This content is sponsored by Microsoft Federal.
According to the Microsoft Digital Defense Report, June 2020 to June 2021 was a big year for nation-state cyberattacks against the United States. Incidents like the SolarWinds attack brought new focus to the security of the supply chain and highlighted the need to respond to new techniques used by nation-states to compromise the digital security of federal agencies and contractors.
“I think the biggest take-away from me is that the main adversaries of the United States – Russia, China, Iran, and North Korea – are not deterred in their mission to collect intelligence from the US Federal government, think tanks, NGOs, and policy and law firms. The demand for intelligence from US targets only grows,” said Rick Wagner, president of Microsoft Federal. “The attacks are widespread, affecting many different industries.”
This year’s activity saw Russia move into the “most active attacker” position, which had been held by North Korea in the previous report. China and Iran were also active attackers this year, and Microsoft noted two new entrants into the nation-state category, identifying attacks from actors in Vietnam and Turkey in this year’s Report.
“While the tools and techniques may change, the goals of nation-state actors remained constant: collecting as much intelligence as possible from governments, think tanks, NGOs, policy firms, and other relevant entities to benefit the government attackers,” said Cristin Goodwin, Microsoft’s associate general counsel and general manager of the digital security unit. “This is much more traditional nation-state activity because you tend to see nation states targeting where they can gain information. These are intelligence operations.”
So what can agencies, contractors, and other government-adjacent organizations do to protect themselves from this kind of concerted effort?
“When we think about the protection of the digital estate, your corporation, your enterprise, your organization, your network, one of the most important things to think about is zero trust,” Goodwin said. “Multi-factor authentication, least privileged access and assume breach should be at the foundation of how companies or organizations think about their information security plans.”
That aligns with recent guidance from the Biden administration, especially the cybersecurity executive order (EO) released in May. The EO required all federal agencies to develop a strategy for multi-factor authentication and for adopting a zero trust architecture.
But basic cyber hygiene is just as important, Goodwin said. Things like patching and updating devices, infrastructure and applications can significantly reduce a nation-state’s ability to compromise a network.
“One of the statistics I always reflect on from the Microsoft Security Response Center is that 99% of the time when a computer was compromised, a patch was available, but it wasn’t installed. Nation-states know this,” Goodwin said. “They take advantage of low hanging fruit as they would take advantage of a password that is in an IoT device that is in the manual and isn’t reset when it comes into your network. Paying attention to those small things. That’s where nation-states really excelled. So take the easy stuff off the table.”
Educating employees is also extremely important. Nation-state compromises often begin with social engineering, spoofing, phishing, and password spraying. When employees are trained to recognize the signs of these kinds of attacks, they’re less likely to fall victim to one.
And none of these is a one-and-done effort; these processes need to be continually repeated for agencies and organizations to stay ahead of attackers.
“This space is a continuous lifecycle. Nation-states are constantly evolving their tactics and their techniques in order to be able to stay state of the art and find new ways to defeat defenses. So that lifecycle approach is really essential to an organization’s ability to withstand the advanced persistent threat that comes from a nation-state actor,” Goodwin said. “Stay vigilant. There’s a reason why we call these groups advanced persistent threats. Apply defense in depth, both to your digital state and to your digital person.”