Cybersecurity is a deeply nuanced field, demanding that security practitioners work around the clock to unearth meaningful, timely insights from an ever-growing pool of disparate data signals. At Microsoft alone, we synthesize 65 trillion signals every day across all types of devices, apps, platforms, and endpoints in order to understand our current threat landscape.
However, viewing this data in isolation is not enough. Security teams must also consider the broader geopolitical context from which these security signals emerged. After all, if security practitioners hope to uncover the “why” behind criminal activity, they must first examine the confluence of cyber threat and geopolitical intelligence analysis. This strategic analysis of nation-state cyber threat activity is also critical for preparing and protecting vulnerable audiences who may become the target of future attacks.
For example, during the run-up to Russia’s full-scale invasion of Ukraine in 2022, the Microsoft Threat Intelligence team identified Ukrainian customers at risk for cyberattacks in the event of conflict escalation. This analysis was based on likely sectors that a nation at war would target to weaken its adversary, as well as the locations of unpatched and vulnerable systems. Establishing that monitoring practice and tipping off Ukrainian partners to vulnerabilities in advance helped threat-hunting teams harden vulnerabilities, spot anomalous activity, and push product protections faster.
So, what does this geopolitical analysis look like today?
Contextualized threat intelligence in action: A Russia-Ukraine case study
Microsoft’s threat intelligence and data science teams have long been involved with Russia’s war on Ukraine, partnering closely with our allies to lend support to Ukraine’s digital defense since the start of Russia’s invasion.
Recently, Microsoft has observed a rapid evolution of digital warfare tactics on the battlefields of Ukraine, where cyberattacks and malign influence campaigns converge as parts of a broader warfighting strategy. In particular, non-state actors like cyber volunteers, hacktivists, and the private sector have taken an increasingly active role in the conflict. Russia-affiliated cyber and influence actors have also been known to leverage cyber activity, use propaganda to promote Kremlin-aligned narratives within target audiences, and stoke divisions within European populations.
Below are five key tactics that Microsoft has observed throughout the course of Russia’s war on Ukraine:
- Intensifying computer network operations (CNO): Russia’s CNO activity includes destructive and espionage-focused operations that, at times, support influence aims. Microsoft believes this activity is likely to intensify, with much of Russia’s CNO efforts focused on Ukraine and diplomatic and military organizations in NATO member states. Ukraine’s neighbors and private-sector firms that are directly or indirectly involved in Ukraine’s military supply chain are also likely to be at risk.
- Weaponizing pacifism and mobilizing nationalism: Russia’s propaganda campaigns attempt to amplify domestic discontent about war costs and stoke fears about World War III across European nations across the political spectrum. These narratives often allege that support for Ukraine benefits the political elite and harms the interests of local populations.
- Exploiting divisions and demonizing refugees: Russia remains committed to influence operations that pit NATO member states against one another. Hungary has been a frequent target of such efforts, as have Poland and Germany. We’ve also seen Russia attempt to undermine solidarity with Ukraine by demonizing refugees and playing upon complex historical, ethnic, and cultural grievances.
- Targeting diaspora communities: Using forgeries and other inauthentic or manipulated material, Russia-affiliated influence actors have broadly promoted the narrative that European governments cannot be trusted. These actors will often spread false narratives claiming that Ukrainians will be forcibly extradited to fight in the war.
- Increasing hacktivist operations: Microsoft and others have observed purported hacktivist groups conducting, or claiming to have conducted, DDoS attacks, cyber intrusions, and data theft against perceived adversaries. These nonstate entities support Russia’s efforts to project power online. Some of these groups are linked to cyber threat actors like Seashell Blizzard and Cadet Blizzard, suggesting they also offer a measure of plausible deniability for cyberattacks.
Microsoft’s work with Ukraine has only served to underline the importance of new partnerships between public and private entities. By hunting for threat activity, writing code to fortify security products, and raising awareness of threat trends, the collective security community can harden defenses not just for Ukraine, but for networks worldwide. After all, think tanks, educational institutions, and consultancies are among the most frequently targeted sectors of the economy.
Visit Microsoft Security Insider to learn more about the latest cybersecurity threats at home and abroad.