
Microsoft: Nation-state activity blurring with cybercrime

Microsoft's Digital Defense Report 2024 noted that Russia 'outsourced some cyberespionage operations' against Ukraine to otherwise independent cybercrime gangs.

Nation-state threat activity has blurred with financially motivated cybercrime as countries such as Russia and Iran increasingly use cybercriminals and their tools, Microsoft said in its fifth annual "Digital Defense Report."

The report, published Tuesday, covers cyber and information security trends observed by Microsoft between July 2023 and June 2024. Although a large portion of the report covers nation-state threats, researchers also cover issues such as fraud, generative AI and ransomware, among others. In the case of ransomware, Microsoft observed a 2.75x year-over-year increase in human-operated ransomware-linked encounters, but a sharp decline in the share of attacks that reached the encryption phase.

Although the latter statistic supports the idea that defenders are getting better at stopping intrusions before impact, Microsoft also says that "Despite efforts by law enforcement and partners in the public and private sector, the complexity, speed, impact and severity of cybercrime is escalating."

The report highlighted state-sponsored actors as well as their increasing use of tools and tactics of financially motivated cybercriminals -- including the criminals themselves at times -- to conduct threat activity. Microsoft's report described it as a "blurring" of lines between nation-state activity and cybercrime.

"Microsoft observed nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community," the report read.

Russia, for example, has integrated commodity malware such as the Xworm and Remcos remote access Trojans (RATs) into its cyber arsenal and outsourced "some cyberespionage operations" to otherwise independent cybercriminals. "In June 2024, Storm-2049 (UAC-0184) used Xworm and Remcos RAT -- commodity malware associated with criminal activity -- to compromise at least 50 Ukrainian military devices," Microsoft said.

The company similarly saw Aqua Blizzard, a state-sponsored group connected to Russia's Federal Security Service, gain persistent access on 34 compromised Ukrainian devices and later "hand off" the devices to a cybercriminal gang tracked as Storm-0593. The gang deployed Cobalt Strike beacons as part of its activities. The report noted that the beacons were configured with a domain that Microsoft assessed "Storm-0593 registered and used in a previous spear-phishing campaign against Ukrainian military machines last year, suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives." Reuse of infrastructure across campaigns is the kind of overlap that lets defenders tie a nominally criminal group's activity to state tasking.

Additionally, Microsoft observed Iran conducting financially motivated offensive cyber operations. While this isn't strictly new behavior, the tech giant suggests Iran's latest activities differ from its previous behavior, which skewed more toward destructive attacks and less toward financially motivated ransomware. In one example, an Islamic Revolutionary Guard Corps group tracked as Cotton Sandstorm was observed selling stolen Israeli dating website data and offering "to remove specific individual profiles from their data repository for a fee," the report read.

Similarly, CISA warned in August that the Iranian APT Pioneer Kitten was conducting ransomware attacks and acting as an initial access broker.

North Korea, a country long known for using state actors to fill its national coffers, is estimated to have stolen over $3 billion in cryptocurrency since 2017, according to the UN. But in addition to its known penchant for cryptocurrency theft, Microsoft said it identified in May 2024 a new North Korean state-sponsored ransomware actor it tracks as Moonstone Sleet.

"Moonstone Sleet, a new North Korean actor identified in May 2024, developed a custom ransomware variant called FakePenny which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks," Microsoft said. "This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access."

In addition to the growing overlap with cybercrime, Microsoft warned that nation-state threat activity is intensifying. "The pace of nation-state sponsored cyberattacks has escalated to the point that there is now effectively constant combat in cyberspace without any meaningful consequences to the attacker," the report stated.

Deterrence, Microsoft said, requires a combination of technological and geopolitical solutions with an end goal of denying intrusions and/or imposing consequences. Though denying intrusions will almost certainly fall on the shoulders of companies, "enforcing international rules with deterrent consequences must fall on governments."

Microsoft made several suggestions to governments under three pillars: strengthening international norms and diplomacy, sharpening government attributions of malicious activity, and imposing deterrent consequences.

Although the latter two pillars are self-explanatory, the first is more novel and ambitious. To strengthen international norms and diplomacy, Microsoft advises governments to introduce new norms in government forums such as the U.N. that establish cloud and information and communications technology (ICT) supply chains as critical infrastructure that is off-limits for targeting, to embrace inclusive diplomatic processes, and to consider establishing bilateral agreements to curb state-backed cyber threat activity.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
