Microsoft has warned that Nobelium, the hacking group behind the SolarWinds fiasco, has targeted at least 140 resellers and technology service providers in global IT supply chains.
- Hackers somehow got their rootkit a Microsoft-issued digital signature
- This monster of a phishing campaign is after your passwords
- SolarWinds hackers Nobelium to strike global IT supply chains again, Microsoft warns
- Microsoft Teams: Your video calls just got a big security boost
- Cybersecurity 101: Protect your privacy from hackers, spies, the government
On October 24, Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust said in an advisory that the advanced persistent threat (APT) group, of Russian origin, has now pivoted to software and cloud service resellers in order to “piggyback on any direct access that resellers may have to their customers’ IT systems.”
The Redmond giant says that Nobelium’s latest campaign was spotted in May this year and no less than 140 companies have been targeted, with 14 confirmed cases of compromise.
Nobelium was responsible for the SolarWinds breach, disclosed by Microsoft and FireEye (now known as Mandiant) in December 2020.
SolarWinds systems were breached and an update for Orion software was poisoned and later deployed to approximately 18,000 customers.
The APT then selected a small number of high-profile targets to exploit, including Microsoft, FireEye, the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Agency (CISA), and the US Treasury.
After the malicious update was pushed through SolarWind’s legitimate channels, malware was planted on these systems, including the Sunburst/Solorigate backdoor.
Microsoft estimates that the feat may have taken the efforts of up to 1,000 engineers. However, the latest wave of attacks does not appear to make use of any specific vulnerabilities or security flaws; instead, the group is relying on spray-and-pray credential stuffing, phishing, API abuse, and token theft in attempts to obtain account credentials and privileged access to victims’ systems.
The new campaign is part of the Russian threat actors’ wider activities. Between July 1 and October 19, Microsoft has warned 609 customers of 22,868 hacking attempts, although the company notes that success is in the “low single digits.”
Prior to July 1, Microsoft alerted customers to overall nation-state hacker attack attempts a total of 20,500 times, including a past phishing campaign launched by Nobelium that impersonated USAID.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and [to] establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Microsoft commented. “Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.”
Microsoft has informed all impacted vendors and has also released technical guidance outlining how Nobelium attempts to move laterally across networks to reach downstream customers.
In a statement, Mandiant SVP and CTO, Charles Carmakal said the firm has investigated multiple cases of suspected Russian cyberattacks, of which supply chain relationships between technology providers and customers have been exploited.
“While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government,” Carmakal commented.
Previous and related coverage
- Tomiris backdoor discovery linked to Sunshuttle, DarkHalo hackers
- Microsoft warns of current Nobelium phishing campaign impersonating USAID
- Microsoft warning: This malware creates a ‘persistent’ backdoor for hackers
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0