Microsoft says Russia-backed hackers are targeting cloud services, supply chain
Microsoft says the same Russia-backed hackers responsible for the 2020 SolarWinds breach continue to attack the global technology supply chain and have been relentlessly targeting cloud service companies and others since summer.
The group, which Microsoft calls Nobelium, has employed a new strategy to piggyback on the direct access that cloud service resellers have to their customers' IT systems, hoping to "more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," Microsoft said. Resellers act as intermediaries between software and hardware makers and product users.
"Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful," the Seattle-based software giant said in a blog post on Sunday.
"This is the same actor behind the cyberattacks targeting SolarWinds customers in 2020 and which the U.S. government and others have identified as being part of Russia's foreign intelligence service known as the SVR," the company said.
SVR is one of two Russian intelligence bureaus that were linked to prominent ransomware gangs in a report earlier this year by cybersecurity firm Analyst1. Russian intelligence services worked with cybercriminals to compromise U.S. government and government-affiliated organizations, the report said.
The ransomware groups used a technique called "domain fronting" to hide their activity. They likely relied on a time-tested hacking tool called Mimikatz to infiltrate targeted systems, then distributed malware using PowerShell, a Windows scripting tool, according to Analyst1.
Biden administration downplayed impact
The Biden administration downplayed the impact of the Russian efforts. A U.S. government official who requested anonymity because they were not authorized to speak on the record noted that "the activities described were unsophisticated password spray and phishing, run-of-the-mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments."
Microsoft has been observing Nobelium's latest campaign since May and has notified more than 140 companies targeted by the group, with as many as 14 believed to have been compromised. The attacks have increased dramatically since July, Microsoft noted. The company wrote that it told 609 customers that they had been attacked 22,868 times by Nobelium between July 1 and October 19, with a success rate in the low single digits. That's more attacks than Microsoft had flagged from all nation-state actors in the previous three years.
Earlier this month, Microsoft reported that Russia accounted for the majority of state-sponsored hacking it detected during the past year. Most of the attacks targeted government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members.
The U.S. government has previously blamed Russia's SVR foreign intelligence agency for the SolarWinds hack, which went undetected for most of 2020, compromised several federal agencies and badly embarrassed Washington. The Russian government has denied any wrongdoing.
Microsoft said the recent activity "is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government."