Russian cyber-crime gang Nobelium is active again. This time they are targeting resellers and other technology service providers that customize, deploy and manage cloud services and other technologies for their customers. This replicates earlier attacks on organisations integral to the global IT supply chain, Microsoft says in a security blog post.
Nobelium was behind the cyberattacks targeting SolarWinds customers in 2020. The U.S. government and others have said Nobelium is part of Russia’s foreign intelligence service, known as the SVR.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Tom Burt, vice president and head of customer security, writes.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”
“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”
Burt says that the new attacks have been discovered during their early stages and that they have been part of a larger wave of Nobelium activities this summer.
“In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
The Microsoft Digital Defense Report recently highlighted continued attacks from other nation-state actors and cybercriminals.
“The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access.”
Burt says Microsoft has been coordinating with others in the security community to improve knowledge of, and protections against, Nobelium’s activity, and that the company has been working closely with government agencies in the U.S. and Europe.
“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them.”
Burt also refers to new technical guidance that can help organizations protect themselves against the latest Nobelium activity.