SolarWinds attackers targeting the channel, says Microsoft
Nobelium, the Russian-backed threat group that masterminded last year's SolarWinds hack, still has the global IT supply chain in its crosshairs, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May this year.
This was revealed by Microsoft in its blog, which said that, as with previous attacks, the group employed a diverse and ever-evolving toolkit of tools and tactics, including malware, password sprays, token theft, API abuse and spear phishing.
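Of the tactics listed above, password spraying is the one a defender can pick out of sign-in telemetry with a simple shape test: one source tries many distinct accounts a few times each, and most attempts fail. The detector below is an added example written for this article, not code from Microsoft's blog or guidance; the sign-in records it runs over are constructed, and the log format, thresholds and IP addresses are assumptions for illustration.

```python
"""Password-spray detection over sign-in records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real telemetry), one per line:
# "<ISO-8601 UTC timestamp> <source IP> <account> <OK|FAIL>"
SAMPLE_SIGNINS = [
    # spray shape: one source, one guess per account, many accounts, one hit
    "2021-10-20T09:00:01Z 203.0.113.7 alice@example.com FAIL",
    "2021-10-20T09:00:04Z 203.0.113.7 bob@example.com FAIL",
    "2021-10-20T09:00:09Z 203.0.113.7 carol@example.com FAIL",
    "2021-10-20T09:00:15Z 203.0.113.7 dave@example.com OK",
    "2021-10-20T09:00:21Z 203.0.113.7 erin@example.com FAIL",
    "2021-10-20T09:00:27Z 203.0.113.7 frank@example.com FAIL",
    # a user mistyping a password twice, then signing in: not a spray
    "2021-10-20T09:05:00Z 198.51.100.20 bob@example.com FAIL",
    "2021-10-20T09:05:10Z 198.51.100.20 bob@example.com FAIL",
    "2021-10-20T09:05:20Z 198.51.100.20 bob@example.com OK",
    # brute force against a single account: a different alert, not a spray
    "2021-10-20T09:10:00Z 192.0.2.9 alice@example.com FAIL",
    "2021-10-20T09:10:02Z 192.0.2.9 alice@example.com FAIL",
    "2021-10-20T09:10:04Z 192.0.2.9 alice@example.com FAIL",
    "2021-10-20T09:10:06Z 192.0.2.9 alice@example.com FAIL",
    "2021-10-20T09:10:08Z 192.0.2.9 alice@example.com FAIL",
]


def parse_signin(line):
    """Split one record into (timestamp, source_ip, account, succeeded)."""
    ts, ip, account, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, account.lower(), result == "OK"


def detect_password_spray(lines, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return findings for sources that, inside one time window, attempt at least
    `min_accounts` distinct accounts with no more than `max_per_account` tries
    each: many users, few guesses per user, the classic spray shape.
    Single-account brute force and a user's own retries are deliberately not flagged."""
    # Bucket events by (source IP, fixed-size window start).
    buckets = defaultdict(list)
    width = window.total_seconds()
    for line in lines:
        when, ip, account, ok = parse_signin(line)
        start = datetime.fromtimestamp(when.timestamp() // width * width, tz=timezone.utc)
        buckets[(ip, start)].append((account, ok))

    findings = []
    for (ip, start), events in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        per_account = defaultdict(int)
        hits = set()
        for account, ok in events:
            per_account[account] += 1
            if ok:
                hits.add(account)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            findings.append({
                "source_ip": ip,
                "window_start": start.isoformat(),
                "distinct_accounts": len(per_account),
                "attempts": len(events),
                "success_rate": round(len(hits) / len(events), 3),
                # accounts that accepted a sprayed password: reset and review these first
                "compromised": sorted(hits),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

The thresholds are the tuning knobs: a spray that stays under `max_per_account` per window to dodge lockout policy is exactly what this catches, and lengthening `window` catches slower sprays at the cost of merging unrelated traffic from shared egress addresses. A hit in `compromised` is the finding to act on, since a sprayed credential that works is the foothold the article describes.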
Nobelium has been attempting to replicate the approach it has used in past attacks by targeting entities close to the global IT supply chain, but this time, it is targeting a different part of the supply chain. It is now going after resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers.
Piggybacking on access
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers,” the company said.
Microsoft began watching this latest campaign in May, and has been notifying affected partners and customers while also developing new technical assistance and guidance for the reseller community. Since then, it has notified more than 140 resellers and technology service providers that have been targeted by the group.
The software giant said investigations are ongoing, but it believes up to 14 of these players have been compromised.
“These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between 1 July and 19 October this year, we informed 609 customers that they had been attacked 22 868 times by Nobelium, with a success rate in the low single digits,” said Microsoft.
In comparison, before 1 July this year, it had notified customers about attacks from all nation-state actors 20 500 times over the past three years.
Gaining systematic access
This latest activity, says Microsoft, is a sign that Russia is trying to gain long-term, systematic access to a slew of points in the tech supply chain and establish an instrument for surveilling – now or in the future – targets of interest to the government.
Microsoft says it has been working with others in the security community to improve its knowledge of, and protections against, the group’s activity, and has been co-operating closely with government agencies in the US and Europe.
“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cyber security executive order in the US, and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them.”
The company also released technical guidance that can help companies protect themselves against the latest Nobelium activity.
"As we said in May, progress must continue. At Microsoft, we will continue our efforts across all these issues and will continue to work across the private sector, with the U.S. administration and with all other interested governments to make this progress."
Supply chain attacks to surge
Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, believes supply chain attacks will continue their surge into next year.
“Suppliers are the Achilles’ heel of the largest financial institutions, governmental institutions and providers of critical national infrastructure,” he explains. “Compared to frontal attacks against the victims, attacks against third parties are generally faster, cheaper and less noisy.”
In addition, Kolochenko says suppliers may have access to more data than the victims themselves, for example, by storing more data in backups than contractually allowed or expected. Even worse, some suppliers won’t detect sophisticated intrusions and the victims are never even made aware of the incident.
Attribution of supply chain attacks is also a complex issue, from a technical and legal standpoint, he says. “Cyber gangs actively cooperate with each other, outsourcing some specific tasks to their accomplices in different countries.”
He says only a handful of cyber mercenaries will ever conduct research for new zero-day vulnerabilities or create novel stealth Trojans; most will rather just purchase these from one of the criminal groups that sells them on the dark web.
Moreover, nation-state actors have been known to hire several hacking groups and creatively split a task between them, and often, cyber gangs are purposely hired from countries like Russia or China as a red herring to confuse the victim and investigators.
“Eventual attribution to a specific person, organisation or even country is thus overly problematic,” he concludes. “International collaboration and further expansion of such treaties as the Budapest Convention are essential to curb transnational cyber crime.”