Russian-linked hacking group Nobelium poses a significant threat to the global IT supply chain, Microsoft warned in a recent blog post. Threats to the IT supply chain could have an immense impact on the healthcare sector in particular, as many providers rely on cloud security and IT vendors to handle sensitive data.
Nobelium was responsible for a massive 2020 cyberattack on SolarWinds that impacted thousands of organizations, including portions of the US government. Microsoft’s Tom Burt, corporate vice president of customer security and trust, warned resellers and technology service providers that customize, deploy, and manage cloud services to be wary of Nobelium.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt wrote in the blog post. “We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community.”
Since May, Microsoft has notified more than 140 technology service providers and resellers that have been targeted by Nobelium. Approximately 14 of those technology vendors have been compromised. Microsoft issued this warning in hopes that resellers, technology providers, and customers take steps to mitigate these attacks and prevent Nobelium from being more successful.
“Microsoft’s recent revelation confirms a frightening motive: Nobelium is in search of its next carrier. The company SolarWinds was just the carrier for Nobelium to reach a larger audience. Nobelium quickly learned that a company like SolarWinds can open doors into infiltrating its target audience,” added Lotem Finkelsteen, Head of Threat Intelligence at Check Point Research (CPR). “The target audience being federal agencies, cyber security companies, IT companies and more. Now, the Russian-based group is looking for another popular vendor to play a similar role to that of SolarWinds. Hence, the search for the next carrier is on and intense. We urge every company to ensure they are protected, as the Nobelium group is highly sophisticated, attacking with both advanced homegrown tools and off-the-shelf ones, as we describe in a previous blog.”
Microsoft observed an uptick in Nobelium attacks over the summer. Between July 1 and October 19, Microsoft notified 609 customers that they had been attacked 22,868 times by Nobelium. The threat actors had a success rate in the single digits; for comparison, Microsoft had notified customers about attacks from all nation-state actors a total of 20,500 times over the prior three years.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” the post continued.
Rather than exploiting software vulnerabilities, recent Nobelium attacks have used common techniques, including password spray and phishing, to obtain credentials and gain access to networks. Microsoft is now working closely with US and European government agencies to mitigate the attacks.
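The paragraph above names password spray as the credential-theft technique but does not show what it looks like in sign-in telemetry. The following Python detector is an added illustration, not code from Microsoft, Check Point or the article: it runs over constructed sign-in log lines (the log format, the IP addresses and user names, and the thresholds are all assumptions) and flags the spray signature, a single source failing against many distinct accounts with only a few failures per account, which is the shape that stays under per-account lockout limits.

```python
"""Password-spray detection over sign-in logs (added example; constructed data).

A brute-force attack makes many attempts against one account. A spray makes one
or two attempts against many accounts from one source, so per-account lockout
never fires. The detection therefore keys on the *source*: one IP that fails
against >= min_users distinct accounts inside a window, with no single account
failing more than max_failures_per_user times.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Assumed format:
# <ISO-8601 timestamp> <source_ip> <user> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2021-10-20T09:00:01Z 203.0.113.7 alice FAILURE
2021-10-20T09:00:04Z 203.0.113.7 bob FAILURE
2021-10-20T09:00:07Z 203.0.113.7 carol FAILURE
2021-10-20T09:00:10Z 203.0.113.7 dave FAILURE
2021-10-20T09:00:13Z 203.0.113.7 erin FAILURE
2021-10-20T09:00:16Z 203.0.113.7 frank FAILURE
2021-10-20T09:00:19Z 203.0.113.7 grace SUCCESS
2021-10-20T09:01:00Z 198.51.100.9 alice FAILURE
2021-10-20T09:01:05Z 198.51.100.9 alice FAILURE
2021-10-20T09:01:10Z 198.51.100.9 alice SUCCESS
2021-10-20T09:30:00Z 192.0.2.44 heidi SUCCESS
"""


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_password_spray(lines, window=timedelta(minutes=10),
                          min_users=5, max_failures_per_user=3):
    """Return one alert per source IP whose failures inside `window` touch
    at least `min_users` distinct accounts while no account fails more than
    `max_failures_per_user` times. Successful sign-ins from the same source
    inside that window are listed as the accounts to check first.
    """
    by_source = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_source[ip].append((ts, user, result))

    alerts = []
    for ip, events in by_source.items():
        events.sort()  # chronological order per source
        for i, (start, _, result) in enumerate(events):
            if result != "FAILURE":
                continue  # a window only starts at a failed attempt
            failures = defaultdict(int)
            successes = set()
            for ts, user, res in events[i:]:
                if ts - start > window:
                    break
                if res == "FAILURE":
                    failures[user] += 1
                else:
                    successes.add(user)
            if (len(failures) >= min_users
                    and max(failures.values()) <= max_failures_per_user):
                alerts.append({
                    "source": ip,
                    "first_seen": start,
                    "distinct_users": len(failures),
                    "users": sorted(failures),
                    # accounts that authenticated from the spraying source
                    # inside the window: likely guessed credentials
                    "successes": sorted(successes),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, the detector raises one alert for 203.0.113.7 (six distinct accounts failed in under twenty seconds, then `grace` signed in from the same source) and stays silent for 198.51.100.9, which retried a single account and is a different pattern. The thresholds are deliberately parameters: in a real tenant they should be tuned against the baseline of shared NAT gateways and VPN egress points, which otherwise produce the same many-users-one-source shape.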
“While the reveal of Sunburst (aka SolarWinds) ruined Nobelium’s main attack vector, it didn’t affect or change the interest behind it – gaining a long-lasting foothold in federal agencies. Therefore, when plan A falls, they must bring a plan B to the table,” explained Finkelsteen. “It all starts with a resistant security posture. One that is not only capable of detecting known threats, but one that is also designed to detect threats that were never seen before. It costs, but this is the only answer to advanced threats.”
“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Burt wrote.
Based on this new knowledge, Microsoft is working to implement supply chain security improvements for service providers that sell or support Microsoft technology. Microsoft is currently piloting improved monitoring to enable customers to audit their privileged accounts. In addition, the tech giant improved security protocols and detections in its products to help organizations quickly identify and respond to cyberattacks.
“The lesson is that while you are not the target of the attack, you may have some other role in the attack – maybe you are the carrier, or only the tunnel. And maybe you are just what is considered ‘collateral damage’. In Sunburst many companies were compromised, and only a few were found to be valuable and were picked for the ‘long’ term of this operation. We cannot ignore or overlook it, no matter what the real targets and goals of this attack are,” explained Finkelsteen.
Nobelium and other threat actors are continuing to ramp up attacks and deploy sophisticated ransomware on unsuspecting organizations. The FIN12 ransomware group has focused nearly a quarter of its attacks on the healthcare sector, and over 70 percent of its attacks have targeted US-based entities.