Since May 2021, Nobelium, the threat actor behind last year’s widely-reported SolarWinds campaign (opens in new tab), has been observed attacking organizations in the US and Europe according to cybersecurity (opens in new tab) experts.
Tracking the movements of Nobelium, researchers from the Microsoft Threat Intelligence Center (MSTIC) share that the group is going after IT services organizations including cloud service (opens in new tab) providers (CSP), and managed service providers (MSP (opens in new tab)), in a bid to gain access to their downstream customers.
“MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve,” shares MSTIC (opens in new tab).
The researchers add that the latest observed activity bears the hallmarks of Nobelium’s compromise-one-to-compromise-many approach.
Not over yet
The SolarWinds hacking campaign, which went undetected for over a year, brought forth the risks of a software supply chain attack (opens in new tab), where compromising an essential component could be used as a springboard for further attacks on a much wider scale.
After categorizing Nobelium as Russian state-sponsored threat actors, the US government imposed several financial sanctions (opens in new tab) on the country and also expelled about a dozen of its diplomats.
However it seems Washington’s actions have had little impact on the Kremlin. Microsoft has reportedly observed Nobelium attack 609 companies some 22,868 times, between July 1 and October 19 this year.
For comparison, this number represents more attacks than Microsoft observed from all government-linked hackers in the previous three years, Tom Burt, Microsoft’s corporate vice president for customer security and trust, told the Wall Street Journal (opens in new tab).
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain,” asserts Burt.
All in a day’s work
A US government official briefed on Microsoft’s findings told WSJ that the latest intrusion attempts appeared to be largely routine hacking attacks.
“Based on the details in Microsoft’s blog, the activities described were unsophisticated password spray and phishing (opens in new tab), run-of-the mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments,” the US government official told the WSJ.
The official added that the intrusion attempts “could have been prevented if the cloud service providers had implemented baseline cybersecurity practices, including multi-factor authentication (MFA (opens in new tab)).”
