Posted on October 26, 2021 at 6:09 PM

Microsoft Says SolarWinds Hackers Are Launching New Sets Of Attacks

Microsoft has issued a warning about the recent activities of the Nobelium hacking group responsible for the SolarWinds incident last year. According to the tech giant, the group has targeted about 140 technology service providers and resellers in global IT supply chains.

The threat group is specifically targeting the providers that offer customized, deployment, and cloud managing services.

Researchers at Microsoft noted that the threat actors are looking to gain access to the organizations’ downstream customers via the computer systems of their partners.

Nobelium goes by so many other names, including StellarParticle, SolarStorm, Dark Hello, and UNC2452. The threat group is believed to be sponsored by the Russian government.

The hacking syndicate has been connected to the Russian foreign intelligence called SVR. It has a record of launching cyber attacks on organizations that are vital to the global IT supply chain.

Microsoft’s corporate vice president of customer security, Tom Burt, confirmed the recent activities of the group. According to him, the group has already launched an attack on 140 IT service providers. It has also successfully compromised 14 of them 5 months into the new campaign.

Threat Group Changes Direction 

Nobelium is notorious for its preference to exploit software vulnerabilities. However, in the latest attack, the group has decided to exploit other more popular attack methods. The group is using methods such as API abuses, password spraying, and phishing, as well as token theft to gain unauthorized access to the victims’ networks.

Microsoft said the group has attempted over 23,000 hacks between July 1 and October 19, 2021. Its researchers said the threat group is still active and looking to infiltrate as many customer computer systems as they can.

Russia Looking To Gain Long-Term Access

Microsoft revealed that the attacks on these organizations show that the Russian government wants to gain systematic and long-term access to the supply chain technology supply. It also wants to put a system in place that can monitor targets of interest for the government.

But Microsoft stated that the activities of the threat actor were discovered at the early stage of their infiltration, which has helped to reduce the damage. The researchers said they want to issue advice and share the development to help technology providers and service resellers. This, according to the researchers, will help them take the necessary steps to make sure the threat actors are not successful in their plans.

Microsoft has also released details of the actions taken by the Nobelium Group to navigate across networks and infiltrate customers’ accounts.

Ilia Kolochenko, of the European Data Protection Experts Network, noted that threat actors are not done with supply chain attacks yet. He added that it will likely continue until 2022, with the majority of the attackers targeting suppliers who are the most vulnerable.

Unlike direct attacks on the downstream customers, supply chain attacks are generally more concealed and faster. In most cases, it is difficult to notice the attack until the threat actors have caused several damages and infiltrated organizations’ systems.

Additionally, the suppliers could have more important data than the victims, which makes their attack more lucrative. For instance, the suppliers can store more data in backups, which is contractually not expected or allowed.

Companies Advised To Protect Themselves 

President at Cybereason Government Inc, Sam Curry, added that the report by Microsoft is a comprehensive one. He stated that companies in harm’s way should do the needful to avoid being victims of the latest onslaught of the dangerous Nobelium group.

Microsoft has suggested methods organizations can use to protect themselves against the attack. It stated that the downstream attacks take advantage of trusted software to launch their attack. The vulnerable software is unknowingly enabled by the upstream identity infiltration. As a result, companies should start clearing the upstream methodology of Nobelium, which affected both Microsoft and SolarWinds over the last two years. 

The SolarWinds attack has been well documented after it hit major organizations and institutions in December 2020. 

The massive cyber campaign affected the NTIA and the US Treasury Department. The threat actors successfully compromised Orion, the SolarWinds’ network monitoring software. The network was used by several private firms and government departments.

After gaining access, the threat actors planted malicious code in Orion’s genuine software update, which was downloaded by the victims and gave the hackers direct access.

The ripple effect of the attack on several government agencies made it one of the most notorious cyber attacks the world has ever experienced.

The US government pointed accusing fingers at Russia, but the government denied having any link with the hackers.