Microsoft: Hacking Groups Shift to New Targets
Report Finds Hackers Targeting Think Tanks, Human Rights Groups, Healthcare Organizations
Over the last year, nation-state hackers, including those with links to the Russian government, have shifted from targeting critical infrastructure to focusing on think tanks, human rights groups and nongovernment organizations in an attempt to influence public policy, according to Microsoft.
Meanwhile, the COVID-19 pandemic led more hackers to target healthcare organizations around the world that are involved in research and vaccine development, according to Microsoft's annual Digital Defense Report released Tuesday.
The report offers a snapshot of how nation-state hacking efforts, along with cybercrime and digital fraud, have evolved over the last 12 months. Microsoft notes that, in the last two years, the company has sent out 13,000 notifications to customers who have been targeted by nation-states.
The majority of these nation-state attacks originate in Russia, with Iran, China and North Korea also ranking high, according to Microsoft.
The U.S. was the most frequent target of these nation-state campaigns, accounting for nearly 70% of the attacks Microsoft tracked, followed by the U.K., Canada, South Korea and Saudi Arabia.
And while critical infrastructure remains a tempting target for sophisticated hacking groups backed by governments, Microsoft notes that organizations that are deemed noncritical are increasingly the focus of these campaigns.
"In fact, 90% of our nation-state notifications in the past year have been to organizations that do not operate critical infrastructure," Tom Burt, corporate vice president of customer security and trust at Microsoft, writes in a blog post. "Common targets have included nongovernmental organizations, advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security. This trend may suggest nation-state actors have been targeting those involved in public policy and geopolitics, especially those who might help shape official government policies."
Attacks Related to COVID-19
Since the start of the COVID-19 pandemic, nation-state actors have increasingly targeted research and healthcare organizations to gather data.
"Microsoft observed 16 different nation-state actors either targeting customers involved in the global COVID-19 response efforts or using the crisis in themed lures to expand their credential theft and malware delivery tactics," Burt notes. "These COVID-themed attacks targeted prominent governmental health care organizations in efforts to perform reconnaissance on their networks or people. Academic and commercial organizations involved in vaccine research were also targeted."
The Microsoft report notes that phishing attacks increased significantly at the start of the pandemic, targeting victims' credentials. In the past several months, the number of COVID-19-themed campaigns has decreased, the company notes (see: COVID-19-Themed Phishing Campaigns Diminish).
In July, a U.S. federal court issued an injunction that gave Microsoft permission to seize control of several malicious domains being used to operate a COVID-19-themed phishing scam (see: Microsoft Seizes Domains Used for COVID-19 Phishing Scam).
The report notes that China-linked hacking groups were among those targeting healthcare and research institutions since March (see: DOJ: Chinese Hackers Targeted COVID-19 Vaccine Research).
"As the COVID-19 pandemic unfolded, China-based nation-state threat actors targeted medical research institutions in the United States and Asia, highlighting competition for medical innovations as another potential motive for proprietary information theft," according to the report.
Types of Attacks
Microsoft notes that the most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware and VPN exploits.
Threat actors are showing clear preferences for certain techniques, with notable shifts toward credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices, the report states.
"IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019," according to the report.
In 2019, Microsoft blocked over 13 billion malicious and suspicious emails, more than 1 billion of which carried URLs created to launch phishing attacks. The software giant also notes that ransomware was the most common driver of the company's incident response engagements from October 2019 through July.
Increase in DDoS Attacks
Microsoft notes an increase in distributed denial-of-service attacks following the COVID-19 outbreak.
"The company mitigated 600 to 1,000 unique DDoS attacks every day in March, or approximately 50% more than pre-COVID-19 levels," the company states.
DDoS services are widely available for sale on the dark web, with fees based on the defenses of the sites being attacked, the type of DDoS attack and the bandwidth needed to conduct the attack, according to Microsoft.
In May, the average price of a one-day DDoS attack service was $134, with some services offered for as little as $15 and the most expensive listed at $416, the report states.