Microsoft calls the group Nobelium. It says the group has adopted a new strategy that takes advantage of the direct access cloud service resellers have to their customers’ IT systems, hoping to “more easily impersonate an organisation’s trusted technology partner to gain entry to their downstream customers.” Resellers act as intermediaries between the cloud giants and their customers, managing and customizing those customers’ accounts on their behalf.
“Fortunately, this campaign was discovered in its early stages and we are sharing the developments to help cloud service resellers and technology providers and their customers take timely actions to ensure Nobelium does not become more successful,” Tom Burt, a Microsoft vice president, wrote in a blog post.
Microsoft’s announcement was downplayed by the Biden administration. A U.S. official briefed on the matter, who requested anonymity to discuss the government’s response, said the activities described were “unsophisticated password-spray and phishing, run of the mill operations for surveillance that we already know are attempted daily by Russia and other foreign countries.”
The Russian Embassy did not immediately reply to a request for comment.
Relations between the U.S. and Russia have been strained this year by a series of ransomware attacks on U.S. targets by Russia-based cyber gangs. U.S. President Joe Biden warned Russian President Vladimir Putin to clamp down on ransomware criminals. However, several high-ranking cybersecurity officials in the administration have said recently that they have not seen evidence that Russia has done so.
In a supply chain attack, hackers break into one product that many organizations rely on and use that single foothold to reach, and steal information from, all of its downstream users. The U.S. government previously blamed Russia’s SVR foreign intelligence agency for the SolarWinds hack, a supply-chain compromise that went unnoticed for most of 2020 and severely embarrassed Washington.
The campaign is named after SolarWinds, the U.S. software firm whose product was used in the hacking effort. In April, the Biden administration placed new sanctions on six Russian companies supporting the country’s cyber efforts in response to the SolarWinds hack.
Microsoft has been monitoring Nobelium’s latest campaign since May and has notified more than 140 companies that were targeted by the group; as many as 14 are believed to have been compromised. The attacks have intensified since July: Microsoft noted that it had informed 609 customers that they had been targeted 22,868 times, with a success rate in the low single digits. That is more attack notifications than Microsoft had issued for all nation-state actors combined over the previous three years.
Burt said that Russia is seeking long-term, systemic access to a number of points in technology supply chains and establishing a mechanism to surveil, now and in the future, targets of Russian interest.
Microsoft did not identify any of the targets in the latest campaign. Mandiant, a cybersecurity firm, said it had seen victims in North America and Europe.
Charles Carmakal, Chief Technology Officer at Mandiant, said the hackers use the resellers as a way to hide their identity, which makes detection harder.
He said, “It shifts an initial intrusion away from the ultimate targets, who in some cases are organizations with more advanced cyber defenses, to smaller technology partners with fewer cyber defenses.”