From Russian Olympic cyberattacks to billion-dollar North Korean malware, how one tech giant monitors nation-sponsored hackers everywhere on earth.
When the Pentagon recently awarded Microsoft a $billion contract to transform and host the US military's cloud computing systems, the mountain of money came with an implicit challenge: Can Microsoft keep the Pentagon's systems secure against some of the most well-resourced, persistent, and sophisticated hackers on earth?
"They're under assault every hour of the day," says James Lewis, vice president at the Center for Strategic and International Studies.
Microsoft's latest win over cloud rival Amazon for the ultra-lucrative military contract means that one of the most important intelligence-gathering operations in the world is based in the woods outside Seattle. These kinds of national security responsibilities once sat almost exclusively in Washington, DC.
Now, in this corner of Washington state, dozens of engineers and intelligence analysts are dedicated to watching and stopping the government-sponsored hackers proliferating around the world.
Members of the so-called MSTIC (Microsoft Threat Intelligence Center) team are threat-focused: one group is responsible for Russian hackers code-named Strontium, another watches North Korean hackers code-named Zinc, and yet another tracks Iranian hackers code-named Holmium. MSTIC tracks over 70 code-named government-sponsored threat groups and many more that are unnamed.
The rain started just before I arrived on a typical fall day in Redmond, Washington. It kept coming down for my entire visit. Microsoft headquarters is as vast and labyrinthine as any government installation, with hundreds of buildings and thousands of employees. I'd come to meet the Microsoft team that tracks the world's most dangerous hackers.
New targets
Beginning in August, MSTIC spotted what's known as a password spraying campaign. Hackers took around 2,700 educated guesses at passwords for accounts associated with an American presidential campaign, government officials, journalists, and high-profile Iranians living outside Iran. Four accounts were compromised in this attack.
Analysts at MSTIC identified the compromised accounts in part by tracking infrastructure Microsoft says it knows is controlled exclusively by the Iranian hacking group Phosphorus.
"Once we understand their infrastructure - we have an IP address we know is theirs that they use for malicious purposes - we can start looking at DNS records, domains created, platform traffic," Dallman says. "When they turn around and start using that infrastructure in this kind of attack, we see it because we're already tracking that as a known indicator of that actor's behavior."
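The two signals described above, a spray pattern (one source guessing a few passwords against many different accounts) and sign-ins arriving from infrastructure already attributed to an actor, can be combined in a small detector. This is an added illustration, not Microsoft's or MSTIC's code; the sign-in log lines, IP addresses and the indicator set are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample sign-in log (not from the article): timestamp, source IP, account, result.
SIGNIN_LOG = """\
2019-08-12T09:00:01Z 203.0.113.7 alice@example.org FAIL
2019-08-12T09:00:02Z 203.0.113.7 bob@example.org FAIL
2019-08-12T09:00:03Z 203.0.113.7 carol@example.org FAIL
2019-08-12T09:00:04Z 203.0.113.7 dave@example.org FAIL
2019-08-12T09:00:05Z 203.0.113.7 erin@example.org SUCCESS
2019-08-12T09:01:00Z 198.51.100.4 alice@example.org FAIL
2019-08-12T09:01:05Z 198.51.100.4 alice@example.org FAIL
2019-08-12T09:01:09Z 198.51.100.4 alice@example.org SUCCESS
2019-08-12T09:02:00Z 192.0.2.9 frank@example.org FAIL
"""

# Hypothetical indicator set: source IPs analysts already attribute to a tracked actor.
# Placeholder values only; no real infrastructure is referenced.
KNOWN_ACTOR_IPS = {"203.0.113.7": "Phosphorus (placeholder attribution)"}


def parse_signins(text):
    """Parse the whitespace-separated log format constructed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "ok": result == "SUCCESS"})
    return events


def detect_spray(events, min_accounts=4, max_per_account=2):
    """Flag source IPs that touch many distinct accounts with few attempts each.

    A brute force against one account (198.51.100.4 above) does not match this
    shape; a spray does. Each hit is enriched with any successful sign-ins from
    that IP and with the known-infrastructure attribution, if one exists.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_ip[e["ip"]][e["account"]] += 1
    hits = {}
    for ip, accounts in per_ip.items():
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_per_account:
            hits[ip] = {
                "accounts_targeted": len(accounts),
                "compromised": sorted(e["account"] for e in events if e["ip"] == ip and e["ok"]),
                "known_actor": KNOWN_ACTOR_IPS.get(ip),
            }
    return hits
```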
After doing considerable reconnaissance work, Phosphorus tried to exploit the account recovery process by using targets' real phone numbers. MSTIC has spotted Phosphorus and other government-sponsored hackers, including Russia's Fancy Bear, repeatedly using that tactic to try to phish two-factor authentication codes for high-value targets.