Russia-Linked SolarWinds Hackers Continue Supply Chain Attack Rampage

The Russia-linked cyberespionage group that hacked IT management solutions provider SolarWinds continues to launch supply chain attacks, Microsoft warned on Monday.

The threat actor, tracked by Microsoft as Nobelium (and APT29 and Cozy Bear by others), has been running a campaign since May 2021, in which it has targeted at least 140 organizations, including 14 whose systems have been compromised.

In the SolarWinds attack, the hackers delivered their first-stage malware to thousands of organizations, and hacked into the networks of roughly 100 entities by leveraging the access they had to SolarWinds systems.

In the more recent attacks, Microsoft said Nobelium targeted “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Microsoft said.

Mandiant has also been monitoring these attacks and the cybersecurity firm spotted downstream victims in North America and Europe.

The tech giant informed over 600 customers about nearly 23,000 Nobelium-linked attacks between July 1 and October 19. Whily only a handful of the targets actually had their systems compromised, Microsoft wanted to highlight that it only sent out a total of 20,500 alerts to customers regarding all state-sponsored attacks observed over the past three years, prior to July 1.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft said.

In a report published earlier this month, Microsoft said Russia had been behind 58% of the state-sponsored cyberattacks it has observed.

The company noted on Monday that the recent Nobelium attacks have not exploited any software vulnerabilities, and instead leveraged techniques such as phishing and password spraying to steal legitimate credentials and gain access to targeted systems.

Microsoft has also made available technical guidance that can help organizations detect attacks launched by Nobelium.

Last month, Microsoft published a blog post detailing a piece of malware used by the threat group to exfiltrate data from compromised servers.

Related: Microsoft, Intel and Goldman Sachs Lead New Supply Chain Security Initiative