Microsoft warns of new attack by group behind SolarWinds hack

Microsoft is warning that the hacking group behind the SolarWinds cyberattack has launched another campaign against the global IT supply chain, including resellers and providers of cloud technology.

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Microsoft’s corporate vice president of customer security and trust, Tom Burt, said in a blog on Monday.

According to Burt, Nobelium is “attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”

Burt said that 609 customers were informed between July 1 and Oct. 19 “that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits.” 

Burt added that Microsoft has notified more than 140 resellers and technology service providers that have been targeted by Nobelium since May.

“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised,” he said.

The attacks come less than a year after the discovery of the SolarWinds hack, which allowed the same Russian government hacking group to compromise almost a dozen U.S. federal agencies for most of last year through exploiting a vulnerability in the software of IT group SolarWinds. 

Cybersecurity group Mandiant, previously FireEye, was the first to discover the massive hacking operation when it announced that its systems had been compromised in December. 

Charles Carmakal, senior vice president and chief technology officer at Mandiant, told The Hill in a statement Monday that the new attacks had “involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government.”

“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” Carmakal said. “Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organizations and other organizations that deal in matters of interest to Russia. The intrusion activity is ongoing and Mandiant is actively working with organizations that are impacted.”

Karine Jean-Pierre, the White House principal deputy press secretary, pointed to Microsoft Monday for details on the attacks when questioned by reporters, but  stressed that the Biden administration was taking steps to prevent and deter malicious cyber activity. 

“Broadly speaking, the federal government is aggressively using our authorities to protect the nation from cyber threats, including helping the private sector defend itself through increased intelligence sharing, innovative partnerships to deploy cybersecurity technologies, bilateral and multilateral diplomacy, and measures we do not speak about publicly for national security reasons,” Jean-Pierre told reporters aboard Air Force One.

Burt also said that the hacks were not targeted at any flaw or vulnerability in software, but were instead “password spray and phishing,” attacks aimed at stealing legitimate credentials and gaining privileged access. 

He added that “Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”

The New York Times, meanwhile, reported that Russia is attempting to access thousands of U.S. government, corporate and think-tank computer networks in response to the sanctions imposed by the Biden administration.