Microsoft said on Wednesday that it has notified almost 10,000 customers in the past year that they’re being targeted by nation-sponsored hackers.
According to a post from Microsoft Corporate Vice President of Customer Security & Trust Tom Burt, about 84% of the attacks targeted customers that were large, “enterprise” organizations such as corporations. The remaining 16% of attacks targeted consumer email accounts. Burt said some of the 10,000 customers were successfully compromised while others were only targeted, but he didn’t provide figures.
“This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives,” Burt wrote. Microsoft presented the figures Wednesday at the Aspen Security Forum.
Burt said Microsoft has seen “extensive” activity from five specific groups sponsored by Iran, North Korea, and Russia. Microsoft has given one Iranian group the name Holmium while security firm FireEye dubs the offenders APT33. FireEye said the group targets organizations primarily headquartered in the United States, Saudi Arabia, and South Korea. Targets tend to be involved in both military and commercial aviation and petrochemical-focused energy.
Microsoft identified another of the five groups as Strontium, a Russian outfit that’s better known as Fancy Bear or APT28. Security firm CrowdStrike has said Fancy Bear has operated since 2008 and is believed to be working for the GRU, or Russia’s military intelligence service. Fancy Bear was one of two Russian-sponsored groups that hacked the Democratic National Committee ahead of the 2016 presidential election. Strontium has also been linked to intrusions into the World Anti-Doping Agency in 2016, the German Bundestag, and France’s TV5Monde TV station, among many others.
Burt identified the three other nation-sponsored groups as Yttrium (a Russian outfit that Microsoft caught targeting US think tanks and non-governmental organizations in December), Iran-based Mercury, and Thallium of North Korea.
Burt also said that, since launching its AccountGuard platform for protecting democratic elections last August, the company has made 781 notifications of nation-sponsored attacks targeting organizations that make use of the technology. The vast majority of the attacks—95 percent, Burt said—were based in the US. He said the figures give a good indication of what to expect in the near future.
“As we head into the 2020 elections,” he said, “given both the broad reliance on cyberattacks by nation-states and the use of cyberattacks to specifically target democratic processes, we anticipate that we will see attacks targeting US election systems, political campaigns, or NGOs that work closely with campaigns.”