Microsoft: SolarWinds hackers are back and attacking supply chains

Nobelium's last campaign hit companies all over the world


At least 14 IT service providers have already been compromised

The Russia-linked hacking group Nobelium, which has been blamed for last year's SolarWinds intrusion, is targeting key players in the global IT supply chain as part of a new campaign, according to Microsoft.

This time, the threat group is attacking a different part of the supply chain: resellers and other tech service providers who assist end users in customising, deploying and managing cloud services and other technologies.

Microsoft researchers believe Nobelium ultimately hopes 'to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organisation's trusted technology partner to gain access to their downstream customers.'

Nobelium, also known as UNC2452, Dark Halo, SolarStorm, and StellarParticle, is believed to be a Russian government-sponsored threat group.

It is linked with Russia's foreign intelligence service known as the SVR, and has a history of targeting organisations integral to the global IT supply chain.

Tom Burt, corporate vice president of customer security and trust at Microsoft, said Nobelium has targeted at least 140 IT service providers - and successfully compromised 14 - in the latest campaign, which it began in May this year.

However, instead of exploiting vulnerabilities in software, the group is relying on well-known tactics such as phishing, password spraying, API abuse and token theft in its attempts to steal valid credentials and gain privileged access to victims' networks.
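Password spraying, one of the tactics named above, has a distinctive footprint in sign-in logs: a single source trying a handful of passwords against many different accounts, rather than hammering one account. The following detector is an added example written for this article, not code from Microsoft's guidance; it assumes a constructed CSV-style log format (timestamp, source IP, username, result) and flags sources that fail against at least five distinct accounts inside a ten-minute window, listing any accounts that later succeeded from the same source.

```python
"""Detect password-spraying patterns in sign-in logs.

Added example, not part of the article or of Microsoft's guidance. Assumes
each record is "timestamp,src_ip,user,result" with an ISO 8601 timestamp.
A spray produces failures against MANY distinct users from one source in a
short window; a brute force produces many failures against ONE user. The
detector flags the former and deliberately ignores the latter.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one spraying source and one
# single-account brute force, so the two patterns can be told apart.
SAMPLE_LOG = """\
2021-10-20T09:00:01Z,203.0.113.7,alice@example.test,FAILURE
2021-10-20T09:00:04Z,203.0.113.7,bob@example.test,FAILURE
2021-10-20T09:00:07Z,203.0.113.7,carol@example.test,FAILURE
2021-10-20T09:00:10Z,203.0.113.7,dave@example.test,FAILURE
2021-10-20T09:00:13Z,203.0.113.7,erin@example.test,FAILURE
2021-10-20T09:00:16Z,203.0.113.7,frank@example.test,SUCCESS
2021-10-20T09:01:00Z,198.51.100.2,alice@example.test,FAILURE
2021-10-20T09:01:30Z,198.51.100.2,alice@example.test,FAILURE
2021-10-20T09:02:00Z,198.51.100.2,alice@example.test,SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user.strip().lower(), result.strip()))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: {"users": n, "succeeded": [...]}} for every source whose
    failures touched at least min_users distinct accounts within `window`.
    "succeeded" lists accounts that ever logged in successfully from that
    source, i.e. the ones to review first after a spray is flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, u) for ts, u, r in evs if r == "FAILURE"]
        start = 0
        # Sliding window over the time-ordered failures from this source.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                succeeded = sorted({u for _, u, r in evs if r == "SUCCESS"})
                findings[ip] = {"users": len(users), "succeeded": succeeded}
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} accounts sprayed; successes: {info['succeeded']}")
```

On the sample data only 203.0.113.7 is flagged: 198.51.100.2 fails repeatedly against a single account, which is a different pattern (and is usually caught by per-account lockout, which a spray is specifically shaped to evade). In production the same logic runs over identity-provider sign-in logs, with the thresholds tuned to the tenant's normal failure rate.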

Microsoft warned more than 600 customers of nearly 23,000 hacking attempts between 1st July and 19th October.

"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling - now or in the future - targets of interest to the Russian government," Burt said.

"Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful," he added.

Microsoft has released technical guidance detailing how Nobelium's members attempt to move laterally across networks to reach downstream customers.

Ilia Kolochenko, a member of Europol Data Protection Experts Network, said: "Supply chain attacks will certainly continue their surge in 2022. Suppliers are the Achilles' heel of the largest financial institutions, governmental institutions and providers of critical national infrastructure. Compared to frontal attacks against the victims, silent attacks against third parties are generally faster, cheaper and less noisy. Moreover, suppliers may also have access to more data than the victims themselves, for example, by storing more data in backups than contractually allowed or expected."

Sam Curry, president at Cybereason Government Inc., said: "What Microsoft's Nobelium report doesn't include is the smoking gun pointing from Russia to its targets, but that could exist behind the scenes.

"The company is, however, suggesting that downstream compromises, which effectively leverage trusted software to begin attack runs, are enabled by upstream identity compromise. Should it be true, this would begin to clear the upstream methodology of Nobelium who attacked SolarWinds and Microsoft alike over the last two years."

The SolarWinds hack first came to light in December 2020, after the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were found to have been compromised in a massive cyber campaign.

The attackers were able to breach networks after compromising SolarWinds' network monitoring software Orion, which was widely used by various government departments and private companies.

The hackers then inserted malicious code into legitimate software updates for Orion, which gave them remote access into the victims' environments.

The USA blamed Russia for the intelligence coup and sanctioned several Russian officials and organisations in April.

Russia denied the allegations, saying it had no involvement in the hack.