Microsoft Warns of Nobelium Hackers Attacking New Global IT Supply Chain



Microsoft has recently revealed that the Russian state-linked group Nobelium is attacking a different part of the IT supply chain. Nobelium is the hacking group behind the infamous SolarWinds hack. This time, the attack is aimed at the global technology supply chain and other technology service providers. These include resellers and other IT service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers. Its new strategy is to piggyback on the direct access that cloud service resellers have to their customers' IT systems in the hope of being able “to more easily impersonate an organization's trusted technology partner to gain access to their downstream customers,” Microsoft’s cybersecurity experts said.

This recent activity shows that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and to establish a mechanism for surveilling targets of interest to the Russian government, now or in the future. The Russian-linked hacking group, which has been blamed for an attack on the U.S. government and a significant number of private U.S. companies last year, has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. The attacks observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software; instead, they use well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access. Password spraying involves trying commonly used passwords such as Password1 or 1234 against multiple accounts before moving on to try a second password. Nobelium was identified by the US government as part of Russia’s foreign intelligence service, known as the SVR.
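In sign-in logs, the password-spray pattern described above appears as one source failing against many distinct accounts within a short window, unlike a brute-force run that hammers a single account. The following is an added detection example, not code from Microsoft or from the original article; the log format, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (assumed format): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-10-25T09:00:01,203.0.113.7,alice@example.com,FAILURE
2021-10-25T09:00:04,203.0.113.7,bob@example.com,FAILURE
2021-10-25T09:00:09,203.0.113.7,carol@example.com,FAILURE
2021-10-25T09:00:13,203.0.113.7,dave@example.com,FAILURE
2021-10-25T09:00:20,203.0.113.7,erin@example.com,SUCCESS
2021-10-25T09:01:00,198.51.100.9,frank@example.com,FAILURE
2021-10-25T09:01:05,198.51.100.9,frank@example.com,FAILURE
2021-10-25T09:01:09,198.51.100.9,frank@example.com,FAILURE
2021-10-25T09:01:15,198.51.100.9,frank@example.com,FAILURE
2021-10-25T09:30:00,203.0.113.7,alice@example.com,FAILURE
"""

def parse(log_text):
    """Yield (time, ip, account, result) tuples from the CSV-style lines."""
    for line in log_text.strip().splitlines():
        ts, ip, account, result = line.split(",")
        yield datetime.fromisoformat(ts), ip, account, result

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Return {ip: report} for sources whose failures fan out across accounts.

    A spray touches many accounts with few guesses each; repeated failures
    against one account (frank above) never reach the distinct-account bar.
    """
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [(time, account)]
    for ts, ip, account, result in parse(log_text):
        (failures if result == "FAILURE" else successes)[ip].append((ts, account))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                # A success from the same source in the window needs urgent review.
                hit = sorted(a for t, a in successes[ip] if start <= t <= start + window)
                findings[ip] = {"accounts": sorted(accounts), "possible_compromise": hit}
                break
    return findings
```

Shared proxies and NAT gateways can also produce failures across many accounts from one address, so tune `min_accounts` and `window` against your own baseline before alerting on this.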



Microsoft has been observing Nobelium’s latest “campaign” since May of 2021 and has been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. It said it has been working with U.S. and European government agencies. According to the tech giant, more than 140 resellers and technology service providers have been targeted by Nobelium so far, and it believes that as many as 14 of these resellers and service providers have been compromised. These developments are being shared to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful. Fortunately, this new campaign by Nobelium has been discovered in its early stages.

While Microsoft is sharing details about the most recent activity by Nobelium, the Microsoft Digital Defense Report, published earlier this month, highlights continued attacks from other nation-state actors and cybercriminals. Microsoft notifies its customers when they are targeted or compromised by those actors. The latest attacks have been part of a larger wave of Nobelium activity this summer. Between July 1 and October 19 this year, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, before July 1, 2021, it had notified customers about attacks from all nation-state actors 20,500 times over the past three years. Microsoft has also been coordinating with others in the security community to improve knowledge of and protections against Nobelium’s activity and has been working closely with government agencies in the USA and Europe. Though Microsoft is clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, it believes that steps like the cyber-security executive order in the USA, and the greater coordination and information sharing seen between industry and government in the past two years, have put everyone in a much better position to defend against them.

Microsoft has long maintained and evolved the security requirements and policies it enforces with service providers that sell or support Microsoft technology. Specifically, in September 2020, it updated contracts with its resellers to expand Microsoft’s abilities and rights to address reseller security incidents and to require that resellers implement specific security protections for their environments. Those protections include restricting partner portal access and requiring that resellers enable multi-factor authentication for access to its cloud portals and underlying services.

“We will take the necessary and appropriate steps to enforce these security commitments,” said Tom Burt, Microsoft corporate vice president. “We continue to assess and identify new opportunities to drive greater security throughout the partner ecosystem, recognizing the need for continuous improvement. As a result of what we have learned over the past several months, we are working to implement improvements that will help better secure and protect the ecosystem, especially for the technology partners in our supply chain.”

Last month it also released technical guidance to help organizations protect themselves against the latest Nobelium activity, observed as the actor honed its techniques, as well as guidance for partners.

Microsoft is also piloting more granular features for organizations that want to provide privileged access to resellers. It is piloting improved monitoring to empower partners and customers to manage and audit their delegated privileged accounts and remove unnecessary authority. It is also auditing unused privileged accounts and working with partners to assess and remove unnecessary privilege and access.

“These are just the immediate steps that we have taken, and, in the coming months, we will be engaging closely with all of our technology partners to further improve security,” said Burt. “We will make it easier for service providers of all sizes to access our most advanced services for managing secure log-in, identity, and access management for free or at a low cost.

“As we said in May, progress must continue. At Microsoft, we will continue our efforts across all these issues and continue to work across the private sector, with the U.S. administration, and with all other interested governments to make this progress.”
