Beijing-backed hackers caused a crisis this year by breaking into Exchange email servers with zero-day flaws Microsoft did not yet know about, but Microsoft says Russian hackers are far more prolific than those from China, or from any other nation.
“During the past year, 58% of all cyberattacks observed by Microsoft from nation-states have come from Russia,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, said in a blogpost detailing government-backed hacking over the past year.
The US and UK blamed the Russian Foreign Intelligence Service (SVR) for the software supply chain attack on US enterprise software vendor SolarWinds, which pushed a backdoored update to as many as 18,000 customers, including top tech firms and US government agencies. Microsoft, which was itself compromised in the campaign, calls this group Nobelium; others track it as APT29 or Cozy Bear.
Microsoft’s Burt warned that the past year showed Kremlin-backed hackers are becoming “increasingly effective”: a higher share of their intrusions succeed, and most are driven by espionage and intelligence collection. Many Russian-attributed attacks targeted enterprise virtual private network (VPN) software.
“Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% — largely agencies involved in foreign policy, national security or defense,” he explained.
Russia’s hacking is primarily driven by geopolitics, with the top targets being the United States, Ukraine and the UK, according to Microsoft.
But other usual suspects also feature in Microsoft’s 2021 Digital Defense Report, including Iran and North Korea. A new entrant is Turkey, which has developed a taste for trojans. Notably absent from Microsoft’s report is work carried out by Israeli cyber teams. Israel is home to NSO Group, infamous for its Pegasus spyware and the iPhone exploits that deliver it.
Russian state-backed hacking concentrated heavily on Ukraine, while Israel was increasingly targeted by Iranian hackers.
“Russia-based NOBELIUM raised the number of Ukrainian customers impacted from six last fiscal year to more than 1,200 this year by heavily targeting Ukrainian government interests involved in rallying support against a build-up of Russian troops along Ukraine’s border,” Microsoft notes in its Digital Defense Report.
“This year marked a near quadrupling in targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries.”
Public sector agencies under fire from hackers are mostly “ministries of foreign affairs and other global government entities involved in international affairs”, according to Microsoft, while credential-phishing campaigns hit both consumer and enterprise accounts.
Russian hackers have refined supply chain attacks over the past decade. The biggest supply chain attack before SolarWinds was NotPetya in 2017, which spread through the update mechanism of M.E.Doc, a little-known Ukrainian accounting package, and cost industrial giants billions in losses.
Software supply chain attacks work because the malicious code arrives through the vendor’s own update channel, signed with the vendor’s own key, so it inherits all the trust customers extend to that vendor, and that includes security companies. SolarWinds may not be a household name, but its Orion platform is widely deployed in enterprise IT.
Now, nearly every major US cybersecurity company is rallying behind US president Joe Biden’s May 2021 cybersecurity executive order, which pushes federal agencies toward a zero-trust model in which no network, however internal, is trusted by default.
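To make the previous point concrete, here is an added illustration (not code from Microsoft’s report, SolarWinds or any real vendor) of why a build-system compromise sails through the customer’s signature check. Everything in it is constructed: the “source”, the “compiler”, the implant, and the vendor key, which is an HMAC key standing in for an asymmetric code-signing key so the script needs only the standard library. The only check that notices the tampering is an out-of-band one: rebuilding from the published source and comparing hashes, i.e. a reproducible build.

```python
"""Why a SUNBURST-style implant survives update-signature verification.

Added example, not code from the original article or from any vendor.
The build, signing key, source and implant below are all constructed
stand-ins. The compromise happens *before* the vendor signs, so the
artifact the customer verifies really was signed by the vendor.
"""
import hashlib
import hmac

# Stand-in for the vendor's code-signing key (constructed). A real vendor
# would use an asymmetric key in an HSM; HMAC keeps this dependency-free.
VENDOR_SIGNING_KEY = b"constructed-vendor-key"

# Constructed "source code" the vendor publishes and the build consumes.
PUBLISHED_SOURCE = b"def update(): return 'orion 2020.2.1'\n"

# Constructed implant an attacker on the build server injects.
IMPLANT = b"\n# beacon to attacker-controlled C2 (constructed)\n"


def build(source: bytes) -> bytes:
    """Deterministic stand-in compiler: header + content hash + body."""
    digest = hashlib.sha256(source).hexdigest().encode()
    return b"ARTIFACT\n" + digest + b"\n" + source


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """The vendor signs whatever came out of its build pipeline."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, signature: bytes,
                     key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What a customer's update client checks today."""
    return hmac.compare_digest(sign(artifact, key), signature)


def compromised_build(source: bytes, implant: bytes = IMPLANT) -> bytes:
    """Attacker inside the build system: the published source is untouched,
    but the artifact that gets signed is not what that source produces."""
    return build(source + implant)


def reproducible_build_check(delivered: bytes, published_source: bytes) -> bool:
    """Out-of-band check: rebuild from published source, compare hashes."""
    expected = hashlib.sha256(build(published_source)).digest()
    actual = hashlib.sha256(delivered).digest()
    return hmac.compare_digest(expected, actual)


def customer_receives(artifact: bytes, signature: bytes) -> dict:
    """Both checks a careful customer could run on an incoming update."""
    return {
        "signature_ok": verify_signature(artifact, signature),
        "reproducible_ok": reproducible_build_check(artifact, PUBLISHED_SOURCE),
    }


def run_scenario(mode: str) -> dict:
    """mode: 'clean', 'build' (implant before signing), or 'transit'
    (implant appended after signing, e.g. a tampered download)."""
    if mode == "build":
        artifact = compromised_build(PUBLISHED_SOURCE)
    else:
        artifact = build(PUBLISHED_SOURCE)
    signature = sign(artifact)  # the vendor signs in every case
    if mode == "transit":
        artifact = artifact + IMPLANT  # modified after signing
    return customer_receives(artifact, signature)


if __name__ == "__main__":
    for mode in ("clean", "build", "transit"):
        print(f"{mode:8s}", run_scenario(mode))
```

The contrast between the “build” and “transit” rows is the whole point: a signature protects the path from the signing step to the customer, not the path from the source tree to the signing step, which is exactly where NotPetya’s M.E.Doc poisoning and the SolarWinds Orion implant were inserted.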
Critical infrastructure, however, is where the politics and Microsoft’s data diverge. Biden reportedly told Russian president Vladimir Putin that critical infrastructure should be “off limits”, although this is a tricky position for the US when it is widely known that some of the world’s most capable hackers work at the National Security Agency, which is widely reported to have co-developed Stuxnet to sabotage Iran’s uranium enrichment centrifuges. Microsoft’s top execs have previously criticised the NSA for hoarding zero-day exploits.
“From July 2020 to June 2021, critical infrastructures were not the focal point according to the NSN [nation-state notification] information that was tracked. China-based threat actors displayed the most interest and Russia-based threat actors accounted for the least in targeting entities in the critical infrastructure sector,” Microsoft notes in its report.
“Russian NOBELIUM’s cyber operations are a perfect example of displaying Russia’s interest in conducting operations for access and intelligence collection versus targeting a critical infrastructure for potential disruption operations.”