
Microsoft Digital Defense Report: Nation-State Threats and Cyber Mercenaries

In part three of this three-part series, Microsoft dissects these twinned threats and what organizations can do to reduce or eliminate their risk.

Microsoft Security, Microsoft

May 17, 2023


Every year, Microsoft releases the "Microsoft Digital Defense Report" as a way to illuminate the evolving digital threat landscape and help the cyber community understand today's most pressing threats. Backed by intelligence from trillions of daily security signals, this year's report focuses on five key topics: cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency.

In this article, we break down part three of the report on nation-state threats and the rise of cyber mercenaries. Read on to learn how you can better protect your organization from this growing trend.

Nation-state threats took center stage in 2022 with the launch of Russia's cyber war on Ukraine. This behavior has continued into 2023. We're also seeing nation-state actors elsewhere increase activity and leverage advancements in automation, cloud infrastructure, and remote access technologies to attack a wider set of targets. More specifically, here are three core nation-state threat trends that emerged in 2022.

Increased Focus on IT Supply Chains

In 2022, we saw nation-state cyber threat groups move from exploiting the software supply chain to exploiting the IT services supply chain. These actors often targeted cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors, as we saw in the Nobelium attacks. Over half (53%) of nation-state attacks targeted the IT sector, nongovernmental organizations (NGOs), think tanks, and the education sector.

Emergence of Zero-Day Exploits

As organizations work to collectively strengthen their cybersecurity posture, nation-state actors are pursuing new and unique tactics to deliver attacks and evade detection. One prime example is the identification and exploitation of zero-day vulnerabilities. Zero-day vulnerabilities are security weaknesses that, for whatever reason, have gone undiscovered and therefore unpatched. While these attacks start by targeting a limited set of organizations, they are often quickly adopted into the larger threat actor ecosystem. It takes only 14 days, on average, for an exploit to be available in the wild after a vulnerability is publicly disclosed.

Cyber Mercenaries On the Rise

Private-sector offensive actors are growing increasingly common. Also known as cyber mercenaries, these entities develop and sell tools, techniques, and services to clients — often governments — to break into networks and Internet-connected devices. While often an asset for nation-state actors, cyber mercenaries endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced surveillance-as-a-service capabilities. Rather than being developed for defense and intelligence agencies, these capabilities are offered as commercial products for companies and individuals.

Responding To Nation-State Threats

The sophistication and agility of nation-state attacks are only going to continue to grow and evolve. It's up to organizations to stay informed of these trends and evolve their defenses in parallel.

  • Know your risks and react accordingly: Nation-state groups' cyber targeting spanned the globe in 2022, with a particularly heavy focus on US and British enterprises. It's important to stay up to date on the latest attack vectors and target areas of key nation-state groups so that you can identify and protect potential high-value data targets, at-risk technologies, information, and business operations that might align with their strategic priorities.

  • Protect your downstream clients: The IT supply chain can act as a gateway to the digital ecosystem. That's why organizations must understand and harden the borders and entry points of their digital estates, and IT service providers must rigorously monitor their own cybersecurity health. Start by reviewing and auditing upstream and downstream service provider relationships and delegated privilege access to minimize unnecessary permissions. Remove access for any partner relationships that look unfamiliar or have not yet been audited. From there, you can implement multifactor authentication and conditional access policies that make it harder for malicious actors to capture privileged accounts or spread throughout a network.

  • Prioritize patching of zero-day vulnerabilities: Even organizations that are not a target of nation-state attacks have a limited window to patch zero-day vulnerabilities, so don't wait for the patch management cycle to deploy. Once a vulnerability is discovered, organizations have, on average, 120 days before it is available in automated vulnerability scanning and exploitation tools. We also recommend documenting and cataloging all enterprise hardware and software assets to determine risk and decide when to act on patches.
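As an added example (not part of the Microsoft report or this article), the Python below applies the "Protect your downstream clients" guidance to an exported list of partner relationships that hold delegated privileges into a tenant: partners that are unfamiliar or have not been audited within the policy window are marked for removal, and approved partners holding standing high-privilege roles are marked for reduction. The partner names, role sets, dates and the 90-day review window are constructed assumptions, not values from the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy inputs the organization maintains (assumed values for this example).
APPROVED_PARTNERS = {"contoso-msp", "fabrikam-support", "northwind-soc"}
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}
AUDIT_MAX_AGE = timedelta(days=90)   # how recently a relationship must have been reviewed


@dataclass
class DelegatedAccess:
    """One partner relationship with delegated privileges into our tenant."""
    partner: str
    roles: set
    last_audited: Optional[date]     # None means the relationship was never reviewed


def triage(rel: DelegatedAccess, today: date):
    """Decide what to do with one relationship, following the report's guidance:
    unfamiliar or unaudited partners lose access; familiar ones keep least privilege."""
    if rel.partner not in APPROVED_PARTNERS:
        return "remove", "partner is not on the approved list"
    if rel.last_audited is None or today - rel.last_audited > AUDIT_MAX_AGE:
        return "remove", "delegated access has not been audited within the policy window"
    excess = rel.roles & HIGH_PRIVILEGE_ROLES
    if excess:
        return "reduce", "drop standing high-privilege roles: " + ", ".join(sorted(excess))
    return "keep", "approved, recently audited, least privilege"


def audit(relationships, today: date):
    """Map partner name -> (action, reason) for every relationship in the export."""
    return {r.partner: triage(r, today) for r in relationships}


# Constructed sample export; partner names, roles and dates are made up.
TODAY = date(2023, 5, 17)
SAMPLE = [
    DelegatedAccess("contoso-msp", {"Helpdesk Administrator"}, TODAY - timedelta(days=30)),
    DelegatedAccess("fabrikam-support", {"Global Administrator", "Helpdesk Administrator"},
                    TODAY - timedelta(days=10)),
    DelegatedAccess("northwind-soc", {"Security Reader"}, None),
    DelegatedAccess("unknown-reseller", {"Global Administrator"}, TODAY - timedelta(days=5)),
]


def run_audit():
    return audit(SAMPLE, TODAY)


if __name__ == "__main__":
    for partner, (action, reason) in run_audit().items():
        print(f"{action:6s} {partner}: {reason}")
```

Once the remaining relationships are reduced to the roles they actually need, multifactor authentication and conditional access policies on those partner accounts close the next gap the bullet describes.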

Read more about the Microsoft Digital Defense Report: Key Cybercrime Trends (Part 1) and Trends in Device and Infrastructure Attacks (Part 2).


About the Author(s)

Microsoft Security


Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.
