being conducted by any North American or European state actors.

Speaking in advance of the report’s publication, Tom Burt, Microsoft corporate vice-president of customer security and trust, said the reason for their lack of inclusion has several components.

“One is our belief … that the volume of bad activity coming from North American or western actors is quite a bit a bit less – we don’t see as much activity,” he said. “That could also be because their tradecraft is better. When you can’t see the activity, it’s speculation whether there is activity and you’re not seeing it, or there just isn’t as much activity.

“But as a general rule, our view from over the last several years has been that there’s just less of that activity … from actors operating from the west.”

Cyber crime and AI

On the current state of cyber crime generally, Microsoft noted that criminals were increasingly leveraging the cyber crime-as-a-service ecosystem to launch phishing, identity and distributed denial of service (DDoS) attacks at scale.

Of these, password-based attacks saw the biggest increase, with a 10-fold spike on the same period last year “from three billion per month to over 30 billion. This translates to an average of 4,000 password attacks per second targeting Microsoft cloud identities”.

The attacks were particularly prevalent in the education sector, which Microsoft said could be explained by the “low security posture” of many organisations.

“Many of these organisations have not enabled MFA [multi-factor authentication] for their users, leaving them vulnerable to phishing, credential stuffing and brute-force attacks,” it said.

The report also looked at the role artificial intelligence (AI), and in particular large language models (LLMs), can play in cyber defence.

“AI can help by automating and augmenting many aspects of cyber security, such as threat detection, response, analysis and prediction,” it said. “AI can also enable new capabilities and opportunities, such as using LLMs to general natural language insights and recommendations from complex data, helping make junior analysts more effective and giving them new opportunities to learn.”

However, AI and LLMs are not without their cyber security risks, with Microsoft noting that as more and more apps move to be LLM-based, they will have an increased attack surface that means they will be vulnerable to both deliberate and inadvertent misalignments through, for example, command injection or prompt extraction attacks.

However, Microsoft noted that the recency of developments in AI and LLMs means the detection and prevention of attacks involving these technologies remains an open and active research question.

It added that AI was generally being used by every type of actor to refine both their attacks and defences.

“The growth of autonomous apps that combine LLMs with low- or no-code platforms also significantly increase the security risk for organisations,” it said. “To build collective resilience against these emerging threats and to safeguard our ecosystem, it is crucial for organisations to collaborate, innovate, and share knowledge and best practice.”

Read more on Artificial intelligence, automation and robotics

NCSC warns over possible AI prompt injection attacks