Professional Documents
Culture Documents
MDDR Final 2023 1004
MDDR Final 2023 1004
Defense Report
October 2023
Microsoft Threat Intelligence
1 Microsoft Digital Defense Report 2023 Chapter 1 Introduction
Contents
Chapter 1 Chapter 3 Chapter 6
Introduction Nation State Threats Collective Defense
Chapter 1
Introduction
About this report
Introduction 3
Sharing Microsoft’s
’ unique vantage point 5
The power of partnership in building 6
cyber resilience
Driving global progress through the 8
Cybersecurity Tech Accord
About this report 9
Threat actor map 11
3 Microsoft Digital Defense Report 2023 Chapter 1 Introduction
Securing our
future together
Introduction from Tom Burt
As the digital domain faces new and more Nation‑state actors were not alone in stepping up As we are seeing, Artificial Intelligence (AI)
threatening challenges, defenders are being driven their abuse of the digital ecosystem. Well‑resourced technologies are set to become a major focus
to innovate and collaborate more closely than ever. cybercriminal syndicates also continue to grow of regulators and industry. We will undoubtedly
For example, Russia’s use of cyberweapons as part and evolve, leveraging the cybercrime-as-a-service see attackers using AI as a tool to refine phishing
of its hybrid war against Ukraine sparked sustained ecosystem we highlighted last year. Ransomware‑as‑ messages, develop malware and enable other
collaboration between Microsoft and Ukrainian a-service and phishing-as-a-service are key threats abuses of technology. But AI will also be a critical
officials to successfully defend against most of to businesses and cybercriminals have conducted component of successful defense. For example,
these cyberweapons. business email compromise and other cybercrimes, in Ukraine we saw the first successful use of
largely undeterred by the increasing commitment AI technology to help defend against Russian
Russia is not alone in its use of destructive malware;
of global law enforcement resources. cyberattacks. In the coming years, innovation
we have also seen increased use of cyberweapons by
in AI‑powered cyber defense will help reverse
Iran to pressure the Albanian government and in its Many vendors are taking steps to improve the
the tide of cyberattacks.
ongoing conflict with Israel. At the same time, nation cybersecurity of their products and services,
states are becoming increasingly sophisticated and developing new tools to help customers better Advancing the promise of digital peace requires
aggressive in their cyber espionage efforts, led by defend against attackers. Governments across public‑private collaboration to ensure we are
highly capable Chinese actors focused on the Asia the globe are providing the public with more bringing to bear the best technological and
“As the digital domain Pacific region in particular. information about cyber threats and how to
counter them, like the effective alerts from the US
regulatory tools to combat cyber aggression.
We need more and deeper alliances in the
One recent example of the troubling increase in
faces new and more aggression and capability involves a Chinese actor,
Cybersecurity and Infrastructure Security Agency’s private sector and stronger partnerships
(CISA) Shields Up campaign. Governments are also between the private and public sectors.
threatening challenges, which Microsoft calls Volt Typhoon. It used inventive
tradecraft to infiltrate and pre‑position malware
imposing new legal and regulatory requirements for Enabling this collaboration can be challenging
defenders are being in the networks of a range of communications
cybersecurity. While many of these are beneficial,
they can impose counterproductive conditions—
but, when successful, it drives meaningful impact.
We must accelerate the move of critical computing
companies and other critical infrastructure
driven to innovate and organizations in Guam and the United States,
such as requiring overly rapid reporting of workloads to the cloud, where vendors’ security
cybersecurity incidents or establishing inconsistent innovations will be most impactful, and ensure AI
collaborate more closely deploying “living off the land” techniques to
or conflicting requirements across agencies or innovation provides defenders with the durable
evade detection.
than ever.” geographies. Close collaboration between the
public and private sectors to formulate, enforce, and
technological advantage over attackers that
it promises.
harmonize these requirements is crucial to improve
Tom Burt
global cybersecurity and foster innovation.
Corporate Vice President, Customer Security & Trust
5 Microsoft Digital Defense Report 2023 Chapter 1 Introduction
Sharing
As part of our longstanding commitment to create a safer world, Microsoft’s investments in security research,
innovation, and the global security community include:
15,000+
Cybersecurity is a defining challenge of our time. per second, synthesized using
sophisticated data analytics and AI
Organizations of every size across every industry 10,000+ engineers, researchers, data
algorithms to understand and protect
around the globe feel the urgency and pressure against digital threats and criminal scientists, cybersecurity experts,
partners in our
of protecting and defending against increasingly cyberactivity. threat hunters, geopolitical analysts,
investigators, and frontline responders
sophisticated attacks. across the globe.
While AI is transforming cybersecurity, using it to security ecosystem
stay ahead of threats requires massive amounts
of diverse data. Here at Microsoft, our more than
10,000 security experts analyze over 65 trillion
300+ 100,000+
15,000+ partners with specialized
solutions in our security ecosystem,
who increase cyber resilience for our
signals each day with the help of AI, and Microsoft threat actors customers.
protect against be compromised. This means constantly with hyperscale cloud because these
monitoring the environment for possible attack. capabilities are already built into the
‑
platform. Additionally, cloud-enabled
99% of attacks? 3 Use extended detection and response
(XDR) and antimalware: Implement
capabilities like XDR and MFA are
constantly updated with trillions of daily
How effective is MFA at deterring
software to detect and automatically block cyberattacks? A recent study based on
signals, providing dynamic protection
attacks and provide insights to the security real‑world attack data from Microsoft
that adjusts to the current
While we explore the many dimensions of the operations software. Monitoring insights Entra found that MFA reduces the risk
threat landscape.
cyber threat landscape, there is one crucial point from threat detection systems is essential of compromise by 99.2 percent.1
we must emphasize across them all: the vast to being able to respond to threats in a
majority of successful cyberattacks could be timely fashion.
thwarted by implementing a few fundamental Fundamentals
4 Keep up to date: Unpatched and out--
Enable multifactor
security hygiene practices. -
of-date systems are a key reason many of cyber hygiene
authentication (MFA)
By adhering to these minimum-security standards, organizations fall victim to an attack.
it is possible to protect against over 99 percent Ensure all systems are kept up to date
Apply Zero
99%
of attacks: including firmware, the operating system,
and applications. Trust principles
1 Enable multifactor authentication (MFA):
This protects against compromised user 5 Protect data: Knowing your important
passwords and helps to provide extra data, where it is located, and whether the Use extended detection and
resilience for identities. right defenses are implemented is crucial to response (XDR) and antimalware
implementing the appropriate protection.
Basic security hygiene
2 Apply Zero Trust principles:
still protects against
The cornerstone of any resilience plan Hyperscale cloud makes it easier to implement Keep up
99% of attacks.
is to limit the impact of an attack on an fundamental security practices by either enabling to date
organization. These principles are: them by default or abstracting the need for
customers to implement them. With software-as- ‑ ‑
– Explicitly verify. Ensure users and devices are in a Protect
‑ ‑
a-service (SaaS) and platform-as-a-service (PaaS)
good state before allowing access to resources. data
solutions, the cloud provider takes responsibility for
– Use least privilege access. Allow only the keeping up with patch management.
privilege that is needed for access to a resource
and no more. Outlier attacks on the bell curve make up just 1%
8 Microsoft Digital Defense Report 2023 Chapter 1 Introduction
Driving global progress The Accord has launched several initiatives, including
the Internet of Things (IoT) Security Resource Hub,
which aims to establish a strong global baseline for IoT
Tech Accord
mercenaries. The group also engages in extensive
consultations with governments, civil society, and
private sector partners, advocating for responsible
nation-state behavior and amplifying the technology
industry’s role in international cybersecurity.
Since its inception, the Cybersecurity The Cybersecurity Tech Accord has worked to
be the technology industry’s voice on matters of In the past year, the Cybersecurity Tech Accord
Tech Accord has witnessed remarkable has made strides in raising awareness of the
peace and security in cyberspace and to uphold
progress. As we mark its fifth anniversary, a commitment to protect users and customers escalating threats posed by some nation-state
actors. In particular, the group launched an Annual
we celebrate a groundbreaking everywhere from evolving cyber threats. At the
core of this historic initiative are four fundamental State of International Cybersecurity Thermometer,
commitment by 156 technology and which in 2023 reached a “boiling point,” largely due
security companies from around the
cybersecurity principles:
1 Better defense: We will protect all of our
to the widespread and unprecedented use of cyber In 2023, the
world to protect our customers from operations in the armed conflict in Ukraine.
Threat actor
Throughout this report, we refer to the five key groups Threat actor naming taxonomy Other definitions:
that Microsoft uses to characterize threat actors: In April, we announced that we have shifted to • Cyber-enabled influence operations:
descriptions
• Nation-state actors are cyber operators who a new threat actor naming taxonomy aligned to Operations that combine offensive computer
act on behalf of, or directed by, a nation/state- the theme of weather. The complexity, scale, and network operations with messaging and
aligned program, irrespective of whether the volume of threats is increasing, driving the need to amplification in a coordinated and manipulative
and naming goal is espionage, financial gain, or retribution. reimagine not only how Microsoft talks about threats
but also how we enable customers to understand
way to shift perceptions, behaviors, or
decisions by target audiences to further a
• Financially motivated actors are cyber
those threats quickly and with clarity. With the new group or nation’s interests and objectives.
campaigns/groups directed by a criminal
taxonomy, we intend to bring better context to
organization/person with the motivation of • NSN data: This data is based on aggregated
customers and security researchers that are already
financial gain which have not been associated nation‑state notifications (NSNs)—notices
confronted with an overwhelming amount of threat
with high confidence to a known non‑nation that we send to customers when they have
intelligence data. It will offer a more organized,
state or commercial entity. been targeted or compromised by a nation-
memorable, and easy way to reference adversary
state actor that is tracked by Microsoft.
• Cyber mercenaries or private sector groups so that organizations can better prioritize
Data overwhelmingly reflects activity
offensive actors refer to commercial actors that threats and protect themselves. Simply put, security
against Office 365, followed by Outlook and
are known/legitimate legal entities that create and professionals will instantly have an idea of the type
Hotmail. We count NSN data by number of
sell cyberweapons to customers who select targets of threat actor they are up against, just by reading
targeted organizations.
and operate the cyberweapons. the name.
• Events data: This data covers a broader
• Influence operations are manipulative
Additional information range of investigative observations of
information campaigns communicated online
nation‑state threat actor activity than NSNs.
or offline that are intended to shift perceptions, How Microsoft names threat actors | Microsoft
Activity captured in “events” ranges from
behaviors, or decisions by target audiences
reconnaissance and movement on network
to further a group or a nation’s interests
to data exfiltration or deletion.
and objectives.
• Groups in development is a temporary
designation given to an unknown, emerging, or
developing threat activity. This allows Microsoft
to track it as a discrete set of information until
we can reach high confidence about the origin
or identity of the actor behind the operation.
11 Microsoft Digital Defense Report 2023 Chapter 1 Introduction
Financially motivated
Denim Tsunami
Carmine Tsunami
Strawberry Tempest
12 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Chapter 2
The State of Cybercrime
What we know about
cybercrime today
Key developments 13
Introduction 14
How the threat landscape is evolving 15
Ransomware and extortion 17
Phishing 27
Business email compromise 32
Identity attacks 34
Distributed denial of service attacks (DDoS) 38
Return on mitigation: Targeting investment 41
to increase resilience
13 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Key 80-90%
of all successful ransomware
70% Human-operated
ransomware attacks
of organizations are up more than
developments
compromises originate through
unmanaged devices.
encountering human-
Find out more on page 18
operated ransomware 200%
A return on mitigation (ROM)
had fewer than
Cybercriminals are leveraging the
framework is helpful for 500 employees.
prioritization and may highlight
cybercrime-as-a-service
- - - ecosystem to actions requiring low effort
or resources but that have a
launch phishing, identity, and distributed
high impact.
denial of service (DDoS) attacks at scale.
Find out more
Simultaneously, they are increasingly Find out more on page 41 Find out more on page 18 on page 17
bypassing multifactor authentication
and other security measures to conduct Password based Last year marked a
targeted attacks.
attacks spiked significant shift in
Ransomware operators are shifting heavily toward
hands on keyboard attacks, using living-off-the-
- - -
in 2023 cybercriminal tactics
land techniques and remote encryption to conceal
with threat actors exploiting cloud computing resources such
their tracks, and exfiltrating data to add pressure
as virtual machines to launch DDoS attacks. When hundreds
to their ransom demands. And cybercriminals
of millions of requests per second originating from tens of
are improving their ability to impersonate or
thousands of devices constitute an attack, the cloud is our best
compromise legitimate third parties, making it even
defense, due to the scale needed to mitigate the largest attacks.
harder for users to identify fraud until it’s
’ too late.
While cybercriminals have remained As a result, attackers are finding themselves in the The result is that cybercriminals are looking for used in further criminal activity such as business
crosshairs of law enforcement. Many have been ways to increase their anonymity and effectiveness. email compromise.
hard at work, we are seeing public and
outed, including the Conti ransomware operator As human-operated ransomware attacks on small
private sectors come together to disrupt As you read this report, I encourage you to look
known as “Target” whose unmasking includes a and medium businesses increase, we have seen
for opportunities to improve your defensive
the technologies criminals use, hold $10 million reward for additional information, indicted more use of remote monitoring and management
security posture, identify areas where you may
(Yevgeniy Polyanin) or arrested (Yaroslav Vasinskyi) tools that leave behind less evidence. Many of these
them to account, and support the victims need investment, and explore ways to make
alleged to have deployed the Sodinokibi/REvil ransomware attacks attempt to compromise or gain
of cybercrime. training programs more effective. Consider your
ransomware to attack businesses and governments. access to unmanaged or bring-your-own devices
opportunities to engage in simulated cyberattacks
Governments are also looking beyond criminals to because they typically have fewer security controls
or tabletop exercises, invest in threat intelligence
As cybercriminals look for new ways to generate and defenses.
rescue victims, disrupt malicious technology, and and actor tracking in the cybercrime space, share
income, they have stayed focused on exploiting
seize and return money–as was seen in the case Attackers continue to look for the easiest method information with law enforcement, and take technical
weakness in humans and technology, staying
of the Hive ransomware. The private sector is an to gain unauthorized access to any system through or legal disruptive actions. We all have a part to play
ahead of security measures, and coordinating
essential partner in these efforts, whether through identity attacks such as traditional brute-force in fighting cybercrime, and I urge you to consider
to create sophisticated global networks that sell
criminal referrals and information sharing with law attempts, sophisticated password spray attempts what more you, your company, or your government
services. To combat them, public and private enforcement or through technical and legal action, across multiple countries and IP addresses, could do to help improve cyber resilience.
sector professionals and organizations are creating as seen in Microsoft and Fortra’s action to disrupt and adversary-in-the middle (AiTM) attacks.
strong partnerships that are disrupting criminal’s cracked, legacy copies of Cobalt Strike and abused Amy Hogan-Burney
Phishing is not going away, and attackers are using
technology, hold threat actors accountable, and Microsoft software see page 113. General Manager, Associate General Counsel,
both malware phishing to compromise devices
increase resilience to attacks. Cybersecurity Policy & Protection
and AiTM phishing to steal identities that can be
Op Cybersecurity Tech Accord principles
mapping index on page 124
15 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
notifications
permissions that are assigned to it.
identity included traditional brute-force
attempts, sophisticated password spray For more about ransomware
attempts across multiple countries and IP see page 17. C
addresses, and adversary-in-the middle
3 Targeted phishing attempts leading to A
(AiTM) attacks.
Managed extended detection and device or user compromise: We have
response (XDR) services, such as For more about identity attacks, observed both malware phishing with
see page 34. intent to compromise devices, and AiTM
Microsoft Defender Experts, are phishing attempting to steal identities.
2 Ransomware encounters: These are
invaluable resources for security defined in this report as any instance of
Defense evasion techniques included
operations centers to effectively detect phishing from compromised vendors and
ransomware activity or attempted attacks
abuse of legitimate services. B
and respond to critical incidents. that we have detected and prevented or
alerted on, throughout the various stages For more about phishing and
When we observe novel tactics, techniques, and of a ransomware attack. AiTM, see page 27. A 42% Successful C 25% Successful
identity attacks targeted phishing
procedures, human-directed attacks, or attack In addition to several ransomware variants 4 Business email compromise (BEC): attempts
progression, notifications are sent to our customers this year, we observed a unique large- Attackers used various methods including B 29% Ransomware D 4% Business email
encounters compromise (BEC)
to provide specific information regarding the scope, scale ransomware campaign targeting email conversation hijacking and mass
method of entry, and instructions for remediation. both endpoints and cloud architecture of spamming with malicious applications Telemetry sources: Microsoft Defender for
Endpoint, Microsoft Defender for Cloud Apps,
an organization. This was driven by the to commit financial fraud. They also sent
Pr Cybersecurity Tech Accord principles Microsoft Defender for Identity, Microsoft
threat actor we named Mango Sandstorm. phishing emails with harmful links and Defender for Office 365, Azure AD Identity
mapping index on page 124
This campaign included both on-premises attachments from the victim’s email Protection, Microsoft Defender Threat Intelligence
and cloud environments, and involved address to other users within the victim’s
privilege escalation and destruction organization. Since these phishing emails
Additional information
activities, including deletion of victim user were sent internally, multiple users fell
Detecting and mitigating a multi-stage AiTM
resources, and persistence using OAuth victim to the attack by clicking on the links
phishing and BEC campaign | Microsoft
applications. Attackers added a secret or within a short period of time.
certificate to an application in order to Raspberry Robin worm part of larger ecosystem
For more about BEC, see page 32. facilitating pre-ransomware activity | Microsoft
connect to Azure Active Directory (Azure
17 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
and extortion
a sharp increase in the use of remote encryption
during human-operated ransomware attacks. to three years old, with Zoho Java ManageEngine,
Instead of deploying malicious files on the victim Exchange, MOVEit, and PaperCut print management
device, encryption is done remotely, with the system software among the top applications exploited.
process performing the encryption, which renders
process-based remediation ineffective. On average,
New tactics
60 percent of human-operated ransomware attacks Actionable insights
to 123 tracked ransomware-as-a-service affiliates.
used remote encryption over the past year. This is
The number of affiliates grew by 12 percent in the To safeguard against these attacks:
a sign of attackers evolving to further minimize
and trends last year, setting up conditions for human-operated
ransomware attacks to continue to grow in 2024.
their footprint. 1 It is crucial to implement Zero Trust and
least privilege principles.
Initial attack vectors
2 The most efficient solutions are those
Microsoft’s telemetry indicates that Ransomware breaches per month The Microsoft Incident Response team responds that can instantly identify attackers by
per 100,000 organizations to incidents and helps customers secure their most
organizations faced an increased rate of utilizing signals from devices, users,
We observed an overall increase in successful sensitive, critical environments. Based on findings and the entire organization, and take
ransomware attacks compared to last during these engagements, the top three initial
ransomware attacks with a sharp decrease in automatic remedial measures across
year, with the number of human-operated March-April. access vectors were fairly evenly split, showing both managed and unmanaged devices.
ransomware attacks up more than 200 criminals are consistently exploiting the same
40 3 It is essential to have a seamless
35 vectors: external remote services, valid accounts, and
percent since September 2022. 30 public facing applications. method to restore encrypted files at the
25 organizational level.
20 We found that among external remote services,
The good news is, for organizations with a strong 15
security posture, the likelihood of an attack 10 adversaries primarily leveraged unsecured remote
succeeding is very low. Typically, an attack is
5 desktop protocol (RDP) and virtual private networks
0 Additional information
stopped in the pre-ransom phase, with on average (VPN). Threat actors attacking valid accounts, where
Sep 22
Jul 22
Aug 22
Oct 22
Nov 22
Dec 22
Jan 23
Feb 23
Mar 23
Apr 23
May 23
Jun 23
How automatic attack disruption works in
2 percent of attacks progressing to a successful the attacker somehow gained legitimate account
Microsoft 365 Defender | Microsoft
ransomware deployment. credentials, were most often able to log in via Citrix.
