The same Russian nation-state actor behind the cyberattacks targeting SolarWinds customers in 2020, Nobelium, has targeted organizations integral to the global IT supply chain. 

According to Microsoft, since May 2021, Nobelium has been attempting to replicate the approach it used to attack SolarWinds, but this time using its tactics to target a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. 

Microsoft says Nobelium hopes to “piggyback” on any direct access resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partners to gain access to their downstream customers. 

Since May, Microsoft has been notifying more than 140 resellers and service providers that Nobelium has targeted, and 14 of those resellers and service providers have been compromised. 

Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, says, “Supply chain threats extend well beyond just software. IT service providers often have relatively poor security themselves while simultaneously having access to numerous customer networks (often hundreds).”

The attacks are part of a larger wave of Nobelium activities, Microsoft says. “Between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” Microsoft says. 

These attempts indicate Russia is trying to gain long-term, systematic access to various points in the tech supply chain and establish a mechanism for surveillance, now or in the future, targets of interest to the Russian government, Microsoft says. 

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “The activity demonstrates the significant risk to organizations when an APT group targets privileged accounts. Trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes. Compromising privileged accounts that have a high level of access enables threat actors to move through the cyber kill chain with little chance of being detected.”

Morgan adds, “Given that many of the organizations impacted by this activity are reportedly cloud and managed service providers, it is possible that the scope of this incident could increase. NOBELIUM is known for its resourcefulness in moving laterally across supply chains. Additional impacted organizations may surface in the coming months.”

It’s unsurprising that the Russian SVR continues to remain active as the mission of gathering intelligence never goes out of style, says Oliver Tavakoli, CTO at Vectra, a San Jose, California-based AI cybersecurity company. “These new attacks, which focus on infiltrating service providers and leveraging the trust that is placed on them by their customers, present new challenges as the signals left behind by each attack span multiple organizations. The attacks do share some of the hallmarks of the SolarWinds hack in leveraging the interconnected nature of on-premise, cloud identity, SaaS application, and public cloud footprints and hopscotching through these as necessary to achieve an end goal.”

Williams says, “Implementation of some of the recommended mitigation measures, such as reviewing, hardening, and monitoring all tenant administrator accounts, reviewing service provider permissions and reviewing auditing logs, should be table stakes for security in any larger organization. However, the reality is that most organizations are resource-strapped. This makes complying with these recommendations difficult for more organizations.”