Microsoft notified 10,000 victims of nation-state attacks

Most of the attacks came from state-sponsored hacking groups in Iran, North Korea, and Russia.
Written by Catalin Cimpanu, Contributor

Microsoft said that over the past year it notified nearly 10,000 users that they'd been targeted or compromised by nation-state hacking groups.

The company didn't just blast out random statistics, but also named names. Microsoft said most of the attacks came from state-sponsored hackers from Iran, North Korea, and Russia.

More precisely, the Iran attacks came from groups Microsoft calls Holmium and Mercury, the North Korean attacks came from a group called Thallium, and the Russian attacks came from groups called Yttrium and Strontium.

Who are some of these groups?

Some of these codenames are new, but some describe years-old state-sponsored groups.

For example, according to this Google spreadsheet that keeps track of all the different nation-state hacking group names, Holmium is the codename of Iran's APT33.

This is one of the most infamous cyber-espionage groups around, and is responsible for creating the dangerous Shamoon data-wiping malware. At the start of July, US Cyber Command published a security alert about new APT33 attacks aimed at US targets that exploited an old Outlook vulnerability.

In addition, Strontium is the codename for APT28, also known as Fancy Bear. This group of Russian hackers is responsible for a long list of attacks in the last decade. They've targeted the White House, the Pentagon, NATO members, EU governments, they've breached the DNC, they've created the NotPetya ransomware and deployed it in Ukraine, and they've also set up the VPNFilter router botnet.

Microsoft has been engaged in a long battle against this group. Last summer, Microsoft took control of several domains operated by APT28, which the company said the group was using to target parties involved in the 2018 US midterm elections.

In February 2018, Microsoft exposed new APT28 attacks, this time targeting parties involved in the 2019 European Parliament election.

Nation-state hackers also targeted electoral entities

Microsoft said that around 84% of the nearly 10,000 nation-state attacks it detected targeted its enterprise customers, and only 16% of these attacks were aimed at home consumers and their personal email accounts.

Furthermore, Microsoft also said it detected nation-state attacks against political organizations involved in the electoral process.

These stats came from Microsoft's AccountGuard technology, a free security service the OS maker has been providing for nearly a year to political campaigns, parties, and democracy-focused nongovernmental organizations (NGOs) across 26 countries.

According to Tom Burt, Microsoft Corporate Vice President, Customer Security & Trust, Microsoft sent out 781 notifications to organizations enrolled in AccountGuard over the past year.

Around 95% of these 781 notifications were sent to US-based organizations, Burt said.

But besides revealing the extent of nation-state attacks, yesterday was also a big day for Microsoft. The company also demoed a new product, part of its Defending Democracy Program.

Called ElectionGuard, this is a free software kit for cryptographically securing voting machines. Microsoft demoed ElectionGuard voting machines in Aspen, Colorado, but has no plans to sell commercial voting machines. The OS maker plans to open-source the software behind them on GitHub later this year, and has already partnered with some voting machine vendors to help them roll out more secure voting systems in the future.
