June 28, 2021, updated 01 Jul 2021 9:04am

SolarWinds hackers strike again: Kremlin-backed group hits Microsoft customers

By Robert Scammell

The Russian state-backed group behind the SolarWinds hack has conducted further cyberattacks, this time against Microsoft and its customers.

The hacking group, dubbed Nobelium by Microsoft, has been conducting password spray and brute-force attacks to gain entry into corporate systems.

Nobelium also successfully hacked a Microsoft support agent’s computer and installed an “information-stealing trojan” to gain access to customer subscription information. The attacker then used this stolen information to launch further “highly targeted attacks”.

Microsoft said it is currently aware of three entities being breached in the latest spate of attacks.

Nobelium has been officially designated as operatives of the Russian Foreign Intelligence Service, or SVR, by US and UK intelligence agencies. The Kremlin has denied any involvement. The group – also known as Cozy Bear, APT29 and the Dukes – was blamed for the SolarWinds hack that saw 18,000 organisations affected globally after unwittingly installing a malicious update injected into the IT vendor’s software.

While SolarWinds was in no way involved in this latest flurry of attacks, it is the latest example of the Russian hacking outfit using supply chain attacks to gain access to other targets.

In a blog post published on Friday evening, Microsoft said Nobelium’s recent activity was “mostly unsuccessful” and that the “majority of targets were not successfully compromised”.

Microsoft did not specify how many attacks Nobelium had launched in total.

“The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted,” the company said.

A White House official told Reuters that the attack appears to be “run-of-the-mill espionage”.

However, a former US Cyber Command intelligence officer told Verdict this language could be “deliberate messaging to downplay hype and limit Russia’s claim to sophistication”.

“Espionage may be run-of-the-mill to insiders and folks like me, but in my opinion for the public or layperson there is rarely such a thing as ‘run-of-the-mill’ espionage,” said Cody Barrow, now director of threat intelligence at global threat intel company EclecticIQ.

But he added that it “might also be what it looks like – a bit of a nothing-burger and leftover breadcrumbs from the earlier [SolarWinds] campaign”.

The Redmond-headquartered tech giant said it discovered the compromise during its response to Nobelium’s SolarWinds hack, which has cast a long shadow due to its sheer size.

Microsoft warned in May that Nobelium is targeting third sector organisations and government agencies. At the time, the company said the Russian hacking group has targeted 3,000 email accounts across 150 organisations, primarily in the US.

Microsoft said it has advised compromised customers that they were the victim of a nation-state attack. According to a copy of a warning note seen by Reuters, Nobelium had access to one victim during the second half of May.

Just weeks later, US President Joe Biden met with Vladimir Putin and gave the Russian president a list of 16 critical infrastructure sectors that are “off-limits”. This included US government agencies – some of which were compromised during the SolarWinds hack.

Microsoft, along with tech companies Cisco, FireEye and Malwarebytes, was also compromised during the SolarWinds attack.

Separate cybercriminal groups operating out of Russia – although not state-backed – have been behind recent ransomware attacks against Colonial Pipeline and meat processor JBS.