Russian hackers going after key services in fresh US cyberattack, says Microsoft

Microsoft declared that notorious Russian hackers are now going after cloud resellers for critical infrastructure
27 October 2021 | 1 Shares

Workers board up a Microsoft store on 5Th Avenue the night before the Presidential Elections last year. Russian actors had been accused of tampering with prior US elections, prompting stricter measures ahead of the 2020 primaries.(Photo by Kena Betancur / AFP)

The state-backed Russian hackers group that carried out last year’s massive SolarWinds cyberattacks is behind a new and ongoing assault against US and European targets, Microsoft said earlier this week.

The software giant’s Threat Intelligence Center (MSTIC) said in a blog post that the Nobelium hackers group was of Russian origin, and were attempting to gain access to customers of cloud computing services and other IT service providers to infiltrate “the governments, think tanks, and other companies they serve”.

Describing the cyberattack as “nation-state activity“, MSTIC said it “shares the hallmarks” of the assault on SolarWinds, a Texas-based software company targeted as its 300,000-strong customer base gave the hackers access to a huge number of companies. “It appears the widespread SolarWinds Russia-linked hackers from last year’s attack are again on the hunt for sensitive data and stepping up supply chain attacks across the board,” Wedbush analyst Dan Ives said in a note to investors.

Washington imposed sanctions in April and expelled Russian diplomats in retaliation for Moscow’s alleged involvement in the SolarWinds attack, as well as election interference and other hostile activity. The latest attack has been underway since at least May, MSTIC said, with Nobelium deploying a “diverse and dynamic toolkit that includes sophisticated malware”.

Russian hackers going after crucial links in supply chain

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Microsoft vice president Tom Burt wrote in a blog post published late Sunday. This time, Burt noted, Nobelium is targeting “resellers” — companies that customize Microsoft’s cloud computing services for use by businesses and other organisations.

“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” he wrote. “We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”

Microsoft said it had notified known victims of the latest attack. While it did not specify any of the organizations hit, it noted they included “victims of interest for intelligence gain”. The software company urged its customers to check on their security arrangements, using multi-factor authentification where possible.

It is not the first time Nobelium has mounted a comeback since SolarWinds, with Microsoft announcing in May that it had again detected a series of attacks by the group on government agencies, think tanks, consultants and other organizations. Burt said the speed of the attacks was escalating, with Microsoft notifying more than 600 customers this year of nearly 23,000 attempted intrusions.

While the success rate was only “in the low single digits”, this compares to “attacks from all nation-state actors 20,500 times over the past three years”. The past year has seen a number of high-profile cyberattacks with major consequences as companies increasingly find themselves unable to do business when their online infrastructure is compromised.