The cybercrime group behind the SolarWinds hack remains focused on the global IT supply chain, says Microsoft, with 140 resellers and service providers targeted since May.
The Russian-backed hacking group responsible for the SolarWinds attack has been targeting more companies with the goal of disrupting the worldwide IT supply chain. In a blog post published Monday, Microsoft cautioned of new attacks by Nobelium, revealing that it notified 140 resellers and technology service providers targeted by the group. As part of an ongoing investigation, Microsoft said it believes as many as 14 of these organizations have been compromised since May.
SEE: Incident response policy (TechRepublic Premium)
Known for an attack last year that exploited a security flaw in network monitoring software from SolarWinds, Nobelium has lately been targeting a different segment, specifically resellers and other service providers that manage cloud services and other technologies for customers.
The group’s likely goal is to obtain direct access that resellers have to the IT systems of their customers. If successful, Nobelium would then have a way to impersonate a technology provider and attack its downstream customers.
“These attacks have been a part of a larger wave of Nobelium activities this summer,” Microsoft said. “In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
Identified as part of Russia’s SVR foreign intelligence service, Nobelium is just one of the players in the Kremlin’s efforts to gain access to organizations in the technology supply chain to conduct surveillance. The so-called cyber cold war has been heating up in recent years as nation states and groups operating on their behalf have launched attacks designed to not only spy on but destabilize rival governments. The U.S. hasn’t been shy about pointing the finger at Russia and China as two of the main perpetrators behind several key incidents.
The 2020 SolarWinds hack took advantage of a security vulnerability in the firm’s Orion networking monitor platform. By exploiting this flaw, the attackers were able to monitor internal emails at the U.S. Treasury and Commerce departments and compromise other government agencies and private sector companies around the world, all of whom used the Orion product. Initially, the culprit was publicly identified as a Russian-backed group; eventually the U.S. and other entities placed the blame specifically on Nobelium.
To carry out the latest incidents outlined by Microsoft on Monday, Nobelium employed such techniques as phishing campaigns and password spraying, a brute-force tactic through which hackers use automated tools to try to obtain the passwords of a large number of accounts in one shot. This trick relies on the inclination of people to use weak passwords or reuse their passwords across multiple sites.
“Nobelium is a truly persistent adversary,” said Jake Williams, co-founder and CTO at BreachQuest. “Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete. Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt. This is not a DIY project for most organizations and will likely require professional assistance to be successful due to the variety of tools and tradecraft used.”
In another blog post published Monday, Microsoft issued warnings to cloud service providers, organizations that rely on elevated privileges and downstream customers, all of whom could be vulnerable to attacks from Nobelium.
The company said that it discovered the group targeting privileged accounts of service providers to move laterally in cloud environments and gain access to downstream customers. Noting that Nobelium didn’t exploit a security vulnerability this time as it did in the SolarWinds hack, Microsoft said the group’s more recent tactics have included supply chain attacks, token theft, API abuse, and spear phishing.
“When cybercriminals find an attack method that works, they stick with it,” said Panorays CTO and co-founder Demi Ben-Ari. “So it’s not surprising that the Nobelium threat group, which was responsible for the massive SolarWinds supply chain attack last year, is continuing to target downstream customers through their service providers in order to inflict maximum damage.”
In its blog post, Microsoft issued several specific recommendations for cloud providers and their customers, such as enabling multi-factor authentication, checking activity logs and removing delegated administrative privileges when no longer needed. Microsoft’s recommendations are thorough but also time-consuming to implement. That type of effort poses challenges for many organizations.
“Implementation of some of the recommended mitigation measures, such as reviewing, hardening and monitoring all tenant administrator accounts, reviewing service provider permissions and reviewing auditing logs, should be table stakes for security in any larger organization,” Williams said. “However, the reality is that most organizations are resource strapped. This makes complying with these recommendations difficult for more organizations.”
But even organizations lacking in time, resources or staff can better secure and protect themselves with some core cyber hygiene practices.
“The good news is that organizations can help prevent these kinds of attacks by implementing security best practices including enabling MFA and minimizing access privileges,” Ben-Ari said. “To accomplish this rapidly and effectively, however, it’s crucial to have a robust and automated third-party security management program in place to assess supply chain partners, close cyber gaps and continuously monitor for any issues.”