SolarWinds hackers Nobelium take aim at IT supply chain: Microsoft

SolarWinds hackers Nobelium take aim at IT supply chain: Microsoft
Photo Credit: Pixabay

Russian hacking group Nobelium, suspected to be a part of the Russian Foreign Intelligence Service known as the Sluzhba Vneshney Razvedki (SVR), has now targeted multiple cloud and managed service providers (MSP), along with IT service organisations, according to startling revelations by the Microsoft Threat Intelligence Centre (MSTIC).   

Microsoft said that the hackers were clearly looking to target the customers of these cloud and MSPs, in order to infiltrate the global IT supply chain.   

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” pointed out Microsoft. 

In an infamous incident in early 2020, Nobelium was charged with infiltrating Texas-based Cybersecurity Company SolarWind’s systems and implanted malicious code into their software system called ‘Orion’.  

Orion is used by over 33,000 customers of SolarWinds, including many marquee names.  When SolarWinds unknowingly sent out software updates to its clientele, the customers downloaded the malicious code, which created a backdoor to their information for Nobelium.   

The targets for the current attacks were organisations in the United States and Europe and Microsoft said that it has notified more than 140 resellers and technology service providers that have been targeted by Nobelium in a single May 2021 campaign.    

So far, however, 14 of these resellers and service providers have been compromised with their data, the company said.   

“MSTIC assesses that Nobelium has launched a campaign against these organisations to exploit existing technical trust relationships between the provider organisations and the governments, think tanks, and other companies they serve,” said Microsoft in the blog.   

 The numbers only seem to get worse.  

In the period between July 1 and October 19, 2021, 609 customers were attacked 22,868 times by Nobelium, however, the success rate, Microsoft claimed, was in the low single digits.  

In stark comparison, prior to July 1st 2021, notified attacks from all state actors combined was at 20,500 for the past three years.   

“The Russian-based group is looking for another popular vendor to play a similar role to that of SolarWinds. Hence, the search for the next carrier is on and intense,” said Lotem Finkelstein, Head of Threat Intelligence at cybersecurity company Check Point Research.   

 "We urge every company to ensure they are protected, as the Nobelium group is highly sophisticated, attacking with both advanced homegrown tools and off-the-shelf ones,” added Finkelstein.   

The sophisticated toolkit that Nobelium uses allegedly contains complex malware, password sprays (software that tries to login through guessing multiple password), supply chain attack tools, token theft (where administrator privileges are stolen), spear phishing (personalised and ultra-targeted fraud emails) and API abuse (overloading APIs with traffic).   

To mitigate these attacks Microsoft requested the ecosystem participants to ensure multifactor authentication is in use and enforcement of conditional access policies, adopt the ‘secure application model framework’ built by Microsoft, and constantly check the activity logs in their Partner Center software to monitor unusual behaviour.   

“To reduce the potential impact of Nobelium activity, Microsoft encourages partners and customers to implement risk mitigations, harden environments, and investigate suspicious behaviours,” Microsoft said.