The Russian cyber actor is employing a new strategy to gain access to sensitive customer information, according to a new report from Microsoft.
Global tech giant Microsoft has released findings from a new analysis of Nobelium’s recent cyber activity, revealing that the state actor, notorious for its SolarWinds attack, is now targeting a different part of the global IT supply chain.
According to Microsoft, Nobelium is attacking resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of customers.
Rather than attempting to exploit software flaws or vulnerabilities in software, the attackers leveraged well-established techniques, including password spray and phishing.
This new approach is believed to be an attempt to “piggyback” on any direct access organisations may have to a customer’s IT systems, while also enabling the malicious actor to impersonate a firm’s trusted technology partner to gain access to downstream customers.
“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community,” Microsoft noted in a statement.
Since May, Nobelium has targeted at least 140 resellers and technology service providers, which have been notified by Microsoft.
“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised,” the tech giant added.
“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful.”
These latest attacks have been part of a broader wave of malicious activity from the state-based actor, with 609 customers attacked 22,868 times by Nobelium from 1 July to 19 October.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft claimed.
Reflecting on the Microsoft research, Daniel Spicer, chief security officer at Ivanti said most attacks are the result of “poor cyber hygiene”.
“To effectively combat phishing attacks, organisations need to implement a Zero Trust security strategy that incorporates unified endpoint management with on-device threat detection and anti-phishing capabilities,” he said.
“Zero Trust is more important today than ever before, and President Biden recently issued an Executive Order stating that federal agencies must develop plans to implement Zero Trust Architecture.
“Yet all organisations – not just federal agencies – should implement a Zero Trust strategy to achieve comprehensive visibility across users, devices, apps and networks, and combat growing cyber threats.”
Spicer said stakeholders should consider removing passwords by leveraging mobile device authentication with biometric-based access.
“At the same time, employees should think carefully before clicking on any links. All phishing emails include a call to action and create a sense of urgency,” he added.
“I encourage people to slow down and really think about if the email and call to action makes sense.”
News Editor – Defence and Security, Momentum Media
Prior to joining the defence and aerospace team in 2020, Charbel was news editor of The Adviser and Mortgage Business, where he covered developments in the banking and financial services sector for three years. Charbel has a keen interest in geopolitics and international relations, graduating from the University of Notre Dame with a double major in politics and journalism. Charbel has also completed internships with The Australian Department of Communications and the Arts and public relations agency Fifty Acres