Telemetry sources: Microsoft Security Graph, Automatically disrupt adversary-in-the-middle
Approximately 40 percent of the ransomware Microsoft Defender for Endpoint, Microsoft Defender attacks with XDR | Microsoft
for Cloud Apps, Microsoft Defender for Identity,
encounters we detected in June were human-
Microsoft Defender for Office 365, Azure AD Identity
driven. Most of these attacks can be attributed Protection, Microsoft Defender Threat Intelligence
18 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Ransomware
70%
Organization size
Pre-ransom notifications by industry
Despite the notoriety of high-profile attacks
targeting
S
last year, the primary victims of ransomware Q
R
A
attacks this year were small and medium size P
organizations. Between July and September 2022, of organizations encountering
O
around 70 percent of organizations encountering human-operated ransomware N
human-operated ransomware had fewer than had fewer than 500 employees. M
Unmanaged devices
500 employees. L
Most human-operated ransomware B
K
attacks attempt to compromise or gain Industries
J
While the critical infrastructure sectors experienced
access to unmanaged or bring-your-
the most ransomware encounters this year, I
own devices (personal devices used cybercriminals have broadly attacked all sectors. C
to access work-related systems and Attackers leveraged new techniques as pre-cursors H
to ransomware to establish the foothold within
information). These typically have fewer G D
the victim organization before exfiltration and F E
security controls and defenses. We have ransom. As seen in the distribution of pre-ransom
80-90%
observed that 80 to 90 percent of all notifications sent by Microsoft Defender Experts A Discrete K Power & Utilities
Manufacturing
compromises originate from unmanaged to our customers, education and manufacturing
B Higher L Media &
sectors were key targets. For example, threat Education Entertainment
devices. Ransomware operators are also actors targeted a critical remote code execution C Real Estate M Health Provider
increasingly exploiting vulnerabilities vulnerability found in PaperCut server, which is used of all compromises originate Professional
D N Water & Sewage
in less common software, making it by educational organizations. from unmanaged devices. Services
E Consumer Goods O Automotive
more difficult to predict and defend & Mobility
Retailers Capital Markets
against their attacks. This reinforces F P
I Insurance S Telecommunications
J
Gov Ops &
Infrastructure
Source: Microsoft Defender Experts notifications
19 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Hive
Blackcat
DJVU/Stop
Darkbit
Fargo
Royal
Eight
Mazenote
cartel
Skylock
Phobos
Mokop
Cuba
Basta
Magniber
Doppelpaymer
BlackMatter
Rorschach
Vice Society
Dharma
Regional footprints
Countries targeted by the top four ransomware variants
The geographical distribution of the Microsoft
The regional presence of ransomware was an indication of targeted attack and encryption by the threat actors.
Defender Experts notifications reveals that the
top ransomware variants had varying regional
footprints. This reflects the targeted nature of
France United States Finland United States United States Ethiopia Greece
attacks by their operators.
Israel Luxembourg
C
Korea Albania Puerto Rico
United States
Colombia
Canada Italy
Finland
Denmark Sweden
A B D
monitoring and
system-level privileges. Threat actors can also abuse Exposures (CVEs)
RMM software to copy files to a clipboard and
exfiltrate data using a file transfer web service. Teclib GLPI CVE-2022-35914
of cybercriminals:
traditional and new legal approaches to disrupt the Based on the work of the DCU and its NCFTA
Given the complexity and global nature of
financial flows of the cybercrime ecosystem. Here’s partners however, the company decides to
ransomware attacks and other cybercrime activity,
what that might look like: coordinate payment with law enforcement. After the
a hypothetical Microsoft identifies a suspected ransomware attack
victim pays, law enforcement tracks the funds and
works with cryptocurrency exchanges to freeze the
this collaborative approach is necessary to disrupt
the finances of criminals, at scale. Microsoft and
case study
and proactively contacts the impacted customer. the DCU are leading efforts with partners and
cryptocurrency before the ransomware group can
The customer confirms its files were encrypted and will continue to develop technology and legal
withdraw it.
that it received a ransom demand to be paid to a approaches to bring threat actors to justice.
cryptocurrency wallet. Microsoft works with the
victim on incident response while the DCU analyzes
One of the best ways to deter the attacker and their virtual wallet. Using tools
cybercriminals is to hit them where it provided by industry partners who specialize in
analyzing cryptocurrency transactions, the DCU
hurts: in their wallets. The Microsoft
identifies more of the threat actor’s wallets and
Digital Crimes Unit (DCU) has been doing technical details of their communications.
that through a holistic strategy which With the victim’s permission, Microsoft uses its
places financial disruption at the core of membership in the National Cyber Forensics and
its investigations. Training Alliance (NCFTA)—a non-profit organization
that unites industry and government partners to
combat cybercrime—to share this information
quickly and securely. The group confirms the actor
is a known ransomware group and provides details
including other wallets and infrastructure the
cybercriminals use.
ransomware trends
ransomware actor to be obfuscated, cashed out, for collective defense. AI can also be
and reinvested. used to expedite the time to detect
business model The laundering process spans cryptocurrency and respond to ransomware attacks.
companies, virtual asset service providers (VASPs), 2 Modernize mindset: Organizations
peer-to-peer and cryptocurrency exchanges, As of May 2023, 92 percent of the RTF should understand the benefits of
mixers, merchant services, and dark net markets, recommendations for combatting ransomware innovations in the public cloud, which
among other entities. IST found that previously had been actioned in some way, with 50 percent includes hyper-scalability cybersecurity
One recommendation of the un-leveraged information is produced as a ransom experiencing significant progress, including capabilities, to protect digital platforms
Ransomware Task Force (RTF), of payment moves through the chain. This information through legislation and policy adoption.1 Just as from cybercriminals and nation-
which Microsoft is a part, is to disrupt can be accessed and potentially shared by a range defenders are innovating, however, ransomware state attackers.
of entities including, but not limited to, antivirus operators are too. As a result, Microsoft is
the ransomware business model and vendors, cloud service providers, hosting providers,
3 Modernize approach: Cybersecurity
focused on understanding how ransomware can no longer be seen as a technical
decrease criminal profits. In pursuit cryptocurrency exchanges, and tooling providers. activity may develop over the next few years to problem; for greater resilience it must
of this goal, the Institute of Security Efforts coordinated by the RTF and NCFTA, among proactively counter it. Going forward, we expect be seen as an organizational risk
others, can also use this information to add friction cyber criminals will seek to leverage automation,
and Technology (IST) mapped the by leaders in the organization and
to–and potentially disrupt–the ransomware payment AI, and hyperscale cloud systems to scale and
ransomware payment ecosystem managed accordingly.
ecosystem. The ultimate goal is to disincentivize to maximize the profitability of ransomware
in 2022. the use of ransomware by making it harder for attacks. Organizations looking to minimize their 4 Modernize approach: Legacy
ransomware operators to successfully collect on vulnerabilities to these approaches must respond technology and siloed standalone
their attacks. by modernizing their organizational skills, mindset, security products are not efficient
approach, and technology. or effective at defending against
sophisticated cyber attackers.
Additional information Organizations should invest in
Mapping the Ransomware Ecosystem | Institute integrated cybersecurity platforms
for Security and Technology that share signals across the digital
The Ransomware Task Force (RTF) unites key backbone to provide end-to-end
stakeholders across industry, government, and visibility and inform defenders across
civil society an organization’s surface attack area.
25 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Resiliency State?
financial gain by threat actors. streamlined requirements that ensure resiliency and
against ransomware performance are not compromised.
In last year’s report, we introduced our two-pillar
Our approach aims to ensure that our internal
approach to ransomware, with dedicated initiatives The five foundations of the
products, services, and teams—including those
to support our enterprise and our customers. ransomware elimination journey
supporting our customers—will be best positioned
This year, our efforts resulted in three key outcomes:
Microsoft’s mission to keep ourselves to defend against ransomware attacks today and in We have identified five foundational principles which
and our customers safe from • Continuous improvement for business the future. we believe every enterprise should implement to
continuity and recovery: We emphasized defend against ransomware. When fully implemented,
ransomware continually evolves and the role of employees in our defense strategy
To optimize resilience, we conducted an internal
the Foundational Five provide proven defenses
assessment using the National Institute of Standards
grows. A resilient defense is particularly through tabletop exercises and rigorous across identity, data, and endpoints. While we
and Technology’s published framework for managing
important as ransomware operators simulations to verify our protective capabilities, make exclusive use of our first-party products, the
the risk of ransomware (NIST.IR.8374). Based on the
supported by training for excellence in incident Foundational Five are solution-agnostic if they are
increasingly shift toward hands- response preparedness.
results, and in conjunction with data and observations
properly implemented and fully enabled.
of real-world human-operated ransomware, we have
on-keyboard attacks that enable
• Advanced evaluation of ransomware-specific established a comprehensive set of requirements
sophisticated cybercriminals to seek The Foundational Five
controls: Integrating new methodologies, we across different technology domains to defend
out and exploit vulnerabilities. developed a ransomware-specific technology against ransomware attacks. We call this our Optimal 1. Modern authentication with phish-
evaluation program to ensure controls meet Ransomware Resiliency State (ORRS). resistant credentials
the requirements of our enterprise. 2. Least Privileged Access applied to the
Op Cybersecurity Tech Accord principles Integrating what we have learned from our Zero
mapping index on page 124 • Improved feedback loops: We streamlined Trust journey, ORRS consists of 40+ requirements entire technology stack
engagement between our security operating that span myriad aspects of the security landscape, 3. Threat- and risk-free environments
center and the product groups that build the from policy and governance to infrastructure and
4. Posture management for compliance and
security tools that Microsoft and its customers data. The requirements are platform agnostic
the health of devices, services, and assets
rely on. This provided richer insights with more to ensure compatibility with any device that we
actionable data and improved our ransomware mandate and include employee training, and 5. Automatic cloud backup and file-syncing
protection and detection capabilities in the ensuring business continuity and data accessibility. for user and business-critical data
products and services we used.
Pr Op Em Cybersecurity Tech Accord principles Pr Em Cybersecurity Tech Accord principles
mapping index on page 124 mapping index on page 124
26 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
phishing attacks
privileged access without repeated authentication. 4 Phishing site 3 Website returns
proxies the MFA an MFA screen
During an AiTM phishing attack, a reverse proxy screen to the user
server is set up between the target and a legitimate
login page. Reverse proxy servers sit between a
5 User inputs 6 Phishing site
client, such as a web browser, and a web server,
Adversary-in-the-middle (AiTM) is the additional proxies request to
forwarding information and requests between authentication the actual website
a longstanding technique used by the client and the server. Reverse proxies are used
threat actors to obtain credentials, legitimately for increasing security and performance
but can also be used for malicious purposes such as
8 Phishing site 7 Website returns
session cookies or personal data, or to redirects the user a session cookie
AiTM attacks. The target unwittingly submits their to another page
distribute malware. credentials through the proxy, which triggers an
MFA prompt on their mobile device. After the user
We have consistently observed a daily influx of inputs the authentication code, the proxy continues
high-volume AiTM phishing campaigns, with some to deceive them by presenting subsequent MFA
instances involving millions of phishing emails sent screens, relaying the user’s input and allowing
within a 24-hour period. This trend of high-volume the attacker to access the account without the Malicious proxy server
campaigns first appeared in September 2021 and we user’s knowledge. TLS session TLS session
saw a significant surge in mid-July 2022, indicating
an effort to bypass MFA on a massive scale.
Unlike traditional phishing attacks, revoking and
28 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
In AiTM, the target is presented a replica or imitation While other kits–such as Evilginx2, Modlishka, and AiTM domains growing as attacks become more common
login page, as in traditional phishing methods. Muraena–have been available for free in open The number of domains that we tracked leading to AiTM phishing pages grew consistently
However, a separate server controlled by the threat sources for years, they lack the service and support throughout the last 12 months
actor or phishing service is used to submit the stolen offered by paid-for kits. As a result, the addition
credentials to the legitimate login service, triggering of AiTM phish kits to phishing-as-a-service has
an MFA prompt. The phishing infrastructure then supplied advanced phishing capabilities to a wider
displays a copy of an MFA screen to the target. range of threat actors, reduced entry barriers, and
This is distinct from AiTM over reverse proxy, as no enabled more effective attacks.
HTTP packets are proxied between the target and
Caffeine, EvilProxy, and NakedPages each have
the login service.
hundreds of customers. These cyber criminals pay
Microsoft tracks multiple threat actor groups monthly license fees ranging from $200 to $1,000 10000
associated with prominent AiTM phishing kits USD and carry out daily phishing campaigns.
and services and one prolific threat actor using Because so many threat actors use these services, 8000
multiple AiTM phishing services to carry out high it is impractical to attribute campaigns to specific
volume phishing campaigns. These prominent actors. Instead, we track these phishing services,
6000
AiTM Domains
kits/services are known as Caffeine (attributed to block phishing activity from them, and work
Storm-0867), EvilProxy (attributed to Storm-0835), to provide effective detection and defense
and NakedPages (attributed to Storm-1101). We have for customers. 4000
also observed AiTM phishing campaigns linked to
tracked but unidentified kits or services. 2000
Jun 22
Jul 22
Oct 22
Feb 23
Mar 23
Aug 22
Sep 22
Nov 22
Jan 23
Dec 22
Apr 23
May 23
Jun 23
$200-$1000
Monthly licensing fees paid by cybercriminals
to carry out daily phishing campaigns.
redirects in phish
Defender Experts include OneNote attachments, 15M
Count of URL
URLs leading users to download OneNote 10M
attachments, and PDFs containing URLs that led
to OneNote malware downloading. 5M
Phishing campaigns continue to improve in Using data from Microsoft Defender for Office 365,
• OAuth device code phishing. The attacker 0
we observe trends in file entities that are commonly
Jun 23
May 23
Feb 23
Dec 22
Nov 22
Apr 23
Mar 23
Jan 23
sophistication, including leveraging genuine generates a user code, then creates a phishing email used in phishing attacks. HTML files are often used
services or websites and tailoring phishing with it and a link to provide the code. This allows the for creating fake web pages that trick users into
attacker to sign-in on behalf of the user. divulging personal information. PDF files can exploit
links for individual users. By simulating user Source: Microsoft Defender for Office 365
• Other targeted phishing attempts. Our experts a user’s trust by embedding malicious links or using
interaction in virtual machines, we can social engineering tactics to persuade users to Malicious actors can use URL shorteners in tandem
also observed targeted phishing attempts in which
analyze untrusted files and URLs to assess attackers identified user-specific details through open attachments that execute malware. URLs are with URL redirectors to send users to harmful
websites or deceptive phishing pages.
their safety. The main goal is to deliver social engineering, then created tailored phishing commonly used to deceive users into visiting
campaigns using look-alike domains to which the fraudulent websites. Use of URL shorteners spiked in March, but
speedy and accurate verdicts on content.
users have subscribed, with contents matching This year, we observed major attack patterns remained constant overall.
the users’ interests. This significantly increases the involving URLs with open redirectors and open
Examples of what we’re seeing in real-time analysis:
success rate of a compromise attempt. shorteners being dominant attack vectors. Prevalence of URL shorteners
• Emails sent from trusted third parties.
Attackers send phishing emails to all the URL open redirectors are vulnerabilities found in web 250
applications that enable attackers to manipulate URLs
in phish (thousands)
on the email thread with specially crafted to redirect unsuspecting users to malicious websites.
150
messages and a malicious URL. Here, they may be victim to phishing attacks, data
10,000
100
breaches, account takeovers, or malware infections.
• Emails with legitimate URLs. Attackers host 50
phishing URLs on legitimate cloud service providers 0
such as Adobe, Dropbox, Google, and Microsoft. In April-June 2023 we alerted users of
Nov 22
Dec 22
Jan 23
Feb 23
Mar 23
Apr 23
May 23
Jun 23
approximately 10,000 password entries
After multiple redirects, victims are led to the per month into malicious sites.
final landing page, which steals credentials or
downloads malicious payloads onto their machine. Source: Enhanced Phishing Protection with Microsoft Source: Microsoft Defender for Office 365
Given these are popular services, it is difficult to Defender SmartScreen, across third-party browsers
distinguish malicious links from genuine ones. running on Windows 11
30 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
simulations
them to measure their click susceptibility.
Humans remain the primary risk vector in social
engineering attacks. At the same time, phishing Phish simulation training findings show users vulnerable to drive-by URLs
attack mechanisms are constantly evolving, and bad
actors create new tactics. Users often click on links A Link attachment
4% A A 3%
Phishing campaigns continue to improve and attachments by habit and without conscious B
B
6%
B Link to malware file
7% C 2%
in sophistication, including leveraging consideration of their actions, thereby opening the
C OAuth consent grant 2% C D
door to cybercrime. Three factors explain why users
genuine services or websites and D
remain a key vulnerability: D Credential harvesting
tailoring phishing links for individual
1 As threat tactics rapidly evolve, technical E Drive-by URL
users. By simulating user interaction systems will not be able to completely
F Attachment malware
in virtual machines, we can analyze prevent social engineering attacks
untrusted files and URLs to assess their and human behavior will persist as a
vulnerability for attackers to manipulate.
safety. The main goal is to deliver speedy Looking at
While security awareness programs,
6.7M
2
and accurate verdicts on content.
designed to help users identify social
How video-based trainings alone fall short To truly tackle the issue of phishing, it’s important Inaction is better than clicking, but reporting is Employees must also know how to recognize
Most enterprise phishing awareness programs to recognize that every user is unique and has their the best action to take. and respond to evolving phishing techniques.
prioritize meeting training compliance requirements own behavioral tendencies. Our phishing awareness Reporting phishing attempts is crucial to prevent Additionally, emphasis should be placed on
over delivering effective behavior change programs. programs go beyond generic, one-size-fits-all cyberattacks. Users can help security teams strengthening organizational resiliency, such as
They operate under the misguided assumption that training and instead provide tailored and context- identify and block malicious emails, websites, and through Zero Trust strategies which isolate and
periodic exposure to simulated phishing attacks, aware engagement models that can be implemented other threats. However, only 11.3 percent of users contain the potential impacts of phishing.
accompanied by a brief educational encounter at scale. We understand that each user requires a who receive phishing emails report them, despite
(typically in the form of a narrated video with limited personalized learning experience based on their 89 percent refraining from clicking on links or
interactive elements), will equip users to be able to unique behaviors and profile, such as job function, opening attachments.
Additional information
identify and avoid advanced and evolving phishing security posture, and past actions. For example,
Administrators can use awareness campaigns, Attack Simulation Training: New insights
attempts. However, these programs have proven to our phish simulations are tailored to each user’s
teaching guides, and rewards to raise awareness into targeted user behavior
be fundamentally flawed. performance based on telemetry from previous
of phishing campaigns and encourage consistent
simulations sent. Providing personalized learning Simulate a phishing attack with Attack
Although tens of millions of computer users have reporting behavior. There is a genuine opportunity for simulation training | Microsoft Learn
experiences based on each individual’s unique
taken phishing training, we have found that phish organizations to prioritize enhancing user reporting
behaviors and profile can enable organizations to
clicking behavior is reduced by employing video- consistency, as current rates fall short of potential.
make a real impact in reducing phish susceptibility. Actionable insights
based training by about three percent, at best.
User responses to phish attempts
This number has remained remarkably stable over To safeguard against these attacks:
still insufficient
the years. Based on this data, we conclude that Percentage of clicks on phish simulations 1 Shift phishing training programs away
video-based training is not an effective way to Link-clicking behavior by users has remained Read 44.6% from being compliance oriented to more
reduce an organization’s phish susceptibility. relatively unchanged despite the widespread
No action 33.3% proactive, behavior change focused.
Tailored approaches are needed implementation of security awareness training
Reported 11.3% 2 Develop tailored and context-aware
programs, and increased sophistication of phish.
The security awareness and training industry is Email link education models that treat users
clicked 7.8%
beginning to adopt objective behavioral measures and Credential as distinct individuals and can be
10% 2.3%
contextual experiences that prioritize behavior change supplied
implemented at scale.
8%
over information delivery. This involves tailoring the Attachment 0.8%
6% opened
approach to individual users. We believe this approach 0% 25% 50% 3 Teach users that reporting is a gold
4%
holds the greatest potential for reducing behavioral standard behavior in protecting
2% Over the past six months, we found users reported
risk against modern social engineering attacks. 0% phishing attempts only 11.3% of the time. While no their enterprise.
Mar 23
Jan 23
Feb 23
Apr 23
May 23
Oct 22
Dec 22
Sep 22
Nov 22
Aug 22
Jul 22
Jun 22
Under this approach, organizations must embrace a action is better than clicking, reporting phishing
attempts would be best to help security teams 4 Treat phishing education programs
new perspective regarding the involvement of their identify incoming threats. as part of a broader Zero Trust
users in thwarting attacks and conduct innovative Source: Microsoft Defender for Office 365 attack Source: Microsoft Defender for Office 365 attack organizational resiliency strategy.
experimentation with user engagement strategies. simulation training data simulation training data
32 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
attack activity
email compromise
through innovative breakthroughs, threat actors are
adapting their social engineering techniques and
use of technology to carry out more sophisticated
Financial fraud. Microsoft Defender Experts have and costly BEC attacks. The success of these attacks
observed attackers creating domain impersonations is largely due to the growing targeting of cloud-
to deceive users into thinking they are engaging based infrastructure, exploitation of trusted business
with legitimate third parties for financial transactions. relationships, and development of more specialized
In some cases, attackers compromise the third party skills by the threat actors. Microsoft’s Digital Crimes
Business email compromise (BEC) is The scam is frequently carried out when a threat
and respond on the same email thread to request Unit (DCU) believes that increased intelligence
actor compromises legitimate business email
a sophisticated scam which targets money transfers. These attacks are challenging sharing across the public and private sectors will
accounts through social engineering or computer
businesses and individuals performing intrusion techniques to conduct unauthorized
to detect as they originate from genuine third- enable a faster and more impactful response against
party emails. the threat actors behind these attacks.
transfers of funds. funds transfers to accounts under their own control.
