Nobelium attacking IT supply chain, says Microsoft

  • November 1, 2021
  • Steve Rogerson

Russian nation-state actor Nobelium, the organisation behind the cyber attacks targeting SolarWinds in 2020, has been attempting to disrupt the global IT supply chain, according to Microsoft.

Nobelium, identified by the US government as part of Russia’s foreign intelligence service known as the SVR, is trying to replicate the approach it has used in past attacks by targeting organisations integral to the global supply chain.

This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers,” said Tom Burt, Microsoft corporate vice president, in a blog post. “We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community.”

Since May, Microsoft has notified more than 140 resellers and technology service providers that have been targeted by Nobelium. It believes as many as 14 of these resellers and service providers have been compromised.

“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful,” said Burt.

These attacks have been a part of a larger wave of Nobelium activities this summer. Between July 1 and October 19 this year, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.

While Microsoft is sharing details about the most recent activity by Nobelium, the Microsoft Digital Defense Report, published last month, highlights continued attacks from other nation-state actors and cyber criminals. As with the Nobelium attacks, it notifies its customers when they are targeted or compromised by those actors.

The attacks observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, such as password spray and phishing, to steal legitimate credentials and gain privileged access.
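As an added illustration of the password-spray pattern the article mentions (example code written for this page, not Microsoft's own detection logic), the following Python flags a source IP that fails sign-ins against many distinct accounts within a short window and lists any account that source then signed into; the log format and all values are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry): timestamp, source IP, account, result.
# The first source tries one password across six accounts (spray); the second hammers one account.
SAMPLE_LOG = """\
2021-05-03T08:00:01Z 203.0.113.7 alice@reseller.example FAILURE
2021-05-03T08:00:04Z 203.0.113.7 bob@reseller.example FAILURE
2021-05-03T08:00:09Z 203.0.113.7 carol@reseller.example FAILURE
2021-05-03T08:00:15Z 203.0.113.7 dave@reseller.example FAILURE
2021-05-03T08:00:21Z 203.0.113.7 erin@reseller.example FAILURE
2021-05-03T08:00:27Z 203.0.113.7 frank@reseller.example SUCCESS
2021-05-03T08:05:00Z 198.51.100.2 alice@reseller.example FAILURE
2021-05-03T08:05:30Z 198.51.100.2 alice@reseller.example FAILURE
2021-05-03T08:06:00Z 198.51.100.2 alice@reseller.example SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (datetime, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": n, "succeeded": [...]}} for every source IP
    whose failed sign-ins touch at least `min_accounts` distinct accounts inside
    `window`. Repeated failures against a single account are not a spray and are
    deliberately not flagged here (assumed thresholds, tune to your environment)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = {acct for _, acct, res in in_window if res == "FAILURE"}
            if len(failed) >= min_accounts:
                # A success from the same source after the spray is the account to triage first.
                succeeded = sorted({acct for _, acct, res in in_window if res == "SUCCESS"})
                findings[ip] = {"accounts": len(failed), "succeeded": succeeded}
                break
    return findings
```

Any account in `succeeded` warrants immediate credential reset and session revocation, since the article notes these campaigns obtain legitimate credentials rather than exploiting software flaws.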

“We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach,” said Burt. “We’ve also been coordinating with others in the security community to improve our knowledge of and protections against Nobelium’s activity, and we’ve been working closely with government agencies in the USA and Europe. While we are clear-eyed that nation states, including Russia, will not stop attacks like these overnight, we believe steps like the cyber-security executive order in the USA, and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them.”

Microsoft has long maintained and evolved the security requirements and policies it enforces with service providers that sell or support Microsoft technology. For example, in September 2020, it updated contracts with its resellers to expand Microsoft’s abilities and rights to address reseller security incidents and to require that resellers implement specific security protections for their environments, such as restricting partner portal access and requiring that resellers enable multi-factor authentication in accessing its cloud portals and underlying services.

“We will take the necessary and appropriate steps to enforce these security commitments,” said Burt. “We continue to assess and identify new opportunities to drive greater security throughout the partner ecosystem, recognising the need for continuous improvement. As a result of what we have learned over the past several months, we are working to implement improvements that will help better secure and protect the ecosystem, especially for the technology partners in our supply chain.”

Last month, it launched a programme providing two years of an Azure Active Directory Premium plan free of charge, which gives access to additional premium features that strengthen security controls.

Microsoft threat protection and security operations tools such as Microsoft Cloud App Security (MCAS), M365 Defender, Azure Defender and Azure Sentinel have added detections to help organisations identify and respond to these attacks.

The company is piloting more granular features for organisations that want to provide privileged access to resellers, along with improved monitoring to help partners and customers manage and audit their delegated privileged accounts and remove unnecessary authority. It is also auditing unused privileged accounts and working with partners to assess and remove unnecessary privilege and access.

Last month it also released technical guidance to help organisations protect themselves against the latest Nobelium activity it observed as the actor honed its techniques, together with separate guidance for partners.

“These are just the immediate steps that we’ve taken and, in the coming months, we will be engaging closely with all of our technology partners to further improve security,” said Burt. “We will make it easier for service providers of all sizes to access our most advanced services for managing secure log-in, identity and access management for free or at a low cost. As we said in May, progress must continue. At Microsoft, we will continue our efforts across all these issues and will continue to work across the private sector, with the US administration and with all other interested governments to make this progress.”