SolarWinds Attacker Targets Cloud Service Providers in New Supply Chain Threat

Earlier this year, a supply chain attack targeted at SolarWinds customers rocked the cybersecurity industry, implicating big tech as well as numerous government agencies. Nobelium, the Russia-based actor behind this attack, is now targeting various cloud and IT service providers in a large-scale campaign.

As with the SolarWinds hack, the ongoing aim is to infiltrate the systems of high-profile downstream customers of these services.




Nobelium is believed to be a nation-state actor that forms part of Russia’s foreign intelligence service known as the SVR. Beyond simply exploiting businesses for financial gain, the aim of these attacks goes as far as to threaten the national interests and security of the US.

Nobelium has a penchant for targeting organizations integral to the global IT supply chain. They are looking to once again capitalize on this technique that has proven successful before. The only significant difference is that they are now targeting a different part of the supply chain: the resellers and service providers that manage cloud services and other technologies on behalf of their customers.

The approach is fairly straightforward, although the actual implementation is highly sophisticated and effective. Once they gain access to the target service provider’s network, they try to hijack privileged accounts to take control of networks belonging to downstream customers.

They utilize several TTPs (tactics, techniques, and procedures) to take over accounts, such as password spraying, phishing, token theft, and API abuse. This illustrates both the technical sophistication and the social engineering prowess employed by Nobelium. It also shows that threat actors don’t necessarily have to exploit software vulnerabilities to steal credentials and carry out successful attacks.
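As a defender-side illustration of the password spraying mentioned above (an added example, not taken from the original article or from Microsoft's reporting), the sketch below flags a source address whose failed sign-ins touch many accounts with only a few attempts each, and lists accounts that then signed in successfully from that address. The log format, field names, thresholds and sample data are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (hypothetical format; documentation IPs and domains).
SAMPLE_LOG = """\
2021-10-12T08:00:05Z ip=203.0.113.7 user=alice@customer.example result=FAIL
2021-10-12T08:00:40Z ip=203.0.113.7 user=bob@customer.example result=FAIL
2021-10-12T08:01:10Z ip=203.0.113.7 user=carol@customer.example result=FAIL
2021-10-12T08:01:45Z ip=203.0.113.7 user=dave@customer.example result=FAIL
2021-10-12T08:02:20Z ip=203.0.113.7 user=erin@customer.example result=OK
2021-10-12T08:03:00Z ip=198.51.100.20 user=frank@customer.example result=FAIL
2021-10-12T08:03:09Z ip=198.51.100.20 user=frank@customer.example result=FAIL
2021-10-12T08:03:30Z ip=198.51.100.20 user=frank@customer.example result=FAIL
2021-10-12T08:03:55Z ip=198.51.100.20 user=frank@customer.example result=OK
"""

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=4, max_per_account=2):
    """Flag source IPs whose failures inside `window` hit many accounts, few tries each."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for r in fails[start:end + 1]:
                counts[r["user"]] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                since = fails[start]["ts"]
                # A success from the same IP after the spray began suggests a guessed password.
                hits = sorted({r["user"] for r in recs if r["result"] == "OK" and r["ts"] >= since})
                alerts[ip] = {"targets": sorted(counts), "possible_compromise": hits}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The second address in the sample, which fails repeatedly against a single account before succeeding, is deliberately not flagged: that pattern is a mistyped password or single-account guessing, which account lockout already covers, whereas spraying stays under lockout thresholds by spreading attempts across accounts.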

Most of the targeted downstream organizations are based in the US as well as Europe. They include think tanks, enterprise organizations, technology vendors, and government entities.

Microsoft is currently on the case, trying to analyze the scope and scale of this wave of attacks. According to them, 140 resellers and technology service providers have been targeted by Nobelium, with around 14 of them being successfully compromised.

That’s not all. Microsoft also claims this is part of an even wider campaign between July 1 and October 19, 2021, whereby over 609 organizations have been attacked as many as 22,868 times. This is more than the 20,500 attacks involving nation-state actors that Microsoft had reported in the prior three years.

As with the SolarWinds attack, the scale, complexity, and dynamic nature of the campaign make it nearly impossible to accurately estimate the financial damage caused. That’s also partly because financial gain does not seem to be the primary goal of these attacks.

Microsoft asserts that “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”

Beyond the compromise of their own interests, this shows how private businesses can become embroiled in large-scale international incidents facilitated through the use of targeted cybercrime campaigns.

Aside from using common-sense techniques, such as MFA, the principle of least privilege, permission auditing, etc., downstream customers should also review their contracts and campaign for reasonable contractual clauses that allocate the risks of data breaches and security incidents.