How nation-state attackers like NOBELIUM are changing cybersecurity
This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series—which mirrors Microsoft’s four-part video series “Decoding NOBELIUM”—will pull the curtain back on the world of threat detection and showcase insights from cybersecurity professionals on the front lines, both Microsoft defenders and other industry experts.
In many ways, the NOBELIUM nation-state cyberattack realized the deepest fears of United States cybersecurity experts, according to Microsoft 365 Security Corporate Vice President Rob Lefferts. It was a supply chain attack. It was methodically planned and executed. And it impacted multiple world-class companies with strong security teams. Perhaps, your company was one of them—or perhaps you know someone who works at a company that was affected. As we begin Cybersecurity Awareness Month in October, the far-reaching nature of such attacks is ever-present on our minds, which is one reason why more than 3,500 Microsoft security experts actively defend and protect organizations from cyberattacks every day.
Nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests. Numerous organizations were impacted by the NOBELIUM attacks. Such attacks are fueled by geopolitical competition and a desire to gain an advantage over other nations, such as by stealing intellectual property for economic benefit or supporting traditional espionage.
In December 2020, Microsoft began sharing information with the cybersecurity industry on what would become widely recognized as the most sophisticated nation-state cyberattack in history. NOBELIUM, a group of Russia-based hackers, gained access to multiple enterprises through vulnerable software code, stolen passwords, compromised on-premises servers, and minted SAML tokens.
In this supply chain attack, hackers were able to access the SolarWinds code, slip malicious code into a piece of the software, and use the vendor’s legitimate software updates to spread their malware to customer systems. Successful attacks gave NOBELIUM hackers high-level permissions on the downstream compromised systems.
Why should enterprises worry about nation-state attacks?
Historically, nation-state actors directly targeted infrastructure, think tanks, and governments of other countries. However, as organizations improve their defenses, sophisticated actors look for new ways to gain access to their targets through the vendors, software, and networks they rely upon. Enterprises are also increasingly at risk of attacks as nation-state actors expand their objectives to pursue intellectual property theft. As a result, enterprises are often targeted by nation-state actors attacking the networks of their customers, partners, or vendors through their own network or software. The Microsoft Threat Intelligence Center, which collects billions of data points to gather threat intelligence, has observed that enterprises are increasingly at risk of these attacks.
Consider these statistics, which show the magnitude of security threat from nation-state attacks:
- 35 percent of all nation-state attacks are targeted at enterprises, according to the CSO article, “Nation states: Cyberconflict, and the Web of Profit.”1
- 78 percent increase in attacks on supply chain vendors, according to the CPO Magazine article “HP Study: Nation-state Cyber Attacks Double Between 2017 and 2020 as World Edges Toward Open Cyber Warfare.”2
- 13,000 nation-state attack alerts emailed to customers during the past two years, according to the September 2020 Microsoft Digital Defense Report.
Unlike other types of cybercriminals, who exploit a vulnerability and move on, nation-state attackers are persistent and determined to achieve their objectives. They invest serious time profiling their targets and probing their network for vulnerabilities and are continually adding more tools and skills to their capabilities. Any organization—regardless of size—could be a potential target.
Another reason the NOBELIUM attack matters to the enterprise is that state-sponsored attackers often have unlimited monetary and technical support from their countries, giving them access to unique, modern hacking techniques and tactics.
“Nation-state actors are hard because they effectively have infinite funding and they’re above the law – at least in their country,” said Roberto, Principal Consultant and Lead Investigator of the Microsoft Detection and Response Team. “They have very good technical resources, so it’s not like they’re going to give up. It’s one of the reasons we put in the 80-hour weeks.”
NOBELIUM’s long-term impact
How did the NOBELIUM attack unfold and how has it changed cybersecurity? In the first episode of our four-part video series Decoding NOBELIUM: When Nation-States Attack, security professionals share behind-the-scenes details and weigh in on the lasting impacts of the NOBELIUM attack on cybersecurity. Watch the episode to learn security strategies you can implement in your organization, like which vulnerabilities to patch.
Microsoft is committed to helping organizations stay protected from cyberattacks, whether cybercriminal or nation-state. In particular, nation-state adversaries have significant expertise and resources and will develop new attack patterns with the specific intent of furthering their geopolitical objectives. Consistent with our mission to provide security for all, Microsoft will continue to use our leading threat intelligence and global team of dedicated cybersecurity defenders to help protect our customers and the world. Just two recent examples of Microsoft’s efforts to combat nation-state attacks include a September 2021 discovery and investigation of a NOBELIUM malware referred to as FoggyWeb and our May 2021 profiling of NOBELIUM’s early-stage toolset compromising EnvyScout, BoomBox, NativeZone, and VaporRage.
For immediate support, reach out to the Microsoft Security Response Center. Keep an eye out for future posts in the NOBELIUM nation-state attack series. In these posts, we’ll share the story of how we discovered the attack, how we fought the threat, and how the attack has shaped the future of cybersecurity.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Nation States, Cyberconflict, and the Web of Profit, CSO, 2021.
2HP Study: Nation-State Cyber Attacks Double Between 2017 and 2020 as World Edges Toward Open Cyber Warfare, Scott Ikeda, CPO Magazine. 22 April 021.
READ MORE HERE