The incidence of BEC attacks has skyrocketed, Lateral movement through internal phishing.
Expanded abuse of cloud-based infrastructure
reaching an astonishing count of over 156,000 daily After compromising identities with AiTM, many threat
attempts between April 2022 to April 2023.2 The agility and power of cloud services that
actors then launch internal phishing campaigns.
benefit customers have also been weaponized by
Microsoft Defender Experts have witnessed large-
In 2022, the Federal Bureau of Investigation (FBI) cybercriminals. For instance, the DCU has observed
scale internal phishing campaigns targeting over
Internet Crime Complaint Center recorded adjusted threat actors abuse the portability of domain
8,000 recipients. Since these emails are internal
losses of over USD 2.7 billion for 21,832 BEC names and power of Microsoft 365 services (such
and sent from legitimate senders, it increases the
complaints filed.3 as resiliency, orchestration, control, and scale) in
likelihood that users will be duped by the scam.
multiple stages of BEC attacks, from reconnaissance
Mass spam mailing activity. This attack aims to to phishing to payment fraud. The use of
disrupt users through a denial-of-service strategy. impersonation domains, known as homoglyph
Attackers subscribe the victim user’s email address domains, is also still prevalent. These allow BEC
156,000 daily
to multiple lists, forums, message boards, and attackers to tailor email communication for social
newsletters, resulting in the victim receiving an engineering. Homoglyph domains are often
overwhelming number of emails, sometimes ported from third-party registrars and configured
exceeding 1000 per minute. When this occurs, the with M365 mail services to create mailboxes that
BEC attempts observed April 2022-April 2023
victim is distracted and frustrated, often unable impersonate legitimate key accounting employees.
to notice legitimate warning or authentication
messages in their overwhelmed inbox.
33 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Exploitation of trusted business relationships: Intelligence sharing builds resilience Other types of BEC attacks BEC threat actor roles
Vendor email compromise Intelligence sharing improves our collective • Direct Email Compromise (DEC)—compromised • Coordinator—responsible for selecting
BEC attacks are evolving past simple email account ability to identify and respond to BEC attacks, email accounts are used to socially engineer victims such as companies, suppliers and
compromise rooted in social engineering tactics helping to increase resilience in the face of these in-house or third-party accounting roles to wire employees. The role includes building or
that circumvent payment controls by exploiting threats. Mapping out malicious infrastructure funds to the attacker’s bank account or change procuring phishing capabilities to gain email
supplier business relationships. A more successful and developing threat actor intelligence gives payment information for an existing account. access to understand payment procedures,
type of attack is called Vendor Email Compromise stakeholders a better understanding of the tools, copy invoices and hijack email threads.
• Vendor Email Compromise (VEC)—social
(VEC). VEC occurs when a company’s suppliers are techniques and procedures used by cybercriminals.
engineering of an existing supplier relationship • Email broker—responsible for carrying out
targeted and exploited by threat actors who hijack This enables more holistic disruption of their
by hijacking a payment-related email and phishing attacks to gain access to mailboxes
email threads from the company’s compromised supply chain and coordinated role structure.
impersonating company employees to for email collection and email forwarding
email accounts and use them to change payment Threat intelligence also improves investigation
convince a supplier to redirect outstanding rules and for covering the tracks of
information for an upcoming transaction. prioritization and informs the targeting and
payment to an illicit bank account. compromised activity.
The hijacked email threads are often copied to disruption of the more advanced and prolific
criminal networks. • False Invoice Scam—a mass social engineering • Infrastructure admin—responsible for
attacker-managed mailboxes created with homoglyph
scam that exploits well-known business brands procuring and configuring cloud services,
domains and used in illicit communication. We are supporting the Cybercrime Atlas
to convince companies to pay fake invoices. managing domain names, creating mailboxes
Initiative that brings together global leaders
Threat actors are up-skilling and managing licenses.
to fight cybercrime. For more about this • Attorney Impersonation—the exploitation of
The structure of organized criminal networks initiative, please see page 111. trusted relationships with large, well-known • Email operator—responsible for social
perpetrating BEC attacks is also evolving, along with law firms to increase credibility with executives engineering via email communication with
the skills of the threat actors who make up these of small companies and start-ups to complete the invoice fraud target, making language
organizations. BEC criminal networks predominantly payment of outstanding invoices, particularly skills highly valued.
originate from Africa and range from a hierarchical prior to significant events like initial public
• Money launderer—individual or network of
organization with top-down command, such as the offerings. Payment redirection to an illicit
individuals with specialized skills or expertise
Black Axe group,⁴ to loosely organized networks bank account occurs once an agreement on
in placing, moving and laundering funds.
managed regionally, commonly known as “zones.” payments terms is reached.
This role can include managing networks
Many zone actors move to industrialized countries for
of money mules who establish fraudulent
technical education and work experience, then use
banking accounts that BEC actors use for
their new knowledge to carry out more sophisticated
payment fraud.
attacks, such as VEC. DCU has observed some zones
are organized by roles and use specialized skills to
Additional information
improve the efficacy of their attacks. In these instances,
Stop BEC attacks with XDR
threat actors may be involved in one or more roles.
34 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
The first quarter of 2023 saw a dramatic According to Microsoft Entra data, the number of
attempted attacks increased more than tenfold
surge in password-based attacks
compared to the same period in 2022, from around
against cloud identities, especially in the 3 billion per month to over 30 billion. This translates
education sector. to an average of 4,000 password attacks per second
50
targeting Microsoft cloud identities this year.
One of the main reasons password attacks are
40
so prevalent is the low security posture of many
organizations, especially in the education sector.
Many of these organizations have not enabled MFA 30
for their users, leaving them vulnerable to phishing,
Billions
credential stuffing, and brute force attacks. 20
10
May 23
Nov 22
May 22
Apr 23
Nov 20
Apr 22
Dec 22
Sep 22
Dec 20
Aug 22
Oct 22
Jun 23
Sep 20
Jun 22
Mar 23
Aug 20
Oct 20
Mar 22
Feb 23
Jun 20
We blocked an average
Feb 22
Jan 23
Jan 22
Jul 22
Jul 20
Nov 21
May 21
Apr 21
Dec 21
Sep 21
Aug 21
Oct 21
Jun 21
Mar 21
Feb 21
Jan 21
Jul 21
of 4,000 password
attacks per second over
the past year.
Source: Microsoft Entra data
35 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
is a threat
account and asks them to enter the OTP for “security Approximately 6,000 MFA fatigue attempts about common social engineering
verification.” The entered password is then sent back were observed per day by the end of June 2023. tactics to recognize and avoid
to the cybercriminal, granting them access to the In response, we have developed and implemented interactions with OTP bots.
victim’s account. protections against anomalous passwordless sign-in
While robocalls are a common method used by OTP As MFA has gained increased importance, for all customers. We strongly advise customers to
bots, email phishing for authentication codes is also particularly in passwordless sign-in, attackers have thoroughly review and validate MFA/passwordless
employed. The cybercriminal must act quickly once adapted–trying to circumvent security protections sign-in prompts before approving them.
the victim enters their login credentials and OTP on by sending MFA or passwordless sign-in prompts
the phishing web page due to the short lifespan of
one-time authentication passwords.
to potential victims. The aim is to trick them into
accidentally approving requests through what’s
Approximately 6,000 MFA
called MFA fatigue, or MFA bombing. Once the fatigue attempts were
victim does so, the attacker gains full access to
customer’s account and may modify the MFA observed per day.
settings, allowing them to sign in at any time.
36 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Token replay
Token replay attacks consistently growing since early 2022
Developing
immunity with
90,000
remains a 80,000
May 23
Jun 23
Mar 23
Jan 23
Feb 23
May 22
Dec 22
Apr 23
Jul 21
Aug 21
Apr 22
Jun 21
Sep 21
Oct 21
Nov 21
Sep 22
Oct 22
Nov 22
Jun 22
Jul 22
Aug 22
Dec 21
Jan 22
Feb 22
Mar 22
phishing, or MFA fatigue to launch additional transitioning to use exclusively phishing-resistant
attacks. The number of token replay attacks has credentials that are immune to various attacks.
doubled since last year, with an average of 11 While technologies like Hello for Business and FIDO2
Source: Azure Active Directory Identity Protection data
detections per 100,000 active users in Azure Active hardware security keys offer phishing resistance,
Directory Identity Protection. Although token replay their widespread deployment across complex
constitutes less than three percent of all identity Actionable insights Additional information environments presents challenges. Microsoft Entra
compromises, the consistent year-on-year increase What are risk detections in Azure Active ID’s Conditional Access policies enforce the use of
Relying on MFA alone does not effectively
in detections indicates that cybercriminals continue Directory Identity Protection | Microsoft phishing-resistant credentials, including Hello for
mitigate against this type of attack.
to view it as an effective attack method. Business, FIDO2 hardware security keys, certificates,
We recommend the following:
and Passkey. This is crucial for users in high-risk roles
1 Consider implementing risk-based or with access to sensitive resources. This is
and token protection policies in a practical step that can increase defense against
Conditional Access. even “successful” phishing attacks.
2 Monitor systems for signs of
token replay. Additional information
3 Use non-phishable credentials which Phishing-resistant authentication methods
| Microsoft
bind the token to the legitimate user’s
device, such as Windows Hello for Conditional Access authentication strength
Business and FIDO⁵ keys. | Microsoft
37 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
For many years, VPNs have been used to enable Source: Enhanced Phishing Protection
secure remote access to company resources through with Microsoft Defender SmartScreen
encrypted tunnels. However, like any technology,
ensuring compliance with an organization’s Actionable insights
security strategy requires proper configuration
1 Use a unique password for each site.
and alignment with a modern secure architecture,
such as Zero Trust. Due to VPNs’ widespread use 2 Secure your devices and accounts with
in corporate networks and their accessibility from multifactor authentication.
the internet, they have become common targets
Through our compromise recovery engagements,
for attacks, often due to misconfigurations, such as
insufficient monitoring of user accounts and devices. we found that almost half of VPN accounts lacked
Almost half of VPN
In a typical corporate setup, users are assigned adequate MFA. Enabling MFA for these individual accounts lacked
separate VPN accounts with restricted access to the accounts is a crucial part of any VPN risk mitigation
internal network. strategy. Other essential steps to secure these adequate MFA.
accounts include implementing conditional access,
monitoring, and integrating security automation, if
abuse of these accounts is detected.
Additional information
Create and use strong passwords | Microsoft
38 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
attacks per day in the past year. attacks to exploit vulnerabilities in internet resources.
2,000
1,500 These services pose a significant risk to The number of DDoS-for-
In the previous year, we amplified our globally cybersecurity, serving as a powerful tool for
distributed mitigation capacity to handle and
1,000
cybercriminals. In today’s world, where we rely hire platforms continues
500
neutralize DDoS attacks at rates of up to 90
Terabits of data per second (Tbps). To put this into 0
heavily on online services, DDoS attacks can render
platforms such as business productivity and gaming
to rise, with 20 percent
Jul
Aug
Jan
Jun
having emerged in the
Sep
Feb
Dec
Nov
Apr
May
Oct
Mar
perspective, some of the largest attacks covered inaccessible. Additionally, these attacks can be used
by the press in last years were in the range of — FY22 (July 2021-June 2022) in triple-extortion human operated ransomware
several Tbps. — FY23 (July 2022-June 2023) attacks to force victims to make payments, past year alone.
Source: Microsoft Global DDoS Mitigation Operations
39 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
cyberattacks: the the leading wave of the attack until patterns can be
identified, spurious traffic diverted, and legitimate sector as a target The US Cybersecurity and Infrastructure Security
Agency has collaborated with the FBI to develop
global distribution of the cloud, closer proximity is not very high, at around 100,000 packets per
second 99 percent of the time, there Additional information
helps to block attacks closest to the sources.
was a significant spike of 14 million packets per KillNet and affiliate hacktivist groups targeting
Last year marked a significant shift in healthcare with DDoS attacks | Microsoft
second at its peak, with the attack intensity reaching
cybercriminal tactics, with threat actors a peak of almost 100 attacks per day in June. KillNet, Understanding and responding to distributed
exploiting cloud computing resources a group that the US Department of Health and denial of service attacks | CISA
such as virtual machines to launch Human Services has assessed to be pro-Russia HC3 provides tips for maintaining IoT security in
hacktivists, has been launching waves of DDoS healthcare | Health IT Security
DDoS attacks.
Jul 22
Aug 22
Sep 22
Oct 22
Nov 22
Feb 23
Mar 23
Dec 22
Jan 23
Apr 23
May 23
Jun 23
0
followed at 15 percent.
Microsoft Digital Crimes Unit Source: Microsoft Global DDoS Mitigation Operations tracking healthcare applications in Azure
40 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
TCP attacks as the Attacks increase in Two-year comparison of top 10 most attacked regions
East Asia
Korea
Australia
India
United States
Japan
Germany
Europe
United Kingdom
Others
occupied most of the attack spectrum, comprising 51 attacked country last year, is now fifth.
percent of attacks while TCP was only 45 percent.
The predominance of UDP-led attacks in previous Additional information
years, particularly targeting gaming applications, What is a DDoS attack? | Microsoft Security
can be linked to the ripple effects of the COVID-19 FY22 FY23
pandemic. The enforced quarantines and lockdowns
led to a surge in gaming’s popularity, rendering
these services a lucrative target for attackers.
Targeting investment
of implementation
Return on Mitigation score Type Percentage of users potentially impacted Score
2–5
Medium
Lower
Medium impact (Up to 50% users impacted)
Engagement distribution (%) by major tactic Score Potential ease of implementation Score
During Microsoft Incident Response While the goal of all mitigations is to make
environments more resilient to cyberattacks, 50 – 100 3 Easy to implement (20 hours or less) 1
engagements, customer environments
customers may not always have the resources
have been found to lack mitigations to implement all of them, and a return on 25 – 49 2 Medium (20 – 40 hours) 2
that range from the simple to the mitigation framework is helpful for prioritization. 0 – 24 1 Harder (40+ hours) 3
Generally speaking, the lower the resources
more complex. We have calculated ROM values using a formula multiplying the weighted impact of the solution or
and effort involved, the higher the return on
mitigation (ROM). As an example of a high return, mitigation by a weighted value of the solution in terms of effectiveness (security value), and factored in the
consider a simple solution to implement context- effort involved in implementing the solution. The higher the ROM score, the lower the resources and effort
based MFA protection. This solution is highly involved in implementing the solution for the impact and value provided.
effective in preventing initial access (high security The percentage of environments missing each of the mitigations across all the environments reviewed
value) but very simple to implement (low effort). during incident response engagements is also included.
When implemented, this solution effectively prevents
initial access by providing more context around the
authentication attempt, such as geographic location
and the application used. The additional context
can be combined with requiring the user to enter
a number (number matching) to complete MFA to
further improve sign-in security.
42 Microsoft Digital Defense Report 2023 Chapter 2 The State of Cybercrime
Return on mitigation: Targeting investment to increase resilience continued Higher ROM H Medium ROM M Lower ROM L
Additional information
Windows LAPS overview | Microsoft Learn
45 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Chapter 3
Nation State Threats
How has the threat
landscape changed?
Key developments 46
Introduction 47
Russia 54
China 60
Iran 65
North Korea 70
Palestinian threat actors 73
The emerging threat posed 74
by cyber mercenaries
46 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
cyber espionage.
50%
activities in the past year pivoted away from high-
volume destructive attacks in favor of espionage
campaigns. While the impact of destructive attacks
is felt more immediately, persistent and stealthy
of destructive Russian attacks we
espionage operations pose a long-term threat to the observed against Ukrainian networks occurred
integrity of government, private industry, and critical in the first six weeks of the war.
sector networks.
Russian and Iranian state-sponsored actors that Later, in October and November 2022, Russian
employed destructive attacks most frequently, state actor Seashell Blizzard added destructive
changed the frequency of their destructive ransomware to its toolkit, deploying Prestige
operations over the past year. At the same time, ransomware against a Polish entity, and Prestige
threat actors globally acted to increase their and Sullivan ransomware against Ukrainian
organizations.1 The actor demonstrated consistent Israel
collection capacity against foreign and defense
policy organizations, technology firms, and critical testing and development of the Sullivan payload,
infrastructure organizations. but Microsoft has not observed subsequent
ransomware-style attacks from this threat actor.2
The high-volume of destructive attacks that
dominated the early stages of Russia’s invasion of What Microsoft observed most often from Seashell
Ukraine tapered off. Nearly 50 percent of destructive Blizzard and other Russia-affiliate threat actors
Russian attacks we observed against Ukrainian were phishing and password spray campaigns,
networks occurred in the first six weeks of the war. credential theft, lateral movement through networks,
data exfiltration, and other actions associated
with gaining and retaining access to targets for Microsoft Threat Intelligence observed state-sponsored cyber threat activity against organizations in
intelligence collection. more than 120 countries and territories this year. Data destruction represented a small fraction of the
Please see ‘About this Report’ on page 9 observed activity, which was predominantly reconnaissance, initial access and various other actions on
for relevant definitions used in this chapter. For more about Russian state actors’ activity, network, and data exfiltration.
see page 54.5
49 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Actors associated with the Iranian government have organizations including in the communications, Diamond Sleet, a North Korean threat actor known
also conducted fewer destructive cyberattacks. Most targeted sectors globally utility, transportation, government, and information for its destructive attack targeting Sony Pictures in
Groups like Cotton Sandstorm adopted a new tactic State-sponsored threat groups target broadly technology sectors.4 To evade detection, it used 2014, was observed targeting and compromising
of cyber-enabled influence operations (see page 68), as part of their intelligence collection. legitimate accounts, living-off-the-land binaries, nuclear energy organizations globally in the spring
often using less time- and resource-intensive Critical infrastructure sectors (highlighted) and SOHO routers for network communications. of 2023. In the fall of 2022, Diamond Sleet was also
disruptive defacements and DDoS attacks. Since June comprised 41% of the NSNs sent in FY2023. Meanwhile, Russian state actor Forest Blizzard observed compromising maritime entities, with a
2022, we have observed an increased pace in Iran’s exploited a zero-day vulnerability in Outlook to steal focus on submarine technologies. Diamond Sleet is
use of these types of influence operations, focused A data from defense industrial base and transportation known to conduct persistent and stealthy espionage
on manipulative messaging and amplification with L sector organizations within NATO member states.5 operations likely to collect information of high
an underlying influence narrative.3 The rise of these importance to the North Korean regime.
operations corresponded with a decline in what was
previously a spike in Iranian destructive cyberattacks
Actionable insights
using ransomware as a guise from 2020 to mid-2022. K B
Critical infrastructure targeting remains robust 1 Organizations should look at their attack 4 Review and audit upstream and downstream
J surface through the lens of the attacker, service provider relationships and delegated
across the board, increasing again in the last year,
I prioritizing their security response based privilege accesses to minimize unnecessary
with threat actors employing stealthier techniques
to establish persistence and evade detection in H on the organization’s external attack permissions. Remove access for any partner
C
these sensitive networks. surface. Identify and protect high-value relationships that look unfamiliar or have not
G
data targets and at-risk technologies, yet been audited.
Volt Typhoon, a Chinese state-affiliated actor, has F information, and business operations
targeted critical infrastructure organizations in Guam D 5 Enable logging and review all
E which might align with the strategic
and elsewhere in the United States. Active since authentication activity for remote
priorities of nation-state groups.
mid-2021, the group conducted a campaign to access infrastructure and virtual private
A 16% Education G 5% Transportation 2 Enable cloud protections to provide networks (VPNs), with a focus on
infiltrate networks within US critical infrastructure
identification and mitigation of known and accounts configured with single factor
B 12% Government H 4% Defense Industry
novel threats to your network at scale. authentication, to confirm authenticity
41%
C 11% Think tanks I 3% Energy and investigate anomalous activity.
and NGOs 3 Use the strongest form of FIDO compliant
D 11% IT J
2% Manufacturing multifactor authentication (MFA) combined 6 Enable MFA for all accounts (including
Infrastructure with hardening the attack surface service accounts) and ensure MFA is
5% Other Critical
of the threat notifications Microsoft sent to E 6% Communications K
Infrastructure
around tokens. enforced for all remote connectivity.
online services customers between July 2022
and June 2023 went to critical infrastructure F 5% Finance L 20% Other 7 Use passwordless solutions to
organizations. secure accounts.
Source: Microsoft Threat Intelligence NSN data.
