Microsoft has identified new activity from Nobelium, the Russian nation-state actor behind the SolarWinds compromise in 2020. Rather than tampering with software again, Nobelium is replicating the underlying approach of that attack, going after trusted links in the IT supply chain to reach their downstream customers, and has reportedly targeted hundreds of U.S. organizations in this latest wave.
“We have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” Microsoft said in an official release.
Old Tactics, New Targets
Microsoft observed that Nobelium is reusing established techniques against organizations integral to the global IT supply chain, including resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers. According to Microsoft, the operators' goal is to piggyback on the direct, often delegated administrative access that resellers hold in their customers' environments, so that one compromised provider yields a path into many customer tenants. Active since May 2021, the group has targeted more than 140 resellers and technology service providers, and Microsoft believes as many as 14 of them were compromised.
The recent attacks did not exploit any software vulnerability. Instead, they used password spraying and phishing to steal login credentials and obtain privileged access. Password spraying tries a short list of common passwords against many accounts, one or two guesses per account, which keeps each account below its lockout threshold and hides the activity among ordinary failed logins; the usual defense is multi-factor authentication plus detection that looks at failures per source across accounts rather than per account.
“We’ve also been coordinating with others in the security community to improve our knowledge of, and protections against, Nobelium’s activity, and we’ve been working closely with government agencies in the U.S. and Europe. While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Microsoft added.
Despite several cybersecurity initiatives, Russian hackers continue to target critical infrastructure in the U.S. The latest activity indicates that Russian state-sponsored actors are seeking footholds in critical supply chain technology in order to sustain a long-term cyberespionage campaign. Several cybersecurity experts argue, however, that attacks of this kind are preventable if cloud service providers and resellers practice robust security measures.
Commenting on the latest campaign, Amit Yoran, Chairman and CEO of Tenable, said, “Those who thought SolarWinds was a once-in-a-lifetime attack didn’t see the writing on the wall. The cybercriminals behind the infamous breach are unsurprisingly at it again. This time, they’re targeting Microsoft cloud services resellers through an unsophisticated yet wide-scale attack. The attacks were preventable had companies implemented basic cyber hygiene measures such as enforcing multi-factor authentication, implementing strong password policies, and enabling robust access management.
“Once again, we’re not seeing super sophisticated, never-before-seen techniques behind a major cyberattack. It’s the basics that are still tripping organizations up. What is a relatively new development over the last 12 months is a strategic and continued focus on the software supply chain. This speaks directly to the gaping supply chain security issues that SolarWinds brought to attention — break just one chain link, and you can bring down the entire fence.”