SolarWinds attacker on the move: Russia’s Nobelium crew has trebled attacks targeting MSPs, cloud resellers, says Microsoft

Russia’s Nobelium group – fingered as being a Russian state actor by both the United States and Britain – has massively ramped up phishing and password spraying attempts against managed service providers (MSPs) and cloud resellers, Microsoft’s security arm has warned.

The Windows maker said the group’s targeted attacks against “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers” had trebled over the past three months.

Nobelium has been linked by Microsoft and others as the organisation behind the infamous SolarWinds supply chain compromise, and linked to Russia’s foreign intelligence (SVR). In infosec circles the SVR-backed group is also known as APT29.

During the three months between 1 July and 19 October this year, Microsoft said it had seen Nobelium make 22,868 attack attempts against MSP customers, contrasting that figure with 20,500 attacks “over the past three years.” Redmond claimed that 609 customers were targeted in the latest blurt of activity from the Russian state actor “with a success rate in the low single digits.”

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” wrote Microsoft corporate veep Tom Burt.

Phishing, as Reg readers know well, is the art of sending malicious emails either to compromise the victim’s device (gaining a foothold to target their organisation’s network) or to trick them into handing over their login credentials for some portal or service that can be abused for the same end. Password spraying is a form of brute-forcing login portals – and the group’s use of brute-forcing suggests enabling multi-factor authentication is more important than ever before.

It does help if account authentication works properly and doesn’t lock users out altogether if they see someone else attempting to log into a protected account, as one Microsoft user recently found.

Compromising SolarWinds saw APT29 establish access to the build servers for the network monitoring company’s Orion product starting in late 2019. Over a period of almost a year, the Russian digital spies patiently infiltrated SolarWinds, waiting months between steps to check for any signs of detection. The attack was only noticed by infosec firm FireEye, a SolarWinds customer, in December 2020.

“Russia does not conduct offensive operations in the cyber domain,” said an implausible statement published by Russia’s US embassy in December 2020, long before the attack was attributed to the SVR. English-language statements from Russian political figures are usually intended to confuse and mislead Western audiences, the best guide to country’s government’s intentions being its actions rather than words.

To that end, British and American cybersecurity agencies spent summer 2021 cheerfully publishing details of the SVR’s changing tactics, techniques, and procedures as the agency seemingly tried to hide its tracks following public attribution of the SolarWinds hack. Even the private sector got in on the SVR-busting act.

Back on the SVR’s home turf, Kaspersky recently attributed a new malware strain to the spies, naming it Tomiris. Microsoft itself warned in September of a malicious SVR tool targeting Active Directory credentials and token-decryption certificates.

All of which goes to show, you can’t be too careful these days. Hostile countries’ threat actors are targeting you and your organisation, no matter how low-value or uninteresting you think you are. ®

READ MORE HERE