The same Russia-backed hackers behind last year’s massive SolarWinds cyberattack are at it again, this time targeting tech companies that provide and resell cloud technology, Microsoft said Monday.
What You Need To Know
- The same Russia-backed hackers behind last year’s massive SolarWinds cyberattack are at it again, this time targeting tech companies that provide and resell cloud technology, Microsoft said Monday
- In a blog post, Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote that the group Nobelium has been attempting to replicate its approach in past attacks on organizations key to the global technology supply chain
- The company said it has notified more than 140 resellers and technology service providers that they have been attacked; it believes as many as 14 have been compromised
- The U.S. government blamed Russia for the SolarWinds attack, in which hackers had unfettered access for months to the files and emails of at least nine federal agencies and about 100 private-sector companies
In a blog post, Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote that the group Nobelium has been attempting to replicate its approach in past attacks on organizations key to the global technology supply chain.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt wrote.
Microsoft said it first detected the latest campaign in May. The company said it has notified more than 140 resellers and technology service providers that they have been attacked; it believes as many as 14 have been compromised.
“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.”
Burt said the hacks are part of a larger campaign by Nobelium, leading to nearly 23,000 attacks on more than 600 customers, but a success rate “in the low single digits.”
He added that the latest attacks do not exploit any vulnerability in software, but rather uses methods such as phishing and password sprays to steal log-in credentials. Microsoft said it is providing assistance and guidance to help its partners protect themselves and their customers.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Burt wrote.
The U.S. government blamed Russia for the SolarWinds attack, in which hackers hid malware code in an update for SolarWinds’ popular network management software, giving the cybercriminals unfettered access for months to the files and emails of at least nine federal agencies and about 100 private-sector companies.
Microsoft President Brad Smith called it “the largest and most sophisticated attack the world has ever seen.”
In May, Sergei Naryshkin, director of Russian’s Foreign Intelligence Service, denied his country had any role in the SolarWinds attack, but said he was “flattered” by the allegation.
The U.S. sanctioned Russia in April over the SolarWinds attack, as well as election interference, and expelled 10 Russian diplomats. The White House said this summer there were ongoing expert-level talks between Russia and the U.S. over cyber security after President Joe Biden raised the issue with Russian President Vladimir Putin during their summit in June in Geneva.
The Russian Embassy in Washington did not immediately respond to a request for comment from Spectrum News about Microsoft’s latest allegations.
In a statement to Spectrum News, Eric Goldstein, executive associate director of the cybersecurity division at the U.S. Cybersecurity and Infrastructure Security Agency, said CISA "encourages all organizations, regardless of size, to take stock of their cybersecurity and ensure they have appropriate measures in place to protect their networks and systems, including data and applications hosted in the cloud."
The agency is also working with the Joint Cyber Defense Collaborative "to optimize our public-private response to threats facing public cloud infrastructure," Goldstein said.
A senior Biden administration official downplayed the latest intrusion to The New York Times, saying they considered it routine spying that could have been prevented by cloud service providers practicing baseline cybersecurity measures.
Editor's Note: This article was updated to include the statement from CISA's Eric Goldstein.