New Russian Hacks Revealed—but U.S. Says it’s Microsoft’s Fault

Microsoft has issued another of its “look how clever we are” writeups of detecting hackers breaking into its cloud services. In its report, the Redmondites tut-tut that Microsoft’s customers really need to take more care with their security.

But the U.S. government sees it differently, blaming Microsoft itself. Officials say Microsoft and other cloud service providers need to do more to prevent these sorts of supply chain attacks from getting past the firewalls.

Shots fired. In today’s SB Blogwatch, we search for the truth.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Meow House.

Cozy Bear with Us

What’s the craic? David E. Sanger reports—“Russia Renews Broad Cybersurveillance Operation”:

Microsoft … bore much of the blame
The new effort is “very large, and it is ongoing,” Tom Burt, one of Microsoft’s top security officers, said. … Government officials confirmed that the operation … seemed to come out of the S.V.R., the Russian intelligence agency that was the first to enter the Democratic National Committee’s networks during the 2016 election.

Earlier this year, the White House blamed the S.V.R. for the so-called SolarWinds hacking … giving the Russians broad access to 18,000 users. Mr. Biden said the attack undercut trust in the government’s basic systems and vowed retaliation.

American officials confirmed that the operation … was underway. But they insisted that if it was successful, it was Microsoft [that] bore much of the blame: A senior administration official [said it] “could have been prevented if the cloud service providers had implemented baseline cybersecurity practices.”

Ouch. To which u/SmallParade reacts accordingly:

Classic response: … “This story is a massive nothingburger. Also it’s not our fault or even our job to deal with it.”

Which hacking group is this? Sergiu Gatlan identifies—“Russian SVR hacked at least 14 IT supply chain firms since May”:

APT29, Cozy Bear
Microsoft says the Russian-backed Nobelium threat group … is still targeting the global IT supply chain, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May 2021. … Just as in previous attacks, the Russian state hackers used a diverse … toolkit, including a long list of tools and tactics ranging from malware, password sprays, and token theft to API abuse and spear phishing.

Nobelium is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, Cozy Bear, and The Dukes. … The main targets of these new attacks are resellers and technology service providers that deploy and manage cloud services and similar tech for their customers.

Horse’s mouth? The anonymous PR drones in Microsoft’s Threat Intelligence Center blog thuswise—“NOBELIUM targeting delegated administrative privileges”:

Leveraging the trusted relationships
The threat actor tracked as NOBELIUM [is] attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations … that have been granted administrative or privileged access by other organizations … in the United States and across Europe. … MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve.

NOBELIUM [is] targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks. … These attacks have highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments. … To identify and triage delegated administrative privileges, see the mitigations and recommendations [at the link].

So the guv’mint blames Microsoft, but Microsoft blames its own customers? Gareth Corfield notes the irony—“Russia’s Nobelium crew has trebled attacks”:

It does help if account authentication works properly
You can’t be too careful these days. Hostile countries’ threat actors are targeting you and your organisation, no matter how low-value or uninteresting you think you are.

The group’s use of brute-forcing suggests enabling multi-factor authentication is more important than ever before. It does help if account authentication works properly and doesn’t lock users out altogether if they see someone else attempting to log into a protected account, as one Microsoft user recently found.

Ouch. And here’s innocent_white_lamb:

Hooray for Microsoft. … Doing their best to make the world a less secure place since 1995.

But c’mon, is it really down to Microsoft? u/bro_please decides whether the blame is fairly directed at Redmond:

It’s true. You can’t force corporations to have basic cybersecurity.

What of the Russian connection? Our own Teri Robinson has more—“Supply Chain Attacks Force U.S. Government’s Hand”:

All eyes are on the White House
Threats from the U.S. government apparently weren’t enough to keep Nobelium … away from the vulnerable global IT supply chain. … The attacks revealed by Microsoft are likely just the tip of the iceberg.

President Biden issued stark warnings earlier this year to Russia and directly to President Vladimir Putin—saying the U.S. would take “any necessary action” against cyberattackers. … Biden said the consequences of a cyberattack could have grave implications, resulting in a kinetic response.

Government may have to make good on its promise to respond in a meaningful way. … For the time being, then, all eyes are on the White House.

And the response? Enter the mind of Pascal Monett:

Terminated with extreme prejudice
This is sabotage and nothing less than an act of war. I’m thinking Tom Clancy could have whipped up a scenario where such actors were terminated with extreme prejudice à la Rainbow Six.

Perhaps stronger medicine is required? Mazzachre notes the only way to be sure:

Probably nuking the entire site is an overreaction, but how to get Russia off the internet otherwise?

Meanwhile, this Anonymous Coward sums up the Russian version of events:

Bears do not **** in the woods.
The Pope is not Catholic.
Russia does not conduct offensive operations in the cyber domain.

And Finally:

“This is a Halloween cat story you don’t want to miss”

Hat tip: nospoon

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: DonkeyHotey (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
