The same Russia-backed hackers that were behind the 2020 SolarWinds breach are still attacking the global technology supply chain and have been continuously targeting cloud service businesses and others since the summer, according to Microsoft.
The group, which Microsoft tracks as Nobelium, has devised a new technique to capitalize on cloud service resellers' direct access to their clients' IT systems, with the goal of "more simply impersonating an organization's trusted technology partner to get access to its downstream customers." Resellers sit between the big cloud providers and the end customers, administering and customizing accounts on the customers' behalf; that delegated access travels with a reseller's credentials, so an attacker who compromises one reseller does not have to breach each downstream customer separately.
"We are disclosing these findings to enable cloud service resellers, technology providers, and their clients to take prompt actions to ensure Nobelium does not become more successful," said Tom Burt, a Microsoft vice president, in a blog post.
Microsoft’s statement was downplayed by the Biden administration. “The activities described were unsophisticated password spray and phishing, run-of-the-mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments,” a US government official briefed on the matter said, insisting on anonymity to discuss the government’s response.
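Because the official's description above turns on password spraying, the following is an added detection example, not code from Microsoft, Mandiant or the article, that flags the spray pattern in constructed sign-in events: one source failing against many distinct accounts with only one or two attempts each, which stays under per-account lockout thresholds and is only visible when failures are aggregated by source. The log format, field names, thresholds and function names are all assumptions for the example.

```python
"""
Added example (not from Microsoft's report or the article): a minimal
password-spray detector run over constructed sign-in events.

A spray tries one or two common passwords against MANY accounts, so each
account sees too few failures to trip a lockout. Aggregating failures per
source address across accounts is what exposes it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed format):
#   <ISO timestamp> <source IP> <account> <FAILURE|SUCCESS>
# 203.0.113.7 sprays six accounts once each and gets into frank's.
# 198.51.100.9 brute-forces a single account (not a spray).
# 192.0.2.44 is ordinary benign activity.
SAMPLE_LOG = """\
2021-10-25T08:00:01Z 203.0.113.7 alice@example.com FAILURE
2021-10-25T08:00:03Z 203.0.113.7 bob@example.com FAILURE
2021-10-25T08:00:05Z 203.0.113.7 carol@example.com FAILURE
2021-10-25T08:00:08Z 203.0.113.7 dave@example.com FAILURE
2021-10-25T08:00:10Z 203.0.113.7 erin@example.com FAILURE
2021-10-25T08:00:12Z 203.0.113.7 frank@example.com SUCCESS
2021-10-25T08:01:00Z 198.51.100.9 alice@example.com FAILURE
2021-10-25T08:01:05Z 198.51.100.9 alice@example.com FAILURE
2021-10-25T08:01:10Z 198.51.100.9 alice@example.com SUCCESS
2021-10-25T08:02:00Z 192.0.2.44 grace@example.com SUCCESS
"""


def parse_events(text):
    """Parse the assumed space-separated format into (time, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=60),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs that, inside any `window`, failed against at least
    `min_accounts` distinct accounts while hitting each of them no more than
    `max_per_account` times (the low-per-account, wide-across-accounts shape).

    Returns {ip: {"sprayed": [accounts], "succeeded": [accounts]}}, where
    "succeeded" lists every account that signed in successfully from a
    spraying source; those should be treated as possibly compromised.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[3] == "FAILURE"]
        counts = defaultdict(int)   # per-account failure count inside the sliding window
        left = 0
        sprayed = set()
        for ts, _, user, _ in failures:
            counts[user] += 1
            # Drop failures that fell out of the window.
            while failures[left][0] < ts - window:
                old_user = failures[left][2]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                left += 1
            low_and_wide = [u for u, c in counts.items() if c <= max_per_account]
            if len(low_and_wide) >= min_accounts:
                sprayed.update(low_and_wide)
        if sprayed:
            succeeded = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
            findings[ip] = {"sprayed": sorted(sprayed), "succeeded": succeeded}
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {len(info['sprayed'])} accounts, "
              f"successful sign-ins from this source: {info['succeeded']}")
```

The brute-force source (three attempts on one account) is deliberately not flagged here: a per-account lockout or failure-count rule handles that case, while the spray source would slip past such a rule with one failure per account. Thresholds are assumed and should be tuned against a tenant's normal failed-sign-in baseline; shared egress addresses (VPN concentrators, NAT) are the usual source of false positives for a per-IP rule like this one.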
A request for comment from the Russian Embassy was not immediately returned.
Relations between the US and Russia have already been strained this year as a result of a series of high-profile ransomware attacks on US targets carried out by Russian cyber gangs. President Joe Biden has warned Russian President Vladimir Putin to clamp down on ransomware perpetrators, but several top administration cybersecurity officials have lately said they have seen no evidence that Russia has done so.
Supply chain attacks let hackers collect data from many targets by breaking into a single product or provider that the targets all rely on. The SolarWinds attack, which remained undiscovered for most of 2020, compromised multiple federal agencies and embarrassed Washington, was attributed to Russia's SVR foreign intelligence service.
Since May, Microsoft has been monitoring Nobelium's newest campaign and has contacted more than 140 firms that the group has targeted, of which as many as 14 are thought to have been compromised. Since July the attacks have become more frequent: Microsoft reports that 609 of its customers were attacked 22,868 times by Nobelium, with a success rate in the low single digits (a few percent). That is more attacks than Microsoft had detected in the preceding three years from all nation-state actors combined.
“Russia is attempting to get long-term, systematic access to a number of locations in the technological supply chain and develop a framework for surveillance of targets of interest to the Russian government — now or in the future,” Burt said.
Microsoft did not name any of the targets of the hackers' newest campaign. However, the cybersecurity firm Mandiant said it had seen victims in Europe and North America.
The hackers’ approach of going after resellers, according to Mandiant Chief Technology Officer Charles Carmakal, makes detection tough.
“It moves the first incursion away from the final targets, which in some cases are enterprises with more mature cyber defenses, and towards smaller technology partners with less established cyber defenses,” he explained.