2023 Threat Intelligence Year in Review: Key Insights and Developments
Published 03/14/2024
Originally published by Microsoft Security.
It has been an incredible year for Microsoft Threat Intelligence. The sheer volume of threats and attacks revealed through the more than 65 trillion signals we monitor daily has given us many inflection points, especially as we notice a shift in how threat actors are scaling and leveraging nation state support. The last year has presented more attacks than ever before, and the attack chains are getting more complex with every passing day. Dwell times have shortened. Tactics, techniques, and procedures (TTPs) have evolved to become nimbler and more evasive in nature. Looking back at the details of these incidents helps us see the patterns so we can determine how to respond to new threats and anticipate in which direction they may move next. Our review of the TTPs from 2023 aims to provide a comprehensive overview of the threat intelligence landscape through what we observed in incidents around the world. Here are some of the highlights that both John Lambert and I would like to share with you, along with some video snippets taken from our discussion at Ignite 2023.
Sherrod DeGrippo,
Microsoft Director of Threat Intelligence Strategy
Naming Taxonomy Refresher
In 2023, Microsoft shifted to a new, weather-themed threat actor naming taxonomy that (1) better matches the increasing complexity, scale, and volume of modern threats and (2) provides a more organized, memorable, and easy way to reference adversary groups.[1]
Microsoft categorizes threat actors into five key groups:
In our new taxonomy, a weather event or family name represents one of the above categories. Threat actors within the same weather family are given an adjective to distinguish different groups, except for groups in development, which are given four-digit numbers.
2023 trends for threat tactics, techniques, and procedures (TTPs)
Avoiding custom tools and malware
Threat actor groups emphasizing stealth have selectively avoided the use of custom malware. Instead, they use tools and processes already present on their victim’s device (living off the land), blending in with normal activity and with other threat actors using similar methods to launch attacks.[2]
Microsoft Corporate Vice President and Security Fellow John Lambert briefly comments on how threat actors avoid showy custom tools to achieve stealth. Watch the video below:
Combining cyber and influence operations (IO)
Over the summer, Microsoft observed certain nation state actors combining the methods of cyber operations and influence operations (IO) into a new hybrid we have named “cyber-enabled influence operations.” This new tactic helps actors boost, exaggerate, or compensate for shortcomings in their network access or cyberattack capabilities.[3] Cyber methods include tactics like data theft, defacement, DDoS, and ransomware in combination with influence methods like data leaks, sockpuppets, impersonating victims, social media, and SMS/email communication.
Compromising small office/home office (SOHO) network edge devices
Threat actors are assembling covert networks from SOHO network edge devices, even using programs to assist with locating vulnerable endpoints around the world. This technique complicates attribution, making attacks appear to originate from virtually anywhere.[4]
In this short video, Microsoft’s John Lambert elaborates on why threat actors find SOHO network edge devices such attractive targets. Watch the video below:
Gaining initial access through diverse means
In Ukraine and elsewhere, Microsoft Threat Intelligence researchers have observed threat actors gaining initial access to targets using a diverse toolkit. Common tactics and techniques have included the exploitation of internet-facing applications, backdoored pirated software, and spear phishing.[5]
Impersonating victims to add credibility
An increasing trend in cyber-enabled influence operations involves the impersonation of purported victim organizations, or leading figures in those organizations, to add credibility to the effects of the cyberattack or compromise.[6]
Rapid adoption of publicly disclosed POCs for initial access and persistence
Microsoft has increasingly observed certain nation state subgroups adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in internet-facing applications.[7]
The figure below illustrates two attack chains favored by a nation state subgroup Microsoft has observed. In both chains, attackers use Impacket to move laterally.
SMS messaging to contact a target audience
Microsoft observed multiple actors attempting to use bulk SMS messaging to enhance the amplification and psychological effects of their cyber-influence operations.[8]
The figure below presents two side-by-side SMS messages from threat actors posing as an Israeli sports network. The message on the left contains a link to a defaced Sport5 webpage. The message on the right warns, “If you like your life do not travel to our countries.”
Social media operations increase effective audience engagement
Covert influence operations have now begun to successfully engage with target audiences on social media to a greater extent than previously observed, representing higher levels of sophistication and cultivation of online IO assets.[9]
Below is a Black Lives Matter graphic that was initially uploaded by a nation-state group’s automated account. Seven hours later, it was re-uploaded by an account impersonating a US conservative voter.
Specialization within the ransomware economy
Ransomware operators in 2023 have trended toward specialization, choosing to focus on a small range of capabilities and services. This specialization has a splintering effect, spreading components of a ransomware attack across multiple providers in a complex underground economy. In response, Microsoft Threat Intelligence tracks providers individually, noting which traffic in initial access and which in other services.[10]
In a video segment taken from Ignite, Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo describes the current state of the ransomware service economy. Watch the video below:
Steady use of custom tooling
While some groups are actively avoiding custom malware for stealth purposes (see “Avoiding custom tools and malware” above), others have shifted away from publicly available tools and simple scripts in favor of bespoke approaches requiring more sophisticated tradecraft.[11]
Targeting Infrastructure
Though infrastructure organizations—water treatment facilities, maritime operations, transportation organizations—lack the intelligence-rich data that attracts most cyber espionage, they do offer disruption value.[12]
Microsoft’s John Lambert briefly presents the cyber espionage paradox: a target that seemingly doesn’t have data. Watch the video below:
As you can see from the details of the 11 items from 2023 we just reviewed, the threat landscape continuously evolves, and the sophistication and frequency of cyberattacks continue to rise. There is no doubt that the 300+ threat actors we track will always try something new and combine it with tried and true TTPs. That is what we love about these threat actors: as we analyze them and understand their personas, we can predict their next moves. And now with Generative AI, we can do this faster and will be better at evicting attackers earlier.
With that said, let’s move forward into 2024.
To get Threat Intelligence news and information you can digest in the drive-thru, check out The Microsoft Threat Intelligence Podcast hosted by Sherrod DeGrippo.
[1] https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
[2] https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
[3] https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
[4] https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
[5] A year of Russian hybrid warfare in Ukraine. Page 14.
[6] Iran turning to cyber-enabled influence operations for greater effect. Page 11.
[7] https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
[8] Iran turning to cyber-enabled influence operations for greater effect. Page 11.
[9] Digital threats from East Asia increase in breadth and effectiveness. Page 6.
[10] A Year in Intel: Highlights from Microsoft’s Global Stand Against APTs.
[11] Iran turning to cyber-enabled influence operations for greater effect. Page 12.
[12] A Year in Intel: Highlights from Microsoft’s Global Stand Against APTs.