The group behind the massive SolarWinds hacks recently launched another cyberattack campaign, and one of the victims was a Microsoft customer support agent. Microsoft has revealed in a blog post that it's tracking new activity from the group christened Nobelium. "This recent activity was mostly unsuccessful," the company said, and the group failed to infiltrate most of the targets. The attackers managed to compromise at least three entities, however, and Microsoft also found information-stealing malware on one of its customer support agents' machines as part of its current investigation.
At the moment, the tech giant is still looking into the methods the attackers used, but it has seen evidence of password spray and brute-force attacks so far. It didn't name the three compromised entities in its initial report, and it also didn't say whether the attackers got their information from the machine owned by the company's customer support rep. Microsoft did admit, however, that the machine had access to basic account information for a small number of its customers and that the bad actors used that info to launch highly targeted attacks.
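The article names password spray and brute-force attacks as the evidence Microsoft has seen so far. The two leave different footprints in sign-in logs, and the added example below (not code from the article or from Microsoft) shows how a defender can tell them apart: a spray hits many accounts a few times each from one source, while brute force hammers one account. The log line format and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed failed sign-in records in an assumed log format.
SAMPLE_LOG = """\
2021-06-25T10:00:01Z FAIL src=203.0.113.5 user=alice
2021-06-25T10:00:02Z FAIL src=203.0.113.5 user=bob
2021-06-25T10:00:03Z FAIL src=203.0.113.5 user=carol
2021-06-25T10:00:04Z FAIL src=203.0.113.5 user=dave
2021-06-25T10:00:05Z FAIL src=203.0.113.5 user=erin
2021-06-25T10:00:06Z FAIL src=203.0.113.5 user=frank
2021-06-25T10:01:01Z FAIL src=198.51.100.9 user=alice
2021-06-25T10:01:02Z FAIL src=198.51.100.9 user=alice
2021-06-25T10:01:03Z FAIL src=198.51.100.9 user=alice
2021-06-25T10:01:04Z FAIL src=198.51.100.9 user=alice
2021-06-25T10:01:05Z FAIL src=198.51.100.9 user=alice
2021-06-25T10:01:06Z FAIL src=198.51.100.9 user=alice
2021-06-25T10:02:01Z FAIL src=192.0.2.77 user=bob
2021-06-25T10:02:02Z FAIL src=192.0.2.77 user=bob
"""

LINE_RE = re.compile(r"FAIL src=(?P<src>\S+) user=(?P<user>\S+)")


def parse_failures(log_text):
    """Return a list of (source_ip, account) for every failed sign-in line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user")))
    return events


def classify_sources(events, min_failures=5, spray_ratio=0.8):
    """Label each source IP as password_spray, brute_force or benign.

    Thresholds are assumed starting points, not vendor guidance: a source
    with fewer than min_failures failures is ignored; otherwise the share
    of distinct accounts among its failures decides the label.
    """
    per_source = defaultdict(list)
    for src, acct in events:
        per_source[src].append(acct)
    labels = {}
    for src, accts in per_source.items():
        if len(accts) < min_failures:
            labels[src] = "benign"
            continue
        distinct_share = len(set(accts)) / len(accts)
        # Spray: failures spread thinly across many accounts.
        # Brute force: failures concentrated on one or a few accounts.
        labels[src] = "password_spray" if distinct_share >= spray_ratio else "brute_force"
    return labels
```

Per-source counting alone misses a spray rotated across many source IPs, so a second pass keyed on the distinct-account count per time window is worth adding in practice.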
The company said it responded quickly and was able to remove the group's access to its customer service agent's device. It has also alerted the compromised entities and all other targets through its nation-state notification process. US officials believe Russia was behind the SolarWinds hacks and previously linked Nobelium to the country's intelligence agency. ("The latest cyberattack reported by Microsoft does not involve our company or our customers in any way," a SolarWinds spokesperson said in a statement.)
Just last month, Microsoft discovered that the same group had been running a sophisticated email-based spear-phishing campaign targeting government agencies, think tanks and non-governmental organizations. It sent out infected emails to its targets after infiltrating the mass mailing service used by the United States Agency for International Development, or USAID. This new campaign focused more on IT companies, though it also targeted government organizations and NGOs to a smaller extent. As in its previous activities, Nobelium mostly went for entities based in the US in this recent series of attacks. Around 10 percent of the targets are based in the UK, while a smaller number are based in Germany and Canada.