Never mind Russia: Turkey and Vietnam are Microsoft's new state-backed hacker threats du jour

It isn't just the big dogs preparing to bite, warns Redmond


Iran, Turkey and both North and South Korea are bases for nation-state cyber attacks, Microsoft has claimed – as well as old favourite Russia.

While more than half of cyberattacks spotted by Redmond came from Russia, of more interest to the wider world is information from the US megacorp's annual Digital Defence Report about lesser-known nation state cyber-attackers.

"After Russia, the largest volume of attacks we observed came from North Korea, Iran and China; South Korea, Turkey (a new entrant to our reporting) and Vietnam were also active but represent much less volume," said MS in a post announcing its findings.

While the usual suspects of Russia, China and North Korea are highlighted in the report, Vietnam's APT32 was highlighted by Microsoft's infosec people for targeting "human rights and civil organisations."

The Vietnam-linked group has a track record of not only spying on these but also "foreign corporations with a vested interest in Vietnam's manufacturing, consumer products, and hospitality sectors", according to Thailand's CERT.

"In the last year, espionage, and more specifically, intelligence collection, has been a far more common goal than destructive attacks," said Microsoft in its report, focusing on state threats to cyber security in general rather than Vietnam specifically. "While nations other than Iran mostly refrained from destructive attacks, they did continue to compromise victims that would be prime candidates for destructive attacks if tensions increased to the point where governments made strategic decisions to escalate cyber warfare."

Alongside Vietnam as a newer entrant to the ranks of state-backed threats was Turkey, singled out for hacking Middle Eastern and Balkans telcos. Threat group UNC1326 (aka SeaTurtle) was previously reported on in depth by Cisco Talos in 2019, which pointed out that SeaTurtle was targeting "national security organisations in the Middle East and North Africa" that wanted to gain "persistent access to sensitive networks and systems."

Microsoft said SeaTurtle was "most heavily focused on countries of strategic interest to Turkey including Armenia, Cyprus, Greece, Iraq, and Syria," scanning for exploitable remote code vulnerabilities in its targets' networks.

Aside from the state-backed threats, the Microsoft report noted that ransomware criminals were most likely to target retail, financial services, government and healthcare orgs, with the US being their number one target nation. The next unluckiest countries as far as ransomware was concerned were China, Japan, Germany and the United Arab Emirates.

"Fewer than 20 per cent of our customers are using strong authentication features like multifactor authentication," groaned Redmond in its closing remarks, noting that offering MFA "for free" wasn't spurring companies and other organisations into enabling it.

If they did, Microsoft thinks its security customers would "be protected from over 99 per cent of the attacks we see today." Something worth thinking about next time your users are moaning about password policies. ®


Other stories you might like

  • Ransomware encrypts files, demands three good deeds to restore data
    Shut up and take ... poor kids to KFC?

    In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.

    The so-called GoodWill ransomware group, first identified by CloudSEK's threat intel team, doesn't appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.

    "As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," according to a CloudSEK analysis of the gang. 

    Continue reading
  • Microsoft Azure to spin up AMD MI200 GPU clusters for 'large scale' AI training
    Windows giant carries a PyTorch for chip designer and its rival Nvidia

    Microsoft Build Microsoft Azure on Thursday revealed it will use AMD's top-tier MI200 Instinct GPUs to perform “large-scale” AI training in the cloud.

    “Azure will be the first public cloud to deploy clusters of AMD's flagship MI200 GPUs for large-scale AI training,” Microsoft CTO Kevin Scott said during the company’s Build conference this week. “We've already started testing these clusters using some of our own AI workloads with great performance.”

    AMD launched its MI200-series GPUs at its Accelerated Datacenter event last fall. The GPUs are based on AMD’s CDNA2 architecture and pack 58 billion transistors and up to 128GB of high-bandwidth memory into a dual-die package.

    Continue reading
  • New York City rips out last city-owned public payphones
    Y'know, those large cellphones fixed in place that you share with everyone and have to put coins in. Y'know, those metal disks representing...

    New York City this week ripped out its last municipally-owned payphones from Times Square to make room for Wi-Fi kiosks from city infrastructure project LinkNYC.

    "NYC's last free-standing payphones were removed today; they'll be replaced with a Link, boosting accessibility and connectivity across the city," LinkNYC said via Twitter.

    Manhattan Borough President Mark Levine said, "Truly the end of an era but also, hopefully, the start of a new one with more equity in technology access!"

    Continue reading
  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading

Biting the hand that feeds IT © 1998–2022