Nation-Backed Hackers Targeted 10,000 Microsoft Customers

Microsoft says that it notified roughly 10,000 of its customers in the past year of being either targeted or compromised by nation-state sponsored threat groups.

"About 84% of these attacks targeted our enterprise customers, and about 16% targeted consumer personal email accounts," says Microsoft Corporate Vice President for Customer Security & Trust, Tom Burt.

These numbers show how heavily nation-states rely on cyberattacks as a means to collect and extract intelligence, as well as to "influence geopolitics or achieve other objectives."

781 notifications issued through AccountGuard

Hacking groups from Iran, North Korea, and Russia were behind the vast majority of nation-state attacks against Microsoft customers over the past year, with the most notable activity coming from threat actors such as "Holmium and Mercury operating from Iran, Thallium operating from North Korea, and two actors operating from Russia we call Yttrium and Strontium."

Redmond has added the data collected by the Microsoft Threat Intelligence Center while analyzing these attacks to its own security products, which help the company protect its customers from future advanced persistent threat (APT) group operations targeting its user base.

Microsoft also issued 781 notifications to organizations that are part of its free AccountGuard service after unearthing a number of attacks coordinated by APT groups and targeting entities fundamental to democracy, such as political parties and campaigns, as well as democracy-focused think tanks and nongovernmental organizations (NGOs) from 26 countries across four continents.

Microsoft AccountGuard provides enrolled organizations with notifications of potential threats or nation-state actor compromise of O365 accounts and with guidance on security best practices for properly securing digital assets.

"This data shows that democracy-focused organizations in the United States should be particularly concerned as 95% of these attacks have targeted U.S.-based organizations," adds Burt. "By nature, these organizations are critical to society but have fewer resources to protect against cyberattacks than large enterprises."

Attacks against elections and democratic institutions

While monitoring nation-state backed cyber-espionage campaigns, Microsoft detected attacks targeting the 2016 U.S. presidential election and the last French presidential election, with U.S. senatorial candidates also coming under siege in 2018 when they were attacked by the Russian-backed Strontium hacking group (aka Fancy Bear or APT28).

At the time, Microsoft's Digital Crimes Unit (DCU) was able to take control of six internet domains controlled by Fancy Bear, thus partially disrupting the group's operations, with this technique also used twelve other times to take down another 84 APT28 domains.

A number of other cyber-espionage campaigns targeting European democratic institutions were also detected by Redmond's Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) between September and December 2018, with employees of the German Council on Foreign Relations, the Aspen Institutes in Europe and the German Marshall Fund being among some of the targeted individuals in these attacks.

This last series of European-focused nation-state backed cyberattacks was also attributed to the Strontium hacking group and targeted more than 100 accounts of organization employees from Belgium, France, Germany, Poland, Romania, and Serbia.

"Consistent with campaigns against similar U.S.-based institutions, attackers in most cases create malicious URLs and spoofed email addresses that look legitimate. These spearphishing campaigns aim to gain access to employee credentials and deliver malware," said Burt in February.

Microsoft ElectionGuard demo

Voting systems protection software development kit demoed

Microsoft also demoed ElectionGuard, a free open-source software development kit (SDK) created through the company's Defending Democracy Program, at the Aspen Security Forum in Aspen, Colorado.

ElectionGuard can be used to secure voting machines from tampering and make voting more accessible and efficient in voting locations around the U.S. and other democratic nations around the globe.

Some of the benefits of using ElectionGuard to secure voting machines are that it will "enable end-to-end verification of elections, open results to third-party organizations for secure validation, and allow individual voters to confirm their votes were correctly counted."

Even though ElectionGuard can be used on both new and existing voting systems with hardware from a variety of manufacturers, Microsoft's demo "was built using a Microsoft Surface tablet in kiosk mode, an Xbox Adaptive Controller as an optional accessible input device, and a standard printer."

"As we head into the 2020 elections, given both the broad reliance on cyberattacks by nation-states and the use of cyberattacks to specifically target democratic processes, we anticipate that we will see attacks targeting U.S. election systems, political campaigns or NGOs that work closely with campaigns," added Burt.
