Aragon Research

SolarWinds Update – Nobelium Attacks Increase



By Jim Lundy and Craig Kennedy

There has been more movement since the SolarWinds hack of 2020. Earlier this year, the US federal government accused Russia’s Foreign Intelligence Service (SVR) of sponsoring a group called Nobelium, which was confirmed as the group that conducted the SolarWinds hack.

This blog provides a quick update on the current state of affairs and reinforces the need for better IT security.

State-Sponsored Hacking Has Arrived

Figure 1

While China has been in the news recently for state-sponsored hacking, it’s now Russia’s SVR that’s making the headlines. The US federal government accused Russia’s SVR of hacking in April of 2021 due to its sponsorship of Nobelium, the Russian hacking group that perpetrated the SolarWinds attack. Microsoft announced last week that Nobelium is attempting to replicate its prior hack of SolarWinds, only this time it’s focusing on the global IT supply chain.

The Microsoft Digital Defense Report, published last month, highlights the activities of cybercriminals and nation-state actors and the countries and sectors they’re targeting (Figure 1) as well as lots of other information on cyber threats and how to mitigate them. 

Nothing To See Here—I’m Your Trusted Technology Partner

Nobelium is targeting service providers that offer IT services to their clients. Or, more specifically, it is targeting service providers that have been granted elevated privileges to deploy and manage services on behalf of their clients. Once a service provider is compromised, any service that’s deployed on behalf of one of its clients should be assumed to have been compromised.

Microsoft has identified more than 140 resellers and technology service providers attacked by Nobelium since May, with as many as 14 having been compromised. These attacks are part of a larger ongoing series of Nobelium activities over the summer in which 609 separate customers were attacked a total of 22,868 times. Microsoft has notified these 609 customers; however, this increase in activity illustrates Russia’s determination to gain a permanent foothold within the US supply chain.

From Russia Without Love

These attacks didn’t exploit any flaws or vulnerabilities to access the targeted systems, but rather used simple phishing or password spray techniques to obtain credentials and gain privileged access. It also appears that the goal was not to cause immediate damage, but rather to stealthily gain access to a wide number of resources to conduct espionage and surveillance over time and identify high-value targets for exploitation or damage now or in the future.
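The password-spray technique described above leaves a distinctive trace in sign-in logs: one source fails against many different accounts with only one or two guesses each, which is the opposite of a brute-force attempt against a single account. The following Python detector is an added example, not code from this post or from Microsoft; the log line format, the thresholds and the IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not from the page): "timestamp user source_ip result".
# 203.0.113.5 makes one guess against many different accounts; 198.51.100.9 is a normal
# user who mistypes a password twice and then signs in.
SAMPLE_LOG = """\
2021-10-25T09:00:01Z alice 203.0.113.5 FAILURE
2021-10-25T09:00:04Z bob 203.0.113.5 FAILURE
2021-10-25T09:00:07Z carol 203.0.113.5 FAILURE
2021-10-25T09:00:10Z dave 203.0.113.5 FAILURE
2021-10-25T09:00:13Z erin 203.0.113.5 FAILURE
2021-10-25T09:00:16Z frank 203.0.113.5 SUCCESS
2021-10-25T09:01:00Z grace 198.51.100.9 FAILURE
2021-10-25T09:01:20Z grace 198.51.100.9 FAILURE
2021-10-25T09:01:40Z grace 198.51.100.9 SUCCESS
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources whose failures spread over at least
    min_accounts distinct users inside one window, with at most max_per_account failures each."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding time window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[ip] = sorted(per_user)
    return hits

def compromised_accounts(events, sprayers):
    """Accounts that later signed in successfully from a flagged source: the spray may have landed."""
    return sorted({u for _, u, ip, r in events if r == "SUCCESS" and ip in sprayers})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayers = detect_password_spray(evs)
    print(sprayers)                             # {'203.0.113.5': ['alice', 'bob', 'carol', 'dave', 'erin']}
    print(compromised_accounts(evs, sprayers))  # ['frank']
```

A success from a flagged source is the event to escalate, since it is the credential the attacker can now use for the privileged access the post describes.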

Microsoft Doubles Down on Security

Microsoft has been working closely with others in the security community as well as government agencies in the US and Europe. Additionally, it has launched a series of activities to help mitigate the threats from these attacks including a new program that provides two years of Azure Active Directory Premium plan for free to ensure that customers have the best possible protection. It is also working with customers and partners on additional security measures to help isolate and mitigate these threats.

The attacks we’re aware of are significant, and kudos to Microsoft for being incredibly transparent about the issues as well as the remediation efforts to mitigate these attacks. What should keep all of us up at night is wondering how much of the state-sponsored hacking iceberg we are actually seeing, and how much is lurking beneath the surface that we haven’t seen yet.

Bottom Line

These latest rounds of cybersecurity attacks are backed by nation-states and are well-funded and resourced, presenting an increasingly dangerous threat to our cyberinfrastructure. Enterprises need to review their security positioning and ensure not only that they are taking a proactive stance on securing their own infrastructure, but that any trusted technology provider is doing the same.
