Microsoft has recently revealed that the Russian state-linked group Nobelium is attacking a different part of the IT supply chain. Nobelium is known as the hacking group behind the infamous SolarWinds hack. This time, the attack is aimed at the global technology supply chain and other technology service providers. These include resellers and other IT service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers. The group's new strategy is to piggyback on the direct access that cloud service resellers have to their customers' IT systems, hoping “to more easily impersonate an organization's trusted technology partner to gain access to their downstream customers,” Microsoft’s cybersecurity experts said.
This recent activity only shows that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain. This further establishes a mechanism for surveilling targets of interest to the Russian government, now or in the future.
The Russian-linked hacking group, which has been blamed for an attack on the U.S. government and a significant number of private U.S. companies last year, has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. The attacks observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software; instead, the group uses well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access. Password spraying involves trying a commonly used password such as Password1 or 1234 against multiple accounts before moving on to try a second password. Nobelium was identified by the US government as part of Russia’s foreign intelligence service, known as the SVR.
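In sign-in logs, the spray pattern described above shows up as one source failing against many accounts while staying below any per-account lockout threshold. The following detection logic is an added example, not Microsoft's guidance or tooling; the event format, thresholds, IP addresses and account names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source IP, account, outcome).
# IPs are documentation ranges and account names are hypothetical.
EVENTS = (
    # One guess per account across many accounts: the spray pattern.
    [(f"2021-10-20T09:00:{i:02d}", "203.0.113.7", user, "fail")
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [("2021-10-20T09:00:09", "203.0.113.7", "frank", "success")]
    # Many guesses against one account: brute force, which lockout already stops.
    + [(f"2021-10-20T09:05:{i:02d}", "198.51.100.20", "admin", "fail")
       for i in range(8)]
    # An ordinary user mistyping once.
    + [("2021-10-20T09:10:00", "192.0.2.10", "bob", "fail"),
       ("2021-10-20T09:10:20", "192.0.2.10", "bob", "success")]
)

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Return {source: {"sprayed": [...], "succeeded": [...]}} for sources whose
    failures fan out over many accounts while staying low on each one."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((datetime.fromisoformat(ts), user, outcome))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            fails = Counter(u for _, u, o in rows[start:end + 1] if o == "fail")
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                # Any success from a spraying source is a likely guessed password.
                hits = {u for _, u, o in rows[start:] if o == "success"}
                findings[src] = {"sprayed": sorted(fails), "succeeded": sorted(hits)}
                break
    return findings

if __name__ == "__main__":
    for src, f in detect_spray(EVENTS).items():
        print(src, "sprayed", f["sprayed"], "succeeded", f["succeeded"])
```

Accounts listed under "succeeded" are the ones to prioritize for credential reset and session review, since a success from a spraying source may never have been preceded by a failure on that account.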
Microsoft has been observing Nobelium’s latest “campaign” since May of 2021 and has been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. It said it has been working with U.S. and European government agencies. According to the tech giant, more than 140 resellers and technology service providers have been targeted by Nobelium so far, and it believes that as many as 14 of these resellers and service providers have been compromised. These developments are shared to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful. Fortunately, this new campaign by Nobelium has been discovered in its early stages.
While Microsoft is sharing details about the most recent activity by Nobelium, the Microsoft Digital Defense Report, published earlier this month, highlights continued attacks from other nation-state actors and cybercriminals. In line with these attacks, Microsoft is notifying its customers when they are targeted or compromised by those actors. Further, these attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, before July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years. Microsoft has also been coordinating with others in the security community to improve knowledge of and protections against Nobelium’s activity and has been working closely with government agencies in the USA and Europe. Though Microsoft is clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, it believes that steps like the cyber-security executive order in the USA, and the greater coordination and information sharing seen between industry and government in the past two years, have put everyone in a much better position to defend against them.
Microsoft has long maintained and evolved the security requirements and policies it enforces with service providers that sell or support Microsoft technology. Specifically, in September 2020, it updated contracts with its resellers to expand Microsoft’s abilities and rights to address reseller security incidents and to require that resellers implement specific security protections for their environments. That means restricting partner portal access and requiring that resellers enable multi-factor authentication when accessing its cloud portals and underlying services.
“We will take the necessary and appropriate steps to enforce these security commitments,” said Tom Burt, Microsoft corporate vice president. “We continue to assess and identify new opportunities to drive greater security throughout the partner ecosystem, recognizing the need for continuous improvement. As a result of what we have learned over the past several months, we are working to implement improvements that will help better secure and protect the ecosystem, especially for the technology partners in our supply chain.”
Last month, it also released technical guidance that could help organizations protect themselves against the latest Nobelium activity observed as the actor honed its techniques, as well as guidance for partners.
Microsoft is also piloting more granular features for organizations that want to provide privileged access to resellers. It is piloting improved monitoring to empower partners and customers to manage and audit their delegated privileged accounts and remove unnecessary authority. It is also auditing unused privileged accounts and working with partners to assess and remove unnecessary privilege and access.
“These are just the immediate steps that we have taken, and, in the coming months, we will be engaging closely with all of our technology partners to further improve security,” said Burt. “We will make it easier for service providers of all sizes to access our most advanced services for managing secure log-in, identity, and access management for free or at a low cost. As we said in May, progress must continue. At Microsoft, we will continue our efforts across all these issues and continue to work across the private sector, with the U.S. administration, and with all other interested governments to make this progress.”