A new report from Microsoft indicates that the Russian hackers behind the devastating SolarWinds attack are employing similar tactics to worm their way into tech supply chains, looking to establish long-term footholds for espionage purposes.
Microsoft’s security researchers find that the Russian hackers are putting a particular emphasis on IT services resellers, impersonating them to compromise their downstream customers. It is believed that the campaign’s focus is on installing backdoors for long-term use in intelligence gathering on subjects of interest to the Russian government.
Microsoft tracks Russian hackers as over 140 resellers are targeted by Nobelium
Nobelium is the group believed to be behind the 2020 breach of software management firm SolarWinds that ultimately led to the compromise of multiple US government agencies. This breach was in turn tied to an earlier compromise of Microsoft Office products. Nobelium is thought to be supported by the SVR, Russia’s foreign intelligence service.
Microsoft says that the Russian hackers are repeating this basic process with the global tech supply chains, using resellers as an entry point. These resellers are a broad range of IT service providers that customize cloud services and other connected technologies for their clients. Though it was attributed to a different group (REvil) and involved a different approach (ransomware), this is similar to the Kaseya attack, which ended up compromising thousands of downstream clients that had placed digital trust in the service.
Microsoft says Nobelium’s campaign against tech supply chains began in May, just before the Kaseya attack occurred. The Russian hackers have thus far made attempts against at least 140 of these companies; Microsoft says it has notified those it is aware of and is preparing technical assistance and guidance for the reseller community. 14 of these companies may have been compromised.
The attempts to infiltrate tech supply chains have not been Nobelium’s only projects during this time, however. Microsoft’s researchers say that between July and October, the Russian hackers were responsible for 22,868 total attacks on a little over 600 of its customers. This period of 3.5 months saw more activity than all attacks from all known state-backed actors in the previous three years.
Nobelium is apparently not using zero-days or software flaws against tech supply chains, simply sending phishing emails and attempting password sprays using previously leaked credentials in an attempt to compromise employee accounts. In addition to new technical guidance just released by Microsoft, the company has made some new tools and programs available to its partners to counteract the group’s known approaches. These include two years of an Azure Active Directory Premium plan with enhanced security controls for free, new detections added to Microsoft’s suite of threat detection tools, and some pilot programs that allow resellers greater control over privileged client accounts. Microsoft also says that it is actively working with the United States and other foreign governments on an ongoing basis.
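One way a defender could surface the password-spray pattern described above from sign-in logs, as an added example that is not from the article or from Microsoft's guidance (the CSV log format, IP addresses, account names and thresholds are constructed for illustration):

```python
# Added example (not from the Microsoft report or this article): flag a source
# that fails sign-ins against many distinct accounts with only a few tries
# each, the password-spray shape, unlike a brute force hammering one account.
# The CSV log format and the thresholds below are assumptions for illustration.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2021-10-25T09:00:01Z,198.51.100.7,alice@reseller.example,FAIL
2021-10-25T09:00:09Z,198.51.100.7,bob@reseller.example,FAIL
2021-10-25T09:00:17Z,198.51.100.7,carol@reseller.example,FAIL
2021-10-25T09:00:25Z,198.51.100.7,dave@reseller.example,FAIL
2021-10-25T09:00:33Z,198.51.100.7,erin@reseller.example,SUCCESS
2021-10-25T09:00:41Z,198.51.100.7,frank@reseller.example,FAIL
2021-10-25T09:05:00Z,203.0.113.9,alice@reseller.example,FAIL
2021-10-25T09:05:03Z,203.0.113.9,alice@reseller.example,FAIL
2021-10-25T09:05:06Z,203.0.113.9,alice@reseller.example,FAIL
2021-10-25T10:30:00Z,192.0.2.44,bob@reseller.example,FAIL
"""

def parse_events(text):
    """Parse log lines into (time, src_ip, account, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def detect_password_spray(events, min_accounts=5, max_per_account=2, window=timedelta(minutes=30)):
    """Return {src_ip: {"accounts": n, "compromised": [...]}} for each source
    whose failures within one window are spread thinly over many accounts."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAIL"]
        if not failures or failures[-1][0] - failures[0][0] > window:
            continue              # simplification: one window per source
        start, end = failures[0][0], failures[-1][0]
        per_account = Counter(e[2] for e in failures)
        sprayed = [u for u, n in per_account.items() if n <= max_per_account]
        if len(sprayed) < min_accounts:
            continue              # too few accounts: brute force or noise
        # A success from the same source during the spray means a guess landed.
        hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and start <= e[0] <= end})
        findings[ip] = {"accounts": len(sprayed), "compromised": hits}
    return findings
```

The single-account brute force from 203.0.113.9 and the lone failure from 192.0.2.44 are not flagged; only the source touching five accounts is, together with the account whose password was guessed.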
Amit Yoran, Chairman and CEO of Tenable, observes that this incident is an indictment of email security efforts in spite of mounting cyber crime since the pandemic began: “Once again, we’re not seeing super sophisticated, never-before-seen techniques behind a major cyberattack. It’s the basics that are still tripping organizations up. What is a relatively new development over the last 12 months is a strategic and continued focus on the software supply chain. This speaks directly to the gaping supply chain security issues that SolarWinds brought to attention — break just one chain link and you can bring down the entire fence.”
Tech supply chains targeted for Russian government interests
The activity from the Russian hackers comes in spite of the Biden administration’s recent sanctions on Moscow, and talks between the two countries about cracking down on rampant cyber crime. It is possible that Russia has quietly intervened to rein in private criminal groups like REvil, but its foreign intelligence services show no signs of slowing down espionage activities.
The US government agrees with Microsoft’s assessment that the SVR is involved and that the end goal of compromising tech supply chains is the exfiltration of information the Russian government is interested in. Christopher Krebs, former director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, told the New York Times that the Russian hackers were hunting for “systemic access” that allows broad movement around networks without having to compromise individual accounts. Russian presidential spokesman Dmitry Peskov has denied the country’s involvement in hacking.
Also known as “Cozy Bear” and Advanced Persistent Threat Group 29 (APT29), Nobelium has a long history of espionage. The group was linked to Russia’s SVR agency by hacked video camera footage obtained by Dutch intelligence agents. The group is believed to have been active since 2008, and began its primary focus on foreign governments in 2010. Named for its “CozyDuke” malware, the group first made news in 2014 by targeting US Democratic Party members with an “Office Monkeys” Flash video that contained malware. The group also penetrated the Pentagon email system in 2015, participated in the breach of Democratic National Committee servers in 2016 ahead of the election, and has since popped up targeting government agencies and think tanks around the world.
Demi Ben-Ari, CTO and Co-Founder of Panorays, sees this as yet another reminder that multi-factor authentication should be standard across organizations given the threat landscape: “The good news is that organizations can help prevent these kinds of attacks by implementing security best practices including enabling MFA and minimizing access privileges. To accomplish this rapidly and effectively, however, it’s crucial to have a robust and automated third-party security management program in place to assess supply chain partners, close cyber gaps and continuously monitor for any issues.”
Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, suggests that automated email defense systems need AI to keep up with groups like Nobelium: “These attacks underscore how threat actors continue to misuse legitimate services to help their campaigns evade detection. Traditional email security solutions will not protect them against these sophisticated attacks. In response, organizations need to upgrade their email security posture with a solution that’s capable of scanning incoming correspondence for campaign patterns, malware signatures, IP addresses, and other threat behaviors. This analysis should occur in real time so that legitimate correspondence can reach its intended destination without delay.”
And Danny Lopez, CEO of Glasswall, makes the case for “zero trust” architecture as a standard as well: “Recent attacks and these new attempts reveal that the traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers like Nobelium having a free reign across a network once they are inside.”