Skip to main content
Microsoft Security
picture of a group of people in a meeting discussing some graphs
ISSUE 1 - Cyber Signals

Threat Briefing

Nation-state actors redouble efforts to simply grab identity building blocks

February 9, 2022

Cyberattacks by nation-state actors are on the rise. Despite their vast resources, these adversaries often rely on simple tactics to steal easily guessed passwords. By so doing, they can gain fast and easy access to customer accounts. In the case of enterprise attacks, penetrating an organization’s network allows nation-state actors to gain a foothold they can use to move either vertically, across similar users and resources, or horizontally, gaining access to more valuable credentials and resources.

Spear-phishing, social engineering attacks, and large-scale password sprays are basic nation-state actor tactics used to steal or guess passwords. Microsoft gains insight into attackers’ tradecraft and successes by observing what tactics and techniques they invest in and find success with. If user credentials are poorly managed or left vulnerable without crucial safeguards like multi-factor authentication (MFA) and passwordless features, nation-states will keep using the same simple tactics.

The need to enforce MFA adoption or go passwordless cannot be overstated, because the simplicity and low cost of identity-focused attacks make them convenient and effective for actors. While MFA is not the only identity and access management tool organizations should use, it can provide a powerful deterrent to attacks.

Abusing credentials is a fixture of NOBELIUM, a nation-state adversary linked to Russia. However, other adversaries, such as Iran-linked DEV 0343 rely on password sprays too. Activity from DEV-0343 has been observed across defense companies producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.

Iran: Most targeted countries (July 2020-June 2021)

Graphic representing the most targeted countries from July 2020 to June 2021 by Iran


Organization should:

Enable multi-factor authentication: By so doing, they mitigate the risk of passwords falling into the wrong hands. Even better, eliminate passwords altogether by using passwordless MFA.

Audit account privileges: Privileged-access accounts, if hijacked, become a powerful weapon attackers can use to gain greater access to networks and resources. Security teams should audit access privileges frequently, using the principle of least-privilege granted to enable employees to get jobs done.

Review, harden, and monitor all tenant administrator accounts: Security teams should thoroughly review all tenant administrator users or accounts tied to delegated administrative privileges to verify the authenticity of users and activities. They should then disable or remove any unused delegated administrative privileges.

Establish and enforce a security baseline to reduce risk: Nation-states play the long game and have the funding, will, and scale to develop new attack strategies and techniques. Every network-hardening initiative delayed due to bandwidth or bureaucracy works in their favor. Security teams should prioritize implementing zero-trust practices like MFA and passwordless upgrades. They can begin with privileged accounts to gain protection quickly, then expand in incremental and continuous phases.

Download Cyber Signals

left arrow

Security Snapshot

Defending Attacks

right arrow