5 things you need to know about tracking today’s nation-state threats

Breaking down the key concepts and tactics behind the Microsoft Threat Analysis Center’s (MTAC) work to detect cyber influence operations worldwide.

Illustration of government buildings and digital data graphics.

Nation-state influence operations are an increasingly dangerous aspect of the geopolitical landscape. Today, amid ongoing conflicts in Eastern Europe, South Asia, and the Middle East, threat analysts play a crucial role in helping governments protect their infrastructure and, ultimately, their people. Analysts for the Microsoft Threat Analysis Center (MTAC) detect and track nation-state threats, not just to Microsoft and its customers, but to governments worldwide. How do they do it? Here are five key things to understand.

1. We follow actors, but not the red-carpet kind.

For MTAC, the word “actor” does not refer to an individual. It’s a term used to characterize a collection of threats that indicate a coordinated network, which ultimately points to a cyber influence operation. MTAC analysts identify an actor when they see a set of activities that use the same techniques and the same infrastructure—which could be social media accounts, websites, or blogs—to put out a consistent message to a specific target audience.

2. We analyze impact, not output.

People often think about cyber influence threats in terms of fake accounts and manipulative pieces of content. MTAC analysts are less concerned with individual outputs than they are with finding the most impactful activity, which is defined by three things:

  • Scale is the reach of the content: the number of clicks; how many people see it. Scale is important, but only if there are stakes involved.
  • Stakes are there when a politically sensitive topic is released at a politically sensitive time and, crucially, fed to a target audience that’s reliant on that information.
  • Stickiness is about how long content persists in the world. How often does it jump from platform to platform? How often does it get reworked and reshared?

By this definition of impact, MTAC estimates that only about 5% of actors are responsible for 95% of the impact.

3. We look for the known knowns.

The best way to identify a new threat is to pay attention to what you already know. It’s the exception rather than the rule for MTAC analysts to encounter an actor they haven’t seen before. After all, these are people trying to get a job done. If they’re successful, they stick with what works. Analysts often see a threat and have a very good idea of who might be behind it, because the actor has a distinct set of tactics that they repeat again and again. During the 2024 US election, MTAC analysts were able to look at a piece of content and, based on the known knowns, be quite sure who was responsible in a matter of minutes.

4. We speak their language.

MTAC analysts come from diverse backgrounds—academia, journalism, think tanks, government. But the one thing they all have in common is that they speak at least one language other than English. That’s crucial: To find an adversary, analysts need to work in their language, and understand context and nuance. The MTAC team collectively speaks at least 16 languages, covering most of Europe, all of Latin America, a good portion of Africa, the Asia-Pacific, and nearly the entire Middle East.

5. We watch for outsourcing.

Many nation-state actors are actually private-sector businesses. Running an influence operation requires skills that governments don’t have, like audience analysis and online marketing. Many of the most persistent actors MTAC tracks are private companies working on behalf of governments, and they’re often better at the job than past actors who have been “in house.”