Microsoft Warns of Resurgence of Russian-Linked Nobelium Hacker Group
Russia wants long-term, systemic access to the technology supply chain.
![Hacker Hacker](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltcfdc1a50bdbcc62a/6524402754b4aa457703c0e3/5-Cloaked-Hacker-1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain, according to Microsoft. Moreover, it wants to establish a mechanism for surveilling targets of interest to the Russian government.
“The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software, but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access,” said Microsoft’s Tom Burt. “We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach.”
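Burt's point is that this campaign relied on credential theft, password spray in particular, rather than a software flaw, so the defensive signal lives in sign-in logs. The following added example, which is not code from Microsoft or the article, flags a spray pattern (one source failing logins against many distinct accounts in a short window) over constructed sample log lines and lists the accounts that then succeeded from that source; the log format, IPs and account names are assumptions.

```python
# Added example, not from the article or Microsoft: flag password-spray
# activity in constructed sign-in logs. A spray is one source failing
# logins against many distinct accounts in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-05-03T09:00:01Z 198.51.100.7 alice@reseller.example FAIL
2021-05-03T09:00:04Z 198.51.100.7 bob@reseller.example FAIL
2021-05-03T09:00:09Z 198.51.100.7 carol@reseller.example FAIL
2021-05-03T09:00:15Z 198.51.100.7 dave@reseller.example FAIL
2021-05-03T09:00:21Z 198.51.100.7 erin@reseller.example SUCCESS
2021-05-03T09:00:30Z 203.0.113.5 alice@reseller.example FAIL
2021-05-03T09:01:40Z 203.0.113.5 alice@reseller.example SUCCESS
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log_text, min_accounts=4, window=timedelta(minutes=10)):
    """Return {source_ip: sorted targeted accounts} for sources whose failed
    logins hit at least min_accounts distinct accounts inside window."""
    fails_by_ip = defaultdict(list)  # ip -> [(time, user)] for failures only
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def successes_after_spray(log_text, sprays):
    """(ip, account) pairs that logged in successfully from a spraying
    source: the password was likely guessed, so reset and review them."""
    return [(ip, user) for ip, user, result in
            (parse(l)[1:] for l in log_text.splitlines())
            if ip in sprays and result == "SUCCESS"]
```

A single-account failure burst from 203.0.113.5 is deliberately not flagged, since that is brute-force behaviour, not a spray; tune min_accounts and window to the tenant's normal sign-in volume.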
Troy Gill is senior manager of threat intelligence at Zix/AppRiver.
“These attacks underscore how threat actors continue to misuse legitimate services to help their campaigns evade detection,” he said. “Traditional email security solutions will not protect them against these sophisticated attacks. In response, organizations need to upgrade their email security posture with a solution that’s capable of scanning incoming correspondence for campaign patterns, malware signatures, IP addresses and other threat behaviors. This analysis should occur in real time so that legitimate correspondence can reach its intended destination without delay.”
Chris Morgan is senior cyber threat intelligence analyst at Digital Shadows. He said the recent Nobelium activity demonstrates the significant risk to organizations when an advanced persistent threat (APT) group targets privileged accounts.
“Trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes,” he said. “Compromising privileged accounts that have a high level of access enables threat actors to move through the cyber kill chain with little chance of being detected. Given many of the organizations impacted by this activity are reportedly cloud and managed service providers, it is realistically possible that the scope of this incident could increase. As Nobelium is known for their resourcefulness in moving laterally across supply chains, additional impacted organizations may surface in the coming months.”
Oliver Tavakoli is CTO at Vectra. He said it’s unsurprising that the SVR, Russia’s external intelligence agency, remains active, as the mission of gathering intelligence never goes out of style.
“These new attacks, which focus on infiltrating service providers and leveraging the trust that is placed on them by their customers, present new challenges as the signals left behind by each attack span multiple organizations,” he said. “The attacks do share some of the hallmarks of the SolarWinds hack in leveraging the interconnected nature of on-premises, cloud identity, SaaS application and public cloud footprints, and hopscotching through these as necessary to achieve an end goal.”
Jake Williams is co-founder and CTO of BreachQuest. He said supply chain threats extend well beyond just software.
“IT service providers often have relatively poor security themselves while simultaneously having access to numerous customer networks, often hundreds,” he said. “Every penetration security professional has horror stories about security at IT service providers. In one example, if I know the organization is serviced by a particular provider and the year the contract began, I know the domain admin password for the network.”
Nobelium is a truly persistent adversary, Williams said. Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete.
“Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt,” he said. “This is not a do-it-yourself project for most organizations and will likely require professional assistance to be successful due to the variety of tools and tradecraft used.”
The threat posed by Nobelium isn’t a Microsoft problem, BreachQuest’s Jake Williams said. Customers must use the tools at their disposal, often provided by Microsoft, to address these threats.
“Implementation of some of the recommended mitigation measures, such as reviewing, hardening and monitoring all tenant administrator accounts, reviewing service provider permissions and reviewing auditing logs, should be table stakes for security in any larger organization,” he said. “However, the reality is that most organizations are resource strapped. This makes complying with these recommendations difficult for more organizations.”
Microsoft says Nobelium, the Russian nation-state hacking group behind the massive SolarWinds attack, is back. This time they’re targeting a different area of the supply chain.
According to Microsoft, Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This is the same group that carried out attacks on SolarWinds customers in 2020.
Now, Nobelium is attacking resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
Tom Burt is Microsoft’s corporate vice president of customer security and trust.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” he said in a blog. “We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community.”
Mounting Targets
Since May, Microsoft has notified more than 140 resellers and technology service providers that have been targeted by Nobelium, Burt said.
“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised,” he said. “Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful.”
These attacks have been a part of a larger wave of Nobelium activities this summer, according to Microsoft. Between July 1 and Oct. 19, Microsoft informed more than 600 customers that they had been attacked nearly 22,900 times by Nobelium, with a success rate in the low single digits.
In comparison, prior to July 1, Microsoft had notified customers about attacks from all nation-state actors 20,500 times over the past three years.