50 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Increased • Iran: Iranian state actors have increasingly • North Korea: In early 2023, Ruby Sleet • Other adversarial cyber advancements:
sophistication
migrated their cyber targeting and showed increasing sophistication by Iranian partners and proxies also
operations to focus on attacks that utilizing a stolen legitimate certificate of demonstrated consistent improvements in
enhances threat
allow them to move from on-premises an IT security solutions provider to sign cyber operations since 2022, as highlighted
into cloud environments, representing malicious files used to target organizations. in our 2022 report’s disclosure of Plaid
a tangible increase in the maturity of In March, Citrine Sleet conducted a supply Rain’s (POLONIUM) abuse of cloud services
Additional information
Please see our mitigation and protection guidance
in this article published in May 2023:
Volt Typhoon targets US critical infrastructure
with living-off-the-land techniques | Microsoft
Security Blog
CSA Living off the Land.PDF | defense.gov
51 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
expanding their
A breakdown of operations by region reflects the priority targets of the threat actors. Ukraine is the top European target per volume of observed activity, driven by Russian state
actors’ invasion-related operations. Israel remains by far the most-targeted country in the Middle East and North Africa region as a result of Iran’s extensive focus there. North Korean
and Chinese state actors drove South Korea and Taiwan to the first and second most targeted geographies in the Asia-Pacific.
global target set Europe Middle East and North Africa Asia-Pacific
J A
Nation-state actors’ cyber operations grew K
increasingly global in scope this past year, K
I
particularly expanding in the Global South to A A
more parts of Latin America and sub-Saharan H
Africa. While cyber operations remained most J
pronounced against the US, Ukraine, and Israel, G B
and pervasive throughout Europe, operations I
F
increased in the Middle East owing to Iranian J
actors. Organizations involved in the policymaking I H
E
and implementation ecosystem were among H
G G
the most targeted, in line with many groups’ B D C
F F
espionage-focused remits. E C B
D C E D
B 11% United Kingdom H 3% Netherlands B 12% United Arab Emirates H 4% Egypt B 15% Taiwan H 5% Indonesia
A I A
A
K I
B
B
J G
I H B
F
H
G
C
G C
F E
F
D E D C
E D
A 17% Think tanks/NGOs G 4% Transportation A 19% Education G 4% Energy A 22% Education G 6% Think tanks/NGOs
Russia
Given the body of Ukraine-focused reporting
we have released since July 2022, this section
provides an opportunity to dive deeper into
Russian state cyber operations outside of the active
Threat actor naming
military conflict zone.
taxonomy: Blizzard
Russian state-sponsored threat actors used diverse
means—from phishing campaigns to zero-days—
Russian state actors expanded the to gain initial access to devices and networks in
industries across NATO member states, while malign
scope of their Ukraine war-related
influence actors sought to intimidate the Ukrainian
cyber and influence operations to diaspora and encourage protest movements across
target Kyiv’s allies. This was in addition Europe. The expansion of Russia’s war-related
to the numerous destructive wiper and targeting suggests that any government, policy, or
critical infrastructure organization located within a
cyberespionage operations targeting country that provides Ukraine with political, military,
Ukrainian government and critical civilian or humanitarian support is at risk of compromise.
infrastructure that we have publicly
reported over the last year.8 Actionable insights
For more information on threat actor 1 Protect user identities with MFA
naming taxonomy, see pages 10-11. protection tools and reinforcing least
privilege access.
2 Keep systems up to date; patch early
and often.
3 Deploy antimalware, endpoint
Ukraine-focused reporting released detection and response, and identity
since July 2022 protection solutions.
Is Russia regrouping for renewed cyberwar? |
Mar 15, 2023 4 Enable investigations and recovery
Preparing for a Russian cyber offensive against with backups, logging, and an incident
Ukraine this winter | Dec 3, 2022 response plan.
55 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Russia continued
36%
at which time roughly 46 percent of observed E 9% Intergovernmental J 10% Other
external communication attempts, be organizations
network intrusions were directed against
cautious about what they share, and
organizations within NATO member states,
never share their account information or of observed network intrusions were directed
particularly the United States, United Kingdom,
authorize sign-in requests over chat. against organizations within NATO member
and Poland. states, particularly the United States,
5 Allow only known devices that United Kingdom, and Poland.
adhere to Microsoft’s recommended
security baselines. Source: Microsoft Threat Intelligence Source: Microsoft Threat Intelligence nation
state notifications
56 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Russia continued
Threat actors are phishing for insights Star Blizzard impersonated a high-level former Separately, Forest Blizzard exploited Exchange Web
US official to send mails to US diplomatic personnel Actionable insights
Russian state actors including Midnight Blizzard, Services in cloud and hybrid environments to steal
that formerly served in Ukraine. In May, Midnight data from email accounts at energy, defense, and 1 Track changes made to a mailbox by
Star Blizzard, and Aqua Blizzard launched
Blizzard sent emails from Poland-themed email air transportation organizations based in countries a user.
phishing campaigns posing as Western diplomats
addresses to dozens of accounts at 12 international that provide logistics or tactical support to Ukraine.
and Ukrainian officials to gain access to accounts 2 Monitor and alert on suspicious
organizations including NATO, as well as diplomatic Employing advanced post-compromise techniques,
that might contain insights into Western foreign permissions changes made by users
representatives of several NATO member states. the actors positioned themselves to access any
policy on Ukraine, defense plans and intentions, and administrators.
This campaign was one of many that the threat account of interest in a targeted environment.
or war crimes investigations. Aqua Blizzard actors
actor conducted this year targeting diplomatic They used Exchange PowerShell to obtain 3 Apply patches when they become
also masqueraded as Ukrainian defense and
entities involved in Ukraine policy. persistent access to targeted mail items of interest available to protect devices
legal officials to target Western and Ukrainian
humanitarian and judicial organizations, then used by modifying folder permissions for a mailbox. from targeting.
Forest Blizzard using zero-day vulnerabilities
the html smuggling technique to bypass email to target sensitive sectors The operators also configured users’ application
4 Add users to the Protected Users group,
detections and evade automated defenses. impersonation roles to gain access to any item
Main Intelligence Directorate (GRU)-affiliated actor, which provides additional credential
in a folder or to perform additional actions while
Forest Blizzard’s compromise of operational and protections beyond disabling NTLM and
authenticating as a different user.
strategic level targets likely represents a means should be used for high-value accounts,
by which Russian leadership can gain situational such as domain administrators,
awareness supporting a range of military and when possible.
foreign policy objectives. Aqua Blizzard actors
In addition to conducting phishing campaigns,
Forest Blizzard has used an Outlook zero-day
masqueraded as Additional information
vulnerability, CVE-2023-23397, throughout 2022 Ukrainian defense and Mailbox auditing | Microsoft
and into 2023 to access government organizations Administrator audit logging | Microsoft
in Ukraine, as well as NATO member-states’ defense legal officials to target Protected users group | Microsoft
Russia continued
Cyber and influence Russian advanced persistent threat (APT) activities overlap with influence
operations campaigns
Hacktivist personas: State actors:
operations continue
IC Info Center SB Seashell Blizzard
Many of the overlapping data theft, deletion, and leak operations detailed SP Solntsepek CB Cadet Blizzard
in the timeline were focused on Ukrainian media, transportation, and R Readovka
to converge civilian services organizations. The messaging from the malign influence
campaigns often highlighted the alleged involvement of the targeted civilian
FCA
CAR
Free Civilian Army
Cyber Army of Russia
organizations in supporting Ukrainian military operations.
Russia continued
targets Ukraine, Poland, and Real world and digital campaigns converged on Poland, where fliers with a QR code
posted throughout Polish cities and attachments in mass email campaigns led to the
Baltic states
same document demanding the PII of Ukrainian refugees. Polish civilians received the
same message from multiple angles, which likely reinforced its perception as legitimate.
Russia-affiliated threat groups engaging in influence The campaign, which was first observed around mid-
campaigns continue to try to sow distrust between January 2023, leveraged email dissemination and
Ukrainian populations and European partners who inauthentic documents to spread a narrative that
support Kyiv—both governmental and civilian. government officials may seek forced repatriation
of Ukrainians or conscript European citizens for
One of the more prominent cyber-enabled influence
the war in Ukraine. Populations in NATO member
campaigns targeting populations outside of Ukraine
states Poland, Latvia, and Lithuania were the
involved a series of operations showing similar
primary targets.
TTPs as those used by Storm-0257 (a threat group
Real world convergence
Microsoft assesses as most similar to Ghostwriter Microsoft’s investigation uncovered that one of the
and UNC1151). The campaign appeared aimed at documents distributed via email was also tied to
diminishing trust between the Ukrainian diaspora a physical flyer posted in Poland, demonstrating
and refugees, Polish, Lithuanian, and Latvian that the campaign bridged the digital and physical
populations, and their governments. worlds. The Polish-language, pro-Russia website Real world messaging
Dziennik Polityczny, Belarusian state television,
and a network of sockpuppet accounts posing as
Lithuanian citizens on social media served to further Digital world messaging
amplify the messages.
Russia continued
Influence operations aim to stoke As Russia seeks to turn support for Ukraine into
a point of conflict between Western populations
Russian state-sponsored
influence actors
antiwar sentiment in Europe
and their governments, protests are a useful
instrument by virtue of their dual role as a
tactic to exert influence and a desired result of helped organize
influence operations.
pro-Russian, antiwar
Russian state-sponsored influence actors,
organizations, and outlets have helped amplify, protests across Europe.
support, and even organize pro-Russian, antiwar
Stop Killing Donbass Map of Truth protests across Europe. For example, Russia’s ruling
party, United Russia, has nurtured ties with figures “Map of Truth” was an on-the-ground operation
Protest movement targeting Western Summer 2022 campaign targeting connected to Storm-1099, a large-scale and ongoing
and groups within Italy’s pro-Russia, anti-Ukraine
European military aid to Ukraine Western European military aid
since September 2022 to Ukraine war movement,11 while the Kremlin has tried to network of inauthentic digital activity that was
influence and steer protests in Germany and forge first disrupted by a US social media company in
Audience France, Germany, Italy, Spain, Belgium France, Germany, Italy, Spain, an antiwar political coalition.12 September 2022.13
United Kingdom
Pro-Russian influence operators have specifically The transition from Map of Truth to Stop Killing
Imagery Donbass underscores the persistence and flexibility
aimed to disrupt Western military support to Ukraine
by encouraging European citizens to demonstrate of these influence campaigns, despite repeated
against military assistance. Western attempts to obstruct and dismantle such
activities and their online assets.
Targeted We assess with moderate confidence that a protest
protests initiative out of Western Europe called “Stop
Additional information
Killing Donbass” is a continuation of an earlier
Russia’s African coup strategy | Microsoft On the Issues
Western protest initiative known as the “Map of Truth.” Both
Extending our vital technology support for Ukraine |
influencers in initiatives tried to convince Europeans that Western
Microsoft On the Issues
Occupied military aid to Ukraine helps Kyiv kill innocent
Ukraine noncombatants, particularly children, and the two
Preparing for a Russian cyber offensive against
Ukraine this winter | Microsoft On the IssuesOn
Obscure share striking similarities in TTPs, intended audience, the Issues
amplification involved individuals, and connections to a cluster of Cadet Blizzard emerges as a novel and distinct
obscure websites. Russian threat actor | Microsoft Security Blog
Microsoft threat intelligence Microsoft confidential
Ongoing Russian cyberattacks targeting Ukraine |
Source: Microsoft Threat Intelligence Center investigations Microsoft On the Issues
60 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
China Sea
taxonomy: Typhoon sea attributed to Chinese state-
sponsored hacking groups, July
2022 - June 2023. While China
Chinese state-sponsored cyber activity around the continues to be most focused on Philippines
Chinese state-sponsored campaigns
South China Sea reflects Beijing’s strategic goals in Taiwan, it is also interested in the
reflect the Chinese Communist Party’s the region and heightened tensions around Taiwan. plans, intentions, and capabilities Vietnam
(CCP) dual pursuit of global influence Much of the targeting appears to be for intelligence of its neighbors.
and intelligence collection. collection purposes. The primary Chinese threat
groups in the region are Raspberry Typhoon South
Cyber threat groups continue to carry out and Flax Typhoon. Raspberry Typhoon targets China Sea
sophisticated worldwide campaigns targeting Association of Southeast Asian Nations government 70+ Malaysia
US defense and critical infrastructure, nations ministries, military entities, and corporate Brunei
30+
bordering the South China Sea, and even China’s entities associated with critical infrastructure,
particularly telecommunications. 20+
strategic partners. Some Chinese cyber activity may Singapore Indonesia
also indicate possible avenues of response in the Raspberry Typhoon conducts intelligence collection <20
event of a future geopolitical crisis. CCP influence using sophisticated spear-phishing campaigns
operations targeted global Chinese-speaking to land its malware. Since January, the group has Source: Microsoft Threat Analysis Center investigations
diaspora populations, leveraged coordinated persistently targeted ministry-level entities relating
inauthentic behavior on social media to denigrate to trade, intelligence, and finance.
US institutions, and promoted a positive image Actionable insights
of China through multilingual lifestyle influencers. Flax Typhoon targets Taiwanese critical infrastructure
including IT and medical related entities, its 1 Harden credential storage and processes on devices.
For more information on threat actor defense sector, including contractors that work 2 Restrict admin mode for remote desktop protocol.
naming, see pages 10-11. with the US government, and media entities.
3 Remove PowerShell from systems when not needed. If needed, consider restricting PowerShell
Flax Typhoon frequently gathers information about
execution policy to administrators only.
its targets, finds vulnerabilities, and then leverages
a custom VPN solution to gain access and maintain 4 To protect systems against certain malware infections that use scheduled tasks, mark scheduled
persistence in victim networks. These attacks are tasks that start programs in the system’s temporary folder %TEMP% as unsafe.
likely for intelligence collection.
61 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
China continued
US defense industrial
US critical infrastructure saw substantial targeting by
Chinese targeting of US sectors
Chinese threat actors. The most active of these, Volt Actionable insights
Chinese state-sponsored threat actors were Typhoon, targeted communications infrastructure
base and critical broadly interested in US military capabilities and
its policymaking during this reporting period.
on Guam, likely because it is a key strategic and
logistical hub for US military operations in the Pacific
1 Detecting activity that uses normal sign-
in channels and system binaries requires
infrastructure targeted K
and houses a US Navy and Air Force base.15
Microsoft has tracked Volt Typhoon conducting 2
behavioral monitoring.
Enforce strong multifactor
J
critical infrastructure targeting since 2021, authentication (MFA) policies
I A
including against transportation, utilities, using hardware security keys or
Multiple Chinese threat groups including Circle H Microsoft Authenticator.
medical infrastructure, and telecommunications
Typhoon, Volt Typhoon, and Mulberry Typhoon G infrastructure. These attacks, which often use 3 To prevent unauthorized access, use
targeted the US defense industrial base with different
unobtrusive techniques and originate from passwordless sign-in, set expiration
infrastructure and capabilities. Communications
F compromised Fortinet devices, include many critical dates for passwords, and deactivate
infrastructure and defense contractors were among
infrastructure targets that do not have obvious unused accounts.
the most frequent targets. These threat groups
B intelligence collection benefits, such as utilities and
demonstrated capabilities in resource development, 4 Learn more about securing operational
E transportation entities. These campaigns may be
data collection, initial access, and credential access. technology and industrial control
intended to provide China with the capability to
Circle Typhoon primarily targeted IT entities and systems beginning on page 103.
disrupt critical infrastructure and communication
US-based defense contractors with VPN appliances,
D between the United States and Asia during a
while Mulberry Typhoon targeted a zero-day exploit C
geopolitical crisis.
in US DIB devices for CVE-2022-27518.14
B 16% IT H 3% Manufacturing
China continued
China continued
global reach
preferred narratives. One such campaign targeted a
Spain-based NGO and deployed over 1,800 accounts
with messaging in new languages such as Dutch,
Greek, Indonesian, Swedish, and Turkish, and posting
on new platforms like Fandango, Rotten Tomatoes,
China continues to improve its influence Medium, and Chess.com. This campaign was first
campaigns, operating at a scale unmatched by observed in January 2022 and is still active.
other malign influence actors. Chinese-affiliated
covert propaganda campaigns deploy thousands In online news media, another digital media
of accounts across dozens of websites spreading campaign comprises over 50 Chinese-language
memes, videos, and articles in multiple languages. news websites that support the CCP’s stated goal
of being the authoritative voice of Chinese media
worldwide. Based on technical indicators, website
CCP-aligned influence operations have been detected on many platforms and many languages.
Content samples from a February 2023 campaign discussing the Nord Stream pipeline explosions Source: Microsoft Threat Analysis Center investigations
reposted identical articles in multiple languages across many websites.
Platforms Languages registration information, duplicate articles, and Purporting to be independent news providers,
promoted narratives, these websites bear the these websites frequently re-publish the same
Croatian Mandarin
hallmarks of a United Front Work Department (UFWD) Chinese state media articles, often claiming to be
Dutch Norwegian media strategy targeting the Chinese diaspora the original source of the content. While the sites
English Slovakian globally. More than 30 sites leverage the same broadly cover international news and publish generic
French Spanish
application programming interface (API) and content Chinese state media-sourced coverage, politically
management system, developed by a “wholly-owned sensitive subjects—such as COVID-19 and Chinese
German Swedish
subsidiary” of China News Service, the UFWD’s media dissidents—overwhelmingly align with the CCP’s
Greek Thai agency.16 Records from China’s Ministry of Industry preferred narratives.
Indonesian Turkish and Information Technology reveal that this UFWD-
Italian Uyghur affiliated tech company and another have registered
at least 14 news sites in this network.17
64 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
China continued
New techniques are being Chinese state media influencers breakdown by language grouping
Israel
=most
targeted
country
66 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Iran continued
cyber capabilities
Arc—a platform that allows users to manage stay a step ahead of defenders, requiring defenders and government organizations in, or with ties
resources deployed both within and outside of to identify new tools, develop and deploy to, countries in the Middle East. The group
Azure through the same control plane. corresponding signatures or detections, and keep used remote monitoring and management
pace with actors’ evolving arsenal of options. tools to retain access to compromised
• The TTPs observed in Peach Sandstorm’s
Iranian state actors used increasingly sophisticated intrusions represent a significant increase in • Between late 2022 and June 2023, we observed environments. In at least one case, they used
tradecraft, enhancing operations in cloud the maturity of its capabilities, growth that is Mint Sandstorm using MischiefTut, a custom a custom credential stealer to siphon users’
environments, rolling out an increasing number of especially notable following a two-year period backdoor implemented in PowerShell with a credentials.
custom implants, and becoming faster at exploiting during which we observed very little activity set of basic capabilities.23 MischiefTut can run • In June, Pumpkin Sandstorm used the
newly released vulnerabilities. linked to these operators. reconnaissance commands, write outputs to custom dropper BellaCiao to deliver tools to
Regular use of custom tooling a text file, and download additional tools on a organizations. Because BellaCiao can be used
Migrating components of targeting and
compromised system. to deliver various tools, post-compromise
operations to the cloud We observed Iranian state actors regularly using
activity varies based on the operators’
We have observed multiple Iranian state actors custom tools in their operations. These tools
decisions. In at least one intrusion, we observed
migrating components of their targeting and provided capabilities in establishing persistence,
operators stealing credentials from an infected
operations to the cloud. system. We assess that known BellaCiao
GoldenSAML attack chain
• In February, destructive operations enabled samples have been specifically configured
In a golden SAML attack, an adversary will steal private keys from a target’s on-premises Active Directory to target specific organizations located in
by Mango Sandstorm, a group linked to Iran’s
Federated Services (ADFS) server to mint a Security Assertion Markup Language (SAML) token trusted by Afghanistan, Austria, Azerbaijan, Canada,
Ministry of Intelligence and Security, impacted
a target’s Office 365 environment.22 Egypt, France, Greece, India, Italy, Lebanon,
both on-premises and cloud environments.
Prior to the attack, Iranian state actors moved the Philippines, and the United Kingdom.
laterally from an on-premises to a cloud On-Prem AD Peach Sandstorm Company Cloud
environment by manipulating the Azure FS server is presents Environment
compromised SAML token
Active Directory Connect agent using stolen
credentials of highly privileged accounts.21
• In March, Islamic Revolutionary Guard Corps
(IRGC)-linked Peach Sandstorm conducted a
GoldenSAML attack to leverage a compromise SAML signing key is stolen to mint
of an on-premises network to pivot to the a valid, signed SAML response
victim’s cloud environment to exfiltrate data.
