Key Takeaways
Cyberattacks have traditionally originated from either criminal groups, usually motivated by money, or nation-state actors, who target rivals as a form of modern espionage.
However, according to Microsoft’s 2024 Digital Defense Report, the line between the two threats has become increasingly blurred, with both adversaries sharing tools and techniques.
As explored in the report, state-sponsored actors are now leveraging criminal tactics and tools to advance national interests.
North Korean and Russian state-backed groups, for instance, have adopted malware developed by criminal organizations and often share the same motives as independent hackers.
Microsoft’s research shows that 54% of North Korean cyber attacks are directed at North America. IT is the most targeted sector, accounting for 44% of attacks.
North Korean hacker groups like Lazarus are responsible for a number of high-profile crypto thefts, the proceeds of which are used to secure funding for state coffers.
The White House believes these funds finance more than half of North Korea’s missile and nuclear programs.
Major North Korean cyber groups such as Jade Sleet and Sapphire Sleet have been particularly active in targeting cryptocurrency organizations.
Meanwhile, the rise of groups like Moonstone Sleet, which uses ransomware to target aerospace and defense sectors, illustrates how North Korea is merging espionage with financially motivated cyber activities.
Another country that has long been associated with malicious cyber activity is Iran. However, the state’s tactics and who it targets have evolved in the past year.
Microsoft observed that since the outbreak of the Israel-Hamas war in October 2023, Iran has significantly intensified its attacks against Israeli individuals and organizations.
In the three months before the conflict erupted, just 10% of cyber attacks originating from Iran targeted Israel; in the following nine months, that share rose to around half.
Iranian groups also expanded their “cyber-enabled influence operations” beyond Israel, seeking to undermine support for the country, Microsoft reported.
An Iranian cyber unit known as Shahid Kaveh was responsible for defacing a water controller in Pennsylvania, leaving a message that Israeli-made systems are legal targets.
As highlighted in the 2024 Digital Defense Report, Russia continues to leverage cyber espionage to advance its military and political goals, particularly in its ongoing war with Ukraine.
In 2024, Russia has increasingly relied on criminal groups to conduct espionage. For example, the report claims that the Federal Security Service (FSB)-affiliated Aqua Blizzard gave access to compromised Ukrainian devices to the cybercriminal group InvisiMole.
Russian tactics have also become increasingly reckless, mirroring the viral threat of worm-type malware that can potentially cause unintended damage to global computer networks.
State-backed groups like Secret Blizzard and Seashell Blizzard have been observed using the Amadey botnet, a network of infected devices that first emerged in 2018. While the identity of Amadey’s creator is unknown, paid access to the botnet is often advertised on Russian hacker sites.
China’s cyber operations in 2024 have been characterized by extensive intelligence-gathering campaigns, mainly targeting the IT and military sectors in the South China Sea.
Chinese actors, such as Raspberry Typhoon and Granite Typhoon, aggressively target Taiwan. However, they have also increasingly pursued intelligence from government and military entities in the Philippines, Indonesia, and Malaysia.
This expansion of Chinese cyber activities illustrates the growing reach of its cyberwarfare capabilities, with a clear focus on gathering military intelligence and potentially disrupting adversary operations.