Russia accounted for the majority of state-sponsored attacks over the past year, with the SolarWinds attackers dominating threat activity, according to Microsoft data.
The firm’s Digital Defense Report 2021 covers the period from July 2020 to June 2021 and details state and cybercrime activity.
Kremlin-backed raids accounted for 58% of all nation-state attacks during the period, with Nobelium (aka APT29, Cozy Bear) generating the vast majority (92%) of notifications Microsoft made to customers about attacks.
The threat group was responsible for the notorious and highly sophisticated SolarWinds campaign, which compromised at least nine US government departments.
Worryingly, Microsoft claimed that Russian state-backed attacks are increasingly successful: compromise rates jumped from 21% to 31% year on year.
They’re mainly focused on intelligence gathering from government agencies in the US, UK and Ukraine.
After Russia, the largest volume of attacks came from North Korea (23%), Iran (11%), and China (8%). It’s not always about cyber espionage: Iran has ramped up destructive attacks against Israel, while North Korea continues to generate funds by targeting cryptocurrency companies, according to Microsoft.
China appears more traditional in its intelligence-gathering activities. However, it has used a range of previously unidentified vulnerabilities to achieve these ends, particularly the Hafnium attacks on Exchange servers earlier this year.
Chinese threat groups also have a range of strategic goals but tend to focus on gleaning social, economic and political intelligence about strategic adversaries and neighboring countries.
Microsoft said it had notified customers 20,500 times about nation-state breach attempts over the past three years.
“To be clear, Microsoft does not observe every global cyber-attack. For example, we have limited visibility into attacks targeting on-premises systems that organizations manage themselves, like the Exchange Server attacks earlier this year, and attacks targeting customers of other technology providers,” it added.
“We believe sharing the data we do have on these threats is helpful to customers, policymakers and the broader security community, and we invite others to share what they’re seeing with their visibility.”