Threats from the U.S. government apparently weren’t enough to keep Nobelium, the group behind the SolarWinds campaign, away from the vulnerable global IT supply chain—Microsoft said the threat actors, affiliated with Russian intelligence unit SVR, have attacked at least 140 managed service providers (MSPs) and cloud service providers, with 14 known breaches since May 2021.
The Microsoft Threat Intelligence Center (MSTIC) “detected nation-state activity associated with the threat actor tracked as Nobelium, attempting to gain access to downstream customers of multiple cloud service providers (CSPs), managed service providers (MSPs) and other IT services organizations that have been granted administrative or privileged access by other organizations,” researchers noted in a blog post, in an effort “to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems.”
That’s a troubling discovery, given the damage caused by the same actors in the SolarWinds attack.
After that incident and a string of devastating ransomware attacks, President Biden issued stark warnings earlier this year to Russia and directly to president Vladimir Putin—saying the U.S. would take “any necessary action” against cyberattackers—and took steps to harden security, build resilience and promote good cybersecurity hygiene at government agencies and among government software contractors.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil—even though it’s not sponsored by the state—we expect him to act,” Biden said last summer.
Biden said the consequences of cyberattack could have grave implications, resulting in a kinetic response. “I think it’s more than likely we’re going to end up, if we end up in a war—a real shooting war with a major power—it’s going to be as a consequence of a cyber breach of great consequence. And it’s increasing exponentially, the capabilities,” Biden told the intelligence community in late July.
The new crop of attacks didn’t arise from a product security vulnerability but are a continuation of Nobelium’s “use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse and spear phishing to compromise user accounts and leverage the access of those accounts,” Microsoft researchers said.
“Nobelium is a truly persistent adversary. Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete,” said Jake Williams, co-founder and CTO at BreachQuest. “Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt.”
In these supply chain attacks, Nobelium is also targeting downstream customers of service providers and other organizations” where customers have delegated admin rights to a provider “that enable the provider to manage the customer’s tenants as if they were an administrator within the customer’s organization,” Microsoft researchers wrote.
“Supply chains seem to be this year’s weak link into computer networks and systems, thanks to the strain of getting products and components to market for manufacturing and retail,” said Saryu Nayyar, CEO at Gurucul. While relatively few of Nobelium’s attacks “have succeeded, they don’t need many to cause significant disruptions,” she said.
“The international supply chain has become both the key facet and weak link of companies delivering products,” Nayyar added. “We have seen this graphically with the back-up of over 60 cargo ships at the Port of Los Angeles. Attackers are hitting those weak links, and enterprises who have a global supply chain have to manage not only their data, but also data from their suppliers around the world. This is likely going to be the next stage of logistics and supply chain management online.”
“Suppliers are the Achilles’ Heel of the largest financial institutions, governmental institutions and providers of critical national infrastructure,” said Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network. “Compared to frontal attacks against the victims, silent attacks against third parties are generally faster, cheaper and less noisy.”
In addition, suppliers might have “access to more data than the victims themselves; for example, by storing more data in backups than contractually allowed or expected,” he said. “Worse, some suppliers fail to detect sophisticated intrusions and the victims are never even notified about the incident.”
The attacks revealed by Microsoft are likely just the tip of the iceberg. “Organizations impacted by this activity are reportedly cloud and managed service providers; it is realistically possible that the scope of this incident could increase,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “Nobelium is known for their resourcefulness in moving laterally across supply chains, so additional impacted organizations may surface in the coming months.”
It’s “unsurprising that the Russian SVR continues to remain active as the mission of gathering intelligence never goes out of style,” as Oliver Tavakoli, CTO at Vectra, said. That means it’s more important than ever that organizations follow Microsoft’s advice that administrators “adopt strict account security practices and take additional measures to secure their environments.”
It also means that government may have to make good on its promise to respond in a meaningful way. Biden has said he has opened up a direct line of communications with Putin. For the time being, then, all eyes are on the White House.