Source: Microsoft Threat Analysis Center investigations
67 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Iran continued
cyber-enabled
Iranian state actor, Mint Sandstorm, rapidly 1 Harden internet-facing assets and other state-sponsored groups supplemented basic
weaponizing N-day vulnerabilities in common identify and secure perimeter systems cyberattacks with a new playbook: leveraging cyber-
enabled influence operations to fuel geopolitical
influence operations
enterprise applications.24 An N-day vulnerability that attackers might use to access
is a flaw in software for which an official patch or your network. change in alignment with Tehran’s objectives.
security update has been released. Until 2023, In the second half of 2022, Iranian groups increased
2 Secure internet-facing remote desktop
this subgroup—which we assess is linked to the the pace of operations in which they amplify
protocol services behind a multifactor
intelligence arm of the IRGC—was slow to adopt low sophistication cyberattacks with multi-pronged
authentication gateway. If you don’t
exploits for recently-disclosed vulnerabilities influence operations. Iranian groups’ use of a
have an MFA gateway, enable network-
with publicly reported proof of concept (POC) repeatable playbook and low-effort cyberattacks—
level authentication and ensure
code, often taking several weeks to successfully requiring little to no access to a victim network-
that server machines have strong,
weaponize exploits for vulnerabilities like Proxyshell enabled them to quickly replicate their operations,
randomized local admin passwords.
and Log4Shell. Beginning this year, we observed a shifting from one victim to the next.
notable decrease in the time it took to adopt and 3 Keep backups so you can recover data
affected by destructive attacks. Iran’s cyber-enabled influence operations have
incorporate public POCs. Mint Sandstorm operators
pushed narratives that seek to bolster Palestinian
exploited vulnerabilities in applications such as 4 Treat identity servers as critical resistance, sow panic among Israeli citizens, foment
Zoho ManageEngine, Aspera Faspex, and Adobe infrastructure, protecting them with Shi’ite unrest in Gulf Arab countries, and counter the
ColdFusion within days of their initial disclosure. the same protections you would apply normalization of Arab-Israeli ties.
to a domain controller or other critical
Additional information security infrastructure. While specific narratives varied, the underlying goal
Microsoft Defender External Attack Surface was often the same. Tehran likely sought to retaliate
Management | Microsoft against what it perceived were efforts by foreign
Move Active Directory Federation Services actors to foment unrest in Iran, including highly
apps to Azure AD | Microsoft sophisticated cyberattacks in 2021 and 2022 by a
group called Predatory Sparrow against Iran’s steel
factories, state broadcasts, gas stations, and trains.25
68 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Iran continued
Iran continued
Pivoting towards
These agreements enable the two countries
to support each other on controversial issues. Outsourcing influence operations
the East
For example, while Iran has declared its “neutrality”
regarding the conflict in Ukraine, Iranian state media to engage international audiences
has largely defended Russia’s position, including
the verbatim use of Russian disinformation such
as accusations of the United States establishing
Iranian and Russian state media outlets have a Iran has increasingly outsourced influence Sabereen News, which posts primarily on Telegram
offensive biolabs in Ukraine. Additionally, PressTV
history of cooperation, including multiple formal operations to proxy outlets and journalists who to an Iraqi audience, is another Iran-backed outlet
has embedded a reporter with Russian troops in
memorandums of understanding and media present themselves as independent. In addition to run from abroad. The outlet is run by Iraq’s Iran-
the Russian-occupied Donetsk region of Ukraine.
cooperation agreements. Coordination between operating numerous state-run outlets targeting backed PMUs and was reportedly created by
Multiple Iranian Islamic Republic of Iran Broadcasting
Iranian and Russian state media increased after foreign audiences in English, Arabic, and other Iran’s Islamic Radios and Televisions Union—the
media officials contribute to Russian state media,
the Russian invasion of Ukraine, leading to a languages, Tehran heavily supports pro-Iranian “propaganda arm” of Iran’s IRGC Quds Force.
including Sputnik’s Persian language website.
convergence of narratives relating to the invasion media outlets abroad that can more easily connect The outlet largely focuses on local Iraqi issues but
and Iranian protest movements in 2022. to international audiences. has also promoted Russian propaganda and has
claimed to conduct cyber operations against foreign
In October 2022, a leak of thousands of emails Iran also uses its militant proxy and partner
and domestic targets.
from Iran’s English-language news outlet, PressTV,28 Coordination between organizations like Hezbollah in Lebanon and
revealed Iranian state media executives’ travel to the Iraqi Popular Mobilization Units (PMUs) to
Moscow in 2019 to establish media cooperation Iranian and Russian disseminate Iran-aligned propaganda via their
agreements. It also revealed correspondence
between Russian and Iranian state media officials
state media increased affiliated outlets. For example, Al-Mayadeen, a
popular Lebanon-based multilingual news outlet,
to coordinate messaging in September 2020, and after the Russian claims to be funded by independent businessmen;
sharing of content and correspondents since at however, the outlet maintains close leadership and
least 2020. invasion of Ukraine. business ties to Iranian and Hezbollah figures.
70 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
North Korea Cyber actors help Countries most targeted by North Korean state-sponsored threat actors
Japan
United States
South Korea
United Kingdom
Australia
Switzerland
Denmark
Italy
Belgium
France
Germany
South Africa
Sweden
Türkiye
Other
capabilities to improve their own, and steal
cryptocurrency to fund the state.
North Korean actors continued to steal North Korean actors are employing new techniques Actionable insights
cryptocurrency with greater sophistication, and to exploit victims. Diamond Sleet weaponized
1 Educate end users about preventing
conducted the first supply chain attack Microsoft legitimate open-source software including PDF
malware infections, such as ignoring or
has observed among these groups. In January 2023, readers and Virtual Network Computing (VNC)
deleting unsolicited and unexpected
the Federal Bureau of Investigation (FBI) publicly clients to conduct attacks.33 After Microsoft Threat
emails or attachments sent through
attributed the June 2022 heist of $100 million in Intelligence published a blog revealing these TTPs in
instant messaging applications or
cryptocurrency from Harmony’s Horizon Bridge to September 2022, it shifted to develop new malware
social networks.
North Korean cyber actors. Microsoft attributed this approaches in its weaponized software malware.
activity to Jade Sleet, which we estimate has stolen 2 Review all authentication activity for
Emerald Sleet continues to send frequent spear-
approximately $1 billion in cryptocurrency so far.31 remote access infrastructure, with a
phishing emails to Korean Peninsula experts around
As mentioned earlier in the chapter (see page 47), particular focus on accounts configured
the world for intelligence collection. In many
Microsoft attributed the March 2023 3CX supply with single factor authentication, to
Actionable insights instances, we found that Emerald Sleet impersonates
chain attack—which leveraged a prior supply chain confirm authenticity and investigate any
reputable academic institutions and NGOs to lure
compromise of a US-based financial technology 1 Patch vulnerabilities as early as possible. anomalous activity.
victims into replying with insights and commentary
company in 2022—to Citrine Sleet. This was the about foreign policies related to North Korea 3 Educate end users about protecting
2 Block the malicious C2 domains in your
first time we have observed an activity group using rather than deploying malicious files or links to personal and business information
environment and investigate for any
an existing supply chain compromise to conduct malicious websites. in social media, filtering unsolicited
connections to them.
another supply chain attack.32 communication, identifying lures in
3 Encourage end users to practice good In addition to email, North Korean actors conduct
spear-phishing email and watering
credential hygiene. phishing via social media on platforms like
holes, and reporting reconnaissance
LinkedIn. Sapphire Sleet created fake LinkedIn
attempts and other suspicious activity.
profiles masquerading as financial investors to lure
72 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Most targeted sectors by North Korea Targeting defense North Korea targeting of national
defense industries
Targeting Russian
companies, especially entities for
North Korea is particularly interested in spying
on institutions and individuals that study North
Korea itself. A
L O
K
A N
J B
I M
We observed greater overlaps in the industries While North Korea provides materiel support
H L
targeted by North Korean threat actors. Three North for Russia’s war in Ukraine in exchange for food,
G Korean threat actors—Ruby Sleet, Diamond Sleet, K North Korean cyber actors are also targeting
and Sapphire Sleet—targeted organizations in the J C Russian nuclear energy, defense industry, and
F maritime and shipbuilding sector from November government entities, likely for intelligence
I
2022 to January 2023. collection.34 In May 2023, Diamond Sleet used a
E H trojanized VNC client to compromise a Russian
B Ruby Sleet and Diamond Sleet even targeted the D
G nuclear energy organization. In March 2023, Ruby
same organizations within these sectors. We had E
F Sleet compromised a Russian aerospace research
D not previously observed this level of industry and
institute, while Onyx Sleet compromised a device
targeting overlaps, suggesting maritime technology
C belonging to a Russian university, and an attacker
research was a high collection priority for the North A 14% Russia I 3% Brazil
account likely attributed to Opal Sleet sent phishing
Korean government.
A 23% Think tanks/ G 4% Media B 10% United States J 3% Czechia emails to accounts belonging to Russian diplomatic
NGOs
We observed a second instance of shared targeting government entities. North Korean threat actors
3% Defense C 10% Israel K 3% Finland
B 22% Education H when Ruby Sleet and Diamond Sleet compromised
Industry may be capitalizing on the opportunity to conduct
two arms manufacturing companies based in D 9% Germany L 3% France intelligence collection on Russian entities while
C 11% Government I 2% Manufacturing
Germany and Israel from November 2022 to January Russia is distracted by the war.
E 7% India M 3% Italy
D 9% Finance J 2% Transportation 2023. This suggests the North Korean government
is assigning multiple cyber groups to meet high- F 6% Africa N 3% Poland
E 6% Inter-Government K 1% Food,
priority collection requirements to improve the
Organization Agriculture
G 6% South Korea O 3% Norway
country’s military capabilities. Since January 2023,
F 5% IT L 12% Other
Diamond Sleet has also compromised defense firms H 4% Türkiye P 13% Other
in Brazil, Czechia, Finland, Italy, Norway, and Poland.
Source: Microsoft Threat Intelligence nation Source: Microsoft Threat Intelligence nation
state notifications state notifications
73 Microsoft Digital Defense Report 2023 Chapter 3 Nation State Threats
Palestinian
We observed Storm-1133 attempting to compromise
third party organizations with public ties to Israeli
targets of interest. Storm-1133 demonstrated new
threat actors
techniques to evade detection while continuing
to send tailored phishing messages on social
media. Throughout 2023, we observed Storm-1133
attempting to deliver backdoors, including a
configuration that allows the group to dynamically
In early 2023, we observed a wave of
update the C2 infrastructure hosted on Google
activity from a Gaza-based group that Drive. This technique enables operators to stay a
we track as Storm-1133 targeting Israeli step ahead of certain static network-based defenses.
Storm-1133 also used newly created LinkedIn
private sector energy, defense, and
profiles—masquerading as Israeli human resources
telecommunications organizations. managers, project coordinators, and software
developers to conduct reconnaissance, contact and
We assess this group works to further the interests send malware to employees at Israeli defense, space,
of Hamas, a Sunni militant group that is the de facto and technology organizations throughout 2023.
governing authority in the Gaza Strip,35 as activity
attributed to it has largely affected organizations
perceived as hostile to Hamas.
Targets have included organizations in the Israeli
energy and defense sectors and entities loyal to
Fatah, the dominant Palestinian political faction in
the West Bank,36 which were historically targets of
Hamas cyberattacks.37
by cyber mercenaries
cyber mercenary tracked by Microsoft as Denim cybersecurity by committing to rules that restrict the
Tsunami, has also recently shut down. use of cyber mercenaries and increase accountability
We believe it is critical to work with others to address and oversight for both providers and their clients.
this emerging threat. Others in the technology We were pleased to see the Biden Administration
Cyberspace is an increasingly contested
150+ industry have seen additional actors, employed by take first steps with its Executive Order to Prohibit
area for conflict and strategic rivalries these and other governments, try to undermine the US Government Use of Commercial Spyware that
among states. However, the development security of the online environment. This is why we Poses Risks to National Security and the follow-on
have partnered with the over 150 companies that Guiding Principles on Government Use of Surveillance
and maintenance of offensive cyber companies partnering to collectively push back
on the cyber mercenary market make up the Cybersecurity Tech Accord, as well as Technologies supported by 44 Summit for Democracy
capabilities is costly and labor-intensive, Google and Apple, to collectively push back on the participating states. Similarly, in Europe, comprehensive
demanding skills many countries lack cyber mercenary market by committing to a set of investigations and set of recommendations by the
European Parliament should be heeded.
or cannot maintain. Microsoft tracks cyber mercenary actors located all industry principles40 aimed at limiting the threats
over the globe. An important goal in Microsoft publicly posed by these groups (see page 124).
This has led to the emergence of cyber mercenaries discussing our research is to have a material impact on
As the technology industry builds and maintains
or private sector offensive actors—commercial the cyber mercenary landscape, and there have been
the majority of what we consider “cyberspace,”
actors that are known/legitimate legal entities that several notable recent developments. We publicly
we as an industry have a responsibility to curb the
create and sell cyberweapons to customers, often identified a threat actor we refer to as Carmine
harm caused by cyber mercenaries. At a high level,
but not always governments, who select targets Tsunami and which we believe was an Israeli company,
signatories commit to:
QuaDream. Together with security researchers from
and operate the cyberweapons.
CitizenLab, we tracked the software suite it sold that – Take steps to counter cyber mercenaries’ use of Additional information
While the employment of cyber mercenaries may seem consisted of exploits, malware, and infrastructure products and services to harm people. Britain sounds alarm on spyware, mercenary
attractive to some countries as a means of adding to designed to exfiltrate data from mobile devices. – Identify ways to actively counter the cyber
hacking market | Reuters
their arsenal, the unchecked expansion of the mercenary CitizenLab identified at least five civil society victims, mercenary market. Executive Order on Prohibition on Use by the
marketplace threatens to severely destabilize the including journalists, political opposition figures, and a United States Government of Commercial
– Invest in cybersecurity awareness of customers, Spyware that Poses Risks to National Security |
broader online environment. The Carnegie Endowment non-government organization (NGO) worker, in North users and the general public. The White House
for International Peace has identified at least 74 America, Central Asia, Southeast Asia, Europe, and
– Protect customers and users by maintaining the Guiding Principles on Government Use of
governments that have contracted firms to gain spyware the Middle East.39 Furthermore, it was able to identify
integrity and security of products and services. Surveillance Technologies | US Department of State
and digital forensics technology.38 The explosive growth operator locations for QuaDream systems around the
– Develop processes for handling valid legal Spyware: MEPs sound alarm on threat to democracy
of this market poses a real threat to democracy and the world, including: Bulgaria, Czechia, Hungary, Ghana, and demand reforms | European Parliament
requests for information.
overall stability and security of the online environment. Israel, Mexico, Romania, Singapore, the United Arab
75 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
Chapter 4
Critical Cybersecurity
Challenges
Charting a path forward
Key developments 76
Introduction 77
The state of IoT and OT security 78
Improving global critical infrastructure resilience 86
Innovating for supply chain resilience 90
76 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
46% 15 15
Attacks targeting open
Key Of the 78% of IoT devices We discovered
source software have
We discovered
grown on average
developments with known vulnerabilities on
customer networks, 46% cannot
15 new zero-day
vulnerabilities in the
15 new zero-day
742%
vulnerabilities in the
be patched. CODESYS runtime, CODESYS
since 2019.runtime,
7
Growing attacks on the highly highlighting the significant risks
vulnerable intersection of information associated with not addressing supply
46%
chain vulnerabilities to ensure the
technology and operational technology security of critical infrastructure
32%
(IT-OT) emphasize the importance of and systems.
a comprehensive defense strategy that
covers the entire business ecosystem.
The imperative for holistic Gone are the days when organizations can rely
on isolated efforts at defense within their own
environments. Today’s attacks on the intersection
Past attacks on critical infrastructure were
predominantly attributed to nation-state actors,
given the complexity involved and limited commercial
and OT security
The role of Chief Information Security
Officer (CISO) has undergone a remarkable
transformation as it expands beyond the
traditional focus on securing information
and users. Today, CISOs are entrusted with
protecting all aspects of the connected business,
IoT/OT security has undergone significant This transformation brought about new security including digital assets and cyber-physical and
guidelines, heavily influenced by the Purdue model operational domains. The CISO’s responsibility
changes. Initially, systems were air-
aimed at mitigating the risks associated with extends to safeguarding critical infrastructure,
gapped, specialized, and isolated, which increased interconnectedness.1 IoT/OT systems, and ensuring the continuity of
made them less attractive targets for In recent years, there has been a notable move
operational processes. This expanded role reflects
the growing recognition that cybersecurity must
attacks. However, as industrial systems towards centralized security in response to
address the holistic protection of the entire
started to connect with enterprise IT the growing complexity and diversity of assets
business. In an era where the convergence
within organizations.
systems, the approach shifted towards of the digital and physical realms demands
This shift in approach acknowledges that OT is comprehensive security strategies and a deep
greater network connectivity.
just one component of a broader ecosystem of understanding of the cyber-physical landscape,
unmanaged devices, encompassing IoT, OT, building the CISO plays a pivotal role in the organization’s
management systems, and internet of medical things resilience and success.
device technologies.
This recognition has paved the way for the
development of new categories of IoT/OT security
solutions such as deception, supply chain security,
firmware analysis, and managed security services.
These emerging solutions aim to address the
evolving challenges and threats posed by
the interconnected nature of these devices,
ensuring comprehensive protection across the
entire ecosystem.
79 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
compromise
Total devices with
CVEs that cannot
be patched
(firmware no 46%
longer supported)
Total vulnerable
OT and industrial control system devices devices with CVEs 32%
that customers
are frequently left unpatched and could patch
exposed, making them easy targets for
Not vulnerable: 22%
hackers. Patching these systems can be
Total devices
challenging for organizations, as updates with no CVEs
15%
may need to be postponed to avoid Microsoft Defender for IoT actively monitors critical
Pr Cybersecurity Tech Accord principles
Total devices
infrastructure device security to stay ahead of
disrupting operations. that customers 7% mapping index page 124
have patched emerging threats. However, recent data reveals that
78% of devices on customer networks have known
Additionally, some OT devices lack patches for Actionable insights
vulnerabilities that threat actors can exploit, and 46%
vulnerabilities, often due to discontinued support. Source: Microsoft Defender for IoT sensors
of these devices cannot be patched. 1 Gain deeper visibility into IoT/OT devices
Hackers can exploit vulnerable OT devices by using
internet search tools to find ports used for remote Some OT devices still use unsupported operating and prioritize them based on their risk
•
management and gain unauthorized access, often systems, such as Windows 2000, which are no to the enterprise if compromised.
Reduce the attack surface by eliminating
25%
using default credentials. longer receiving security patches from Microsoft. 2
Twenty-five percent of OT devices on customer unnecessary internet connections, open
•
networks use unsupported systems, making ports, and restricting remote access
them more susceptible to cyberattacks due to a using VPN services.
It is vitally important to know of OT devices on customer networks use
lack of essential updates and protection against
unsupported operating systems, making them 3 Ensure devices are robust by applying
the status of your devices and more susceptible to cyberattacks due to a lack evolving threats. This allows threat actors to exploit patches, changing default passwords,
of essential updates and protection against
•
to take steps to protect them evolving threats.
known vulnerabilities in unsupported OT devices, and modifying default SSH ports.
posing significant risks to critical infrastructure and
from potential attacks. industrial processes.
80 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
deployment leaves learning algorithms to analyze manufacturer and More than 60 percent of devices are on firmware versions that expose the devices to eight or more
industry disclosures and identify CVEs (publicly disclosed exploitable CVEs, even when some patches have been available for over five years.
systems vulnerable
cybersecurity vulnerabilities) present in firmware.2
Percent of devices on current firmware Percent of devices if using latest firmware
We found a significant lag between the availability of
versions, by number of exploitable CVEs versions, by number of exploitable CVEs
security fixes in firmware and their deployment onto
the OT network. Although many of the PLC models Better
showed a marked reduction in high confidence
Balancing robust cyber hygiene with
exploitable CVEs from older versions to the newest 4% 0 40%
uninterrupted operations in industrial versions, over 60 percent of devices were still running
2% 1
and critical infrastructure environments is older versions of the firmware with eight or more
17% 2 12%
complex. One of the key challenges lies in exploitable CVEs. If the latest version of the firmware
available for these PLC models were to be deployed, 1% 3
effectively managing timely patch updates the number of devices with no known exploitable 4% 4 2%
while maintaining peak system performance. CVEs would increase from four to 40 percent. 0.5% 5
This delicate equilibrium demands There are valid reasons for the delay in some devices 2% 6
careful consideration, as overlooking the receiving patches. Unlike traditional IT devices with 8% 7 28%
regular “patch Tuesday” updates, OT devices have
importance of cyber hygiene can leave 18% 8 18%
years-long patch cycles. It is not as simple as rebooting
vital systems vulnerable to malicious actors a PLC on the spot, especially when it manages a
15% 9
seeking to exploit weaknesses. process that requires high availability. However, most 3% 10
facilities typically have annual or bi-annual maintenance 11% 11
To examine how this balance is managed across a outage windows that will allow for patching. 12
variety of programmable logic controllers (PLCs), 14% 13
we started by using Defender for IoT’s on-premises
Deploying the latest firmware versions available for 0.2% 14
network sensors to identify OT assets on a network, these PLC models could increase the percentage of
including vendor, model, and firmware version. devices with no known exploitable CVEs from Worse
Our focus was on a collection of widely used PLCs
Number of Exploitable CVEs
4-40%
within the Defender for IoT customer base to
determine the distribution of firmware versions
deployed on the devices. To investigate device Source: Microsoft Defender for IoT and aDolus Technology
81 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
Call to action
More than 50 percent of devices use firmware versions exposing them to more than 10 CVEs even though
because only specific versions of firmware have
firmware significantly reducing exploitable CVEs has been available for more than 10 years
the necessary certifications. As an example, SIL2
Safety Certification can be legally required when
a PLC is used to control a hazardous process, but
not every firmware release for a given model has
SIL2 certification.
