Escalating cyber threats require stronger global defenses and cooperation

Every day, Microsoft customers face more than 600 million attacks from cybercriminals and nation states, from ransomware to phishing to identity attacks. Nation-state-affiliated threat actors have demonstrated once again that cyber operations—whether for espionage, destruction, or influence—play an enduring supporting role in broader geopolitical conflicts. Also fueling the escalation in cyberattacks, we are seeing increasing evidence of collusion between cybercriminal gangs and nation-state groups that share tools and techniques.

We must find a way to stem the tide of this malicious cyber activity. This includes continuing to strengthen our digital domains to protect our networks, data and people at all levels. However, this challenge will not be met simply by implementing a checklist of cyber hygiene measures, but only through a focus on, and commitment to, the fundamentals of cyber defense, from individual users to corporate executives and government officials.

These are some of the insights from the fifth annual Microsoft Digital Defense Report, which covers trends between July 2023 and June 2024.

State-affiliated actors are increasingly using cybercriminals and their tools

Over the past year, Microsoft has observed nation-state actors conducting operations for financial gain, recruiting cybercriminals to gather intelligence, particularly on the Ukrainian military, and using the same information theft, command and control frameworks, and other tools popular with the cybercriminal community. Specifically:

  • Russian threat actors appear to have outsourced some of their cyberespionage operations to criminal groups, particularly operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military installations.
  • Iranian nation-state actors used ransomware in a cyber influence operation where they promoted stolen data from Israeli dating websites. They offered to remove specific individual profiles from their data store for a fee.
  • North Korea is getting into the ransomware game. A newly identified North Korean actor developed its own ransomware variant, called FakePenny, which it deployed to aerospace and defense organizations after exfiltrating data from affected networks, demonstrating both an intelligence-gathering and a monetization motive.

Nation-state activity was heavily concentrated around sites of active military conflict or regional tension

Aside from the United States and the United Kingdom, most of the nation-state cyber threat activity we observed centered around Israel, Ukraine, the United Arab Emirates, and Taiwan. In addition, Iran and Russia have used both the Russo-Ukraine war and the Israel-Hamas conflict to spread divisive and misleading messages through propaganda campaigns that extend their influence beyond the geographic boundaries of the conflict zones, demonstrating the globalized nature of hybrid warfare.

  • About 75% of Russian targets have been in Ukraine or a NATO member state as Moscow seeks to gather information about Western policy on the war.
  • Efforts by Chinese threat actors remain similar to the past few years in terms of geographic areas targeted—Taiwan is the focus, as well as countries in Southeast Asia—and the intensity of targeting by location.
  • Iran has significantly targeted Israel, especially after the outbreak of war between Israel and Hamas. Iranian actors have continued to target the US and Gulf states, including the United Arab Emirates and Bahrain, in part because of their normalization of relations with Israel and Tehran’s view that both enable Israel’s war effort.
Russia, Iran and China focus on US election

Russia, Iran, and China have all used ongoing geopolitical issues to stir up disagreements on sensitive domestic issues leading up to the U.S. election, in an effort to sway U.S. audiences to one side or candidate over the other, or to reduce trust in the election as a basis of democracy. As we reported, Iran and Russia have been the most active, and we expect this activity to accelerate further in the next two weeks before the US election.

Additionally, Microsoft has seen an increase in election-related homoglyph domains — or fake links — that deliver phishing and malware. We believe these domains are examples of both profit-driven cybercriminal activity and reconnaissance by nation-state threat actors in pursuit of political goals. We are currently tracking over 10,000 homoglyphs to detect possible spoofing. Our goal is to ensure that Microsoft does not host malicious infrastructure and to notify customers who may be victims of such phishing threats.

Financially motivated cybercrime and fraud remain an ongoing threat

While nation-state attacks continue to be a concern, so are financially motivated cyberattacks. Last year, Microsoft recorded:

  • A 2.75x year-on-year increase in ransomware attacks. Importantly, however, there has been a threefold decrease in ransomware attacks that reached the encryption stage. The most common initial access techniques continue to be social engineering (specifically email phishing, SMS phishing and voice phishing), but also identity compromise and exploitation of vulnerabilities in public-facing applications or unpatched operating systems.
  • Tech fraud skyrocketed 400% since 2022. In the past year, Microsoft has seen a significant increase in tech fraud traffic, with the daily frequency rising from 7,000 in 2023 to 100,000 in 2024. More than 70% of malicious infrastructure has been active for less than two hours, meaning it can be gone before it is even detected. This rapid turnover underscores the need for more agile and effective cybersecurity measures.

Threat actors are experimenting with generative AI

Last year, we began to see threat actors—cybercriminals and nation-states alike—experimenting with artificial intelligence. Just as AI is increasingly being used to help humans be more effective, threat actors are learning how the power of AI can be used to target victims. In influence operations, China-aligned actors favor AI-generated imagery, while Russia-aligned actors use audio-focused AI across media. We have yet to see this content be effective in influencing audiences.

But the story of AI and cybersecurity is also potentially optimistic. Although AI is still in its infancy, it has demonstrated its benefits to cybersecurity professionals by acting as a tool that helps them respond in a fraction of the time it would take a human to manually process large volumes of alerts, malicious code files, and corresponding impact analysis. We continue to innovate our technology to find new ways AI can benefit and strengthen cybersecurity.

Cooperation remains essential to strengthening cybersecurity

With more than 600 million attacks per day targeting Microsoft customers alone, there must be a countervailing pressure to reduce the overall number of online attacks. Effective deterrence can be achieved in two ways: denying intrusion or enforcing consequences for harmful behavior. Microsoft continues to contribute to reducing disruptions and is committed to taking steps to protect itself and its customers through our Secure Future Initiative.

While the industry must do more to thwart attackers’ efforts through improved cybersecurity, this must be coupled with government measures to impose consequences that further deter the most damaging cyberattacks. Success can only be achieved by combining defense with deterrence. In recent years, much attention has been paid to the development of international norms of behavior in cyberspace. However, these norms still lack meaningful consequences for their violation, and nation-state attacks have not been deterred; their volume and aggressiveness are increasing. Changing the playing field will require conscientiousness and commitment from both the public and private sectors so that attackers no longer have the upper hand.

Microsoft continues to share important threat information with the community, including our latest Cyber Signals research focused on cyber risks in the education sector.
