The nation-state threat actors credited with the SolarWinds attack are back on the hunt for new targets in the IT supply chain, according to new research published Monday by Microsoft.
The new research relates to Nobelium, the Russian nation-state group credited with the massive SolarWinds supply chain attack disclosed in December. According to Microsoft, which released both a threat advisory and a blog post, the group is targeting IT services organizations across the United States and Europe, including cloud service providers and managed service providers.
“MSTIC [the Microsoft Threat Intelligence Center] assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve,” the technical post read.
Microsoft said that Nobelium is targeting privileged accounts of service providers in order to attain lateral movement, and that the activity is “a continuation of Nobelium’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”
In addition to service providers themselves, the technical post said that downstream customers and “other organizations” were being targeted.
Tom Burt, Microsoft corporate vice president of customer security and trust, wrote in a separate blog post that Microsoft began observing Nobelium’s latest campaign in May of this year, and that since then the company has notified “more than 140 resellers and technology service providers that have been targeted by Nobelium.”
He added that Microsoft believes that “as many as 14” of the resellers and service providers have been compromised. Burt said that the current campaign was in the early stages.
“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” Burt wrote.
Burt called the campaign one part of a larger wave of Nobelium activity in recent months.
“In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” he said. “By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
Microsoft declined to respond to SearchSecurity’s questions or comment beyond linking to both blog posts.
Microsoft is among the list of organizations impacted by Nobelium in the past year. In June, the company disclosed that Nobelium compromised a Microsoft customer support agent’s system and accessed three client networks. Months before, the nation-state actor stole source code for three different Microsoft products.
Alexander Culafi is a writer, journalist and podcaster based in Boston.