Nobelium hackers now attack a different part of the supply chain, Microsoft says


Microsoft revealed on Sunday that Russian nation-state hacker Nobelium is attacking a different part of the supply chain, including resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. The recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establishes a mechanism for surveilling – now or in the future – targets of interest to the Russian government.

“These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” ​​Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a company blog post. “By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” he added.

The U.S. administration has directly dealt with cybersecurity attacks coming from within Russia. U.S. President Joe Biden and Russian President Vladimir Putin discussed cybersecurity at their summit in Geneva, Switzerland in June, while the U.S. government has put international pressure on Russia to take action against both government-linked hackers and cyber criminals within its borders. But all those measures seem to have gone down the tubes in the light of Microsoft’s announcement that the same Russian hacking group behind last year’s SolarWinds hack has struck once again and continues to target organizations.

The attacks that the Redmond, Washington-based company observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software, but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access. “We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach,” according to the post.
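Password spray, named above as one of the credential-theft techniques in this campaign, shows up in sign-in telemetry as the inverse of brute force: many accounts, one or two attempts each, from a single source in a short window. The following is an added example, not code from Microsoft or the article; the log format, the constructed events and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article): timestamp, user, source IP, result.
SAMPLE_EVENTS = """\
2021-09-14T08:00:01Z alice@example.com 203.0.113.7 FAILURE
2021-09-14T08:00:09Z bob@example.com 203.0.113.7 FAILURE
2021-09-14T08:00:17Z carol@example.com 203.0.113.7 FAILURE
2021-09-14T08:00:25Z dave@example.com 203.0.113.7 FAILURE
2021-09-14T08:00:33Z erin@example.com 203.0.113.7 FAILURE
2021-09-14T08:00:41Z frank@example.com 203.0.113.7 SUCCESS
2021-09-14T08:05:00Z alice@example.com 198.51.100.4 FAILURE
2021-09-14T08:05:30Z alice@example.com 198.51.100.4 FAILURE
2021-09-14T08:06:00Z alice@example.com 198.51.100.4 SUCCESS
"""

def parse_events(text):
    """Parse the assumed whitespace-separated format into (time, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against at least `min_accounts` distinct accounts
    inside `window`. A spray is many users x few attempts, so the signal is the
    count of distinct failed accounts per source, not failures per account.
    Returns {ip: {"accounts": n, "successes": [users]}}."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, rows in by_ip.items():
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            failed_users = {u for _, u, res in in_window if res == "FAILURE"}
            if len(failed_users) >= min_accounts:
                # Successes from the same source inside the window are the accounts to review first.
                hits = sorted({u for _, u, res in in_window if res == "SUCCESS"})
                findings[ip] = {"accounts": len(failed_users), "successes": hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_password_spray(parse_events(SAMPLE_EVENTS)))
```

The second source (198.51.100.4) repeatedly fails on one account and is not flagged, which is the distinction the threshold on distinct accounts is meant to make.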

Burt also wrote that Microsoft believes that “Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”

Microsoft began observing the latest campaign in May this year and has been notifying impacted partners and customers, while also developing new technical assistance and guidance for the reseller community. “We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” Burt added.

Major cybersecurity events, like the SolarWinds attacks by Nobelium, on-premises Exchange Server attacks by Hafnium, and attacks by multiple other hackers have focused collective attention on securing supply chains, according to the Microsoft Digital Defense Report, published earlier this month.

In the same report, Microsoft pointed out that Russian-based activity groups have over the past year solidified their position as acute threats to the global digital ecosystem by demonstrating adaptability, persistence, a willingness to exploit trusted technical relationships, a facility with anonymization and open-source tools that make them increasingly difficult to detect and attribute. These attackers have also shown a high tolerance for collateral damage, which leaves anyone with connections to targets of interest vulnerable to opportunistic targeting, the report added.

“Nation-state actors and many cybercrime operations have focused efforts on exposing security vulnerabilities among their suppliers or discovering unpatched systems that organizations relied on for continuity of business during this unusual year. These recent events have demonstrated the increasing importance in maintaining current security updates in all deployed systems as the most effective way to protect against rapidly evolving threats,” according to the report.

Microsoft has also been coordinating with others in the security community to improve its knowledge of, and protections against, Nobelium’s activity, and working closely with government agencies in the U.S. and Europe. “While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Burt wrote in the blog post.

Earlier this month, U.S. President Joe Biden said that he is “committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security.”

Commenting on the Nobelium attacks, Demi Ben-Ari, CTO and co-founder of Panorays, wrote in an emailed statement that when cybercriminals find an attack method that works, they stick with it.

“So it’s not surprising that the Nobelium threat group, which was responsible for the massive SolarWinds supply chain attack last year, is continuing to target downstream customers through their service providers in order to inflict maximum damage. Rather than exploiting vulnerabilities or security flaws, the group is now using methods such as credential stuffing, phishing and API abuse to gain access to systems,” he added.

Those who thought SolarWinds was a once-in-a-lifetime attack didn’t see the writing on the wall, Amit Yoran, chairman and CEO, Tenable, wrote in an emailed statement. “The cybercriminals behind the infamous breach are unsurprisingly at it again. This time, they’re targeting Microsoft cloud services resellers through an unsophisticated yet wide-scale attack. Once again, we’re not seeing super sophisticated, never-before-seen techniques behind a major cyberattack. It’s the basics that are still tripping organisations up,” he added.

The Nobelium attacks speak “directly to the gaping supply chain security issues that SolarWinds brought to attention — break just one chain link and you can bring down the entire fence,” Yoran added.

Microsoft also released on Sunday technical guidance to help organizations protect themselves against the latest Nobelium activity it has observed as the attacker has honed its techniques, along with separate guidance for partners.

“These are just the immediate steps that we’ve taken and, in the coming months, we will be engaging closely with all of our technology partners to further improve security. We will make it easier for service providers of all sizes to access our most advanced services for managing secure log-in, identity and access management solutions for free or at a low cost,” the post added.
