The decision among the four major nation-state cyber sponsors--China, Iran, North Korea and Russia--to target IT service providers to exploit victims downstream constitutes a "revolutionary change" in tactics, Microsoft said in a new report, pointing to the Russian orchestrated SolarWinds Orion attack and the China-based Exchange Server operation as critical examples.
In particular, attacks on IT service providers is part of a wider net Russia is casting that has seen Moscow-supported threat actors successfully execute cyber attacks at an alarming rate, Microsoft said in its Digital Defense Report. It suggests that cyber peril results not merely from the volume of arrays thrown at all manner of targets but the spiking number of successful infiltrations of a target’s defenses. Indeed, the study’s data show a jump in Russia-linked successful cyber operations from 21 percent in a 12-month look back ending June 2020 to 32 percent since then. Moreover, the percentage of attacks by Russian operatives on government organizations, primarily in the U.S., U.K. and Ukraine, ballooned from roughly three percent in the former period to 53 percent in the latter time frame.
The report comes after multiple high-profile and damaging cyber incidents orchestrated by Russia-backed agents in recent months. Remember, it was the Nobelium crew, a Kremlin-backed cyber syndicate, that was behind the SolarWinds assault and the Russia-linked DarkSide that executed the Colonial Pipeline ransomware hijack. More than 90 percent of the Russian-linked hit jobs were masterminded and executed by Nobelium, Microsoft said. To this point, Russian hackers have largely steered clear of infrastructure targets, the report said, but the Colonial Pipeline lock down may have been a template for what’s to come. The bottom line? “Russian threat actors will follow targets wherever they are, be it in the cloud or on-premises,” Microsoft said.
“Over the past year, Russia-based activity groups have solidified their position as acute threats to the global digital ecosystem by demonstrating adaptability, persistence, a willingness to exploit trusted technical relationships, and a facility with anonymization and open-source tools that make them increasingly difficult to detect and attribute,” Microsoft said. “They have also shown a high tolerance for collateral damage, which leaves anyone with connections to targets of interest vulnerable to opportunistic targeting.”
What does Russia want? Cyber espionage appears to be Moscow’s primary motivation, Microsoft said. One clue? Hackers have exfiltrated data but haven’t disrupted or destroyed anything using it.
While the vast majority of the report is dedicated to detailing and analyzing the state of cyber crime, nation state threats, supply chain threats, hybrid workforce security challenges, and the impact of disinformation campaigns, in many ways Microsoft saves the best for last, including trends, learnings and conclusions.
The report offers five cybersecurity “paradigm shifts'' that involve people and not just technology. Here they are:
- The rise of digital empathy. “In cybersecurity, means building tools that accommodate more diversity with respect to people and their ever-changing circumstances,
their diverse perspectives, and varied abilities.” - Zero trust is increasingly important. “As we look past the pandemic to a time when work forces and budgets rebound, Zero Trust will become the biggest area of investment for cybersecurity.”
- Diversity of data matters. A diverse set of products, services, and feeds allowed Microsoft to understand COVID-19-themed attacks in a broader context,” the vendor said.
- The resiliency of a business is tied to its cyber resilience. “A comprehensive approach to operational resilience must include cyber resilience.”
- A greater focus on integrated security. “To maximize the effectiveness of security organizations, tools must be fully integrated to improve efficacy and provide end-to-end visibility.”
Nine key learnings from the report:
- Employ basic cyber hygiene. Enabling multi-factor authentication, applying least privilege access, keeping up to date, using antimalware, and protecting data will defend against 98 percent of attacks.
- Adopt zero trust principles.
- Isolate legacy systems.
- Integrate cybersecurity into business decision making.
- Treat cyber as a business risk.
- Resilience includes cybersecurity.
- Build a third-party risk program.
- Invest in user training that educates and informs.
- Build security into productivity.
In conclusion: “For any new venture, consider the threat alongside the opportunity, and think about how you can manage risk for your entire organization,” Microsoft said. “This kind of thinking will require fundamental changes in the way we operate. We must consider risk as a whole and across the organization, rather than within siloes or individual viewpoints. We must look at where we need to change the way we work, and where we need to do the things we are already doing—but better.”
