SolarWinds Attackers Targeting Resellers, Service Providers: Microsoft

The Russian-based cybercrime group responsible for the high-profile attack on software maker SolarWinds last year is continuing to take aim at the global supply chain, according to a warning issued by Microsoft this week.

In a blog post, Tom Burt, corporate vice president of customer security and trust at Microsoft, wrote that the hacker group Nobelium is looking to use the same pathways that it leveraged in its attack on SolarWinds and its customers by compromising a set of companies to gain access to their customers. This time the targets are other parts of the global supply chain, namely resellers and other tech service providers.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt wrote.

Russia Seeking Access to Tech Assets

Microsoft first detected the latest campaign in May, and has since notified more than 140 resellers and tech service providers that Nobelium has targeted. At least 14 of these companies have been compromised. Microsoft was able to discover the campaign early and has been giving these targets and their customers information in hopes that the hacker group’s success can be muted.

Those attacks are part of a larger effort by Nobelium that started in the summer, with Microsoft informing 609 customers between July 1 and Oct. 19 that they had been attacked a total of 22,868 times. The cybercrime gang, which is affiliated with the SVR – Russia’s foreign intelligence agency – had a success rate in the low single digits.

As a comparison, before July 1, Microsoft had notified customers about attacks from all nation-state actors 20,500 times over the past three years, illustrating the size of Nobelium’s activities. Microsoft has outlined efforts by other nation-states and cybercriminals in its Digital Defense Report.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Burt wrote.

See also: Best Third-Party Risk Management (TPRM) Tools of 2021

Old Attack Techniques Resurface

Nobelium is taking a different approach with the latest attacks, he wrote. With SolarWinds, the group was able to insert malicious code into the company’s Orion software updates. Customers that used the updates became vulnerable to attack from the Sunburst malware. While 18,000 customers downloaded the affected version of SolarWinds software, the actual number of customers who were hacked through Sunburst were under 100. The victims included several government agencies in the United States and UK. Cybersecurity vendor FireEye (now called Mandiant) and Microsoft both disclosed the attacks.

Now the cybercriminals are returning to tried-and-true methods like password spraying – using one password against many different accounts – and phishing in hopes of stealing legitimate credentials and gaining privileged access to systems.

“IT supply chain companies must act now to avoid becoming the next SolarWinds,” Danny Lopez, CEO of cybersecurity firm Glasswall, told eSecurity Planet. “With Nobelium surveying global organizations for weak points, shoring up security infrastructure is absolutely critical.”

Lopez noted Nobelium’s return to traditional methods such as phishing, API abuse and token theft, adding that “if successful, lateral movement across the compromised organization’s network would be the next stage, allowing for data theft, reconnaissance, compromise of customer systems and more.”

See also: Top Microsegmentation Tools for 2021

Supply Chain Attacks Won’t Stop

Oliver Tavakoli, CTO at cybersecurity vendor Vectra, said the Russian SVR’s mission to gather intelligence never ends, making Nobelium’s return to the scene unsurprising.

“These new attacks, which focus on infiltrating service providers and leveraging the trust that is placed on them by their customers, present new challenges as the signals left behind by each attack span multiple organizations,” Tavakloli told eSecurity Planet. “The attacks do share some of the hallmarks of the SolarWinds hack in leveraging the interconnected nature of on-premises, cloud identity, SaaS [software-as-a-service] application and public cloud footprints, and hopscotching through these as necessary to achieve an end goal.”

The scope of Nobelium’s recent campaign could increase, given that many of the initial targets are managed service providers (MSPs) and cloud providers, according to Chris Morgan, senior cyberthreat intelligence analyst at digital risk protection solutions maker Digital Shadows.

“The recent Nobelium activity demonstrates the significant risk to organizations when an APT [advanced persistent threat] group targets privileged accounts,” Morgan told eSecurity Planet. “Trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes. Compromising privileged accounts that have a high-level of access enables threat actors to move through the cyber kill chain with little chance of being detected.”

Burt wrote that Microsoft has been working with other players in the security community to get more information about Nobelium and its activities and to better understand how to protect against them. The company also has been coordinating with government agencies in both the United States and Europe.

“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like [the Biden Administration’s executive order in May to improve the nation’s cybersecurity defenses] in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” he wrote.

Microsoft’s Threat Intelligence Center released technical guidance to help organizations protect against Nobelium’s latest activities as well as guidance for partners.

Zero Trust is Important

Glasswall’s Lopez said that recent attacks – including those of Nobelium – “reveal that the traditional castle-and-moat approach to network security leaves organizations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers, it is crucial to strengthen all processes relating to access verification.”

Companies must adopt more robust processes for onboarding and offboarding employees and affiliates that may have access to key information systems, he said. They need to control privileged access and to monitor those with administrator privilege. Companies also should institute multi-factor authentication, which he called a “vital defense where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach.”

Jake Williams, co-founder CTO at cybersecurity firm BreachQuest, told eSecurity Planet that companies need to take the necessary steps to protect themselves.

“This isn’t a Microsoft problem,” Williams said. “Customers must use the tools at their disposal – and often provided by Microsoft – to address these threats.”

That includes implementing such measures as reviewing and monitoring all tenant administrator accounts, service provider permissions and auditing logs “should be table stakes for security in any larger organization,” he said. “However, the reality is that most organizations are resource-strapped. This makes complying with these recommendations difficult for more organizations.”

Jeff Burt
Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.

Top Products

Related articles