In the past year, cyberattacks have touched 120 countries, fueled by government-sponsored spying and with influence operations (IO) also rising. At times, nearly half of these attacks targeted NATO member states, and more than 40% were leveled against government or private-sector organizations involved in building and maintaining critical infrastructure. While headline-grabbing attacks from the past year were often focused on destruction or financial gain with ransomware, data shows the predominant motivation has swung back to a desire to steal information, covertly monitor communication, or to manipulate what people read. For example:
These are some of the insights from the fourth annual Microsoft Digital Defense Report, which covers trends between July 2022 and June 2023 across nation-state activity, cybercrime, and defense techniques.
More countries, sectors under attack
While the U.S., Ukraine, and Israel continue to be most heavily attacked, the last year has seen an increase in the global scope of attacks. This is particularly the case in the Global South, especially Latin America and sub-Saharan Africa. Iran increased its operations in the Middle East. Organizations involved in policymaking and execution were among the most targeted, in line with the shift in focus to espionage.
Russia and China increase focus on diaspora communities
Both Russia and China are increasing the scope of their influence operations against a variety of diasporas. Russia aims to intimidate global Ukrainian communities and sow mistrust between war refugees and host communities in a range of countries, especially Poland and the Baltic states. By contrast, China deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda. These directly target global Chinese-speaking and other communities, denigrating U.S. institutions and promoting a positive image of China through hundreds of multilingual lifestyle influencers.
Convergence of influence operations with cyberattacks
Nation-state actors are more frequently employing IO alongside cyber operations to spread favored propaganda narratives. These aim to manipulate national and global opinion to undermine democratic institutions within perceived adversary nations – most dangerously in the contexts of armed conflicts and national elections. For example, following its invasion of Ukraine, Russia consistently timed its influence operations with military and cyberattacks. Similarly, in July and September 2022, Iran followed destructive cyberattacks on the Albanian government with a coordinated influence campaign that is still ongoing.
Trends by nation state
Alongside the overall increase in threat activity, distinct trends have been observed among the most active nation-state actors.
AI creates new threats – and new opportunities for defense
Attackers are already using AI as a weapon to refine phishing messages and improve influence operations with synthetic imagery. But AI will also be crucial for successful defense, automating and augmenting aspects of cybersecurity such as threat detection, response, analysis, and prediction. Large language models (LLMs) can also generate natural language insights and recommendations from complex data, helping make analysts more effective and responsive.
We are already seeing AI-powered cyber-defense reversing the tide of cyberattacks; in Ukraine, for example, AI has helped defend against Russia.
As transformative AI reshapes many aspects of society, we must engage in Responsible AI practices, which are crucial for maintaining user trust and privacy and for creating long-term benefits. Generative AI models require us to evolve cybersecurity practices and threat models to address new challenges, such as the creation of realistic content – including text, images, video, and audio – that can be used by threat actors to spread misinformation or create malicious code. To stay ahead of these emerging threats, we remain committed to ensuring that all our AI products and services are developed and used in a manner that upholds our AI principles.
The state of cybercrime
The game of cat and mouse between cybercriminals and defenders continues to evolve. While threat groups have significantly accelerated the pace of their attacks over the last year, built-in protections across Microsoft products have blocked tens of billions of malware threats, thwarted 237 billion brute-force password attack attempts, and mitigated 619,000 distributed denial of service (DDoS) attacks that aim to disable a server, service, or network by overwhelming it with a flood of internet traffic.
Criminals are also looking to increase their anonymity and effectiveness by using remote encryption to cover their traces more effectively, as well as cloud-based tools such as virtual machines. But stronger private and public partnerships mean that they are increasingly finding themselves in the crosshairs of law enforcement. For example, the ransomware operator known as Target was outed, and arrests and indictments were successfully made. But criminals continue to look for the points of easiest entry to systems, and a continuous and accelerating effort is required to stay one step ahead of them.
Ransomware attacks increase in sophistication and speed
Microsoft’s telemetry indicates organizations saw human-operated ransomware attacks increase 200% since September 2022. These attacks are generally a “hands on keyboard” type of attack rather than an automated one, typically targeting a whole organization with customized ransom demands.
Attackers are also evolving attacks to minimize their footprint, with 60% using remote encryption, thereby rendering process-based remediation ineffective.
These attacks are also notable for how they attempt to gain access to unmanaged or bring-your-own devices. More than 80% of all compromises we observed originate from such unmanaged devices. Ransomware operators are increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against attacks.
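Remote encryption, as the term is used in ransomware reporting, means a compromised device encrypts files on the network shares it can reach, so the encrypting process never runs on the file server or on the managed hosts whose files change, and process-based remediation on those hosts has nothing to stop. The following is an added example (my own code, not Microsoft's or the report's) of what a server-side detection for that pattern can look like: it reads file-share audit records, finds bursts of extension-changing renames from a single client host across several directories, and marks whether that client appears in the managed-device inventory, which ties in the unmanaged-device finding above. The audit-record format, host and share names, thresholds and the sample lines are constructed assumptions.

```python
"""Spotting remote (over-the-network) encryption in file-share audit logs.

Added example with constructed data; not Microsoft's detection logic. The
audit-record format, host names, share names and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import posixpath

# Constructed inventory of managed devices (assumption): any other host that
# touches a share is treated as unmanaged, which raises the finding's priority.
MANAGED_HOSTS = {"WS-FINANCE-01", "WS-HR-03"}


def parse_event(line):
    """Assumed record format: ts|client_host|share|path|op,
    where op is WRITE or RENAME:<new_path>."""
    ts, client, share, path, op = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "share": share,
        "path": path,
        "op": op,
    }


def new_extension(event):
    """Return the new extension if this rename changes the extension, else None."""
    if not event["op"].startswith("RENAME:"):
        return None
    old_ext = posixpath.splitext(event["path"])[1]
    new_ext = posixpath.splitext(event["op"][len("RENAME:"):])[1]
    return new_ext if new_ext != old_ext else None


def detect_remote_encryption(lines, window=timedelta(minutes=5),
                             min_renames=20, min_dirs=3):
    """One finding per client host whose extension-changing renames on shares
    look like bulk encryption: many files across several directories, all
    taking the same new extension, inside `window`. No process runs on the
    file server, so this is what the server-side log shows instead."""
    by_client = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        ext = new_extension(event)
        if ext:
            event["new_ext"] = ext
            by_client[event["client"]].append(event)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1                      # slide the window forward
            burst = events[start:end + 1]
            if len(burst) < min_renames:
                continue
            dirs = {posixpath.dirname(e["path"]) for e in burst}
            ext, ext_count = Counter(e["new_ext"] for e in burst).most_common(1)[0]
            if len(dirs) >= min_dirs and ext_count >= min_renames:
                if best is None or len(burst) > best["renames"]:
                    best = {
                        "client": client,
                        "managed": client in MANAGED_HOSTS,
                        "renames": len(burst),
                        "directories": len(dirs),
                        "new_extension": ext,
                        "first_seen": burst[0]["ts"].isoformat(),
                    }
        if best:
            findings.append(best)
    return findings


def sample_lines():
    """Constructed audit lines: a rename burst from an unmanaged contractor
    laptop, plus ordinary renames and a write from managed workstations."""
    base = datetime(2023, 5, 2, 3, 14, 0, tzinfo=timezone.utc)

    def stamp(delta):
        return (base + delta).isoformat().replace("+00:00", "Z")

    dirs = ["2023/Q1", "2023/Q2", "payroll", "audit/evidence"]
    lines = []
    for i in range(25):
        path = f"{dirs[i % len(dirs)]}/report{i}.xlsx"
        lines.append(f"{stamp(timedelta(seconds=4 * i))}|WS-CONTRACTOR-07|Finance|{path}|RENAME:{path}.locked")
    for i in range(3):
        lines.append(f"{stamp(timedelta(minutes=i))}|WS-FINANCE-01|Finance|drafts/memo{i}.docx|RENAME:drafts/memo{i}.pdf")
    lines.append(f"{stamp(timedelta(0))}|WS-HR-03|HR|onboarding/list.csv|WRITE")
    return lines


if __name__ == "__main__":
    for finding in detect_remote_encryption(sample_lines()):
        print(finding)
```

Run stand-alone, it reports the contractor laptop (unmanaged, 25 renames across 4 directories to `.locked`) and stays silent on the three ordinary `.docx` to `.pdf` renames. The point of keying on the client host rather than a process is exactly that the host doing the encrypting is not the one whose data is changing; an alert of this shape is actionable on the file server and on the network (isolate the client) even when no endpoint agent is present on it.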
Ransomware criminals also threaten disclosure of stolen information to pressure victims and extract payment. Since November 2022, we have observed a doubling of potential data exfiltration instances after threat actors compromised an environment. But not all data theft is associated with ransomware; it can also be for credential harvesting or nation-state espionage.
Password-based and Multifactor Authentication (MFA) fatigue attacks skyrocket
MFA is an increasingly common authentication method that requires users to provide two or more “factors” of identification to gain access to a website or application – such as a password along with facial recognition or a one-time passcode. While MFA is one of the easiest and most effective defenses organizations can deploy against attacks, reducing the risk of compromise by 99.2%, threat actors are increasingly taking advantage of “MFA fatigue” by bombarding users with MFA notifications in the hope they will finally accept and provide access.
Microsoft has observed approximately 6,000 MFA fatigue attempts per day over the past year. Additionally, the first quarter of 2023 saw a dramatic tenfold surge in password-based attacks against cloud identities, especially in the education sector, from around 3 billion per month to over 30 billion – an average of 4,000 password attacks per second targeting Microsoft cloud identities this year.
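The two preceding paragraphs describe a sequence that shows up together in identity telemetry: a password-based attack such as a spray (one source address trying a few passwords against many accounts) lands a password, and the account then receives repeated MFA push prompts until one is approved. The following is an added example, not code from Microsoft or the report, of how a defender can flag both stages from sign-in records. The record format, event names, account names, thresholds and the 203.0.113.9 and 198.51.100.4 addresses are constructed assumptions.

```python
"""Detecting MFA fatigue and password-spray patterns in sign-in logs.

Added example with constructed records; not Microsoft's detection logic. The
record format, event names, thresholds and accounts are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_signin(line):
    """Assumed record format: ts|user|source_ip|event, where event is one of
    PASSWORD_OK, PASSWORD_FAIL, MFA_PUSH_SENT, MFA_DENIED, MFA_APPROVED."""
    ts, user, ip, event = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "event": event}


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received `min_prompts` or more push prompts inside
    `window`. A burst that ends in an approval is rated high: the user may
    have accepted a prompt they did not initiate."""
    by_user = defaultdict(list)
    for e in map(parse_signin, lines):
        if e["event"].startswith("MFA_"):
            by_user[e["user"]].append(e)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end, e in enumerate(events):
            while e["ts"] - events[start]["ts"] > window:
                start += 1                      # slide the window forward
            burst = events[start:end + 1]
            prompts = sum(1 for b in burst if b["event"] == "MFA_PUSH_SENT")
            if prompts < min_prompts:
                continue
            approved = any(b["event"] == "MFA_APPROVED" for b in burst)
            if best is None or approved or prompts > best["prompts"]:
                high = approved or (best is not None and best["severity"] == "high")
                best = {"user": user, "prompts": prompts,
                        "severity": "high" if high else "medium",
                        "source_ips": sorted({b["ip"] for b in burst})}
        if best:
            findings.append(best)
    return findings


def detect_password_spray(lines, window=timedelta(minutes=30), min_users=10):
    """Flag source IPs with failed passwords for `min_users` or more distinct
    accounts inside `window`: few guesses per account, many accounts."""
    by_ip = defaultdict(list)
    for e in map(parse_signin, lines):
        if e["event"] == "PASSWORD_FAIL":
            by_ip[e["ip"]].append(e)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end, e in enumerate(events):
            while e["ts"] - events[start]["ts"] > window:
                start += 1
            users = {b["user"] for b in events[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"ip": ip, "distinct_users": len(users), "failures": end - start + 1}
        if best:
            findings.append(best)
    return findings


def sample_signins():
    """Constructed records: a spray from one address that lands one password,
    followed by repeated push prompts to that account until one is approved,
    plus one ordinary sign-in by another user."""
    base = datetime(2023, 3, 6, 7, 0, 0, tzinfo=timezone.utc)

    def stamp(delta):
        return (base + delta).isoformat().replace("+00:00", "Z")

    spray_ip = "203.0.113.9"   # documentation-range address, constructed
    lines = [f"{stamp(timedelta(seconds=10 * i))}|user{i:02d}@example.com|{spray_ip}|PASSWORD_FAIL"
             for i in range(1, 13)]
    lines.append(f"{stamp(timedelta(minutes=3))}|user07@example.com|{spray_ip}|PASSWORD_OK")
    for n in range(6):
        t = timedelta(minutes=4 + n)
        lines.append(f"{stamp(t)}|user07@example.com|{spray_ip}|MFA_PUSH_SENT")
        outcome = "MFA_APPROVED" if n == 5 else "MFA_DENIED"
        lines.append(f"{stamp(t + timedelta(seconds=5))}|user07@example.com|{spray_ip}|{outcome}")
    lines.append(f"{stamp(timedelta(hours=1))}|alice@example.com|198.51.100.4|PASSWORD_OK")
    lines.append(f"{stamp(timedelta(hours=1, seconds=2))}|alice@example.com|198.51.100.4|MFA_PUSH_SENT")
    lines.append(f"{stamp(timedelta(hours=1, seconds=9))}|alice@example.com|198.51.100.4|MFA_APPROVED")
    return lines


if __name__ == "__main__":
    lines = sample_signins()
    print("spray:", detect_password_spray(lines))
    print("fatigue:", detect_mfa_fatigue(lines))
```

On the constructed data each detector returns one finding: the spray address with 12 distinct accounts, and user07 with 6 prompts rated high because the burst ends in an approval, while alice's single prompt and approval stay silent. A high-rated fatigue finding is the trigger for revoking the session and resetting the credential; the detection complements, rather than replaces, prompt designs that make blind approval impossible, such as number matching, and rate limits on push notifications.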
The only secure defense will be a collective defense
The scale and nature of threats outlined in the Microsoft Digital Defense Report can appear dispiriting. But huge strides are being made on the technology front to defeat these attackers and at the same time, strong partnerships are being forged that transcend borders, industries, and the private-public divide. These partnerships are having ever greater success in keeping us all safe and this is why it is vital we continue to broaden and deepen them. Some 75% of eligible citizens in democratic nations have the opportunity to vote in the next year and a half. Keeping elections safe and democratic institutions strong is a cornerstone of our collective defense.
For more threat intelligence insights and guidance, visit Microsoft Security Insider.