Nobelium, the advanced, persistent threat (APT) actor behind the 2020 SolarWinds supply chain attack that served as a springboard for breaching a variety of high-level targets, is targeting organizations via their various service providers.
“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” says Tom Burt, Corporate VP, Customer Security & Trust, Microsoft.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”
Targeting service providers
According to Microsoft’s threat analysts, Nobelium has been trying to compromise cloud service providers, managed service providers, and other IT services organizations in the US and Europe, to ultimately target government organizations, think tanks, and companies these companies serve.
The threat actor apparently does not leverage product vulnerabilities, but has other tools in their offensive arsenal – malware, password spraying, supply chain attacks, token theft, API abuse, and spear phishing – to steal legitimate credentials and gain privileged access. Oftentimes, Nobelium attackers try different methods and probe several third parties to get access to one specific target (as illustrated in the image above).
Microsoft detected over 140 resellers and technology service providers being targeted by the attackers, but not all attacks were successful.
“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” Burt added.
Aside from notifying targeted entities, Microsoft has been working on implementing improvements to help protect technology partners in its supply chain.
The company has also shared attackers’ TTPs, threat hunting queries for detection and investigation, and specific technical guidance for potential targets: service providers, organizations that rely on elevated privileges, and downstream customers.
A nation-state actor?
“Nobelium is frequently observed conducting activities consistent with intelligence collection,” Microsoft pointed out.
The company (and the U.S. government, and other governments) believes Nobelium to be part of Russia’s foreign intelligence service (SVR).
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Burt noted.
Microsoft’s analysts warned that organizations previously targeted by Nobelium should monitor for recurring attacks by the same actor.