Microsoft warns about Nobelium hacker group supply-chain attacks

Russian hacker group behind SolarWinds hack found still targeting global IT supply chain

Hackers target IT resellers. The Russian APT targets high-profile companies like FireEye, DHS, and Microsoft.

The threat group known as Nobelium is still running attacks, and according to the reports, 14 global supply-chain firms have already been compromised since May.[1] The Russian-backed group was behind last year's SolarWinds hack[2], and Microsoft now reports that it continues to target supply-chain companies. At least 140 cloud service providers have been targeted. These recent attacks leverage stolen identities and the networks of technology solution providers, service providers, and resellers in North America and Europe.

The attackers use a diverse and ever-changing toolkit that includes malware, password sprays, token theft, and spear-phishing campaigns. The main targets remain technology resellers and service providers, along with their customers. Microsoft notified the targets of these attacks once the activity was spotted, and it also released protective guidance so that potential targets can detect intrusion attempts.[3]

Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust, released the advisory[4] that stated:

This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.

140 targets: at least 14 compromised

The latest Nobelium campaign was spotted in May of this year, when no fewer than 140 different companies were targeted with a range of exploit and hacking tools. Of those targets, 14 firms are listed as confirmed compromises.[5]

The investigation is still ongoing, but at least 600 Microsoft customers have been attacked, collectively thousands of times. These attempts took place between July and October, and even though the success rate was low, the number of targets is concerning. This appears to be part of a larger campaign launched over the summer.

In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits.

Nobelium is still pursuing the same goal it achieved with the SolarWinds breach, so these attempts are apparently not going to stop. The threat actor tries to gain long-term access to a target's network in order to exfiltrate data.

Nobelium hacker group targets companies like FireEye and Microsoft

This group, tied to the Russian Foreign Intelligence Service (SVR) and also known as APT29, Cozy Bear, The Dukes, and Nobelium, is known for targeting high-profile organizations. It has targeted entities such as the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, the US Treasury, Microsoft, and FireEye.

In the first campaigns, malicious updates were used to spread malware such as backdoors and compromise systems from there. Now the Russian threat actors use a broader range of techniques. The group does not rely on a particular vulnerability but on spray-and-pray credential-stuffing methods, phishing, and API abuse to obtain account credentials and admin access to targeted systems.
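The password sprays mentioned above (and in the toolkit list earlier in the article) are designed to stay under per-account lockout thresholds: one or two guesses against many accounts rather than many guesses against one. The detector below is an added example written for this article, not code from Microsoft or from the 2-Spyware author. It runs over constructed sign-in records (the log format, IPs and account names are invented for the example) and flags a source that fails against many distinct accounts within a short window, which is the signature a defender looks for.

```python
"""Flag a password-spray pattern in sign-in records (added example).

A spray tries a few common passwords across many accounts, so per-account
lockout never trips.  The usable signal is a single source producing failed
sign-ins across an unusually large number of distinct accounts inside a
short window; a later success from that same source is the case to triage
first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): timestamp, source IP, account,
# result.  203.0.113.7 fails once against many accounts (spray pattern);
# 198.51.100.9 fails repeatedly against one account (not a spray).
SAMPLE_LOG = """\
2021-10-25T08:00:01Z 203.0.113.7 alice@example.test FAILURE
2021-10-25T08:00:03Z 203.0.113.7 bob@example.test FAILURE
2021-10-25T08:00:05Z 203.0.113.7 carol@example.test FAILURE
2021-10-25T08:00:07Z 203.0.113.7 dave@example.test FAILURE
2021-10-25T08:00:09Z 203.0.113.7 erin@example.test FAILURE
2021-10-25T08:00:11Z 203.0.113.7 frank@example.test SUCCESS
2021-10-25T08:01:00Z 198.51.100.9 alice@example.test FAILURE
2021-10-25T08:01:05Z 198.51.100.9 alice@example.test FAILURE
2021-10-25T08:01:10Z 198.51.100.9 alice@example.test FAILURE
2021-10-25T08:01:15Z 198.51.100.9 alice@example.test SUCCESS
2021-10-25T09:30:00Z 192.0.2.44 grace@example.test SUCCESS
"""


def parse_signins(text):
    """Parse whitespace-separated records into (time, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: finding} for sources whose failures span at least
    `min_accounts` distinct accounts within any `window`-long interval.

    A sliding window over each source's failures (sorted by time) catches a
    slow spray that straddles a fixed bucket boundary.  The finding also lists
    accounts that signed in successfully from the same source, because a
    success after a spray is the event worth investigating first.
    """
    failures = defaultdict(list)   # ip -> [(time, account), ...] in time order
    successes = defaultdict(set)   # ip -> accounts that authenticated from it
    for ts, ip, account, result in sorted(events):
        if result == "FAILURE":
            failures[ip].append((ts, account))
        elif result == "SUCCESS":
            successes[ip].add(account)

    findings = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start..end] fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                findings[ip] = {
                    "distinct_accounts_failed": len(accounts),
                    "window_start": fails[start][0].isoformat(),
                    "window_end": fails[end][0].isoformat(),
                    "successes_from_same_source": sorted(successes[ip]),
                }
                break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_signins(SAMPLE_LOG)).items():
        print(ip, finding)
```

The thresholds (`window`, `min_accounts`) are deliberately parameters: a large tenant sees legitimate bursts of failures from shared egress addresses, so tune them against a baseline before alerting, and feed the detector from whatever sign-in source you actually have rather than the constructed format shown here.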

Russia is trying to gain access to various points in the technology supply chain and establish a system of surveillance. The high-profile targets being aimed at now, like those of previous attacks, are of interest to the Russian government. These campaigns were discovered at a fairly early stage, so guidance that helps service providers and resellers protect themselves against Nobelium has already been released.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
