These service providers often hold direct or privileged access to their customers’ IT systems. After compromising a service provider and impersonating it, the attackers aim to pivot into that provider's customers’ networks. Nobelium is a Russian state-backed actor that Microsoft attributes to the SVR, Russia’s foreign intelligence service. The group is responsible for the SolarWinds supply-chain compromise disclosed in 2020. According to Microsoft, the group has also been very active since this summer: between July 1 and October 19, it targeted 609 Microsoft customers with a total of 22,868 attempts. That is a massive increase compared with previous nation-state activity; in the three years prior to July 1, 2021, Microsoft reported 20,500 attacks from nation-state actors in total. Microsoft added that it was fortunate the activity was detected at an early stage. The company has tracked this Nobelium activity since May and has released technical guidance to help organizations defend themselves against the latest campaign.
Details of Nobelium’s Latest Campaign
Nobelium’s latest campaign targets “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.” Microsoft says the campaign did not exploit a software flaw or vulnerable systems. Instead, the attackers relied on credential-theft techniques such as password spraying and phishing to obtain valid logins; because a reseller's accounts already carry privileged access into customer tenants, stolen credentials alone are enough. Since May, Microsoft has notified 140 resellers and service providers that they were targeted by Nobelium and believes that, to date, as many as 14 of them have been compromised. It continues to notify customers when they are targeted. Microsoft also believes that Nobelium hopes to reach “downstream customers,” which indicates that Russia is trying to gain access at multiple levels of the technology supply chain. Such access can be used to carry out surveillance for the Russian state.
Steps Taken by Microsoft to Combat the Threat to Cloud Service Providers
The software giant says it has spent the last few months improving security and providing solutions to its partners in the IT supply chain. Some of these measures include:
enabling multi-factor authentication for access to its cloud portals; launching a premium plan for Azure that provides additional security controls; and adding new detections to its security and threat-prevention tools, including Microsoft Cloud App Security (MCAS), Microsoft 365 Defender, Azure Defender, and Azure Sentinel.
Microsoft is also piloting several new features for its partners and customers aimed at:
providing privileged-access solutions, adding monitoring capabilities, and reviewing and removing unnecessary privilege and authority.
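The campaign description above says the intrusions started with password spraying against provider accounts, and the measures above stress monitoring. What that monitoring looks like in practice is a detector over sign-in logs. The following is an added example, not code from the original article or from Microsoft's tooling; it assumes a simplified sign-in log format (one comma-separated event per line: timestamp, user, source IP, result) and uses constructed sample events. The generalization is the standard one: a spray is one source failing against many distinct accounts with few attempts each, and any success from that source after the spray began is a probable compromise.

```python
"""Password-spray detection over sign-in logs (added example).

Assumed log format (hypothetical, not any real product's schema):
    timestamp,user,source_ip,result      result is "success" or "failure"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks through many accounts with a
# single failure each and then lands a hit (spray). 198.51.100.22 is one
# user mistyping a password a few times, which must not be flagged.
SAMPLE_LOG = """\
2021-10-01T08:00:01Z,alice@contoso.example,203.0.113.7,failure
2021-10-01T08:00:03Z,bob@contoso.example,203.0.113.7,failure
2021-10-01T08:00:05Z,carol@contoso.example,203.0.113.7,failure
2021-10-01T08:00:07Z,dave@contoso.example,203.0.113.7,failure
2021-10-01T08:00:09Z,erin@contoso.example,203.0.113.7,failure
2021-10-01T08:00:11Z,frank@contoso.example,203.0.113.7,success
2021-10-01T08:05:00Z,alice@contoso.example,198.51.100.22,failure
2021-10-01T08:05:10Z,alice@contoso.example,198.51.100.22,failure
2021-10-01T08:05:20Z,alice@contoso.example,198.51.100.22,success
"""


def parse_events(text):
    """Parse the assumed CSV format into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.strip().lower(),
            "ip": ip.strip(),
            "result": result.strip(),
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "compromised": [...]}}.

    A source IP is reported when, within any sliding `window`, its
    failures span at least `min_accounts` distinct accounts. Every
    successful sign-in from that IP at or after the start of the spray
    is listed under "compromised" so responders can reset those accounts
    and revoke sessions first.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "failure"]
        for i, start in enumerate(fails):
            # Distinct accounts failed against in the window opening at `start`.
            in_window = [e for e in fails[i:]
                         if e["time"] - start["time"] <= window]
            users = sorted({e["user"] for e in in_window})
            if len(users) >= min_accounts:
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "success"
                               and e["time"] >= start["time"]})
                findings[ip] = {"accounts": users, "compromised": hits}
                break  # one finding per IP is enough
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_spray(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, f in run_sample().items():
        print(f"{ip}: sprayed {len(f['accounts'])} accounts, "
              f"successes after spray began: {f['compromised']}")
```

Two caveats a practitioner would want. First, keying on source IP is the weakest pivot: a patient actor spreads attempts across many addresses and stretches the timing beyond any single window, so the same distinct-account counting should also be run per ASN, per user agent and over a longer horizon with a lower per-account attempt rate. Second, a detector like this only tells you after the fact; the measure from the list above that actually stops a spray is multi-factor authentication on every provider account, since a sprayed password is useless without the second factor.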
The company says that it has “been coordinating with others in the security community to improve our knowledge of, and protections against, Nobelium’s activity, and we’ve been working closely with government agencies in the U.S. and Europe.” It also stressed the importance of efforts by national governments to address state-backed hacking groups.