The U.S. technology giant Microsoft says that the same Russia-backed hackers responsible for the 2020 SolarWinds breach of corporate computer systems is continuing to attack global technology systems, this time targeting cloud service resellers.
Microsoft said the group, which it calls Nobelium, is employing a new strategy to take advantage of the direct access resellers have to their customers’ IT systems, hoping to “more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”
Resellers are intermediaries between software and hardware producers and the eventual technology product users.
In a statement Sunday, Microsoft said it has been monitoring Nobelium’s attacks since May and has notified more than 140 companies targeted by the group, with as many as 14 of the companies’ systems believed to have been compromised.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Microsoft wrote in a blog post.
“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” the company said.
Charles Carmakal, senior vice president and chief technology officer at cybersecurity firm Mandiant, said this attack was different from the SolarWinds attack that used malicious code inserted into legitimate software, saying this involves “leveraging stolen identities” to access systems.
“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” he said. “This is particularly effective for the threat actor for two reasons: First, it shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses.
“And second, investigating these intrusions requires collaboration and information-sharing across multiple victim organizations, which is challenging due to privacy concerns and organizational sensitivities,” Carmakal said.
When asked about the attack, White House Principal Deputy Press Secretary Karine Jean-Pierre said Monday companies “can prevent these attempts if the cloud service providers implement baseline cybersecurity practices, including multifactor authentication.”
“Broadly speaking, the federal government is aggressively using our authorities to protect the nation from cyber threats, including helping the private sector defend itself through increased intelligence sharing, innovative partnership to deploy cybersecurity technologies, bilateral and multilateral diplomacy, and measures we do not speak about publicly for national security reasons,” she told reporters aboard Air Force One on route to New Jersey.
Microsoft said Nobelium had made 22,868 attacks since July but had only been successful a handful of times. Most of the attacks have targeted U.S. government agencies and think tanks in the United States, followed by attacks in Ukraine, the United Kingdom and in other NATO countries.
A U.S. government official downplayed the attacks in a statement to The Associated Press, saying, “The activities described were unsophisticated password spray and phishing, run-of-the mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments.”
Washington blamed Russia’s SVR foreign intelligence agency for the 2020 SolarWinds hack, which compromised several federal agencies and went undetected for much of last year. Russia has denied any wrongdoing.
Some information for this report comes from AP and Reuters.