News
Bevy of Reports Call Out Russia, China, Iran and North Korea Threat Actors
A bevy of recent cybersecurity reports point to the continuing problem of nation-state-sponsored threat actors, though Microsoft seems much more adamant about the issue, leading the calls for action on the part of industry and government.
The primary culprits have long been Russia, China, Iran and North Korea, who all show up in recently published reports from Microsoft, IBM, Tenable and Fortinet.
"Nation-state attacks have been undeterred, increasing in volume and aggression," said Microsoft's Tom Burt in an Oct. 15 article titled "Escalating Cyber Threats Demand Stronger Global Defense and Cooperation."
As mentioned, several other reports call out the same culprits, but Microsoft is leading the charge to call for the government to get involved in fighting cybersecurity threats by combining defensive strategies with strong deterrence.
"Once again, nation-state affiliated threat actors demonstrated that cyber operations -- whether for espionage, destruction, or influence -- play a persistent supporting role in broader geopolitical conflicts," Burt said. "Also fueling the escalation in cyberattacks, we are seeing increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques."
Addressing the problem, Microsoft said, will require focusing and committing to cyber defense from individual users, corporate executives and government leaders.
Highlights of the report include:
- Russian threat actors appear to have outsourced some of their cyberespionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices.
- Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
- North Korea is getting into the ransomware game. A newly-identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks -- demonstrating both intelligence gathering and monetization motivations.
That latter country was also mentioned in a report this month from IBM titled, "X-Force Cloud Threat Landscape Report 2024," which noted "Threat actors are increasingly leveraging trusted cloud-based services, such as Dropbox, OneDrive and Google Drive, for command-and-control communications and malware distribution" while adding, "North Korean state-sponsored groups, including APT43 and APT37, carried out multistage attacks against cloud-based services to distribute remote access trojans (RATs)."
While that report didn't otherwise focus on foreign threats, it did provide these takeaways:
- Phishing is the leading initial access vector. Over the past two years, phishing has accounted for 33% of cloud-related incidents, with attackers often using phishing to harvest credentials through adversary-in-the-middle (AITM) attacks.
- Business Email Compromise (BEC) attacks go after credentials. BEC attacks, where attackers spoof email accounts posing as someone within the victim organization or another trusted organization, accounted for 39% of incidents over the past two years. Threat actors commonly leverage harvested credentials from phishing attacks to take over email accounts and conduct further malicious activities.
- Continued demand for cloud credentials on the dark web, despite market saturation. Gaining access via compromised cloud credentials was the second most common initial access vector at 28%, despite overall mentions of SaaS platforms on dark web marketplaces, which decreased by 20% compared to 2023.
Tenable, meanwhile, just published its Cloud Risk Report 2024, which calls out North Korea and Russia. It discusses a Windows kernel elevation of privilege vulnerability, saying, "The exploitation activity was orchestrated by the North Korea-based Lazarus Group, with the end goal of establishing a kernel read/write primitive."
The company also noted Microsoft itself was the victim of foreign-sponsored bad guys: "Midnight Blizzard, a Russian state-sponsored actor also known as NOBELIUM, hacked the tech giant's corporate email systems."
Otherwise, just last week Fortinet published "Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA," which followed an August report from the Cybersecurity and Infrastructure Security Agency (CISA) titled, "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations."
That latter government article said: [T]hese Iran-based cyber actors are associated with the Government of Iran (GOI) and -- separate from the ransomware activity -- conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan)."
While those are ordinary, run-of-the-mill cyberattacks seeking data or ransom, the upcoming election in the U.S. provides unique opportunities for foreign actors to influence matters.
"Russia, Iran, and China have all used ongoing geopolitical matters to drive discord on sensitive domestic issues leading up to the U.S. election, seeking to sway audiences in the U.S. to one party or candidate over another, or to degrade confidence in elections as a foundation of democracy," Microsoft said. "As we've reported, Iran and Russia have been the most active, and we expect this activity to continue to accelerate over the next two weeks ahead of the U.S. election."
Stay tuned to see how the government and industry respond to Microsoft's calls for action, as the stakes have apparently never been higher.
About the Author
David Ramel is an editor and writer at Converge 360.