Ukraine, Israel, South Korea top list of most-targeted countries for cyberattacks

Jason Macuray
More than 120 countries faced cyberattacks over the last year, with Ukraine, Israel, South Korea and Taiwan topping the list of the most targeted countries, according to a new report from Microsoft.

More than 120 countries faced cyberattacks over the last year, with Ukraine, Israel, South Korea and Taiwan topping the list of the most targeted countries, according to a new report from Microsoft.

The findings are part of Microsoft’s Digital Defense Report 2023 — which used troves of the company’s data to track cybersecurity trends between July 2022 and June 2023.

The report breaks down nation-state attacks from the governments of four countries: Russia, China, Iran and North Korea. Smaller sections are dedicated to hackers based in the Palestinian Territories and mercenary hackers hired by other nations.

The incidents ranged from damaging cyberattacks to ones involving espionage, information theft or the spread of mis- and disinformation.

“At times, nearly half of these attacks targeted NATO member states, and more than 40% were leveled against government or private-sector organizations involved in building and maintaining critical infrastructure,” said Microsoft’s Tom Burt.

“While headline-grabbing attacks from the past year were often focused on destruction or financial gain with ransomware, data shows the predominant motivation has swung back to a desire to steal information, covertly monitor communication, or to manipulate what people read.”

Microsoft researchers said that pivoting to espionage campaigns often allows for nation-state hackers to achieve longer-term goals.

Microsoft said Russia has continued destructive cyberattacks on Ukraine but has also refocused its efforts on expanding its espionage efforts while China has done the reverse — continuing its prolific, unmatched espionage and data theft campaigns while expanding its arsenal to include the potential for destructive attacks.

Broken down by country, the tech giant laid out how the hacking campaigns of the Russia, China, Iran and North Korea governments have evolved over the last year.


Targeted Ukrainian communities across the world with influence operations designed to turn host communities against refugees of the war, particularly in Poland and Baltic states.
Inundated Ukraine and NATO members with constant phishing campaigns. In April and May 2023, Microsoft said it observed a spike in activity against Western organizations, 46% of which were in NATO member states, particularly the United States, the United Kingdom, and Poland.
Ran campaigns involving Russian state actors posing as Western diplomats and Ukrainian officials, attempting to gain account access for insights into Western foreign policy on Ukraine, defense plans and intentions and war crimes investigations.
Continued to exploit zero-days in Microsoft products — like one that affected the Outlook email platform — to attack government organizations in Ukraine as well as the defense industrial base, transportation, and education sectors in NATO countries.
Launched destructive attacks using the Prestige ransomware against Poland in October and November. Since then, Microsoft has not seen any ransomware-style attacks from Russian state actors against governments.

Microsoft noted that the destructive attacks launched by Russia at the beginning of the invasion of Ukraine tapered off. Almost 50% of destructive Russian attacks Microsoft observed against Ukrainian networks occurred in the first six weeks of the war.


Targeted Chinese-speaking communities around the world with influence operations criticizing U.S. institutions.
Upped the ante against U.S. military targets, giving them the option for destructive actions against critical infrastructure around U.S. bases in Guam and other places in the country. Microsoft said Fortinet devices were compromised to give Chinese hackers wide access to U.S. military systems.
Stepped up its espionage attacks against countries across the South China Sea including Taiwan and large nations in Southeast Asia.
Targeted countries widely considered as partners. Microsoft witnessed attacks against China’s Belt and Road Initiative partners such as Malaysia, Indonesia, and Kazakhstan.
Maintained a group dedicated specifically to attacks on Taiwanese critical infrastructure and defense, gathering information on targets and vulnerabilities that could be leveraged during a physical conflict.


Vastly improved its cyber capabilities, demonstrating an increased ability to move laterally from intrusions of on-premises systems to cloud-based systems.
Used new custom tools that provide them with wider, longstanding access to the systems of geopolitical rivals.
Showed an increased penchant for destructive cyberattacks, like those witnessed in Albania last year.
Widened disinformation networks to counter recent protests, “foment Shi’ite unrest in Gulf Arab countries,” and “counter the normalization of Arab-Israeli ties.”
Expanded its espionage attack surface to countries across Latin America, Africa and Asia.
Coordinated more on cyber operations with Russia.
Increased exploitation of remote monitoring and management tools to retain access to compromised environments.
Targeted employees of telecommunications and government organizations in the Middle East.

North Korea

Continued to steal millions worth of cryptocurrency.
Evolved its capabilities significantly to achieve previously unseen forms of attacks, in one instance using one supply chain attack to enable another supply chain compromise. Microsoft said it was the first time it had seen any hackers do something like that.
Expanded its targets to include organizations in the maritime and shipbuilding sector. The country’s hackers also compromised defense firms in Brazil, Czechia, Finland, Italy, Norway and Poland.
Increasingly targeted allies like Russia. Microsoft saw North Korean hackers attacking Russian nuclear energy, defense industry, and government entities, “likely for intelligence collection.”

‘Collective defense’

Overall, the “scale and nature of threats outlined in the Microsoft Digital Defense Report can appear dispiriting.” Burt said. “But huge strides are being made on the technology front to defeat these attackers and at the same time, strong partnerships are being forged that transcend borders, industries, and the private-public divide.”

Burt also noted that 2024 is a big election year around the world. “Keeping elections safe and democratic institutions strong is a cornerstone of our collective defense,” he said.

The report also includes dozens of insights on the danger of vulnerabilities in operational technology (OT). Microsoft corroborated reports from the U.S. Intelligence Community warning that China and Russia are both capable of disrupting critical infrastructure services.

Microsoft researchers were also alarmed by the widespread use of firms selling spyware and digital forensics technology. They cite a Carnegie Endowment for International Peace report that identified at least 74 governments contracting with these kinds of firms.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Maintainers warn of vulnerability affecting foundational open-source tool

Next Post

UK opposition leader targeted by AI-generated fake audio smear

Related Posts

North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT as part of attacks targeting specific individuals in the Asia region in summer 2023. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL
Read More