Reports Note Increasing Threat of Nation-State-Sponsored Cyber Attacks

A bevy of new cybersecurity reports points to the continuing problem of nation-state-sponsored threat actors. The primary culprits have long been Russia, China, Iran, and North Korea, and all four show up in recently published reports from Microsoft, IBM, Tenable, and Fortinet.

Adversarial Use of AI in Influence Operations (source: Microsoft).

"Nation-state attacks have been undeterred, increasing in volume and aggression," said Microsoft's Tom Burt in an Oct. 15 article titled "Escalating Cyber Threats Demand Stronger Global Defense and Cooperation."

Several other reports call out the same culprits, but Microsoft goes furthest in calling for governments to get involved in fighting these threats by combining defensive strategies with strong deterrence.

"Once again, nation-state affiliated threat actors demonstrated that cyber operations — whether for espionage, destruction, or influence — play a persistent supporting role in broader geopolitical conflicts," Burt said. "Also fueling the escalation in cyber attacks, we are seeing increasing evidence of the collusion of cybercrime gangs with nation-state groups sharing tools and techniques."

Addressing the problem, Microsoft said, will require a focused commitment to cyber defense from individual users, corporate executives and government leaders alike.

Highlights of the report include:

  • Russian threat actors appear to have outsourced some of their cyber espionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cyber crime group used commodity malware to compromise at least 50 Ukrainian military devices.
  • Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
  • North Korea is getting into the ransomware game. A newly identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks — demonstrating both intelligence gathering and monetization motivations.

That latter country was also mentioned in a report this month from IBM titled, "X-Force Cloud Threat Landscape Report 2024," which noted, "Threat actors are increasingly leveraging trusted cloud-based services, such as Dropbox, OneDrive, and Google Drive, for command-and-control communications and malware distribution," while adding, "North Korean state-sponsored groups, including APT43 and APT37, carried out multistage attacks against cloud-based services to distribute remote access trojans (RATs)."
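The IBM finding above (trusted cloud storage used as a command-and-control channel) is hard to block outright, since the same domains carry legitimate traffic, but it does leave a timing signature: an implant polling a Dropbox or OneDrive API at a fixed interval looks nothing like a person using the service. The following added example, not code from the IBM report or this article, scores proxy log entries per source host and destination for that regularity. The log lines, field layout, domain list and thresholds are all constructed for illustration.

```python
"""Beacon-regularity check over proxy logs for cloud-storage domains.
Added example; log format, domains and thresholds are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed: API endpoints of the services the report names as abused for C2.
CLOUD_C2_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com",
                    "graph.microsoft.com", "www.googleapis.com"}

# Constructed sample log, one request per line:
# "<ISO time> <src_ip> <dest_host> <user_agent>"
SAMPLE_LOG = """\
2024-10-16T09:00:00 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:00:00 10.1.2.4 www.googleapis.com Mozilla/5.0
2024-10-16T09:00:05 10.1.2.4 www.googleapis.com Mozilla/5.0
2024-10-16T09:01:02 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:01:59 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:02:40 10.1.2.4 www.googleapis.com Mozilla/5.0
2024-10-16T09:03:01 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:04:00 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:04:58 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:05:00 10.1.2.5 content.dropboxapi.com Mozilla/5.0
2024-10-16T09:06:01 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:07:00 10.1.2.3 api.dropboxapi.com python-requests/2.31
2024-10-16T09:10:00 10.1.2.4 www.googleapis.com Mozilla/5.0
2024-10-16T09:10:01 10.1.2.4 www.googleapis.com Mozilla/5.0
2024-10-16T09:12:00 10.1.2.5 content.dropboxapi.com Mozilla/5.0
2024-10-16T09:15:00 10.1.2.4 example.com Mozilla/5.0
2024-10-16T09:25:30 10.1.2.4 www.googleapis.com Mozilla/5.0
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dest_host, user_agent) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, ua = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), src, dest, ua


def find_beacons(text, min_events=6, max_cv=0.2, domains=CLOUD_C2_DOMAINS):
    """Return (src_ip, dest_host) pairs whose request spacing to a cloud
    domain is regular enough to look like an implant check-in.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; a low value means near-fixed intervals.
    """
    series = defaultdict(list)
    for ts, src, dest, ua in parse_log(text):
        if dest in domains:
            series[(src, dest)].append((ts, ua))

    hits = []
    for (src, dest), events in series.items():
        if len(events) < min_events:
            continue  # too few contacts to judge the timing
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests in the same second; not a beacon pattern
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "src_ip": src,
                "dest_host": dest,
                "count": len(events),
                "mean_interval": mean,
                "cv": cv,
                "user_agents": sorted({ua for _, ua in events}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample, only 10.1.2.3 is reported: eight contacts to api.dropboxapi.com about 60 seconds apart with a coefficient of variation under 0.05, from a non-browser user agent. The browser-driven host shows the bursty, irregular spacing of a person, and the third host has too few requests to score. Real implants add jitter, so on production logs the threshold has to be tuned against a baseline of legitimate sync clients, which also poll on schedules.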

While that report didn't otherwise focus on foreign threats, it did provide these takeaways:

  • Phishing is the leading initial access vector. Over the past two years, phishing has accounted for 33% of cloud-related incidents, with attackers often using phishing to harvest credentials through adversary-in-the-middle (AITM) attacks. An AITM phishing page proxies the real login page in real time, so it captures the resulting session cookie along with the password and any one-time code or push approval; only origin-bound authenticators such as FIDO2/WebAuthn passkeys are not relayed this way.
  • Business E-mail Compromise (BEC) attacks go after credentials. BEC attacks, where attackers spoof e-mail accounts posing as someone within the victim organization or another trusted organization, accounted for 39% of incidents over the past two years. Threat actors commonly leverage harvested credentials from phishing attacks to take over e-mail accounts and conduct further malicious activities.
  • Demand continues for cloud credentials on the dark web, despite market saturation. Gaining access via compromised cloud credentials was the second most common initial access vector at 28%, even though mentions of SaaS platforms on dark web marketplaces decreased by 20% compared to 2023.
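The AITM technique named in the first takeaway above leaves a trace in sign-in telemetry: the MFA prompt is completed through the phishing proxy, and the stolen session token is then replayed from attacker infrastructure, so one session is seen from two source IPs in short order. The following added example, not code from the IBM report or this article, applies that rule to a handful of constructed sign-in records. The field names and event types are an assumed schema, not any vendor's log format.

```python
"""Session-token replay check for AITM phishing follow-up.
Added example; record schema and sample data are constructed."""
from datetime import datetime, timedelta

# Constructed sign-in records: an interactive sign-in that passed MFA, then
# later uses of the same session token. Field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-10-16T08:00:00", "user": "alice", "ip": "203.0.113.10",
     "session": "s1", "event": "interactive_mfa"},
    {"time": "2024-10-16T08:04:00", "user": "alice", "ip": "198.51.100.7",
     "session": "s1", "event": "token_use"},
    {"time": "2024-10-16T08:30:00", "user": "bob", "ip": "192.0.2.55",
     "session": "s2", "event": "interactive_mfa"},
    {"time": "2024-10-16T08:45:00", "user": "bob", "ip": "192.0.2.55",
     "session": "s2", "event": "token_use"},
    {"time": "2024-10-16T09:00:00", "user": "carol", "ip": "192.0.2.80",
     "session": "s3", "event": "interactive_mfa"},
    {"time": "2024-10-18T09:00:00", "user": "carol", "ip": "192.0.2.81",
     "session": "s3", "event": "token_use"},
]


def find_session_replay(events, window=timedelta(hours=24)):
    """Return token uses whose source IP differs from the IP that completed
    MFA for the same session, within `window` of that sign-in.

    The window limits noise from long-lived sessions that legitimately roam
    between networks; a cookie stolen through an AITM proxy is normally
    replayed within minutes or hours.
    """
    origin = {}  # session id -> (time, ip) of the MFA-completing sign-in
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event"] == "interactive_mfa":
            origin[e["session"]] = (t, e["ip"])
        elif e["event"] == "token_use" and e["session"] in origin:
            t0, ip0 = origin[e["session"]]
            if e["ip"] != ip0 and t - t0 <= window:
                hits.append({
                    "user": e["user"],
                    "session": e["session"],
                    "mfa_ip": ip0,
                    "replay_ip": e["ip"],
                    "minutes_after_mfa": (t - t0).total_seconds() / 60,
                })
    return hits


if __name__ == "__main__":
    for hit in find_session_replay(SAMPLE_EVENTS):
        print(hit)
```

Only alice's session is flagged: MFA completed from 203.0.113.10 (in an AITM case, the proxy's address) and the token used four minutes later from 198.51.100.7. Bob's token stays on one IP, and carol's IP change falls outside the window. In production, comparing autonomous system or country rather than the raw address cuts the false positives that mobile carriers and VPN reconnects otherwise generate.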

Tenable, meanwhile, just published its Cloud Risk Report 2024, which calls out North Korea and Russia. It discusses a Windows kernel elevation of privilege vulnerability, saying, "The exploitation activity was orchestrated by the North Korea-based Lazarus Group, with the end goal of establishing a kernel read/write primitive."

The company also noted Microsoft itself was the victim of foreign-sponsored bad guys: "Midnight Blizzard, a Russian state-sponsored actor also known as NOBELIUM, hacked the tech giant's corporate email systems."

Separately, last week Fortinet published "Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA," which followed an August report from the Cybersecurity and Infrastructure Security Agency (CISA) titled, "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations."

That CISA advisory said: "[T]hese Iran-based cyber actors are associated with the Government of Iran (GOI) and — separate from the ransomware activity — conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan)."

While those are conventional intrusions seeking data or ransom, the upcoming election in the U.S. provides unique opportunities for foreign actors to influence matters.

"Russia, Iran, and China have all used ongoing geopolitical matters to drive discord on sensitive domestic issues leading up to the U.S. election, seeking to sway audiences in the U.S. to one party or candidate over another, or to degrade confidence in elections as a foundation of democracy," Microsoft said. "As we've reported, Iran and Russia have been the most active, and we expect this activity to continue to accelerate over the next two weeks ahead of the U.S. election."
