Group Behind SolarWinds Attack Targeted Microsoft Customers
Company Says Russian-Linked Group Targeted Its Customer Support System
The Russian-linked cyberespionage group behind the supply chain attack against SolarWinds recently targeted Microsoft's customer support system as part of a new campaign, the company disclosed in a report published Friday.
Microsoft attributes this latest intrusion against its customers to an attack group that the company calls Nobelium, which also conducted the SolarWinds supply chain attack that affected 18,000 users of the Orion network monitoring platform and resulted in follow-on attacks on nine government agencies and 100 companies. The Biden administration has accused Russia's Foreign Intelligence Service, or SVR, of conducting the SolarWinds supply chain compromise.
The campaign by Nobelium that Microsoft described on Friday is not related to the attack on SolarWinds, which used a backdoor called Sunburst and was uncovered by security firm FireEye in December 2020. "The latest cyberattack reported by Microsoft does not involve our company or our customers in any way," a SolarWinds spokesperson said on Saturday.
In the recent campaign that Microsoft uncovered, the attackers targeted the company's customer support system. The investigation showed that information-stealing malware was found on a device belonging to one of Microsoft's customer support agents. That agent's account had access to basic account information related to a "small number" of the company's customers, according to the report.
The hacking group then used that data to target specific Microsoft customers in what the company called a "highly-targeted attack," the report notes, although it appears that most of these intrusions were not successful.
"This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised - we are aware of three compromised entities to date. All customers that were compromised or targeted are being contacted through our nation-state notification process," according to the Microsoft report.
After discovering the campaign, Microsoft expelled the attackers from the device belonging to the customer service agent and removed the malware. The company's report did not give specific details about whether this attack was a phishing campaign or another type of attack, but it does appear that the attackers used brute-force or password-spraying techniques to compromise potential victims. Microsoft also did not specify when exactly this incident took place.
"Our investigation into the methods and tactics being used continues, but we have seen password spray and brute-force attacks and want to share some details to help our customers and communities protect themselves," Microsoft notes.
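Microsoft's report names the two techniques but not how to tell them apart in telemetry. As an added example (not code from the article, Microsoft or CISA), the Python below separates the two patterns in sign-in logs: a password spray is one source trying one or two guesses against many accounts, while brute force is many guesses against one account. It also raises the alert a defender cares most about, a successful sign-in from a spraying source after the spray began. The log format, the thresholds and the sample lines are constructed assumptions, not any vendor's schema.

```python
"""Password-spray vs. brute-force detection over sign-in logs.

Added example; not code from the article, Microsoft or CISA. The log format,
thresholds and sample events are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds (assumed; tune to your tenant's normal failure baseline).
SPRAY_MIN_USERS = 5       # one source fails against at least this many accounts ...
SPRAY_MAX_PER_USER = 2    # ... with no more than this many failures per account
BRUTE_MIN_FAILURES = 10   # one account fails at least this many times

# Constructed sample log lines (not real data; IPs are RFC 5737 documentation addresses).
# 203.0.113.7 sprays one guess across six accounts, then logs in as grace@example.com.
# 198.51.100.9 hammers alice@example.com twelve times (generated below).
# 192.0.2.44 is a user who mistypes once and then succeeds: benign, must not fire.
SAMPLE_LINES = [
    "2021-06-20T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAILURE",
    "2021-06-20T10:00:45Z src=203.0.113.7 user=bob@example.com result=FAILURE",
    "2021-06-20T10:01:30Z src=203.0.113.7 user=carol@example.com result=FAILURE",
    "2021-06-20T10:02:10Z src=203.0.113.7 user=dave@example.com result=FAILURE",
    "2021-06-20T10:02:55Z src=203.0.113.7 user=erin@example.com result=FAILURE",
    "2021-06-20T10:03:40Z src=203.0.113.7 user=frank@example.com result=FAILURE",
    "2021-06-20T10:04:20Z src=203.0.113.7 user=grace@example.com result=SUCCESS",
    "this line is malformed and must be skipped by the parser",
] + [
    f"2021-06-20T10:{5 + i:02d}:00Z src=198.51.100.9 user=alice@example.com result=FAILURE"
    for i in range(12)
] + [
    "2021-06-20T10:20:00Z src=192.0.2.44 user=heidi@example.com result=FAILURE",
    "2021-06-20T10:21:00Z src=192.0.2.44 user=heidi@example.com result=SUCCESS",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "SUCCESS"}


def detect(lines, window=timedelta(minutes=30)):
    """Return spray sources, brute-forced accounts, and sprays followed by a success.

    Events are grouped into fixed time windows so unrelated traffic hours apart
    is not merged into one verdict; the window length is an assumption.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    secs = window.total_seconds()

    def bucket(ts):
        return int(ts.timestamp() // secs)

    fails_by_src = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> failures
    first_fail = {}                                        # (src, bucket) -> earliest failure ts
    fails_by_user = defaultdict(int)                       # (user, bucket) -> failures
    successes = defaultdict(list)                          # (src, bucket) -> [(ts, user)]

    for e in events:
        key = (e["src"], bucket(e["ts"]))
        if e["ok"]:
            successes[key].append((e["ts"], e["user"]))
        else:
            fails_by_src[key][e["user"]] += 1
            first_fail[key] = min(first_fail.get(key, e["ts"]), e["ts"])
            fails_by_user[(e["user"], key[1])] += 1

    findings = {"spray": [], "brute_force": [], "spray_then_success": []}
    for key, per_user in fails_by_src.items():
        # Spray signature: many distinct accounts, few attempts each, from one source.
        if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            findings["spray"].append(key[0])
            # The high-value alert: a success from the spraying source after the spray began.
            for ts, user in successes.get(key, []):
                if ts > first_fail[key]:
                    findings["spray_then_success"].append((key[0], user))
    for (user, _), n in fails_by_user.items():
        # Brute-force signature: one account, many failures, whatever the source.
        if n >= BRUTE_MIN_FAILURES:
            findings["brute_force"].append(user)
    return findings


def analyze_sample():
    """Run the detector over the constructed sample lines."""
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for kind, hits in analyze_sample().items():
        print(f"{kind}: {hits}")
```

Per-source grouping is what catches a spray: each account sees only one failure, so a per-account lockout threshold never trips, which is exactly why attackers favour the technique. In practice the source key should also consider ASN or user-agent, since sprays are often spread across many IPs.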
A Microsoft spokesperson said Saturday that the company is not releasing any other details of the attack at this time.
The U.S. Cybersecurity and Infrastructure Security Agency is also investigating this latest incident involving Russian-linked attack groups.
"CISA is aware of this activity and is working with Microsoft and our interagency partners to evaluate the impact. We stand ready to assist any affected entities," Anne Cutler, a spokesperson for CISA, tells Information Security Media Group.
While Microsoft did not release specifics of this latest campaign, the company offered some insights into what organizations Nobelium targeted as part of this recent activity.
These latest attacks primarily targeted IT companies, but they also hit government agencies, nongovernment organizations, think tanks and some financial services firms. Most of the threat activity - about 45% - focused on Microsoft customers in the U.S., but businesses and organizations in the U.K., Germany and Canada were also targeted during this campaign, according to the report.
Overall, the Nobelium attackers targeted Microsoft customers in 36 nations, the report notes.
"The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our zero trust 'least privileged access' approach to customer information," according to Microsoft. "We are notifying all impacted customers and are supporting them to ensure their accounts remain secure."
Other Nobelium Activity
The series of attacks against Microsoft customers is the second time since May that the company has uncovered fresh campaigns linked to Nobelium.
On May 27, Microsoft published a report that described a Nobelium campaign that compromised a marketing firm used by the U.S. Agency for International Development - USAID - to send malicious messages to thousands of potential victims.
In this case, the attackers gained access to the Constant Contact email marketing account of USAID and sent out messages that contained a malicious link that would install a backdoor dubbed "NativeZone" on victims' devices, according to Microsoft's research report. The hacking group appears to have targeted about 3,000 email accounts at 150 organizations - most of which are involved in international development, humanitarian and human rights work (see: SolarWinds Attackers Return With Fresh Phishing Campaign).
Later, the U.S. Department of Justice announced that it had seized two domains used as part of the phishing campaign that compromised the marketing firm used by USAID (see: DOJ Seizes 2 Domains Linked to USAID Phishing Campaign).
U.S. and Russia
Cyberthreats were a main point of discussion between President Joe Biden and Russian President Vladimir Putin during a recent summit between the two leaders in Geneva. Most of that meeting focused on a series of ransomware attacks that targeted America's critical infrastructure and appear to have been conducted by cybercriminal gangs operating within Russia's borders (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
The Biden administration has also published an executive order mandating that government agencies adopt cybersecurity principles such as "zero trust," encryption and multifactor authentication to help stop these types of attacks and intrusions.
Chris Pierson, CEO of concierge cybersecurity firm BlackCloak, says that it's no surprise that Russian-linked activity has not died down, and organizations need to continue to focus on improving their cybersecurity defenses.
"The ability to successfully target the U.S. and other interests globally using credential stuffing and other spray attacks will only escalate," Pierson says. "Unless dual-factor authentication is implemented globally on every account, these attacks will succeed. Unless companies have controls on every endpoint, patching, and other remote desktop protocol service accounts blocked, we’ll see successful intrusions."