57% The significance of maintaining a
comprehensive OT patch management system
of devices on legacy cannot be overstated. While strides have been
Considering these limitations, we looked at firmware are exploitable to a
high number of CVEs (>10) made to identify and address vulnerabilities
how long security patches have been available.
within devices powering manufacturing lines
Many were released years ago, including patched Firmware released in December 2012
Number of CVEs significantly reduces exploitable CVEs and critical infrastructure, this is insufficient.
versions that were fully safety certified. A significant
from ~11 down to ~2 Achieving true resilience necessitates the
number of devices running vulnerable firmware 14
implementation of a holistic approach to OT risk
have had patches available for more than eight
12 management which encompasses asset visibility,
years. Even with the unique constraints of the OT
patch levels, vulnerability monitoring, and the
environment, these delays underscore the need 10
availability of updates.
for industry to decrease the time between security
8
patch release and deployment. Though the prospect of interrupting essential
6 processes or requiring recertification may
Actionable insights be daunting, the potential consequences of
4
leaving exploitable vulnerabilities unchecked
•1 Implement robust network monitoring 2 pose a far greater risk, potentially jeopardizing
within OT environments, paying attention lives and wreaking havoc on critical systems.
0
to abnormal behavior that may indicate v1.0 v1.1 v1.2 v1.3 v1.4 v1.5 v1.6 v1.7 v1.8 v1.9 v1.10 v2.0 v2.1 v2.2 v2.3 v2.4 v2.5 v2.6 v2.7 v3.0 v3.1 v3.2 v3.3 v3.4 v3.5 v3.6 Organizations must recognize the imperative
malicious activity. nature of a robust OT patch management
Additional examples
system as an essential component of their
•2 Use firmware scanning tools to identify and Device Percent of devices on legacy Last firmware release date Delay in firmware update overall cybersecurity strategy.
mitigate potential security weaknesses in firmware exploitable to a high significantly reducing
high-risk devices. number of CVEs (>10) exploitable CVEs (<3)
Device A 56% December 2012 ~10.5 years
•3 Adopt IoT management in the cloud to
Device B 48% December 2012 ~10.5 years
benefit from standard governance models,
reliable patching, broad monitoring, and Device C 55% August 2014 ~8.7 years
continued security investment.
Source: Microsoft Defender for IoT and aDolus Technology
82 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
gapped networks
organizations to detect and manage these unknown
and unmanaged assets. This helps ensure that
networks remain secure and up to date, reducing
the risk of malicious attacks. Asset profiling enables
end-to-end discovery of assets by analyzing network
As organizations implement digital signals to identify and categorize network assets, the
transformation programs, it’s crucial information collected about them, and the types of
assets they represent.
to monitor and discover inventory in
networks that were previously thought A vast collection of classifiers allows for high-fidelity
categorization in the cloud, including servers,
to be air gapped. workstations, mobile devices, and embedded IoT/
OT devices.
This is because air gaps are no longer enough to
protect networks from malicious attacks, as attackers Properly classifying assets enables organizations
can use various methods to gain access. Therefore, to monitor and analyze potential security risks.
organizations must extend their monitoring and Any vulnerability or misconfiguration in an asset can
inventory discovery beyond air-gapped networks to create an entry point for attackers, making it critical
ensure their networks are secure and up to date with to protect an organization’s networks.
the latest technologies and security protocols.
83 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
OT networks often lack key security measures and •4 Proactively conduct incident response
are directly connected to the network, making measures for OT networks.
them an easy target for attackers. This can lead to
•5 Influence IoT/OT device security by
significant disruption of critical infrastructure, as
requiring vendors to adopt secure
even one disconnected component can impact
development lifecycle best practices.
manufacturing lines and operations managed by
A software bill of materials (SBOM) is
PLCs. A vulnerable version of CODESYS could enable
a way that vendors can provide more
threat actors to shut down operations of critical
information about the third-party
infrastructure through a denial-of-service attack.
components contained in their software
Remote code execution could create a backdoor
and hardware.
for devices, allowing attackers to tamper with
operations, cause a controller to run dangerously,
500+
or steal critical information.
manufacturers supporting
architectures spread across
millions of devices worldwide
85 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
unified front •
sharing data.
Platforms enabling real-time
communication and collaboration.
• Processes and frameworks such as incident
Bringing OT and IT security teams
response playbooks and knowledge
together creates a unified front against sharing protocols.
evolving threats, maximizing resources
Converged SOCs offer these benefits:
while pinpointing vulnerabilities.
1 Improved collaboration: Develop your team’s
A converged security operations center (SOC) ability to identify and respond to threats using
combines the strengths of two teams, resulting in a both IT and OT skills, allowing you to gain a
streamlined, cost-effective approach to enterprise deeper understanding of their potential impacts.
security. OT and IT security teams can work together 2 Greater visibility: You can gain an understanding
to build cohesion through tabletop exercises that of your organization’s vulnerabilities on both
establish common goals and performance indicators. the business and industrial side. Afterward, take
In the last year, customer security teams have proactive steps to prevent a breach.
made great strides in developing tools and 3 Streamlined response: Reduce response times
strategies to share knowledge between defenders. by eliminating incidents being transferred
These advancements have enhanced teams’ between IT and OT teams. A quick and effective
preparedness and effectiveness in responding to response to security incidents will minimize the
security threats. potential damage.
4 Strengthened compliance: Make sure all areas
of the business comply with industry regulations
and standards by sharing knowledge and
expertise easily.
Additional information
Better together webinar with Microsoft Sentinel
and Microsoft Defender for IoT | Microsoft
86 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
infrastructure resilience
delivering better services at lower costs across government and critical infrastructure
and powering critical infrastructure such organizations within a country to ensure resilience.
as electricity, finance, and transportation. This facilitation can be done through
But as we have seen, the digitalization implementation of a National SOC, which
would act as the central orchestration entity
of our world has brought new risks as providing an early warning system against
sophisticated, dangerous cyber actors nation-state and cybercriminal campaigns
seek to exploit key vulnerabilities. targeting a country’s critical government
and critical infrastructure entities.
The US Intelligence Community has warned that
China and Russia are both capable of disrupting It is of paramount
critical infrastructure services,4 and Microsoft has
identified campaigns that support these goals. importance to share
In May, we warned that Chinese hackers were trying
to gain access to US critical infrastructure as part of
security signals and
prepositioning an ability to disrupt communication threat intelligence
in case of a future geopolitical crisis.5
across government and
To learn more, see page 112.
critical infrastructure
In November, we assessed that Russian state organizations within
actors were likely behind the Prestige ransomware
attacks on transportation and logistics companies a country to ensure
in Ukraine and Poland.6
resilience.
For more about these attacks, see page 48.
Pa Op Cybersecurity Tech Accord principles
mapping index on page 124
87 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
for critical
requirements, where noncompliance could protecting consumers’ privacy, and reducing the
result in losing access to a market segment risk of monetary fraud. Cybersecurity requirements
or financial penalties. in the Radio Equipment Directive are likely to
infrastructure be overshadowed by the proposed EU Cyber
Resilience Act (CRA), anticipated to be finalized
These requirements will
resilience create significant market
in 2024. Microsoft believes the CRA could have
serious implications for product cybersecurity,
similar to how the EU General Data Protection
pressure on IoT and OT Regulation promulgated privacy requirements.
The CRA envisions mandatory essential
device manufacturers The UK Product Security and Telecommunications cybersecurity requirements for nearly all connected
Additional information to adopt cybersecurity Infrastructure Bill empowers government ministers products with digital elements to be sold in the
to specify security requirements for consumer European Union, including hardware, standalone
The UK Product Security and Telecommunications
Infrastructure | Product Security | UK Government
best practices. connectable products with which businesses software, and associated remote data processing.
Commission strengthens cybersecurity of wireless involved in making the products available to UK Requirements are structured to improve security
devices and products | European Commission In the United States, the Biden administration consumers must comply. Draft security requirements throughout the lifecycle of products, including
Biden-Harris Administration Announces announced a voluntary cyber labeling program for connectable products have been published, design, development, and support. The CRA
Cybersecurity Labeling Program for Smart Devices for smart devices to protect American consumers and the UK’s consumer connectable products includes conformity assessment and product
to Protect American Consumers | The White House intended to be “up and running” in 2024. security regime will come into effect on April 29, security labeling through the application of the
IR 8425 Profile of the IoT Core Baseline for The program will evaluate products against criteria 2024. The security requirements mandate that European CE marking system.
Consumer IoT Products | NIST NIST develops, such as the consumer IoT core manufacturers stop using default passwords in
National Cybersecurity Strategy Implementation baseline profile NIST IR 8425 published in September products, establish a vulnerability disclosure policy,
Plan | The White House 2022 and requirements for consumer grade routers and provide transparency about the minimum
Adopting guidance from the US National to be completed by the end of 2023. The US National length of time that the product will receive security
Cybersecurity Strategy to secure the Internet of Cybersecurity Strategy Implementation Plan set a updates. While US and UK efforts are focused
Things | Microsoft
completion date prior to November 2023 for the on consumer products, we believe they will drive
New EU cybersecurity rules ensure more
Federal Acquisition Regulatory Council to propose improved security in the OT market as well.
secure hardware and software products
| European Commission
Federal Acquisition Regulation requirements for
procurement of IoT devices by US federal agencies.
90 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
Innovating for supply Microsoft’s We also invest in finding vulnerable code across
our products and services. CodeQL is a powerful
chain risk at the supply chain security see page 95. We prioritize security in every aspect of our products
and services to ensure resilience. The Microsoft Security
Our approach has significantly reduced the feedback
loop when new vulnerabilities are discovered,
speed of regulation
We also work internationally to lobby for rules
Development Lifecycle (SDL), introduced in 2004, is providing actionable results to developers within
and norms that would prohibit nation states from
designed to identify and minimize risks throughout hours. When these CodeQL rules mature or require
engaging in indiscriminate supply chain attacks that
the product lifecycle, meet compliance requirements, urgent release, as in the case of Solorigate,9 we
put millions of customers at risk.
and deliver reliable solutions to our customers.8 open-source them and incorporate them into the
Innovation for securing the software supply chain CodeQL product to benefit all users.
Since 2020, software supply chain security attacks— We have evolved the SDL to adapt to cloud
is crucial for keeping businesses and networks safe.
such as Solarwinds, Log4j, Codecov and Kaseya— computing, AI/ML advancements, the changing
Recent cybersecurity incidents highlight the software While automation plays a vital role, we also prioritize
have affected over 490 million known customers threat landscape, and regulatory demands like US
supply chain’s extensive attack surface, which includes developer security training, threat modelling,
and exposed over 100,000 malicious open source Executive Order 14028 (“Improving the Nation’s
source code, developer machines, source control and specialized reviews in areas like AI/ML and
packages. With an average yearly increase of 742 Cybersecurity”). Our latest SDL updates focus on
systems, dependencies, build servers, and the release cryptography. These efforts provide knowledge
percent in attacks since 2019, this number will only simplicity, automation, and providing developers
pipeline. As government mandates and industry which feeds back into our SDL guidance and
continue to rise.7 with further guidance and guardrails.
regulations emerge to address these risks, software automation, allowing us to scale while ensuring
Microsoft has taken proactive and collaborative producers and engineers play a pivotal role in We leverage enforcement mechanisms within our security. We also share knowledge externally
measures such as supplier audits to address the top tackling the compliance challenge while maintaining development and cloud platforms to impose SDL through published guidance, open-sourced tools,
three supply chain threats: ransomware, phishing, their efficiency. Leveraging automation presents an requirements early in the development lifecycle. and new features in our developer and cloud
and malware. By working together with suppliers opportunity to fulfill these obligations at a reduced For example, we scan code for potential exposure platforms to foster a more collaborative and
and investing in education and awareness training, cost and lower impact on engineers. of sensitive information before it is committed to resilient environment for all.
our goal is to prevent future attacks and ensure swift version control and ensure that code is reviewed
recovery in case of a breach. Em Pa Cybersecurity Tech Accord principles by someone other than the author before Pr Em Cybersecurity Tech Accord principles
Op mapping index on page 124 being committed. mapping index on page 124
91 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
Additional information
83,000
unique packages used more than
Embrace proactive security with Zero Trust | Microsoft 13 million times in our products
Managed identities for Azure resources | Microsoft
92 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
Software bills of materials NuGet plans to support SBOM generation natively Tracking conformance with standards This drives us to continuously evaluate our security
Microsoft is an advocate for software bills of within its ecosystem so that every future NuGet and regulations posture through our SDL continuous assurance
materials (SBOMs), which provide software package would have an SBOM,11 and GitHub now Industry collaboration and public-private approach rather than assessing compliance at a
transparency to customers. SBOMs enable allows exporting SBOMs from repositories. partnerships are crucial for advancing global single point in time like other audits. We employ
organizations to manage their supply chain supply chain cybersecurity. We are committed to automated tools like static analyzers, web scanners,
Organizations should prepare now for consuming
risk for the software that’s deployed across meeting international standards, certifications, and and open-source scanners to assess our code
and managing SBOMs from their suppliers. Most,
their enterprise. technology sector regulations, and we keep a close and development infrastructure and use manual
if not all, Software Composition Analysis (SCA)
eye on our compliance by investing in automated attestations for non-automated requirements.
tools can produce SBOMs today, so commercial
tracking and monitoring tools. By analyzing assessment results from different
Since 2019, we have software suppliers should have the capability to
produce and share SBOMs. When the next incident
perspectives, we can identify trends and intervene
To make sure our products meet diverse and at
contributed to cross- such as Log4j occurs, having an SBOM for the times conflicting requirements, we align them with
when necessary. This approach helps us prepare for
new requirements by introducing draft requirements
software deployed across your enterprise enables
industry working groups, you to answer the questions “Am I affected?” and
our SDL framework.
that generate reports without alerting developers.
the ecosystem
ISRG, and OpenSSL. These engagements often consume OSS is arguably the most important software industry.
include the appointment of a security champion aspect of any organization’s software supply chain. Microsoft had been operating its OSS security
to drive improvements within the organization’s
We recently published and contributed the Secure and governance program for many years as part
projects and embed security in their culture
Supply Chain Consumption Framework (S2C2F) of the Microsoft SDL, but expanded its scope to
and processes.
Sharing guidance through partnerships to the OpenSSF, making it available for any include a holistic view of supply chain security
The “Omega” aspect leverages technology and development team or organization to adopt. It is in 2019, now called the S2C2F.
As a co-founding member of the Open Source
security experts to scale vulnerability detection a set of requirements focused on improving the
Security Foundation (OpenSSF), Microsoft is We continue to maintain the framework within
across the top 10,000 critical open-source projects. security around how developers consume OSS into
investing in initiatives to enhance the security of the the Supply Chain Integrity working group in
We use static analysis tools like CodeQL to the developer workflow.
entire open-source ecosystem. OpenSSF Alpha- collaboration with the OpenSSF community.
identify and efficiently triage critical vulnerabilities.
Omega began in February 2022 and is funded by Since the S2C2F is a consumption-focused
Responsible disclosure, often accompanied by fixes,
Microsoft, Google, and Amazon Web Services. framework, it can be used in addition to existing
is then shared with the maintainers.
It aims to safeguard society by engaging directly secure development practices. The S2C2F
with open-source maintainers and conducting requirements have also been organized into
expert analysis to improve the security of open- a maturity model, enabling organizations
source software. to prioritize what requirements they should
implement first. We encourage you to consider
incorporating the S2C2F requirements into
Em Pa Cybersecurity Tech Accord principles
mapping index on page 124
your organization’s security strategy.
96%
of software contains some
open-source components.
94 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
24m
Securing software at the (open) source
GitHub is the home of OSS and hosts a community
of more than 100 million users. With the rise of
open-source vulnerabilities like Log4Shell, it has vulnerabilities remediated by developers14
become clear that a vulnerability anywhere can
become a vulnerability everywhere, and increasing
resilience needs to be a collective goal. To combat
this, GitHub puts advanced security capabilities into
the hands of developers to keep vulnerabilities,
private keys and other secrets, and malicious code
from impacting the software that powers the
modern world.
94%
businesses in the United States How GitHub secures the software supply chain SBOMs. Comprehensive and up to date SBOMs
While developers want to focus on writing code, use open-source components15 Code Scanning: Powered by the CodeQL static help organizations comply with regulations, meet
security testing and remediation tasks can disrupt analysis engine and CredScan, GitHub Code RFI/RFP requirements, and satisfy software supply
their workflow and make the software development Scanning helps developers quickly identify and chain concerns to address customer objections and
lifecycle less predictable and more expensive. fix insecure code patterns that are associated close business.
GitHub’s solution is to make supply chain security
61%
with security vulnerabilities. Advisory Database: As the industry’s biggest issuer
tools easy and convenient for developers to use
Secret Scanning: Keep tokens, private keys, of open source software CVEs, GitHub maintains a
as they code, building best practices into the daily
and other secrets from leaking into the open- comprehensive Advisory Database with knowledge
workflow. In addition to our commercial GitHub
of businesses have been impacted by source software ecosystem. GitHub provides about vulnerabilities and malware drawn from
Advanced Security offerings, we make these
supply chain attacks in the past year16 security advisories reported on GitHub, the National
capabilities available free of charge to open-source free secret scanning and push protection
features for public repositories. Vulnerability Database, and contributions from
developers, because OSS is a part of everyone’s
GitHub’s 100 million community members. A team
supply chain. Dependabot: GitHub’s dependency management of security experts reviews advisories for validity
tool alerts developers to vulnerable and out-of-
12,404
and provides the contextual information needed
Em Cybersecurity Tech Accord principles date dependencies and suggests remediation steps for remediation.
mapping index on page 125 so developers can quickly fix issues and get back
to coding. Platform Security: Developers can protect against
expert-reviewed security advisories 17 unauthorized access to repositories and packages
SBOMs: GitHub helps development teams comply with two-factor authentication (2FA) for both GitHub
with regulatory and customer requirements and npm user accounts.
with native tools to ingest, generate, and export
95 Microsoft Digital Defense Report 2023 Chapter 4 Critical Cybersecurity Challenges
Chapter 5
Innovating for Security
and Resilience
Defending with AI
Key developments 97
Introduction 98
Using the power of AI for cybersecurity 100
Working together to shape responsible AI 106
97 Microsoft Digital Defense Report 2023 Chapter 5 Innovating for Security and Resilience
Find out more on page 101 Find out more on page 104
98 Microsoft Digital Defense Report 2023 Chapter 5 Innovating for Security and Resilience
Responding with
breakthrough innovation
Introduction from Bret Arsenault
In the last few months, the world has There has been significant growth in the threat
landscape as more attackers use increasingly
witnessed a wave of innovation as
sophisticated techniques to compromise an ever-
organizations apply advanced AI to new growing footprint of services, devices, and users.
technologies and use cases. Our industry All combined, this creates a larger attack surface
and threat potential than we have ever dealt with
is facing a paradigm shift and taking
before. At Microsoft, we have seen a 23 percent
a massive leap forward as technology annual rise in the cases processed by the Microsoft
advances incredibly quickly and makes Security Response Center and Security Operations
daily headlines. Center teams.
While human ingenuity and expertise will always
The security industry has been focused on be a precious and irreplaceable component of
managing increased risks and innovating to adapt to cyber defense, technology has the potential to
the fast pace of change. We continue to hear from augment these unique capabilities with the skill sets,
our peers, partners, and customers that security has processing speeds, and rapid learning of modern AI.
never been more critical to the resilience of business Technology can work alongside us, detect hidden
and society. patterns and behaviors, and inform a response at
machine speed with the latest and most advanced
security practices.
99 Microsoft Digital Defense Report 2023 Chapter 5 Innovating for Security and Resilience
Experiences based on large language models, like At Microsoft, we are developing first- and third- We will also deploy Security CoPilot—our new AI
ChatGPT, have taken the world by storm in the last party solutions for our ever-increasing number of powered incident response assistant—across our We have defined three priority areas
year. This is in part because they can draw upon a enterprise, government, and consumer customers incident response teams, so that we can both gain
in which we will invest to ensure that
vast store of data, leveraging the massive computing and partners. We have seen developer activity the benefit of AI in addressing security incidents,
power available today in the cloud. But what I double in the last three years, and it is up by and so we can improve this valuable new capability we embed SD3.
think is more exciting is the real, tangible impact over 31 percent in the last year alone. This trend by providing our development teams with feedback
that technology like this can drive. AI, together will accelerate as developers adopt AI powered based on our real-world experience. Be Secure by Design and address the
with the power of cloud and machine learning, has development tools like GitHub Copilot. This will technical debt. Bring systems up to current
Based on actions needed to meet the growing
enormous potential. Much like we led the charge on require a commensurate increase in threat models, standards and levels of inspection and security.
threat landscape, our approach for the next year will
password spray detection, two-factor authentication code reviews, compliance attestations, and app/ Address the need for security training for
focus on bringing to bear AI in combating threats
enforcement, and managed device health, we have infrastructure assurance to secure resilience. developers, threat modeling for all services,
while also embracing the three SDL principles of
an opportunity to demonstrate how responsible complete Code QL and Network Security.
