The New Domain (and Threat) of the Cyberattacks: Russia

Stefania Rinaldi
Source: ZDNet

On September 29, 2020, Microsoft published the first edition of its annual Digital Defense Report, which covers the cyber-threat trends of the preceding year. The report strikes a cautious tone about the cyber future and warns of coming dangers, in particular from Russia against the United States.


In the report, Microsoft examined the threat trends of the previous year and concluded that “threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets”. Microsoft paid particular attention to nation-state actors, which have become increasingly visible and have played a more prominent role in the threat landscape. Microsoft assesses that nation-states use cyber-attacks against specific targets that align with their own political goals. On the basis of this research, Microsoft mapped the most prominent and influential government-backed hacking groups, as shown below.

Sample of nation state actors and their activities. Source: Microsoft

Looking at activity observed between July 2019 and June 2020, Russia stands out as the origin of 52% of nation-state activity, followed by Iran with 25%, China with 12%, and North Korea together with other smaller states with 11%. The most targeted country is the United States with 69% of activity, followed by the United Kingdom with 19%, Canada with 5%, South Korea with 4%, and lastly Saudi Arabia with 3%. Microsoft also examined the specific activity groups behind these nation-state operations and analysed their impact on society. The report identifies the six sectors of society most targeted by nation-state actors, and by Russia in particular, which are discussed below.

Firstly, 32% of nation-state activity targeted non-governmental organisations, such as “advocacy groups, human rights organisations, non-profit organisations, and think tanks focused on public policy, international affairs and security”. In this sector, the Russian group STRONTIUM, also known as Fancy Bear, accounted for three quarters of the activity, much of it directed against sporting organisations.

First diagram: country of origin of nation-state actor activity. Second diagram: top five geographic regions targeted by nation-state actors. Source: Microsoft.

The second most targeted sector is professional services at 31%. Here the report found that the Russian group STRONTIUM once again “attempted to compromise consulting firms and government contractors, specifically U.S. defense contractors and large public affairs, corporate legal, IT, media, and physical security consultancies operating in the United States, Europe, and the Middle East”.

The third most targeted sector is government organisations with 13%. Microsoft identified the Chinese group NICKEL as the most aggressive group here, launching attacks against foreign ministries in eleven countries across Latin America and Europe. In second place in this category is the Russian group YTTRIUM, also known as Cozy Bear, which has infiltrated the diplomatic missions of multiple European countries.

In fourth place, at 10%, are international organisations. Here the Iranian group MERCURY, also known as MuddyWater, has been prominent in its activity against organisations working with refugees. The North Korean group THALLIUM, also known as Kimsuky, has attempted to infiltrate organisations working on regional development in Africa. Lastly, the South Korean group DUBNIUM and the Iranian group PHOSPHORUS, also called Charming Kitten, have been involved in attacks on global health organisations.

In fifth place Microsoft put information technology firms with 7%. In this sector two groups were most active. The first is the Chinese group MANGANESE, also known as Keyhole Panda, which attempted to compromise IT companies based in the US. The second is the Iranian group MERCURY, which attacked network technology providers based in the Middle East.

The final sector is higher education, also at 7%. Microsoft identified STRONTIUM, PHOSPHORUS, BARIUM (a Chinese group also known as APT41), THALLIUM and ZINC (a North Korean group also known as Lazarus) as the most active here. These groups have attacked several universities around the world, as universities “often house cutting-edge research initiatives that might be of interest to nation state actors”.

Overall, Microsoft has detected and identified a range of groups, predominantly from Russia, China and Iran, that have become a more serious threat to society, even where Microsoft could not determine the specific objective of a given nation-state campaign.


President-elect Joe Biden and incumbent President Donald Trump. Source: BBC.

Beyond this sector analysis, Microsoft examined the threat these groups pose to major current events. Microsoft has warned that groups backed mostly by Russia, but also by China and Iran, are trying to intrude on and interfere with people and organisations linked to the 2020 US presidential election, on both Donald Trump’s and Joe Biden’s sides. In particular, the Russian group STRONTIUM has attacked more than 200 organisations involved in politics, and the Chinese group ZIRCONIUM has “attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President Campaign and prominent leaders in the international affairs community.”

Lastly, the Iranian group PHOSPHORUS attempted to identify the owners of Microsoft consumer email accounts and subsequently attacked 241 of them. These accounts belonged to people linked to a US presidential campaign, US government officials, journalists covering politics, and prominent Iranians living outside Iran.

Although the new data are worrying, the Russian threat is not new. During the 2016 presidential campaign between Donald Trump and Hillary Clinton, the Russian government allegedly interfered in the election. Russian hackers allegedly breached Hillary Clinton’s campaign, the Democratic Congressional Campaign Committee and the Democratic National Committee. They also appear to have spread fake political news online in order to damage Clinton’s election hopes. The interference was investigated by the CIA, the FBI and the National Security Agency, which stated that “President Vladimir Putin ordered the effort […] with the dual aims of damaging Hillary Clinton’s presidential campaign and undermining the US democratic process”. Subsequently, the FBI has warned that Russia is actively working to denigrate Joe Biden in the current US presidential election.

Notably, Microsoft’s report, which shows Russia as the leading nation-state attacker of the US, was published only days after Russian President Vladimir Putin announced on September 25 his willingness to collaborate with the US on cyber security. In particular, President Putin proposed to “agree on a comprehensive program of practical measures to reboot [the] relations in the field of security in the use of information and communication technologies”, as well as “to exchange […] guarantees of non-intervention into internal affairs of each other, including into electoral processes”.

Even though President Putin is proposing a Russia-US cyber security collaboration, his announcement sits awkwardly beside Microsoft’s data, which show Russia as the most active nation-state attacker and US organisations as the main target of Russian activity. Given both precedent and the new threats, Microsoft advises that “more federal funding is needed in the US so states can better protect their election infrastructure”, and “encourag[es] state and local election authorities in the U.S. to harden their operations and prepare for potential attacks”. This warning carried particular weight with the US presidential election taking place on November 3rd.

  • How will the Microsoft report affect relations between the US and Russia?
  • What consequences would Russia face if it were found to have interfered in the current US presidential election, especially after President Putin’s proposal for Russia-US cyber security collaboration?
  • How can the US improve its cyber security and deter hacking activity from Russia, China and Iran?

Further Reading

BBC News. Russia, China and Iran hackers target Trump and Biden, Microsoft says.

Business Insider. Russia is responsible for most nation-state cyberattacks, followed by Iran, North Korea, and China, according to a new Microsoft report.

Government Technology. Microsoft: Most Nation-State Hack Attempts Come from Russia.
