Since May 2021, Nobelium, the threat actor behind last year’s widely-reported SolarWinds campaign, has been observed attacking organizations in the US and Europe according to cybersecurity experts.
Tracking the movements of Nobelium, researchers from the Microsoft Threat Intelligence Center (MSTIC) share that the group is going after IT services organizations including cloud service providers (CSP), and managed service providers (MSP), in a bid to gain access to their downstream customers.
“MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve,” shares MSTIC.
The researchers add that the latest observed activity bears the hallmarks of Nobelium’s compromise-one-to-compromise-many approach.
Not over yet
The SolarWinds hacking campaign, which went undetected for over a year, brought forth the risks of a software supply chain attack, where compromising an essential component could be used as a springboard for further attacks on a much wider scale.
After categorizing Nobelium as Russian state-sponsored threat actors, the US government imposed several financial sanctions on the country and also expelled about a dozen of its diplomats.
However it seems Washington’s actions have had little impact on the Kremlin. Microsoft has reportedly observed Nobelium attack 609 companies some 22,868 times, between July 1 and October 19 this year.
For comparison, this number represents more attacks than Microsoft observed from all government-linked hackers in the previous three years, Tom Burt, Microsoft’s corporate vice president for customer security and trust, told the Wall Street Journal.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain,” asserts Burt.
All in a day’s work
A US government official briefed on Microsoft’s findings told WSJ that the latest intrusion attempts appeared to be largely routine hacking attacks.
“Based on the details in Microsoft’s blog, the activities described were unsophisticated password spray and phishing, run-of-the mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments,” the US government official told the WSJ.
The official added that the intrusion attempts “could have been prevented if the cloud service providers had implemented baseline cybersecurity practices, including multi-factor authentication (MFA).”
