Microsoft has shed light on some of the more infamous state actors that have targeted organisations and agencies around the world over the last 12 months.
According to Microsoft, by targeting IT service providers, hacking groups based in China, Russia, North Korea and Iran hope to create domino effects to cascade down to individual users.
The vast majority of these attacks by nation-state actors, at almost 80 per cent, have been directed towards government agencies, think tanks and non-government organisations (NGO), Microsoft claimed in its 2021 Microsoft Digital Defense Report.
Codenamed by Microsoft, the tech giant highlighted the Russia-based Nobelium, the China-backed Nickel, North Korea-supported Thallium and Iran's Phosphorus as the most active groups attacking the global government sector, particularly government entities involved in international affairs.
While each of the nations may have threat actors that go after similar targets and utilise similar techniques, each nation and group has its own style.
For example, Russia's Nobelium typically focuses its efforts on software supply chain attacks.
This was seen during its SolarWinds hack, which John Lambert, distinguished engineer and vice president at the Microsoft Threat Intelligence Centre, wrote in a blog post that while it only exploited 100 organisations, its backdoor malware was pushed to about 18,000 entities around the world.
Microsoft also recently flagged Nobelium as a potential threat against cloud service providers and resellers after it employed password spray and phishing attacks to attack third-party providers and provide a set-up for future hacks.
In addition to Nickel, China’s Hafnium was prominent during the first quarter of 2021 as it attacked on-premises versions of Microsoft Exchange Server.
“Hafnium operates primarily from leased virtual private servers in the United States and targets entities across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Lambert wrote.
Iran focused its efforts against its regional rivals in the last year with ransomware attacks, particularly against Israeli logistic companies related to maritime transportation.
Rubidium, thought to be responsible for the Pay2Key and N3tw0rm ransomware attacks against Israel, was flagged by Microsoft as a threat actor of particular concern.
“Despite Tehran’s less aggressive approach toward the United States in the wake of last year’s election, United States entities remained Iranian threat actors’ top target, comprising nearly half of the NSNs [nation-state notifications] Microsoft delivered to cloud-service customers,” Lambert said.
North Korea meanwhile has garnered a reputation for focusing on consumer accounts in the hopes of gaining diplomatic or geopolitical intelligence. As an example, its Zinc and Cerium state actors were behind attacks against pharmaceutical companies and vaccine researchers, with Lambert hypothesising it could have been an attempt to speed up the country’s own vaccine research.
Meanwhile Thallium had a “low rate of successful compromise” with a large-scale spear-phishing operation, its usual strategy, as such attacks are becoming easier to detect and defend against.
In addition, North Korea has also continued its attacks on financial companies to try and steal cryptocurrency and intellectual property.