Microsoft has shared more details about a recent cyberattack campaign orchestrated by the Russian state-sponsored group blamed for last year's devastating SolarWinds hack. The company's cybersecurity experts warned that Nobelium is once again trying to access government and corporate networks around the world, despite President Joe Biden sanctioning Russia over previous cyberattacks.
According to Microsoft, the group is using the same strategy it employed in the successful SolarWinds attack — targeting companies whose products form core parts of global IT systems. In this campaign, Microsoft says, Nobelium has focused on a different aspect of the IT supply chain, namely resellers and service suppliers that provide cloud services and other tech.
The company says it has informed more than 140 providers and resellers that the group has targeted them, and it believes Nobelium breached up to 14 of those companies' networks. Microsoft says it detected the campaign, which is separate from the Sunburst attack on SolarWinds, at an early stage in May, which should help limit the damage.
Microsoft notes that these intrusion attempts are part of a large series of attacks conducted by Nobelium over the last few months. Between July 1st and October 19th, it notified 609 of its customers that Nobelium had attempted to hack them on 22,868 occasions, with fewer than 10 of those attempts succeeding. By comparison, in the three years prior to July 1st, Microsoft notified its customers of about 20,500 attacks from all nation-state actors, not just Nobelium.
"This latest activity shares the hallmarks of Nobelium’s compromise-one-to-compromise-many approach and use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse [and] spear phishing," Microsoft's security intelligence division wrote in a tweet. Nobelium has also been known as Cozy Bear and APT29.
In 2020, hackers created a backdoor in a SolarWinds product called Orion, which was used by around 30,000 customers in the public and private sector. Nobelium is said to have carried out further hacks on the systems of nine US agencies and around 100 companies. Other hackers piggybacked onto the backdoor to facilitate their own attacks. The US sanctioned six Russian companies and 32 individuals and entities in April over alleged misconduct connected to the SolarWinds attack and attempts to interfere with the 2020 presidential election.
"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government," Tom Burt, Microsoft's corporate vice president of customer security and trust, wrote in a blog post.