Microsoft report finds Russia dominant force behind cyberattacks in past year

Cyberattacks originating in Russia accounted for more than half of intrusions tracked by Microsoft since mid-2020, the company said in a report released Thursday.

The findings were detailed in Microsoft’s annual Digital Defense Report. The company said it tracked threat activity from a number of countries, but found that 58 percent of attacks reported by customers originated in Russia, followed by North Korea at 23 percent. 

“Over the past year, Russia-based activity groups have solidified their position as acute threats to the global digital ecosystem,” the report states. “They have also shown a high tolerance for collateral damage, which leaves anyone with connections to targets of interest vulnerable to opportunistic targeting.”

The report went on to say that more than 90 percent of the Russian-linked threat activity was carried out by a threat group Microsoft named “Nobelium,” which the company blamed in May for using a U.S. Agency for International Development email marketing account to target hundreds of organizations in two dozen countries, including government agencies.

Microsoft found that the U.S. was the most targeted nation by far, accounting for almost half of attacks between July 2020 and June 2021. By contrast, Ukraine was the second most targeted country, with 19 percent of threat activity aimed within its borders.

While Russia was prolific in the hacking space, according to Microsoft’s data, it mainly avoided targeting critical infrastructure groups, with only 2 percent of Russia’s attacks aimed at those key entities. By contrast, 13 percent of Chinese-linked threat activity was aimed at critical infrastructure, as was 9 percent of such activity linked to Iran. 

Government entities were seen as the main target for cyberattacks, with government being the most targeted sector, followed by nongovernmental organizations and think tanks. Microsoft found that 53 percent of Nobelium’s efforts were aimed at government entities.

“Over the past year, Russia-based groups have improved their rates of successful compromise and increasingly set their sights on government targets, a confluence of trends that could portend more high impact compromises in the year ahead,” the report warned.

The report comes after a 12-month period that saw multiple high-profile and damaging cyber incidents linked back to Russia.

These included the SolarWinds hack, first discovered in December, which allowed Russian government-linked hackers to infiltrate numerous federal agencies and around 100 private sector groups for much of 2020. President Biden levied sanctions against Russia in retaliation for the attack earlier this year.

Criminal groups based in Russia were also linked to the ransomware attacks in May on Colonial Pipeline, which provides around 45 percent of the East Coast’s fuel, and on meat producer JBSA USA. Both attacks temporarily crippled supply chains. 

Biden urged Russian President Vladimir Putin to crack down on these hacking groups during their in-person summit in Geneva earlier this year, but top U.S. officials have said there has been little evidence that Russia has taken action in the months since.

Updated at 1:16 p.m.