The Gately Report: Black Hat Edition with Microsoft Security, More
We caught up with two of Microsoft's security leaders for reaction to last month's big outage and prevention tactics it can use going forward.
Microsoft Security has its hands full around the clock as cybercriminals target the software giant more than most companies around the world.
Less than two weeks ago, a distributed-denial-of-service (DDoS) attack caused a massive Microsoft Azure cloud services outage. This occurred less than two weeks after the global IT outage that impacted 8.5 million Windows devices due to a CrowdStrike update.
At last week’s Black Hat USA 2024, we caught up with Microsoft Security’s Ann Johnson, deputy CISO, and Sherrod DeGrippo, director of threat intelligence strategy, to find out more about its efforts to fend off threat actors and attacks.
Johnson is responsible for all external engagement and communications for the Microsoft office of the CISO. DeGrippo works in Microsoft’s Threat Intelligence Center, monitoring the threat landscape and understanding what threat actors are doing moment by moment, whether they're crime-focused actors or nation-sponsored actors.
Microsoft Security on Moonstone Sleet
Meanwhile, also during Black Hat, Greg Schloemer, threat intelligence analyst at Microsoft Security, led a session profiling the North Korean threat actor group Moonstone Sleet (formerly Storm-1789). It primarily targets defense and aerospace, education and software development companies.
We spoke with Schloemer about Moonstone Sleet.
“High level, Moonstone Sleet is an actor that prioritizes both intelligence collection and financial revenue generation, and so it's of particular interest to us because typically we sort of think of those as two opposite ends of the spectrum,” he said. “This is an actor that's using a really diverse set of tactics, everything from phishing emails to making a malicious tank game, and they're using all of these tactics to support both of those objectives.”
From Microsoft Security’s perspective, Moonstone Sleet’s goal is twofold, Schloemer said.
“It's about generating revenue that is likely ultimately supporting North Korea's weapons of mass destruction program, or it's about intelligence collection, so stealing data and information that can help support their other strategic objectives like the weapons of mass destruction program,” he said.
North Korean Threat Actors Not Sophisticated
An interesting aspect of Moonstone Sleet is that North Korean threat actors often are not especially sophisticated, Schloemer said.
“If you stack them up against a Russian or a Chinese threat actor, they often aren't rising to the same level of evasiveness and sophistication we see from those other regions, but they're effective,” he said. “They get the job done. And so we can talk about sophistication, but at the end of the day, if they're still getting what they're after, which is money or information, how much does that really matter now?”
Microsoft Security publishes information on Moonstone Sleet not only to protect its customers, but to help its partners protect their customers as well, Schloemer said.
“Ultimately, the more we can all be safe, we benefit from that,” he said. “Our partners benefit from that. No one wins when we keep that information to ourselves.”