Nobelium threat group actively targeting IT supply chain

Microsoft has warned that global IT supply chains are under attack from Nobelium, a Russian state-backed threat group responsible for the SolarWinds cyber attack last year, where swathes of the US government and private companies were compromised.

This latest attack appeared to be focused on resellers and technology service providers, with at least 140 organisations targeted and 14 confirmed cases of successful compromise. 

Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust, stated in an advisory on Sunday that Nobelium is targeting software and cloud service resellers in hopes of being able to “piggyback on any direct access that resellers may have to their customers' IT systems”.

Reportedly, Microsoft started “observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community”.  

The attacks 

Between July 1st and October 19th, Microsoft picked up 22,868 hacking attempts by the Nobelium threat group and alerted more than 609 of its customers.

Unlike SolarWinds, where Nobelium leveraged specific vulnerabilities and security flaws in software, these latest attacks apparently rely more on password spraying and phishing to perform credential stuffing and gain access to victims’ systems, where the attackers then escalate privileges.

Microsoft has stated, “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling” both now and in the long term “targets of interest to the Russian government”. However, Microsoft says it “discovered this campaign during its early stages” and “are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful”.

Recommendations: 

Microsoft has released technical guidance that outlines how Nobelium manages to gain access to organisations’ systems and move laterally across networks to reach downstream customers, as well as what customers can do to safeguard themselves against these attacks.

Rise of Nobelium 

Nobelium has become one of the more infamous Russian-backed advanced persistent threat (APT) groups. Prior to July 1st, a past phishing campaign of theirs, where they impersonated USAID, was reported to customers by Microsoft. At the time, Microsoft was alerting customers of 20,500 hacking attempts conducted by nation-state actors. 

Only last month, Nobelium was also linked to the FoggyWeb backdoor malware, showing that the threat group really lives up to its name as an advanced persistent threat group.

Nobelium is most infamous for the SolarWinds breach in December 2020. Nobelium breached SolarWinds systems and injected malicious code into a legitimate update for Orion software, utilising SolarWinds’ legitimate channels to then spread it to and compromise 18,000 customers, installing malware and creating the infamous Sunburst/Solorigate backdoor.

The APT then targeted high-profile organisations, including Microsoft, FireEye, the Cybersecurity and Infrastructure Agency (CISA), the Department of Homeland Security (DHS) and the US Treasury, stealing sensitive data and planting more backdoor malware.  

Due to the complexity of the SolarWinds operation, Microsoft estimated it had been the work of at least 1,000 engineers.

With these latest attacks, Nobelium has switched gears again, showing it is nothing if not adaptable, although this still falls in line with their attack vector theme of taking advantage of the trust between suppliers and consumers to perform cyber attacks. 

Charles Carmakal, Mandiant’s Strategic Services CTO, whose firm has investigated many incidents of suspected Russian state-backed cyberattacks, stated “While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government”. 

US officials confirmed to the Times the Russian hacking operation was ongoing; however, one anonymous senior administration official called these latest attacks “unsophisticated, run-of-the-mill operations that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices”.