An important contribution we can make is to Secure by Design, Secure by Default, and Secure
AI has the potential to positively transform the Create efficiency in current systems.
continue to evolve our Security Development in Deployment (SD3). While it may sound simple,
security landscape. Unify critical tools and systems, including
Lifecycle (SDL) rules and engineering compliance. this will require all of us to prioritize and collaborate
This will ensure continued focus on secure to successfully execute across everything we do, the numerous Identity systems, SOC/IR,
engineering practices. every day. case management, and risk management.
Create common tooling and mechanisms to
We recently simplified, updated, and automated Bret Arsenault
ensure compliance with Secure by Default and
our SDL and Operational Security Assurance Chief Information Security Officer
Secure in Deployment.
requirements into a single standard. We will increase
our compliance with the modernized SDL through Future-proof the company, focusing on
enhanced training, automation, and reporting. AI. We need to invest resources in how we
identify the new risks (Secure by Design) and
operate the environments (Secure by Default
and Secure in Deployment). We will leverage
AI to improve security operations and define
$10.5 trillion
The cost of cybercrime is projected to
hit an annual $10.5 trillion by 2025.1
101 Microsoft Digital Defense Report 2023 Chapter 5 Innovating for Security and Resilience
Harnessing large
Security testing and validation: LLMs can automate
and enhance security testing and validation
activities such as penetration testing, vulnerability
language models scanning, code analysis, and configuration auditing.
They generate and execute test cases, evaluate and
Lowering the
Fortunately, the use of LLMs in cybersecurity
operations is not limited to large organizations
with abundant resources. These models have been
entry bar for using trained on vast amounts of data, giving them a pre-
existing understanding of cybersecurity.
How Microsoft is
To demonstrate the potential of this technology Chatbot for developer support LLMs for cloud datacenter security
in addressing complex challenges and driving We have created a chatbot to support Microsoft’s Industrial control systems (ICS) are crucial
innovation, here are some examples to show
using large language
developers in accessing compliance information and for ensuring security and efficiency in cloud
how we’ve chosen to use LLMs internally to guidelines for security standards and regulations. datacenters. They are used to automate and
improve security and efficiency in various areas of This helps them integrate security into their code optimize processes, reduce human error, and
Defending
The challenges will be further complicated by the
fact that, in the future, it is likely there will be more
than one platform and multiple paradigms, such
the increasing as Microsoft’s Semantic Kernel, LangChain, and
AutoGPT. This will require organizations to include
language models
sensitive information or harm the security and
for the attacker to distinguish whether the
privacy promises made to customers overall? With
model has output the real system prompt
LLMs, both benign and adversarial usage can
or just a convincing artificially-generated In the security community, red teaming is
produce potentially harmful outputs. This can take
example prompt. a technique used to test the effectiveness many forms, including harmful content such as hate
Vulnerability reports submitted to • Command injection attacks are a central of how an organization would respond speech, incitement or glorification of violence, or
Microsoft provide valuable insights concern, especially in cases where these
to a genuine cyberattack. It is a double- code with vulnerabilities.
could affect other users of the system.
into emerging security trends, blind exercise in which dedicated In the new era of AI, Microsoft has routinely used red
Comprehensive detection and prevention of
especially in fast-changing areas like teaming to find failures in production systems before
command injection vulnerabilities remains an security operators role-play as real- deploying them in products like Bing Chat and Azure
AI. Focusing specifically on LLMs, open research and development question.
world adversaries to attain a specific OpenAI service.
some of our key learnings from recent goal via scoped tactics, techniques,
Em Cybersecurity Tech Accord principles
vulnerability reports include: mapping index on page 125. and procedures (TTPs). The point of
Pr Cybersecurity Tech Accord principles
mapping index on page 125.
the exercise is to provide a realistic
• Attacks against LLMs may look significantly Please see the section about Responsible
different from typical software security attacks. assessment of an organization’s ability
AI on page 106.
For instance, when the attacker can control to prevent, detect, and respond to a
the text that is fed into the LLM, the process of
particular group of attacker TTPs. Additional information
developing attacks usually involves searching
for a well-crafted natural language sentence to Microsoft AI Red Team building future of safer AI
Red teaming as an essential practice in the | Microsoft
input into the model.
responsible development of Microsoft’s systems and Introduction to red teaming large language models
features using LLMs. Red teaming with AI systems | Microsoft
is a little different from traditional cybersecurity red Failure Modes in Machine Learning—Security
teaming.3 The set-up is similar; in the AI context, the documentation | Microsoft
106 Microsoft Digital Defense Report 2023 Chapter 5 Innovating for Security and Resilience
to shape responsible AI
| Microsoft
AI threats, vulnerabilities, and responsible use.
The Coalition for Content Provenance and
We now need policies which more specifically
Authenticity – an overview | C2PA
address AI security risks at the US federal level.
How UNESCO and Microsoft are partnering to
The use of generative AI to enhance cyber exploits
advance responsible AI | UNESCO
is under review at CISA as policymakers consider the
Meta and Microsoft join the Framework for Collective
need for additional guardrails to prevent abuse of AI. Action on Synthetic Media | Partnership on AI
As transformative AI technology Simultaneously, we are working with industry
How Microsoft Build brings AI tools to the forefront
partners to develop standards and technologies
promises to reshape many aspects of Pr Pa Em Cybersecurity Tech Accord principles
for developers | Microsoft
that enable transparent and verifiable information mapping index on page 125.
society, we must work towards a future of about the origin and authenticity of digital content
Commitments to advance safe, secure, and
trustworthy AI | Microsoft
responsible AI by design. Responsible AI to enhance trust online. This includes using For more about AI in cybersecurity,
please see pages 100–105. How do we best govern AI? | Microsoft
advanced detection mechanisms to identify and
practices are crucial for maintaining user National AI strategies and policies | OECD
mitigate potential risks associated with malicious
trust and privacy, and for creating long- content generation. Launch of the Frontier Model Forum | Microsoft
term benefits to society. Across the globe, the appetite for regulatory
guidance on the responsible development and
At the same time, the evolution of AI technology, use of AI is growing, with many countries drafting
such as generative AI models, requires us to also documentation offering guidance for managing
evolve cybersecurity practices and threat models emerging risks associated with AI technologies.
to address new challenges. Generative AI models Previous iterations of AI roadmaps and risk
can create realistic content—including text, images, management frameworks include the European
video, and audio—which can be used by threat Union AI Act and the United States National
actors to spread misinformation or create malicious Institute of Standards and Technology AI Risk
code. To stay ahead of emerging security threats, Management Framework.
we must invest in research and development too.
Microsoft is committed to ensuring that all our AI
products and services are developed and used in
a manner that upholds our AI principles.
107 Microsoft Digital Defense Report 2023 Chapter 5 Innovating for Security and Resilience
2014
SGP
LVA SVN AUS
HRV FRA KSA NGR NOR SVN
URY UAE
ESP BEL DEN PRT ITA
GER GER TUR
NZL USA MAU USA ESP
HUN EST BUL UKR
IND KOR
BRA LAT
LTH IRE SRB BEL
MLT
KOR CRI
THL
BRA
CHN
FRA
EU EGY RWA
EU
PRT NOR
VNM JPN
EU
EU ARG VNM
LUX NOR
FRA ISL HUN GBR KOR ESP USA
SWE TUN FRA
SGP GBR
TUR ESP USA NZL GRE TUR
BEL CHN
ZAF ESP
AUT CRI
EU CHL USA AUS
CHN
ESP CHN
PRT
CAN BRA AUS BRA
MEX
COL
2022
IRE China
SGP CHN
2016 GBR RUS CYP THL
USA COL CHL
KOR SLV SGP AUS
MLT IND
ROM DEN JPN
COL LAT SWI NED GBR CHN
EST TUN EST NOR CHN
GER MEX THA JPN KOR
USA SWE KOR VNM HUN FIN ICE EU
UAE JPN ARG COL
AUS G7
IND EU GBR FIN
ESP BRA NOR IND SGP
KEN LTU GBR GER NED
PRT IND JPN SRB NZL FRA
UAE NED CAN
AUT FIN RUS IND CRI ESP
NOR SGP AUS FRA UN
DEN BRA
ROU KSA MOR USA URY
DEN TUR SWI CZH
SGP
TUR POL
Active policies by entity and year of implementation. Source: OECD AI Policy Observatory (OECD.AI) and Microsoft internal tracking for 2023, January-June.
108 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
Chapter 6
Collective Defense
Collective Defense
The fragmented cybersecurity Fewer than
Key landscape means we are not making
the most of the vast amount of threat 15%
developments intelligence and data that is available. of NGOs have cybersecurity
experts on their staff.
The new Cybercrime Atlas will maximize global data collection while
ensuring intelligence is thoroughly cleansed, enriched, and vetted The CyberPeace Institute is providing critical support
by experts from diverse industries. and assistance to humanitarian organizations.
By forging strong partnerships that
transcend borders, industries, and the
Find out more on page 111 Find out more on page 121
public-private divide, we are creating a
united front against cybercrime.
75%
A ground-breaking lawsuit aimed at ending
the illicit use of Cobalt Strike shows the power
As cyberthreats evolve, productive of uniting efforts to identify and take down
relationships across a spectrum of criminal infrastructure. of eligible citizens in democratic
stakeholders will be essential to improve
threat intelligence, drive resilience, and
nations have the opportunity to vote
contribute to mitigation guidance. in the next year and a half. We must
ensure that strong cyber defenses
keep elections safe.
Find out more on page 113 Find out more on page 118
110 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
and collaboration
changing digital landscape. Robust partnerships with
we’re working together in new ways to bolster our
educational institutions, nonprofit organizations,
customers’ digital defense capabilities, reduce their
governments, and other businesses are central to
cyber risks, and further collaborative projects, such
our collective defense efforts and skill-building
as documenting evidence of cultural heritage site
resources that can enable people to adapt amidst
destruction in Ukraine. As part of our commitment
constantly shifting challenges. As the threat
to defending democracy, Microsoft’s non-partisan
landscape evolves, we look forward to continuing
Introduction from Teresa Hutson Across the globe, Microsoft works closely with our election protection efforts extend globally through
these and other collective defense engagements
customers and partners to provide security guidance work with organizations like the International
with valued partners.
and tools to improve cyber resilience and protect Foundation for Election Systems, to help weave
the integrity of digital services, especially in the face far-reaching networks that enable the sharing of Teresa Hutson
As technology continues to play an of ever-evolving threats. For example, the Microsoft Corporate Vice President, Technology for
best practices. Our partnerships to protect elections
increasingly important role in our lives, Threat Analysis Center released a report highlighting span work with nonprofits including the National Fundamental Rights
it brings both great opportunities and the increase in Russia’s espionage attacks and their Democratic Institute, International Republican
development of new forms of ransomware in March Institute, and Freedom House. These are just a few Pr Em Cybersecurity Tech Accord principles
significant risks to our fundamental rights 2023, and Microsoft announced its investigation of mapping index on page 125.
of the many ways in which Microsoft is working
and ability to engage in society. an Iranian cyberattack against Albania’s government cooperatively with leading organizations on
in September 2022. Cybercriminals and threat actors innovative solutions to best meet the challenges
Though threats to the information ecosystem
When we develop technology, we must be are constantly innovating their strategies to leverage facing our world today. We are proud to collaborate
have always existed, the tactics adversaries deploy
thoughtful, champion access to critical services, technological advancements—but so are we. with other leading technology companies and
in the digital age are constantly evolving. As a
and build equity into our solutions. At Microsoft, as Working together and providing industry-leading cross-sector partners to advance open-source
founding member of the Coalition for Content
we work to create a future for everyone, we have solutions are core to our collective defense efforts. security, curb cybercrime, safeguard democracy, and
Provenance and Authenticity, Microsoft has
a responsibility to support people’s digital safety strengthen media content.
In this chapter, we offer insights into our collective helped develop technical standards for certifying
and defend against the challenges presented by
defense strategies, including support for the World Microsoft remains committed to supporting a the source and history of media content to help
technologically enabled bad actors. We also need
Economic Forum’s Cybercrime Atlas initiative healthy information ecosystem and addressing combat deepfakes and increase public trust in the
to uphold human rights, close divides, and partner
and engagement in the Open Source Security evolving threats within the digital spaces in which media they see.
on collaborative initiatives protecting people and
Foundation. We also highlight strategic partnerships
systems’ digital security.
111 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
and collaboration
companies such as Microsoft, Fortinet, PayPal,
that is used to facilitate large scale criminal activity
and Santander Group. It brings together a diverse
beyond individual domains or internal protocols (IPs).
community of over 40 private and public sector
Some examples are money mule organizers (recruited
members to centralize knowledge sharing,
by fraudsters to assist in moving and transferring
collaboration, and research on cybercrime.
illegally obtained funds), “bulletproof” hosting
Pa Cybersecurity Tech Accord principles
providers (internet hosting services that are resilient to
complaints of illicit activities), cryptocurrency wallets,
There is a vast amount of threat The current landscape of cybercrime mapping index on page 125.
bank accounts, and communication channels.
intelligence and data available, but intelligence is made up of a patchwork The Cybercrime Atlas focuses on cyber-enabled and
Microsoft is proud to be supporting the Cybercrime
the current fragmented cybersecurity of research efforts. It is complicated cyber-dependent crimes of many types, including
Atlas initiative. We look forward to working with the
business email compromise, credit card fraud, malware,
landscape means we are not making the by limited cooperation among WEF on driving intelligence collection, facilitating
and ransomware. It leverages open-source intelligence
most of it. That is all about to change stakeholders, and by cross-border sharing processes, and supporting operations and
and adopts a global collaborative approach to gather
disruptions. Disrupting global cybercriminals requires
with the Cybercrime Atlas. It is leveraging complexities and challenges posed by human-vetted intelligence from sectors such as finance,
a global effort with robust, trusted relationships and
technology, telecommunications, cybersecurity, and
open-source intelligence and a global different jurisdictions. collaboration across public and private organizations
cloud providers.
collaboration to shape action, policy, and industries, and we encourage companies around
The goal is to disrupt cybercriminals by providing the world to consider joining the Cybercrime Atlas.
and regulation. intelligence that facilitates actions by law enforcement
and the private sector, leading to arrests and the
dismantling of criminal infrastructures. The initiative Additional information
creates additional value by offering evidence-based Forum-hosted Cybercrime Initiative to Boost
recommendations for policy and regulation changes. Coordination between Private Sector and Law
Enforcement | World Economic Forum
112 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
Determining Top 10 countries hosting cracked versions of Cobalt Strike Leveraging civil laws
cracked versions for disruption
2000
Additional information
Stopping cybercriminals from abusing security
tools | Microsoft
Source: Digital Crimes Unit investigations
116 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
•••
mitigation efforts against emerging threats. and are being worked on side by side under the
OpenSSF Supply Chain Integrity Working Group.
Pr Em Pa Cybersecurity Tech Accord principles
mapping index on page 125.
117 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
Strengthening media content During the 2023 Biden Summit for Democracy,
Microsoft and TruePic showcased a pilot project
aimed at documenting and protecting evidence
••
increase public trust in the media they see. accountability for crimes committed during wartime.
130,000
and robust democratic processes. Microsoft proactively engages in efforts to support establish the Election Cyber Readiness Network.
This network brings together election management
Safeguarding the cyber election and safeguard its partners in the election space.
Additionally, we provide reactive support—both bodies from across Europe and major tech companies
space, engaging voters, and teaming in the United States to share best practices, technical
technical and otherwise—for elections commissions, existing voters assisted in
up with nonprofits to secure election political parties, and related vendors during a pre- registration checking and knowledge, and threat analysis. We also partner with
management systems all help to protect defined election period. election sign up reminders nonprofits including the National Democratic Institute,
International Republican Institute, Carter Center, and
the integrity and resilience of democratic In preparation for the 2024 US presidential election, Freedom House to protect elections and build societal
•••
processes globally. our Democracy Forward team is leading an internal resilience in areas critical to democratic processes.
initiative to survey customers in the election
management sector, including election management Pr Op Pa Cybersecurity Tech Accord principles
bodies, political entities, and service providers. mapping index on page 125.
Over 75 percent of
eligible citizens living
The aim is to connect them with Microsoft’s free
offerings designed to enhance the sector’s resilience
and security. We will prioritize cloud and productivity
1,000 Additional information
The next frontier in elections: Microsoft supports the
in democratic nations workloads, providing special support during critical
election periods.
individuals recruited by Microsoft
and LinkedIn to be poll workers
Council of State Governments’ Election Technology
Initiative | Microsoft On the Issues
within the next year The Democracy Forward team leverages Microsoft’s
in their communities
Democracy Forward: Our approach to protecting
diversity shortage the demand for cybersecurity jobs is projected to in training women and directing them toward
••
reach 3.5 million by 2025, a staggering 350 percent employment opportunities.
increase over eight years. The lack of diversity
within the current global cybersecurity workforce Em Pa Cybersecurity Tech Accord principles
exacerbates the challenge.3 With women comprising mapping index on page 125.
only 25 percent of the workforce, promoting
inclusivity is crucial.
35%
B
professionals and the need for AI skills B
••
A
C
pose significant challenges in today’s C
•
A
C
•
B
rapidly evolving digital landscape.
A
•
B B
•
institutions, nonprofit organizations, over the past year
•
B A
•-•
governments, and businesses are crucial
•
Past year growth by country
to develop localized cybersecurity B
A
• •
A
••
market needs. B 30-40%
B
•
B
C 20-30% B
•
B
D 10-20%
B
Source: LinkedIn
120 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
How we are addressing the digital talent and diversity shortage continued
In collaboration with over 20 nonprofit organizations, Grant Challenge, conducted in partnership with data.
Global gender disparity in cybersecurity professionals A Female Male
we have already trained over 400,000 individuals in org, the Microsoft AI for Good Lab, and GitHub,
2023 Percentage of Cybersecurity Professionals by Gender
cybersecurity skills worldwide. Leveraging platforms supports organizations in training and empowering
like Microsoft Learn and LinkedIn Learning, the workforce to use generative AI. The program
Chile A II B participants have earned valuable security training prioritizes fair and community-led implementations
Brazil A II B
certificates in courses covering various topics, of generative AI, particularly with historically
Germany A II B
including systems administration and network marginalized populations.
Belgium A B
security. Meanwhile, the rise of AI presents immense
Denmark A B As part of the Skills for Jobs program, Microsoft
potential for empowering workers globally.
Poland A B is committed to bringing digital skills to people
Sweden A B To fully harness AI’s potential, however, it is essential worldwide, ensuring their active participation in the
Switzerland A B to ensure individuals possess the necessary AI digital economy. This new effort in AI skills training
Argentina A B skills. According to the Organisation for Economic represents the next step in that campaign, building
Japan A B Cooperation and Development (OECD), there is a on technology innovation and addressing emerging
Mexico A B significant gender disparity in the field of AI, with skill gaps.
Norway A II B women representing four percent of AI professionals
Columbia A B globally.4 The WEF names AI skills as a top priority 28 countries in which Microsoft has expanded
Israel A B for companies’ training strategies. its cybersecurity skills initiative
Spain A B
To address these issues, Microsoft has launched the 20 nonprofit collaborators
France A II B
United Kingdom A II B
AI Skills Initiative aimed at providing people and
400,000 individuals trained worldwide
New Zealand A II B communities worldwide with the tools to leverage
United States A II B the power of AI effectively.
Australia A B The Microsoft AI Skills Initiative includes new,
Canada A B free coursework developed in collaboration
Indonesia A B with LinkedIn. Notably, we introduced the first Additional information
India A B AI Skills Challenge | Microsoft
Professional Certificate on Generative AI in the online
Ireland A B The world needs cybersecurity experts | Microsoft
learning market. This coursework enables workers to
Romania A B Closing the cybersecurity skills gap | Microsoft
learn introductory AI concepts, including responsible
South Africa A II B AI frameworks, and receive a Career Essentials 2.5 million-plus cybersecurity jobs are open and
••
Italy AII B certificate upon completion. The Generative AI Skills
women can fill them | Microsoft
Demographics of AI professionals by gender
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Em Pa Cybersecurity Tech Accord principles (The Organisation for Economic Co-operation
mapping index on page 125. and Development)
Note: Gender disparity data unavailable for South Korea – Source: LinkedIn
121 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
•••
actionable threat intelligence that can be shared with
the community and helps scale protections beyond
a single entity. Pr Op Em Cybersecurity Tech Accord principles
mapping index on page 125.
