Iran, Turkey and both North and South Korea are bases for nation-state cyber attacks, Microsoft has claimed – as well as old favourite Russia.
While more than half of cyberattacks spotted by Redmond came from Russia, of more interest to the wider world is information from the US megacorp’s annual Digital Defence Report about lesser-known nation state cyber-attackers.
“After Russia, the largest volume of attacks we observed came from North Korea, Iran and China; South Korea, Turkey (a new entrant to our reporting) and Vietnam were also active but represent much less volume,” said MS in a post announcing its findings.
While the usual suspects of Russia, China and North Korea are highlighted in the report, Vietnam’s APT32 was highlighted by Microsoft’s infosec people for targeting “human rights and civil organisations.”
The Vietnam-linked group has a track record of not only spying on these but also “foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors”, according to Thailand’s CERT.
“In the last year, espionage, and more specifically, intelligence collection, has been a far more common goal than destructive attacks,” said Microsoft in its report, focusing on state threats to cyber security in general rather than Vietnam specifically. “While nations other than Iran mostly refrained from destructive attacks, they did continue to compromise victims that would be prime candidates for destructive attacks if tensions increased to the point where governments made strategic decisions to escalate cyber warfare.”
Alongside Vietnam as a newer entrant to the ranks of state-backed threats was Turkey, singled out for hacking Middle Eastern and Balkans telcos. Threat group UNC1326 (aka SeaTurtle) was previously reported on in depth by Cisco Talos in 2019, which pointed out that SeaTurtle was targeting “national security organisations in the Middle East and North Africa” that wanted to gain “persistent access to sensitive networks and systems.”
Microsoft said SeaTurtle was “most heavily focused on countries of strategic interest to Turkey including Armenia, Cyprus, Greece, Iraq, and Syria,” scanning for exploitable remote code vulnerabilities in its targets’ networks.
Aside from the state-backed threats, the Microsoft report noted that ransomware criminals were most likely to target retail, financial services, government and healthcare orgs, with the US being their number one target nation. The next unluckiest countries as far as ransomware was concerned were China, Japan, Germany and the United Arab Emirates.
“Fewer than 20 per cent of our customers are using strong authentication features like multifactor authentication,” groaned Redmond in its closing remarks, noting that offering MFA “for free” wasn’t spurring companies and other organisations into enabling it.
If they did, Microsoft thinks its security customers would “be protected from over 99 per cent of the attacks we see today.” Something worth thinking about next time your users are moaning about password policies. ®