Microsoft: State-backed hackers grow in sophistication, aggressiveness

Hackers from countries like Iran are increasingly pairing their hacking operations with information operations pushing propaganda.
Iranian flag waving with cityscape on background in Tehran, Iran. (Sir Francis Canker Photography/Getty Images)

Iranian cyber operations targeting Western entities are growing more sophisticated and effective as part of an overall shift among state-backed hacking groups toward espionage, researchers with Microsoft said Thursday.

In a report published Thursday describing the global cybersecurity landscape, Microsoft researchers conclude that state-backed cyber operations are broadly becoming more advanced and aggressive and are increasingly pairing campaigns to breach computer systems with information operations to spread propaganda.

The company’s findings on Iran illustrate this trend. Over the last year, Iranian cyber operators stepped up their work, particularly in the Global South, with enhanced offensive cyber capabilities and a commingling of rudimentary operations with multi-pronged influence campaigns to achieve geopolitical effects. Tehran views these tools as a way to respond to perceived efforts to foment unrest inside Iran, Microsoft’s researchers conclude.

“They seem to be more intentional and focused in their targeting than we’ve seen before,” Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, said of Iranian improvements in cyber operations targeting and utilizing cloud computing systems and featuring bespoke software implants. “They’re getting better at leveraging vulnerabilities, they’re getting better at focused, real cyber operations, so we see them evolving.”

Thursday’s sprawling 131-page report from Microsoft, its fourth annual Digital Defense Report, surveys and collates broad themes in the cyber operations and cybercrime ecosystems and how those trends are affecting government and private organizations around the world. The report describes trends in nation-state activity, cybercrime, threats to critical infrastructure and internet-connected devices around the world, supply chain vulnerabilities and the importance of collective defense.

To describe that landscape, the report relies on what Tom Burt, Microsoft’s corporate vice president for customer security and trust, described in a call ahead of its release as the company’s “unique vantage point” — the ubiquity of Microsoft software around the world.

The report concludes that government-sponsored spying and influence operations have proliferated over the last year and shifted in important ways, away from noisy high-profile cyberattacks and toward espionage. “The predominant motivation has swung back to a desire to steal information, covertly monitor communication, or to manipulate what people read,” Burt wrote in a blog post accompanying the report’s release.

That conclusion aligns with recent reporting from Ukraine’s top cyber defense agency, which has said that while destructive Russian cyber attacks continue, their networks are seeing more espionage and intelligence gathering, particularly against law enforcement targets.

Nation-state activity remains “most pronounced against the U.S., Ukraine, and Israel, and pervasive throughout Europe,” the Microsoft report reads. But operations increased in the Middle East as a result of more Iranian operations across a range of sectors, the researchers said, particularly against education, government, information technology and communications targets. Countries in the Global South, particularly Latin America and sub-Saharan Africa, have seen a marked increase in attacks, Burt said.

The report also highlights a sharp rise in human-operated ransomware incidents — up more than 200%, according to the company’s data — which make up just one slice of a cybercrime ecosystem that’s evolving toward “more effective and damaging attacks, which often take place at scale,” the company wrote in the report.

Dwell time, or the time between a system being breached and that breach being detected, has decreased, but attackers are getting more adept at pivoting within systems, exfiltrating files, and encrypting and ransoming the organization, DeGrippo said. “The ransomware activity now is so fast, it’s like the blink of an eye,” she added.

To disrupt the financial and technological systems underpinning cybercrime, Microsoft is increasingly collaborating with law enforcement agencies around the world and carrying out domain seizures to disrupt criminal groups. The company has in recent months cracked down on illicit copies of Cobalt Strike, a security testing application, alongside Fortra, the company that produces it, and has worked with the U.S. government to identify and deter Chinese targeting of facilities in Guam.

“While we have a long way to go, as detailed in the report, we have had some early successes in doing this work and we will continue to focus on it whenever we can in collaboration with law enforcement and others in the private sector to increase the impact of these disruptions,” Burt said.

The report also highlights the proliferation of private contractors and firms who supply governments and others with spyware and offensive cyber capabilities. Citing a March 2023 report from the Carnegie Endowment for International Peace, the researchers note that 74 governments have contracted firms to access spyware and digital forensics technology.

From spyware to private-sector malware developers, examples abound and could muddy an already complicated geopolitical picture. “Attribution is going to become harder and more important as these kinds of threat actors come online,” DeGrippo said.