Hackers compromised Microsoft support agent to launch attacks against customers

Cartoon Phishing
(Image credit: Shutterstock / DRogatnev)

Cybersecurity researchers from Microsoft have shared details about a recent and “mostly unsuccessfully” campaign by state-sponsored actors against several customers.

Security experts at the Microsoft Threat Intelligence Center (MSTIC) note that threat actor Nobelium used an information-stealing malware on the computer of a customer support agent to launch a series of “highly-targeted” attacks.

“This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date,” shared MTIC in a blog post, without going into details about the extent of the compromise.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

Reuters claims Microsoft announced the breach only after it approached the software giant to inquire about a note the Redmond-based company had sent out to affected customers.

Run-of-the-mill espionage

The state-sponsored Nobelium group, thought to be operating out of Russia, is largely believed to be behind the infamous SolarWinds supply chain attack.

Reuters spoke to an unnamed official at the White House, who claimed the latest campaign appeared far less serious than the SolarWinds attack.

"This appears to be largely unsuccessful, run-of-the-mill espionage," the official reportedly told Reuters.

In its blog post, MSTIC shares that Nobelium conducted password spray and brute-force attacks against Microsoft customers to gain access to their networks.

The threat actor targeted customers in three dozen countries, with most of the targets in the US (45%), followed by UK (10%), and smaller numbers in Germany and Canada.

The majority of these were IT companies (57%), followed by government entities (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.  

“This type of activity is not new, and we continue to recommend everyone take security precautions such as enabling multi-factor authentication to protect their environments from this and similar attacks,” MSTIC advised.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.