Microsoft on Monday warned that the same Russian group behind the SolarWinds cyber attack in 2020 has been attempting to “replicate” that approach, now targeting organizations “integral” to the global IT supply chain–specifically, resellers and technology service providers.
Microsoft Corporate Vice President of Customer Security & Trust Tom Burt shared the “latest activity” the company has observed from Russian nation-state actor Nobelium. Burt, in a blog post, said Nobelium was identified by the U.S. government and others as being part of Russia’s foreign intelligence service, known as the SVR.
“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Burt wrote. “This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”
Burt added that Microsoft believes Nobelium “ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”
Microsoft said it began observing Nobelium’s latest activity in May 2021, and said it has been notifying “impacted partners and customers, while also developing new technical assistance and guidance for the reseller community.”
“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” Burt wrote. “We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”
Microsoft said it discovered the campaign “during its early stages,” and said they are sharing developments to cloud service resellers, technology providers, and customers to take “timely steps to help ensure Nobelium is not more successful.”
Microsoft said that the attacks on this sector of the global IT supply chain have been a part of a “larger wave” of Nobelium activities over the summer.
Burt said that between July 1 and Oct. 19, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits.
“By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” Burt wrote.
Microsoft warned, though, that the activity is “another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling–now or in the future–targets of interest to the Russian government.”
Microsoft, detailing the attacks, explained that it does not appear to be an attempt to “exploit any flaw or vulnerability in software,” but rather the utilization of “well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access.” Microsoft said that the company “can now provide actionable information which can be used to defend against this new approach.”
Microsoft said it has been coordinating with others in the security community, and has been “working closely with government agencies in the U.S. and Europe.”
“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Burt wrote.
Meanwhile, a senior administration official explained that the activities Microsoft described taking place were “unsophisticated password spray and phishing attempts for the purpose of surveillance that cybersecurity experts say are attempted every day by Russia and other foreign governments and have been for years.”
The official said these types of attempts can be prevented if cloud service providers implement “baseline” cybersecurity practices, including multi-factor authentication–a measure to require users to authenticate their accounts with more than a password.
“Broadly speaking, the federal government is aggressively using our authorities to protect the Nation from cyber threats, including helping the private sector defend itself through increased intelligence sharing, innovative partnerships to deploy cybersecurity technologies, bilateral and multilateral diplomacy, and measures we do not speak about publicly for national security reasons,” the official told Fox News.
Earlier this year, the Biden administration imposed sanctions on Russia for the SolarWinds computer hack, which began in 2020 when malicious code was slipped into updates to popular software that monitors the computer networks of businesses and governments. The malware, which affected a product made by the American company SolarWinds, gave elite hackers remote access to an organization’s networks so they could steal information.
Earlier this month, Biden hosted virtual meetings with more than 30 countries to “accelerate cooperation to counter ransomware,” but the White House did not extend the invitation to Russia, senior administration officials said. The officials noted that the United States and the Kremlin have a “separate channel” where they “actively” discuss the matter.
Officials said that the president established a U.S.-Russia experts group for the U.S. to engage “directly” on the issue of ransomware.
“We do look to the Russian government to address ransomware criminal activity coming from actors within Russia,” an official said, adding that the Biden administration has “also shared information with Russia regarding criminal ransomware activity being conducted from its territory.”
“We’ve seen some steps by the Russian government, and are looking to see follow up actions and broader international cooperation is an important line of effort, because these are transnational criminal organizations,” an official said, adding that they “leverage global infrastructure and money laundering networks to carry out their attacks.”
Biden, during his summit in Geneva with Russian President Vladimir Putin in June, raised the issue of ransomware. At the time, Biden said he told Putin that “certain critical infrastructure should be off limits to attack.” Biden said he gave a list of “16 specific entities defined as critical infrastructure,” saying it ranged from energy to water systems.
Putin, though, during his press conference after the meeting, denied that Russia was responsible for cyberattacks and instead claimed that most cyberattacks in the world were carried out from the U.S.
Also over the summer, the president signed a national security memo directing his administration to develop cybersecurity performance goals for critical infrastructure in the United States–entities like electricity utility companies, chemical plants, and nuclear reactors.
Meanwhile, the National Counterintelligence and Security Center last week announced it is prioritizing industry outreach efforts in U.S. technology sectors where the stakes are “potentially greatest” for U.S. economic and national security, warning of “nation-state threats” posed by China and Russia.
The NCSC warned that the Kremlin “is targeting U.S. advances through the employment of a variety of licit and illicit technology transfer mechanisms to support national-level efforts, including its military and intelligence programs.”
NCSC officials warned that Russia is also “increasingly looking to talent recruitment” and international scientific collaborations to “advance” its domestic research and development efforts. NCSC said, though, that “resource constraints” have forced the Kremlin to focus on “indigenous” research and development efforts, such as Russian military applications of artificial intelligence.
NCSC warned that Russia uses intelligence services, academics, joint ventures and business partnerships, talent recruitment, foreign investments, government to government agreements, and more to acquire U.S. technologies.
Fox Business’ Meghan Henney contributed to this report.