The nation-state actor behind the 2020 cyberattack targeting SolarWinds customers – Nobelium – is continuing its campaign to target the global IT supply chain, according to a new advisory from Microsoft, which says 140 resellers and technology service providers have been notified that they have been targeted by the group, and as many as 14 have been compromised.
Nobelium, which the U.S. government has connected to Russia’s foreign intelligence service, or SVR, is now targeting partners that customize, deploy and manage cloud services, Microsoft warns. Several cybersecurity experts contend that it is further proof the Russian government will take drastic steps to gather sensitive intelligence.
In technical guidance released alongside the advisory, Microsoft warns that Nobelium’s latest tactics do not attempt to exploit software vulnerabilities. Instead, the group is reportedly leveraging password sprays, token theft, API abuse and spear-phishing to compromise user accounts and gain privileged access.
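The first tactic named above, password spraying, leaves a recognisable footprint in sign-in telemetry: one source trying a small number of passwords against many accounts, rather than many passwords against one. The following detector is an added illustration of that distinction, not code from Microsoft's guidance or from the article; it runs over a constructed, whitespace-separated sign-in log (timestamp, source IP, account, outcome) and the window and threshold values are assumptions a team would tune to its own environment. It also labels the opposite pattern (many failures against a single account) as brute force so the two are not conflated, and it records any success from the same source inside the window, since that is the event the article's "compromise user accounts" step would produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 tries one password against six accounts (spray); 198.51.100.4 hammers one
# account (brute force); 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2021-10-25T09:00:01Z 203.0.113.7 alice@example.test FAILURE
2021-10-25T09:00:09Z 203.0.113.7 bob@example.test FAILURE
2021-10-25T09:00:17Z 203.0.113.7 carol@example.test FAILURE
2021-10-25T09:00:25Z 203.0.113.7 dave@example.test FAILURE
2021-10-25T09:00:33Z 203.0.113.7 erin@example.test FAILURE
2021-10-25T09:00:41Z 203.0.113.7 frank@example.test SUCCESS
2021-10-25T09:05:00Z 198.51.100.4 alice@example.test FAILURE
2021-10-25T09:05:30Z 198.51.100.4 alice@example.test FAILURE
2021-10-25T09:06:00Z 198.51.100.4 alice@example.test FAILURE
2021-10-25T09:06:30Z 198.51.100.4 alice@example.test FAILURE
2021-10-25T09:07:00Z 198.51.100.4 alice@example.test FAILURE
2021-10-25T09:10:00Z 192.0.2.9 grace@example.test SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, account, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_credential_attacks(log_text, window=timedelta(minutes=10),
                              min_accounts=5, max_per_account=2,
                              brute_threshold=5):
    """Classify each source IP's failed sign-ins inside a sliding time window.

    password_spray: >= min_accounts distinct accounts, each failing at most
                    max_per_account times (few guesses, many targets).
    brute_force:    a single account failing >= brute_threshold times.
    Thresholds are assumed defaults, not values from any vendor guidance.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        # Slide a window starting at each event; stop at the first match for this IP.
        for start_ts, _, _ in evs:
            in_window = [e for e in evs if start_ts <= e[0] <= start_ts + window]
            failures = defaultdict(int)
            for _, user, outcome in in_window:
                if outcome == "FAILURE":
                    failures[user] += 1
            if not failures:
                continue
            # Successes from the same source in the window are the follow-on compromise signal.
            successes = sorted({u for _, u, o in in_window if o == "SUCCESS"})
            if len(failures) >= min_accounts and max(failures.values()) <= max_per_account:
                kind = "password_spray"
            elif len(failures) == 1 and max(failures.values()) >= brute_threshold:
                kind = "brute_force"
            else:
                continue
            alerts[ip] = {
                "kind": kind,
                "accounts_tried": len(failures),
                "failed_attempts": sum(failures.values()),
                "successes_in_window": successes,
                "window_start": start_ts.isoformat(),
            }
            break
    return alerts


if __name__ == "__main__":
    for ip, finding in detect_credential_attacks(SAMPLE_LOG).items():
        print(ip, finding)
```

The spray heuristic deliberately keys on the number of distinct accounts rather than the raw failure count, because a spray at one or two attempts per account stays under the per-account lockout thresholds that would catch brute force; a production version would read the identity provider's sign-in export and add the source's first-seen date and ASN as further context.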
Tom Burt, Microsoft’s corporate vice president of customer security and trust, says in the advisory: “We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.
“Fortunately, we have discovered this campaign during its early stages,” Burt continues, noting that Microsoft began observing the activity in May 2021. “And we are sharing these developments to help [those affected] take timely steps to help ensure Nobelium is not more successful.”
Nobelium APT: An Active Threat
Microsoft adds that the attacks are a part of a larger wave of Nobelium activity in 2021. Between July 1 and Oct. 19, the advisory states, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, though the success rate was in the low single digits. Microsoft says that, by comparison, prior to July 1, 2021, it notified customers of nation-state attacks 20,500 times over three years.
Charles Carmakal, SVP and CTO of the security firm Mandiant, which assisted in the identification of this new wave of activity, adds, “This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor.
“[This] shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners,” Carmakal continues. “Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organizations and other organizations that deal in matters of interest to Russia.”
Jake Williams, a former member of the National Security Agency’s elite hacking team, and co-founder and CTO of the security firm BreachQuest, calls Nobelium “a truly persistent adversary” and warns that it is “one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt.”
The group behind the 2020 SolarWinds campaign is reportedly targeting the IT supply chain. (File image)
Nobelium, which orchestrated the SolarWinds campaign disclosed by Microsoft and FireEye in December 2020, breached SolarWinds’ systems and pushed out a malicious Orion software update to the company’s customers. Some 100 organizations globally were breached, and follow-on attacks occurred at nine U.S. federal agencies, including the Department of Homeland Security and the Department of the Treasury (see: SolarWinds Supply Chain Hit: Victims Include Cisco, Intel).
Microsoft President Brad Smith said on “60 Minutes” in February that the SolarWinds incident may have entailed the coordinated efforts of some 1,000 engineers.
Smith declared at the time: “I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”
President Joe Biden’s administration in April attributed the 2020 espionage efforts to Russia’s SVR.
‘More Aggressive Action’
According to Danny Lopez, former HM consul general for the U.K.’s Foreign and Commonwealth Office and CEO of the firm Glasswall, these recent attacks reveal that, across sectors, “the traditional castle-and-moat approach to network security leaves organizations exposed” – potentially offering “attackers like Nobelium free rein” over a network.
Jamil Jaffer, former associate White House counsel to President George W. Bush and founder and executive director of the National Security Institute at George Mason University, warns, “This [activity no doubt] highlights the need to take more aggressive action to impose costs in order to deter such activity by Russia.”
Jaffer, who is SVP of strategy, partnerships and corporate development for IronNet Cybersecurity, continues: “It is clear that the previously imposed sanctions for both hacking activity as well as Russia’s support of ransomware attacks have not adequately deterred Russian cyber activity against the U.S. private sector.”
In the advisory, however, Microsoft’s Burt says: “We are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight; [but] we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and the government in the past two years, have put us in a much better position to defend against them.”
Nobelium’s latest maneuver underscores the immense cybersecurity challenge faced by U.S. officials. In addition to levying economic sanctions against Russia, Biden has mounted an offensive against ransomware and its financial infrastructure, going as far as targeting specific cryptocurrency exchanges, and laying out “off-limits” critical infrastructure for Russian President Vladimir Putin during a June summit (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
At the Mandiant Cyber Defense Summit in Washington, D.C., this month, Gen. Paul Nakasone, who heads the National Security Agency and U.S. Cyber Command, called SolarWinds a turning point for the nation, but noted that U.S. agencies successfully cut off the Russian reconnaissance (see: Top US Cyber Officials Say Ransomware Is Here to Stay).