Nobelium, the Russian nation-state actor behind the SolarWinds supply-chain attack that compromised several United States government agencies and companies including Microsoft, is now targeting the global IT supply chain, Microsoft said in a blog post.
Tom Burt, Corporate Vice President of Customer Security and Trust at Microsoft said that Nobelium has been trying to replicate the approach it used in past attacks by targeting organisations integral to the global IT supply chain. “This time it is attacking a different part of the supply chain: resellers and other technology providers that customise, deploy and manage cloud services and other technologies on behalf of their customers,” Burt said.
We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers — Tom Burt, Microsoft
Background: In 2020, Reuters first reported that SolarWinds, a major US information technology firm, had been the victim of a hack that spread to over 15,000 of its clients and went undetected for months. The hack affected cybersecurity firms such as FireEye and several US government departments, including the Department of Homeland Security and the Treasury Department, according to a Business Insider report.
Such was the fallout of the hack that in April 2021 the US government sanctioned Russia in response to the SolarWinds attack. A White House order expelled 10 Russian diplomats and imposed a new range of sanctions on Russian individuals and assets.
State-sponsored cyber-attacks are a reality today, not just in the United States but closer to home in India: India Today and the Times of India reported last year that power substations in Maharashtra and Telangana were targeted by Chinese hackers. Such attacks on critical infrastructure mark a shift in modern warfare, and they warrant a thorough overhaul of the country's cyber-defence capabilities and greater transparency in the process.
Microsoft first observed the new Nobelium campaign in May
Since it started noticing instances of Nobelium’s new campaign, Microsoft said that it has been notifying impacted partners and customers.
- Microsoft said it has notified more than 140 resellers and technology service providers that were targeted by Nobelium
- As many as 14 of these resellers and service providers are believed to have been compromised, the company added.
Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful — Tom Burt, Microsoft
What does this attack indicate?
Microsoft said that this attack is an indicator that Russia was trying to gain “long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government”.
Nobelium used well-known techniques to steal credentials: Microsoft said the campaign did not exploit any flaw or vulnerability in software; instead it relied on password spraying and phishing to steal legitimate credentials and gain privileged access. In a password spray the attacker tries one or a few common passwords against many accounts rather than many passwords against one, which keeps each account below lockout thresholds and makes the activity easy to miss in per-account monitoring.
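Because a spray stays under per-account lockout limits, it has to be detected by pivoting on the source rather than the account. The following is an added example, not code from the article or from Microsoft: a small detector run over a constructed, simplified sign-in log (one line per attempt, in the form `<ISO-8601 UTC> <user> <source IP> <OK|FAIL>`). The line format, the IP addresses, the user names and the thresholds (10 distinct accounts, at most 2 failures each, within 30 minutes) are all assumptions chosen for illustration; a brute-force detector is included alongside for contrast, since the two look different in the same data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (illustrative, not real telemetry). Format per line:
#   "<ISO-8601 UTC> <user> <source IP> <OK|FAIL>"
SPRAY_IP = "203.0.113.7"    # one source, one guess per account (spray)
BRUTE_IP = "198.51.100.9"   # one source, many guesses at one account (brute force)
USERS = [f"user{i:02d}@corp.example" for i in range(1, 13)]

SAMPLE_LOG = (
    # spray: 12 distinct accounts, a single failure each, spread over 22 minutes
    [f"2021-05-03T09:{i * 2:02d}:00Z {u} {SPRAY_IP} FAIL" for i, u in enumerate(USERS)]
    # brute force: 8 failures against one account within 4 minutes
    + [f"2021-05-03T09:{30 + i // 2:02d}:{(i % 2) * 30:02d}Z user01@corp.example {BRUTE_IP} FAIL"
       for i in range(8)]
    # benign: one typo, then success, from the user's usual address
    + ["2021-05-03T09:40:00Z user05@corp.example 192.0.2.5 FAIL",
       "2021-05-03T09:40:20Z user05@corp.example 192.0.2.5 OK"]
)


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one line of the constructed log format into a SignIn record."""
    ts, user, ip, result = line.split()
    return SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result == "OK")


def _failures_by_source(events):
    """Group failed attempts by source IP, each group sorted by time."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_ip[e.src_ip].append(e)
    return by_ip


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=10, max_per_account=2):
    """Sources that, inside some `window`, failed against >= min_accounts distinct
    accounts while never exceeding max_per_account failures on any one of them.
    Returns {src_ip: sorted list of accounts targeted in qualifying windows}."""
    findings = {}
    for ip, fails in _failures_by_source(events).items():
        hit, start = set(), 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:   # slide window start
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f.user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hit.update(per_user)
        if hit:
            findings[ip] = sorted(hit)
    return findings


def detect_brute_force(events, window=timedelta(minutes=30), min_failures=5):
    """Sources with >= min_failures failed attempts on a single account inside `window`.
    Returns {src_ip: {account: total failures from that source}}."""
    findings = defaultdict(dict)
    for ip, fails in _failures_by_source(events).items():
        stamps_by_user = defaultdict(list)
        for f in fails:
            stamps_by_user[f.user].append(f.ts)
        for user, stamps in stamps_by_user.items():
            start = 0
            for end in range(len(stamps)):
                while stamps[end] - stamps[start] > window:
                    start += 1
                if end - start + 1 >= min_failures:
                    findings[ip][user] = len(stamps)
                    break
    return dict(findings)


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LOG]
    print("password spray:", detect_password_spray(events))
    print("brute force:   ", detect_brute_force(events))
```

On the sample data the spray source is flagged with all 12 accounts while the brute-force source is not (one account, so `min_accounts` is never met), and the brute-force detector reports the reverse. In a real tenant the same pivot is done on sign-in logs with the source field being IP, ASN or user-agent, and the thresholds tuned to the tenant's size; the control the article goes on to describe, mandatory MFA, is what stops a sprayed password from turning into access.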
What has Microsoft, a Nobelium victim, done to protect itself from the actor?
In September 2020, we updated contracts with our resellers to expand Microsoft’s abilities and rights to address reseller security incidents and to require that resellers implement specific security protections for their environments, such as restricting Partner Portal access and requiring that resellers enable multi-factor authentication (MFA) in accessing our cloud portals and underlying services[…] — Tom Burt, Microsoft
Apart from that, Microsoft said it was —
- Piloting new features for organisations that want to provide privileged access to resellers
- Piloting new monitoring features so that customers can manage and audit delegated accounts
- Auditing unused privileged accounts and working with partners to remove unnecessary privilege and access
Nobelium also stole data on US sanctions policy
Months after the US announced that it would sanction Russia in response to the SolarWinds attack, Reuters reported that Nobelium had hacked into US government systems and obtained information on counter-intelligence investigations, policy on sanctioning Russian individuals, and other matters.
Quoting an anonymous source, the Reuters report said, “the exposure of counter-intelligence matters being pursued against Russia was the worst of the losses.”
This was also echoed in an annual threat review paper released by Microsoft in October 2021, which said that Russian spies were allegedly looking for US government material on sanctions and other Russia-related policies, along with methods deployed by the US to catch Russian hackers.