Microsoft on Sunday reported that Nobelium — the same state-sponsored threat actor behind the SolarWinds attack — has been replicating the approach it used in past attacks to target organizations integral to the global supply chain.
In a blog post by Tom Burt, Microsoft’s corporate vice president of customer security and trust, Burt said these activities further underscore Russia’s continued attempts to infiltrate the supply chain. This time, Nobelium has been attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt said.
Microsoft began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. Since May, Microsoft has notified more than 140 resellers and technology service providers that have been targeted by Nobelium.
The impact of a cyberattack for the service provider community can be distinct, given the variety of stakeholders involved: vendors, providers, and end customers. This was demonstrated during the cyberattack targeting Kaseya.
While Microsoft continues to investigate, Burt said the company believes as many as 14 of these resellers and service providers have been compromised. Fortunately, Microsoft discovered the campaign during its early stages, and it has been sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.
The attacks are a part of a larger wave of Nobelium activities this summer. Burt said between July 1 and Oct. 19 this year, Microsoft informed 609 customers they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, Microsoft had notified customers about attacks from all nation-state actors 20,500 times over the past three years.
While Microsoft plans continued sharing to the supply chain, in the Microsoft Digital Defense Report, the company also highlights continued attacks from other nation-state actors and cybercriminals. Microsoft has also been working closely with government authorities in the United States and Europe.
The recent Nobelium activity demonstrates the significant risk to organizations when an advanced persistent threat group targets privileged accounts, said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. Morgan said trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes. Compromising privileged accounts that have a high-level of access lets threat actors move through the cyber kill chain with little chance of being detected.
“Given many of the organizations impacted by this activity are reportedly cloud and managed service providers, it’s realistically possible that the scope of this incident could increase,” Morgan said. “Nobelium is known for its resourcefulness in moving laterally across supply chains, additional impacted organizations may surface in the coming months.”
Oliver Tavakoli, chief technology officer at Vectra, added that it’s not surprising that the Russian foreign intelligence service continues to remain active as the mission of gathering intelligence never goes out of style. Tavakoli said these new attacks, which focus on infiltrating service providers and leveraging the trust placed on them by their customers, present new challenges as the signals left behind by each attack span multiple organizations.
“The attacks do share some of the hallmarks of the SolarWinds hack in leveraging the interconnected nature of on-premises, cloud identity, SaaS application, and public cloud footprints and hopscotching through these as necessary to achieve an end goal,” Tavakoli said.
Jake Williams, co-founder and chief technology officer at BreachQuest, added that IT service providers often have relatively poor security themselves while simultaneously having access to numerous customer networks, often in the hundreds. Williams said every penetration security professional has horror stories about security at IT service providers, adding that if he knows the organization is serviced by a particular provider and the year the contract began, he knows the domain admin password for the network.
“Nobelium is a truly persistent adversary,” Williams said. “Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete. Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt. It’s not a DIY project for most organizations and will likely require professional assistance to be successful due to the variety of tools and tradecraft used. And it’s not just a Microsoft problem. Customers must use the tools at their disposal (and often provided by Microsoft) to address these threats.”