Microsoft, Mandiant uncover Russian threat actor targeting cloud services

By Shannon Williams, Wed 27 Oct 2021

Mandiant and Microsoft have identified a new wave of intrusion activity from the threat actor behind the SolarWinds supply chain attacks. 

Nobelium is the Russian nation-state actor behind the 2020 cyberattacks targeting SolarWinds customers, and the group the U.S. government and others have identified as part of Russia's foreign intelligence service, the SVR.

According to Microsoft, Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers. 

"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers," Microsoft says.

"We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community."

Since May, Microsoft says it has notified more than 140 resellers and technology service providers that have been targeted by Nobelium. 

"We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised," it says.

"Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful."

These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

Microsoft says this recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government. 

"The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access," the company says.

"We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach."

Mandiant says that while the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organisations that are targeted by the Russian government. 

"This attack path makes it very difficult for victim organisations to discover they were compromised and investigate the actions taken by the threat actor," says Mandiant SVP and CTO, Charles Carmakal.

"This is particularly effective for the threat actor for two reasons: First, it shifts the initial intrusion away from the ultimate targets, which in some situations are organisations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses and second, investigating these intrusions requires collaboration and information sharing across multiple victim organisations, which is challenging due to privacy concerns and organisational sensitivities," he says.

"We've observed this attack path used to obtain access to on-premises and cloud victim environments," Carmakal says.

"Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organisations and other organisations that deal in matters of interest to Russia. 

"The intrusion activity is ongoing and Mandiant is actively working with organisations that are impacted."