Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Russia-Linked SolarWinds Hackers Continue Supply Chain Attack Rampage

The Russia-linked cyberespionage group that hacked IT management solutions provider SolarWinds continues to launch supply chain attacks, Microsoft warned on Monday.

The Russia-linked cyberespionage group that hacked IT management solutions provider SolarWinds continues to launch supply chain attacks, Microsoft warned on Monday.

The threat actor, tracked by Microsoft as Nobelium (and APT29 and Cozy Bear by others), has been running a campaign since May 2021, in which it has targeted at least 140 organizations, including 14 whose systems have been compromised.

In the SolarWinds attack, the hackers delivered their first-stage malware to thousands of organizations, and hacked into the networks of roughly 100 entities by leveraging the access they had to SolarWinds systems.

In the more recent attacks, Microsoft said Nobelium targeted “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Microsoft said.

Mandiant has also been monitoring these attacks and the cybersecurity firm spotted downstream victims in North America and Europe.

The tech giant informed over 600 customers about nearly 23,000 Nobelium-linked attacks between July 1 and October 19. Whily only a handful of the targets actually had their systems compromised, Microsoft wanted to highlight that it only sent out a total of 20,500 alerts to customers regarding all state-sponsored attacks observed over the past three years, prior to July 1.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft said.

In a report published earlier this month, Microsoft said Russia had been behind 58% of the state-sponsored cyberattacks it has observed.

The company noted on Monday that the recent Nobelium attacks have not exploited any software vulnerabilities, and instead leveraged techniques such as phishing and password spraying to steal legitimate credentials and gain access to targeted systems.

Microsoft has also made available technical guidance that can help organizations detect attacks launched by Nobelium.

Last month, Microsoft published a blog post detailing a piece of malware used by the threat group to exfiltrate data from compromised servers.

Related: Microsoft, Intel and Goldman Sachs Lead New Supply Chain Security Initiative

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack