Government agencies targeted by cyber espionage from Russia, Iran and China

The US and UK continue to experience increasing cyber espionage cases from both Russian and Iranian state-sponsored hackers.
18 October 2021

(Photo by Saul LOEB / AFP FILES / AFP)

  • Over half of all cyberattacks from nation-states have come from Russia
  • The US is the most targeted country, receiving more than triple the ransomware attacks compared to other countries
  • A hacker group with alleged ties to the Iranian government has been trying to steal information from aerospace and telecommunication companies in the Middle East, US, Europe, and Russia

Cyber espionage attacks are an ongoing concern for governments and businesses all around the world. While organizations might face cyber espionage from competitors hoping to steal information or destabilize their operations, attacks on governments are of greater concern.

One of the biggest cyber-espionage cases in recent times was the massive supply chain attack on SolarWinds. According to CNN reports, Russian hackers who were behind the 2020 breach of US federal agencies continue to try and infiltrate US and European government networks.

Hence, it is not surprising that Microsoft’s Digital Defense Report stated that over half (58%) of all cyberattacks from nation-states have come from Russia. In fact, Microsoft reported that attacks from Russian nation-state actors are increasingly effective, jumping from a 21% successful compromise rate in 2020 to a 32% rate this year.

Government agencies continue to be the main targets in cyber espionage, for information gathering. The top three countries targeted by Russian nation-state actors were the United States, Ukraine, and the UK. Apart from Russia, the largest volume of attacks Microsoft observed came from North Korea, Iran, and China — with South Korea, Turkey, and Vietnam also active but representing much less volume.

Forget the money, cyber espionage is all about gathering information

For Microsoft Corporate Vice President for Customer Security and Trust Tom Burt, cybercrime — especially ransomware — remains a serious and growing plague, as evidenced in this year’s report. But while nation-state actors mostly target victims with useful data, cybercriminals target victims with money.

“Cybercrime attacks on critical infrastructures – such as the ransomware attack on Colonial Pipeline – often steal the headlines. However, the top five industries targeted in the past year based on ransomware engagements by our Detection and Response Team (DART) are consumer retail (13%), financial services (12%), manufacturing (12%), government (11%) and healthcare (9%).

The United States is by far the most targeted country, receiving more than triple the ransomware attacks of the next most targeted nation. The U.S. is followed by China, Japan, Germany, and the United Arab Emirates,” Burt wrote in a blogpost.
Interestingly, Burt pointed out that while China is not unique in its goal of information collection, it has been notable that several Chinese actors have used a range of previously unidentified vulnerabilities. China is also using its intelligence-gathering resources for a variety of purposes.

Burt highlighted the Chinese actor CHROMIUM, which has been targeting entities in India, Malaysia, Mongolia, Pakistan, and Thailand to glean social, economic, and political intelligence about its neighboring countries. Another Chinese actor, NICKEL, has targeted government foreign ministries in Central and South America and Europe.

“As China’s influence shifts with the country’s Belt and Road Initiative, we expect these actors will continue to use cyber intelligence gathering for insight into investments, negotiations, and influence. Finally, Chinese actors are remarkably persistent; even after we disclosed China’s attempts to conduct intelligence collection against individuals involved in the 2020 election, its actor ZIRCONIUM continued its activity during Election Day,” explained Burt.

He added that Microsoft has notified customers 20,500 times about attempts by cyber-espionage attackers to breach their systems in the past three years.

The rise of new state-sponsored hackers

Around the same time, Bloomberg reported that a newly discovered hacking group with alleged ties to the Iranian government has been trying to steal information from aerospace and telecommunication companies in the Middle East, US, Europe, and Russia.

In a report by Cybereason Inc, the hacking group MalKamak camouflaged its activities by using the file storage service Dropbox to orchestrate its operations. The use of Dropbox concealed the hackers’ activity because it made the upload and download traffic from compromised computers look like legitimate cloud-storage use.

The campaign, dubbed ‘Operation GhostShell’, aimed to steal sensitive information about critical assets, organizations’ infrastructure, and technology. During the investigation, Cybereason’s Nocturnus Team uncovered a previously undocumented and stealthy Remote Access Trojan (RAT) dubbed ShellClient, which was employed as the primary espionage tool.

The Nocturnus Team found evidence that the ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.
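Traffic to a legitimate cloud service blends in, but a defender can still hunt for it: the example below, written for this article and not Cybereason’s tooling, scans constructed proxy log lines for unsanctioned processes that contact Dropbox API hosts on a near-regular schedule, the kind of beaconing a scheduled implant produces. The log format, host names such as WS-017, process names and the allowed-process list are assumptions.

```python
"""Hunt for beacon-style Dropbox API traffic in constructed proxy log lines."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO time> <host> <process> <dest> <method> <bytes>"
SAMPLE_LOG = """\
2021-10-01T09:00:00 WS-042 Dropbox.exe content.dropboxapi.com POST 4120
2021-10-01T09:00:03 WS-042 Dropbox.exe content.dropboxapi.com POST 820
2021-10-01T09:00:10 WS-042 chrome.exe content.dropboxapi.com GET 512
2021-10-01T09:00:00 WS-017 svchost.exe api.dropboxapi.com POST 310
2021-10-01T09:05:00 WS-017 svchost.exe api.dropboxapi.com POST 311
2021-10-01T09:10:01 WS-017 svchost.exe api.dropboxapi.com POST 309
2021-10-01T09:15:00 WS-017 svchost.exe api.dropboxapi.com POST 312
2021-10-01T09:20:00 WS-017 svchost.exe content.dropboxapi.com POST 98304
"""

DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: the sanctioned sync client's process name; tune for your environment.
ALLOWED_PROCESSES = {"dropbox.exe"}

def parse_log(text):
    """Split each line into (timestamp, host, process, dest, method, bytes)."""
    rows = []
    for line in text.splitlines():
        ts, host, proc, dest, method, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), host, proc.lower(), dest, method, int(nbytes)))
    return rows

def find_beacons(rows, min_events=4, max_jitter=0.2):
    """Return (host, process, mean_interval_s, bytes_uploaded) for processes
    outside the allow-list that talk to Dropbox on a near-regular schedule."""
    by_pair = defaultdict(list)
    for ts, host, proc, dest, method, nbytes in rows:
        if dest in DROPBOX_HOSTS and proc not in ALLOWED_PROCESSES:
            by_pair[(host, proc)].append((ts, nbytes if method == "POST" else 0))
    findings = []
    for (host, proc), events in by_pair.items():
        events.sort()
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation: scripted beacons have low jitter, humans do not.
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
            findings.append((host, proc, round(mean_gap), sum(b for _, b in events)))
    return findings

if __name__ == "__main__":
    for host, proc, gap, up in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host}: {proc} contacts Dropbox every ~{gap}s, {up} bytes uploaded")
```

In the sample, the sanctioned client on WS-042 is ignored while svchost.exe on WS-017 is flagged for a five-minute cadence followed by a large upload; in a real environment the upload size and the process name would be the pivots for the investigation.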

With cyber espionage on the rise, governments and agencies are doing what they can to deal with these attacks. However, unlike ransomware cases, state-sponsored cyber espionage may not be that easy to tackle. The US may have had several conversations with Russia, such as the Biden-Putin Summit on dealing with ransomware, but is nowhere close to dealing with espionage cases.

The reality is that cyber espionage will not end anytime soon. With the costs of cyberattacks only increasing, all that countries and businesses can do is be fully prepared to deal with such events in the future.