122 Microsoft Digital Defense Report 2023 Chapter 6 Collective Defense
Building cybersecurity
capacity through the
Cyber Development Goals
This report highlights the latest While the role of technology is prioritized in
international discussions around sustainable
cyberthreat trends and showcases the
development, cybersecurity is often overlooked,
innovative technologies that are being despite its crucial role in maintaining a safe and
used to address them. But to secure secure digital ecosystem. Microsoft has partnered
with the Swedish Ministry for Foreign Affairs,
long-term resilience, defenses must be
the Global Forum on Cyber Expertise, and the
leveraged across the globe, particularly International Telecommunication Union in a project
in low- and middle-income countries that that aims to secure the adoption of universal
lack sufficient cybersecurity. To achieve cybersecurity goals and targets—the Cyber
Development Goals. Inspired by the United Nations Throughout 2023, we convened experts to create Microsoft is investing in concrete efforts to improve
this, we must integrate cybersecurity Sustainable Development Goals (SDGs), the objective a multistakeholder community dedicated to global cybersecurity resilience. We have launched
capacity building into global sustainable is to establish essential technical, legal, and policy promoting cybersecurity capacity building for a several initiatives focused on raising awareness,
frameworks to help all countries implement global safe and secure digital transformation worldwide. fostering information and expertise exchange on
development efforts.
••
cybersecurity norms. Key initiatives include supporting the development effective policies and approaches to cybersecurity.
of national cybersecurity strategies, establishing One example is our partnership with the Swedish
Em Pa Cybersecurity Tech Accord principles computer security incident response teams or Ministry for Foreign Affairs in Africa, which seeks
mapping index on page 125. emergency response teams, building technical and to improve the overall cybersecurity posture of
forensic expertise, enhancing critical infrastructure the continent. This sharing of information is crucial
The project will mobilize global resources and resilience, and developing frameworks for among different countries and regions, as well as
facilitate international cooperation to strengthen incident response. between and across the public and private sectors.
cybersecurity capacity building efforts.
123 Microsoft Digital Defense Report 2023 Appendix Additional information
Appendix
Additional information
• ••
Page Principle Explanation Page Principle Explanation
•
Microsoft partnered with Fortra to In May, we warned that Chinese hackers
Principles mapping index 14 Op 86 Pa Op
•
disrupt a criminal infrastructure that was were trying to gain access to US critical
based on abuse of legitimate software. infrastructure as part of prepositioning
•••
an ability to disrupt communication in
Pr We will protect all of our users and We will oppose cyberattacks on innocent 16 Microsoft Defender Experts send attack case of a future geopolitical crisis.
Op Pr
••
customers everywhere. citizens and enterprises from anywhere. progression notifications to customers
along with instructions for remediation. 90 Em Pa 1. By working together with suppliers
We will strive to protect all our users and We will protect against tampering with and and investing in education and
23 Op Pa Microsoft and the DCU are leading awareness training, our goal is to
customers from cyberattacks—whether exploitation of technology products and efforts with partners and will continue
Op
an individual, organization or government services during their development, design, prevent future attacks and ensure swift
to develop technology and legal recovery in case of a breach.
irrespective of their technical acumen, culture distribution, and use.
•
approaches to bring threat actors
or location, or the motives of the attacker, to justice. 2. In collaboration with international
whether criminal or geopolitical. We will not help governments launch
cyberattacks against innocent citizens and partners, we are exploring the use
25 Op The approach of our Ransomware of emerging technologies in AI to
We will design, develop, and deliver products enterprises from anywhere.
Elimination Program is to deter or revolutionize the security landscape.
and services that prioritize security, privacy,
counter ransomware attacks by
integrity and reliability, and in turn reduce
••
removing opportunities for financial 3. We also work internationally to
the likelihood, frequency, exploitability, lobby for rules and norms that would
gain by threat actors.
and severity of vulnerabilities.
•
prohibit nation states from engaging in
••
25 Integrating what we have learned from indiscriminate supply chain attacks that
• •
Pr Op
our Zero Trust journey, we introduce put millions of customers at risk.
Em the “Optimal Ransomware Resiliency
State” consisting of 40+ requirements 90 Pr Em The Microsoft Security Development
••
that span myriad aspects of the Lifecycle (SDL), introduced in 2004, is
Em We will help empower users, customers We will partner with each other designed to identify and minimize risks
Pa security landscape.
and developers to strengthen and with likeminded groups to throughout the product lifecycle, meet
••
cybersecurity protection. enhance cybersecurity. 25 Pr Em We identified five foundational compliance requirements, and deliver
principles which we believe every reliable solutions to our customers
We will provide our users, customers and the We will work with each other and will establish enterprise should implement to defend
wider developer ecosystem with information formal and informal partnerships with industry, against ransomware. The Foundational 91 Pr Em To encourage collaboration, Microsoft
and tools that enable them to understand civil society, and security researchers, across Five are solution-agnostic. has created an environment that allows
current and future threats and protect proprietary and open-source technologies to developers to choose the best open
••
themselves against them. source for their needs, without outdated
improve technical collaboration, coordinated Chapter 3 pre-approved lists or manual reviews.
•
vulnerability disclosure, and threat sharing, as
We will support civil society, governments,
well as to minimize the levels of malicious code Page Principle Explanation As a co-founding member of the Open
and international organizations in their efforts 93 Em Pa
being introduced into cyberspace. Source Security Foundation (OpenSSF),
to advance security in cyberspace and to 47 Microsoft mitigated an attack by China-
Op
Microsoft is investing in initiatives to
•
build cybersecurity capacity in developed We will encourage global information sharing based actor Storm-0558.
and emerging economies alike. and civilian efforts to identify, prevent, detect, enhance the security of the entire open-
respond to, and recover from cyberattacks and source ecosystem.
ensure flexible responses to security of the wider 79 Pr Microsoft Defender for IoT actively
global technology ecosystem. monitors critical infrastructure
device security to stay ahead of
emerging threats.
For more on our principles mapping, see pages 8-9.
125 Microsoft Digital Defense Report 2023 Appendix Additional information
• •• ••
Cyber Tech Accord principles mapping index continued
•
Pr
Em
Pa 1. Microsoft is committed to ensuring
that all our AI products and services are
developed and used in a manner that
upholds our AI principles.
115
••
Op Pa We are working closely with
counterparts worldwide to identify
local laws and regulations that could
facilitate the disabling of malicious
120 Em Pa 1. In collaboration with over 20
nonprofit organizations, we have
already trained over 400,000 individuals
in cybersecurity skills worldwide.
• ••
any development team or organization C2 infrastructure.
2. We are working with industry 2. The Microsoft AI Skills Initiative
•
to adopt.
partners to develop standards and 116 We recognize the importance of includes new, free coursework
••
Pr Em
94 Em Microsoft makes supply chain security technologies that enable transparent ensuring the safety and security of developed in collaboration
tools available at no charge to open- and verifiable information about our customers, and have joined forces with LinkedIn.
•
Pa
•
source developers. the origin and authenticity of digital to advance open-source security,
content to enhance trust online. which is crucial for constructing and 121 Pr Op We augmented our existing security
program for nonprofits by providing
••
95 In May 2023, we released our Voluntary upholding the digital infrastructure that
Pa
underpins society. Em the CyberPeace Institute with additional
Commitments to Advance Responsible
••
threat intelligence tailored to the
AI Innovation.
117 As a founding member of the unique needs of this community.
Pr Pa
Chapter 6 Coalition for Content Provenance and
••
Authenticity (C2PA) Microsoft has 122 Em Pa Microsoft has partnered with the
been developing technical standards Swedish Ministry for Foreign Affairs, the
Page Principle Explanation
Chapter 5 for certifying the source and history Global Forum on Cyber Expertise, and
•
110 Pr Em Microsoft works closely with our of media content to help combat the International Telecommunication
Page Principle Explanation customers and partners to provide Union in a project that aims to secure
•••
deepfakes and increase public trust in
security guidance and tools to improve the media they see. the adoption of universal cybersecurity
101 Across Microsoft, researchers and
•
Pr cyber resilience and protect the goals and targets—the Cyber
applied scientists are experimenting
integrity of digital services. 118 1. Microsoft proactively engages in Development Goals.
•
with and exploring scenarios to Pr Op
enhance cyber defense. efforts to support and safeguard its
111 Pa The World Economic Forum (WEF) has partners in the election space.
Pa
launched the Cybercrime Atlas initiative
102 With a robust LLM-powered solution,
Em with support from companies such 2. Microsoft extends its election
cybersecurity analysts can increase
••
as Microsoft, Fortinet, PayPal, and protection efforts globally,
productivity with automated scans
••
Santander Group. collaborating with a network
and anomaly detection, pattern
•
of partners.
••
identification, and root cause 112 We have developed a community
Op Em
evidence discovery. of strategic partnerships with threat 119 1. To tackle the talent shortage and
Em Pa
Pa intelligence organizations as we aim promote diversity, Microsoft has
103 To demonstrate the potential of
•••
Pr Em to more fully understand and defend expanded its cybersecurity skills
modern AI in addressing complex
against common adversaries. initiative to 28 countries, with a special
challenges and driving innovation, we
focus on empowering women.
share some examples of how we’ve 113 Microsoft, in collaboration with
Pr Op
•
chosen to use LLMs internally to Fortra LLC and Health-ISAC, has filed 2. Strategic partnerships with
improve security and efficiency. Pa a lawsuit in the United States aiming organizations like Women in
to disrupt infrastructure and malware Cybersecurity and the Kosciuszko
105 We share key findings from vulnerability Institute in Poland are instrumental in
Em using cracked versions of Cobalt
•
reports with insights into emerging training women and directing them
Strike or violating Microsoft’s terms
security trends in AI. toward employment opportunities.
of use regarding malicious use of its
In the new era of AI, Microsoft has copyrighted APIs.
105 Pr
routinely used red teaming to find
failures in production systems before
deploying them in products like Bing
Chat and Azure OpenAI service.
126 Microsoft Digital Defense Report 2023 Appendix Additional information
Experiences + Devices Microsoft Security Digital Security & Resilience is the organization Microsoft Threat Intelligence Center (MSTIC)
led by our Microsoft CISO, and is dedicated to is a team dedicated to identifying, tracking,
Devices Supply Chain Security teams drive Azure Security is responsible for continuously
enabling Microsoft to build the most trusted devices and collecting intelligence related to the most
and implements end-to-end security across the improving the built-in security posture of Azure at
and services, while keeping our company and sophisticated adversaries impacting Microsoft
Microsoft Devices supply chain lifecycle. all layers: the datacenter, physical infrastructure, and
customers protected. customers, including nation-state threats, malware,
cloud products and services.
Microsoft Customer and Partner Solutions and phishing.
Identity and Network Access safeguards Microsoft
Customer Ready Intelligence Team includes
Customer Success security teams collaborate with Entra ID and Microsoft consumer accounts from Strategic Intelligence and Investigation delivers
specialized analysts responsible for producing
customers to expedite security transformation unauthorized access, account takeover, and abuse. vital threat analysis on demand. Seasoned analysts
and publishing readable threat intelligence
and modernization by sharing best practices, The team delivers Microsoft Entra ID Protection, use diverse data sets to provide strategic
content and detections on the threats that most
lessons learned, and guidance. They compile Conditional Access, multifactor authentication, and insights to empower timely decision-making
impact customers.
and structure Microsoft’s and customers’ best the Microsoft Authenticator app, as well as a host of about cyberthreats.
practices and lessons learned into reference Cyber Physical Systems Research consists of enterprise and consumer account defense systems.
domain-expert researchers who specialize in They also ensure security and defense of the Office of the Chief Financial Officer
strategies, architectures, plans, and more to facilitate
the process. reverse-engineering of IoT/OT malware, protocols identity platforms. Enterprise Risk Management works across
and firmware. The team hunts for IoT/OT threats to business units to prioritize risk discussions with
Enterprise Mobility is a team that facilitates the Microsoft Defender Experts is Microsoft’s
uncover malicious trends and campaigns. Microsoft’s senior leadership, and connects multiple
delivery of modern workplace and management largest global organization of product-focused
Cyber Defense Operations Center (CDOC) security researchers, applied scientists, and threat operational risk teams, manages our enterprise
solutions to ensure data security across cloud and
is a fusion center that brings together incident intelligence analysts. risk framework, and facilitates internal security
on-premises environments. Endpoint Manager
responders, data scientists, and security engineers assessment using the NIST Cybersecurity Framework.
offers a range of services and tools for managing Microsoft Defender Threat Intelligence produces
and monitoring mobile devices, desktop computers, from across services, products, and devices groups
tactical intelligence through analysis of Microsoft’s Office of the Chief Technology Officer
virtual machines, embedded devices, and servers, to provide around-the-clock protection against
extensive external telemetry collection, charting the Microsoft AI, Ethics and Effects in Engineering
utilized by both Microsoft and customers. threats to our corporate infrastructure and the cloud
threat landscape as it evolves to discover previously and Research is an advisory board at Microsoft
infrastructure that customers use.
Security Service Line (SSL) is an organization unknown threat infrastructure, and adding context with the mission of ensuring new technologies are
of security experts with deep technical and Customer Security Policy and Assurance is a to threat actor activity and campaigns. developed and fielded in a responsible manner.
industry skills who provide incident response, team driving continuous improvement of customer
Microsoft Security Response Center (MSRC) and
threat intelligence, and cyber resilience services to security in Microsoft products and online services, Strategy and Ventures
Identity and Security Operations are dedicated
customers. The SSL maintains strategic partnerships working with engineering and security teams to
to creating a secure, defensible environment to Microsoft Security Business Development Team:
with security organizations, governments, and many ensure compliance and transparency.
protect Microsoft’s most valuable assets while A team that oversees and drives Microsoft’s long-
internal Microsoft groups. simultaneously maximizing the abilities of our users term investment, partnership, and growth strategy
to design, build, and deliver great services. for security, compliance, identity, management,
and privacy.
128 Microsoft Digital Defense Report 2023 Appendix Additional information
Footnotes Chapter 3
Page
48
Footnote
1 https://www.microsoft.com/en-us/
59
59
11 https://pagellapolitica.it/articoli/amedeo-
avondet-fratelli-italia-russia
12 https://www.washingtonpost.com/
world/2023/04/21/germany-russia-
67
68
25 https://www.reuters.com/world/middle-east/
hackers-breach-iran-rail-network-disrupt-
service-2021-07-09/
26 https://blogs.microsoft.com/on-the-
security/blog/2022/10/14/new- interference-afd-wagenknecht/ issues/2023/02/03/dtac-charlie-hebdo-hack-
prestige-ransomware-impacts- iran-neptunium/
Chapter 1 organizations-in-ukraine-and-poland/ ; 59 13 https://apnews.com/article/russia-ukraine-
https://www.welivesecurity.com/2022/11/28/ technology-social-media-misinformation- 68 27 https://www.microsoft.com/en-us/security/
Page Footnote ransomboggs-new-ransomware-ukraine/ 05d147b128c48bfa23705409448b7bbc blog/2022/09/08/microsoft-investigates-
iranian-attacks-against-the-albanian-
7 1 https://arxiv.org/abs/2305.00945 48 2 https://query.prod.cms.rt.microsoft.com/cms/ 61 14 https://support.citrix.com/article/CTX474995/ government/
api/am/binary/RW10mGC citrix-adc-and-citrix-gateway-security-
9 2 https://www.cisa.gov/topics/critical-
bulletin-for-cve202227518 69 28 We conducted an in-depth review of the
infrastructure-security-and-resilience 49 3 https://query.prod.cms.rt.microsoft.com/cms/ reports, which did not reveal signs of
api/am/binary/RW13xRJ 61 15 https://www.microsoft.com/en-us/security/ inauthentic material and we were able
blog/2023/05/24/volt-typhoon-targets-us- to verify the authenticity of some of the
Chapter 2 49 4 https://www.microsoft.com/en-us/security/ critical-infrastructure-with-living-off-the-
blog/2023/05/24/volt-typhoon-targets-us- leaked details.
land-techniques/
Page Footnote critical-infrastructure-with-living-off-the- 70 29 https://www.theguardian.com/world/2023/
land-techniques/ 63 16 https://archive.ph/GWW0D/image jan/01/kim-jong-un-north-korea-exponentially-
24 1 Ransomware Task Force Gaining increase-nuclear-warhead-production
Ground—May 2023 Progress Report 49 5 https://www.microsoft.com/en-us/security/ 63 17 https://archive.ph/oAn4j
(securityandtechnology.org) blog/2023/03/24/guidance-for-investigating- https://en.yna.co.kr/view/
64 18 https://about.fb.com/news/2022/09/
attacks-using-cve-2023-23397/ AEN20230406000800325?section=nk/nk
32 2 Microsoft Threat Intelligence Cyber Signals removing-coordinated-inauthentic-behavior-
report, May 2023 50 6 www.mandiant.com/resources/blog/3cx- from-china-and-russia/ 70 30 nknews.org/pro/cybercrime-funds-half-of-
software-supply-chain-compromise north-koreas-missile-program-us-official-says
32 3 https://www.ic3.gov/Media/PDF/ 64 19 https://archive.ph/QXvtw
AnnualReport/2022_IC3Report.pdf 53 7 Microsoft Threat Intelligence, “Iran turning 71 31 https://www.fbi.gov/news/press-releases/
64 20 miburo.substack.com/p/csm-influencer-ops-1;
to cyber-enabled influence operations for fbi-confirms-lazarus-group-cyber-actors-
33 4 https://www.bbc.com/news/world- miburo.substack.com/p/chinese-state-
greater effect,” query.prod.cms.rt.microsoft. responsible-for-harmonys-horizon-bridge-
africa-59614595 medias-global-influencer; These statistics
com/cms/api/am/binary/RW13xRJ; currency-theft
reflect data as of April 2023.
Microsoft Threat Intelligence, “Microsoft
36 5 FIDO Alliance—Open Authentication 71 32 https://www.mandiant.com/resources/
investigates Iranian attacks against the 66 21 https://www.microsoft.com/en-us/security/
Standards More Secure than Passwords blog/3cx-software-supply-chain-compromise
Albanian government.” blog/2023/04/07/mercury-and-dev-1084-
38 6 FBI seized domains linked to 48 DDoS-for-hire destructive-attack-on-hybrid-environment/ 71 33 https://www.microsoft.com/en-us/security/
54 8 https://blogs.microsoft.com/on-the-
service platforms (bleepingcomputer.com) blog/2022/09/29/zinc-weaponizing-open-
issues/2023/03/15/russia-ukraine- 66 22 https://www.cyberark.com/resources/
source-software/
cyberwarfare-threat-intelligence-center/ threat-research-blog/golden-saml-newly-
discovered-attack-technique-forges- 72 34 https://apnews.com/article/russia-ukraine-
56 9 https://msrc.microsoft.com/update-guide/
authentication-to-cloud-apps business-north-korea-e6a068d91bc9828ecad
vulnerability/CVE-2023-23397
fb67c929a4162
66 23 Nation-state threat actor Mint Sandstorm
57 10 https://www.microsoft.com/en-us/security/ https://www.nknews.org/2023/05/russia-sent-
refines tradecraft to attack high-value targets
blog/2023/06/14/cadet-blizzard-emerges-as- over-1k-tons-of-wheat-flour-to-north-korea-
| Microsoft Security Blog
a-novel-and-distinct-russian-threat-actor/ state-agency-says/
67 24 https://www.microsoft.com/en-us/security/
blog/2023/04/18/nation-state-threat-actor-
mint-sandstorm-refines-tradecraft-to-attack-
high-value-targets/
129 Microsoft Digital Defense Report 2023 Appendix Additional information
Footnotes continued
Chapter 4 94 15 https://www.infosecurity-magazine.com/
news/software-supply-chain-attacks-hit/
Page Footnote 94 16 https://www.infosecurity-magazine.com/
78 1 Microsoft Defender for IoT and your network news/software-supply-chain-attacks-hit/
architecture—Microsoft Defender for IoT | 94 17 https://github.com/advisories, 31 May 2023
Microsoft Learn
80 2 https://adolus.com/ Chapter 5
84 3 https://www.microsoft.com/en-us/security/ Page Footnote
blog/2023/08/10/multiple-high-severity-
vulnerabilities-in-codesys-v3-sdk-could-lead- 100 1 Cybercrime To Cost The World $10.5 Trillion
to-rce-or-dos/ Annually By 2025 (cybersecurityventures.com)
86 4 2023 Annual Threat Assessment of the U.S. 100 2 Gartner Top Security and Risk Trends in 2022
Intelligence Community (odni.gov)
105 3 https://blogs.microsoft.com/on-the-
86 5 Volt Typhoon targets US critical infrastructure issues/2023/05/25/how-do-we-best-govern-ai/
with living-off-the-land techniques | Microsoft
Security Blog
86 6 New “Prestige” ransomware impacts
organizations in Ukraine and Poland |
Microsoft Security Blog
II Microsoft
Microsoft Digital
Defense Report
Building and improving
cyber resilience
October 2023
Microsoft Threat Intelligence