Nobelium, the group behind the SolarWinds attack, is still targeting the global supply chain, according to Microsoft. Since May 2021, it has attacked 600 clients, among them 140 managed service providers (MSPs) and cloud service providers, and breached at least 14.
Nobelium, also tracked as APT29, Cozy Bear, and The Dukes, is the hacking division of the Russian Foreign Intelligence Service (SVR). In April 2021, the US government accused the SVR of coordinating a cyber espionage campaign against multiple US agencies through the SolarWinds hack.
Nobelium's attack strategy resembled its previous campaigns, relying on a variety of tools and techniques. Its toolkit ranged from malware and password sprays to token theft, API abuse, and spear phishing.
The attacks are designed to steal sensitive information from technology service providers and resellers that deploy and manage cloud services on behalf of their customers.
Microsoft alerted the affected companies after spotting the attacks. Microsoft also added detections to its security products to prevent future attacks.
“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” said Tom Burt, Corporate Vice President at Microsoft. “We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”
Over 600 Microsoft customers were targeted by Nobelium during the last three months, according to Burt:
“These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” Burt said. “By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
This shows that Nobelium is still attempting attacks against US organizations in the same vein as the SolarWinds intrusion.
In response to Nobelium's ongoing activity, Microsoft has shared a set of measures to help organizations protect themselves against this type of attack.