Microsoft Warns of Nobelium Attacks on IT Supply Chain

October 29, 2021 - Russian-linked hacking group Nobelium poses a significant threat to the global IT supply chain, Microsoft warned in a recent blog post. Threats to the IT supply chain could have an immense impact on the healthcare sector in particular, as many providers utilize cloud security and IT vendors to handle sensitive data.

Nobelium was responsible for a massive 2020 cyberattack on SolarWinds that impacted thousands of organizations, including portions of the US government.

Microsoft’s Tom Burt, corporate vice president of customer security and trust, warned resellers and technology service providers that customize, deploy, and manage cloud services to be wary of Nobelium.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Burt wrote in the blog post.

“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community.”

Since May, Microsoft has notified more than 140 technology service providers and resellers that have been targeted by Nobelium. Approximately 14 of those technology vendors have been compromised. Microsoft issued this warning in hopes that resellers, technology providers, and customers take steps to mitigate these attacks and prevent Nobelium from being more successful.

Microsoft observed an uptick in Nobelium attacks over the summer. Between July 1 and October 19, Microsoft notified 609 customers that they had been attacked 22,868 times by Nobelium. Although the threat actors had a success rate in the single digits, Microsoft had notified customers about attacks from all nation-state actors a total of 20,500 times over the prior three years.

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” the post continued.

Rather than exploiting software vulnerabilities, recent Nobelium attacks have used common techniques including password spray and phishing to obtain credentials and gain access to networks. Microsoft is now working closely with US and European government agencies to mitigate the attacks.

“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Burt wrote.

Based on this new knowledge, Microsoft is working to implement supply chain security improvements for service providers that sell or support Microsoft technology. Microsoft is currently piloting improved monitoring to enable customers to audit their privileged accounts. In addition, the tech giant improved security protocols and detections in its products to help organizations quickly identify and respond to cyberattacks.

Nobelium and other threat actors are continuing to ramp up attacks and deploy sophisticated ransomware on unsuspecting organizations. FIN12 ransomware group has focused nearly a quarter of its attacks on the healthcare sector, and over 70 percent of its attacks were targeted at US-based entities.