SecurityWeek


Russia-Linked SolarWinds Hackers Continue Supply Chain Attack Rampage

The Russia-linked cyberespionage group that hacked IT management solutions provider SolarWinds continues to launch supply chain attacks, Microsoft warned on Monday.


The threat actor, tracked by Microsoft as Nobelium (and APT29 and Cozy Bear by others), has been running a campaign since May 2021, in which it has targeted at least 140 organizations, including 14 whose systems have been compromised.

In the SolarWinds attack, the hackers delivered their first-stage malware to thousands of organizations, and hacked into the networks of roughly 100 entities by leveraging the access they had to SolarWinds systems.

In the more recent attacks, Microsoft said Nobelium targeted “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Microsoft said.

Mandiant has also been monitoring these attacks, and the cybersecurity firm spotted downstream victims in North America and Europe.

The tech giant informed over 600 customers about nearly 23,000 Nobelium-linked attacks between July 1 and October 19. While only a handful of the targets actually had their systems compromised, Microsoft wanted to highlight the scale of the activity: in the three years prior to July 1, it had sent customers a total of only 20,500 alerts covering all state-sponsored attacks it observed.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft said.


In a report published earlier this month, Microsoft said Russia had been behind 58% of the state-sponsored cyberattacks it has observed.

The company noted on Monday that the recent Nobelium attacks have not exploited any software vulnerabilities, and instead leveraged techniques such as phishing and password spraying to steal legitimate credentials and gain access to targeted systems.

Microsoft has also made available technical guidance that can help organizations detect attacks launched by Nobelium.

Last month, Microsoft published a blog post detailing a piece of malware used by the threat group to exfiltrate data from compromised servers.

Related: Microsoft, Intel and Goldman Sachs Lead New Supply Chain Security Initiative

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
