Microsoft says Russian group behind SolarWinds attack is now targeting IT supply chain


Microsoft on Monday warned that the same Russian group behind the SolarWinds 2020 cyberattack was trying to “replicate” this approach, now targeting organizations “integral” to the global IT supply chain, particularly resellers and technology service providers.

Microsoft Corporate Security & Trust vice chairman Tom Burt shared the “latest activity” the company has seen from Russian nation-state actor Nobelium. Burt, in a blog post, said Nobelium has been identified by the US government and others as part of Russia’s foreign intelligence service, known as SVR.


“Nobelium attempted to replicate the approach it used in past attacks by targeting organizations that are integral to the global IT supply chain,” Burt wrote. “This time around, it’s tackling another part of the supply chain: resellers and other technology service providers who customize, deploy and manage cloud services and other technologies on behalf of their customers.”

Burt added that Microsoft believes that Nobelium “ultimately hopes to graft on any direct access that resellers may have to their customers’ computer systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”

Microsoft said it began observing Nobelium’s latest activity in May 2021 and said it notified “affected partners and customers, while developing new technical support and guidance for the reseller community.”

“Since May, we have notified over 140 resellers and technology service providers that have been targeted by Nobelium,” Burt wrote. “We are continuing to investigate, but to date we believe that up to 14 of these resellers and service providers have been compromised.”

Microsoft said it discovered the campaign “in its early stages” and said it is sharing developments with cloud service resellers, technology providers and customers so they can take “timely steps to ensure that Nobelium does not have more success.”

Microsoft said the attacks on this sector of the global IT supply chain were part of a “larger wave” of Nobelium activity over the summer.

Burt said that between July 1 and October 19, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a single-digit success rate.

“By comparison, prior to July 1, 2021, we had informed clients of attacks by all nation-state actors 20,000 times over the past three years,” Burt wrote.

Microsoft, however, warned that the activity is “another indicator that Russia is trying to gain systematic long-term access to a variety of points in the technology supply chain and to establish a mechanism for surveilling, now or in the future, targets of interest to the Russian government.”

Microsoft, detailing the attacks, explained that it does not appear to be an attempt to “exploit a flaw or vulnerability in the software”, but rather the use of “well-known techniques, such as password spraying and phishing, to steal legitimate credentials and gain privileged access.” Microsoft said the company “can now provide actionable information that can be used to defend against this new approach.”

Microsoft said it has coordinated with other members of the security community and “worked closely with government agencies in the United States and Europe.”

“While we are clear that nation states, including Russia, will not stop attacks like these overnight, we believe measures such as the Executive Order on Cybersecurity for the United States, and the increased coordination and information sharing that we have seen between industry and government over the past two years, have put us all in a much better position to defend against them,” Burt wrote.


Meanwhile, a senior administration official explained that the activities Microsoft described were “unsophisticated password spraying and phishing attempts for surveillance purposes which cybersecurity experts say have been attempted every day by Russia and other foreign governments for years.”

The official said these types of attempts can be avoided if cloud service providers implement “core” cybersecurity practices, including multi-factor authentication, a measure that requires users to authenticate their accounts with more than just a password.

“Overall, the federal government is aggressively using our authorities to protect the nation from cyber threats, including helping the private sector defend itself through increased intelligence sharing, innovative partnerships to deploy cybersecurity technologies, bilateral and multilateral diplomacy and measures we are not talking about publicly for national security reasons,” the official told Fox News.

Earlier this year, the Biden administration imposed sanctions on Russia for the SolarWinds hack, which began in 2020 when malicious code was inserted into popular software updates for a product that monitors corporate and government computer networks. The malware, affecting a product made by the American company SolarWinds, allowed elite hackers to gain remote access to an organization’s networks so that they could steal information.


Earlier this month, Biden held virtual meetings with more than 30 countries to “accelerate cooperation to counter ransomware,” but the White House did not extend the invitation to Russia, senior administration officials said. Officials noted that the United States and the Kremlin have a “separate channel” where they “actively” discuss the issue.

Officials said the president created a US-Russian panel of experts to engage the US “directly” on the ransomware issue.

“We expect the Russian government to tackle criminal ransomware activity from actors in Russia,” an official said, adding that the Biden administration had “also shared information with Russia regarding the criminal ransomware activities carried out from its territory.”

“We have seen some measures taken by the Russian government, and we are looking to see follow-up actions, and broader international cooperation is an important focus of effort, as these are transnational criminal organizations,” an official said, adding that they “exploit the global infrastructure and money laundering networks to carry out their attacks.”

Biden, during his summit in Geneva with Russian President Vladimir Putin in June, raised the issue of ransomware. At the time, Biden said he told Putin that “certain critical infrastructure should be closed to attack.” Biden said he gave a list of “16 specific entities defined as critical infrastructure,” saying it ranged from energy systems to water supply systems.

Putin, however, in his post-meeting press conference denied that Russia was responsible for the cyberattacks and instead claimed that most cyberattacks around the world were carried out from the United States.

Also over the summer, the president signed a national security memo directing his administration to develop cybersecurity performance targets for critical infrastructure in the United States, entities such as electric utilities, chemical plants and nuclear reactors.

Meanwhile, the National Counterintelligence and Security Center (NCSC) announced last week that it is prioritizing industry outreach efforts in U.S. technology sectors where the stakes are “potentially the greatest” for the economic and national security of the United States, warning of “nation-state threats” posed by China and Russia.


The NCSC warned that the Kremlin “targets US advances by using a variety of legal and illegal technology transfer mechanisms to support efforts at the national level, including its military and intelligence programs.”

NCSC officials have warned that Russia is also “increasingly seeking talent recruitment” and international scientific collaborations to “advance” its domestic research and development efforts. The NCSC, however, said its “resource constraints” have forced the Kremlin to focus on “native” research and development efforts, such as Russian military applications of artificial intelligence.

The NCSC has warned that Russia is using intelligence services, academics, joint ventures and business partnerships, talent recruiting, foreign investment, government-to-government deals and more to acquire U.S. technology.

Meghan Henney of Fox Business contributed to this report.
