The notorious hacking group, Nobelium is the main culprit who organized the sensational cyberattack on the American software manufacturer SolarWinds. However, the latest wave of Nobelium aimed at the resellers and other tech service providers in the cloud. In short, they have targeted 14 IT supply chains and 140 MSPs in their latest attack wave.

Since May of this year, this Russian threat group Nobelium carried out attacks on resellers and other providers of technology services, for deployment and management of cloud services to get access to the IT networks of their customers.

Nobelium is the elite hacking group of Russia’s SVR foreign intelligence agency, and this group is also known as “Cozy Bear.” While Microsoft has notified more than 140 resellers and technology service providers since May that are targeted by the Nobelium.

The SolarWinds hack went unnoticed for most of 2020, and when the whole incident was discovered it became a very embarrassing moment for Washington.

Not only that even Nobelium also compromised several US government agencies that include:-

  • The Department of Justice
  • The Department of Homeland Security (DHS)
  • The Cybersecurity and Infrastructure Agency (CISA)
  • The United States Treasury

From the above-mentioned departments, the Department of Justice is the one from which Nobelium compromised 80% of the email accounts that were used by the US prosecutors’ offices in New York.

More than 22,868 times the threat actors of the Nobelium group have attacked 609 customers between July 1 and October 19 this year. While Microsoft notified 20,500 times over the past three years all its customers about the cyberattacks from state-sponsored hacking groups.

The devastating effects of the long-undetected SolarWinds hack clearly show the success rate of Russian state-sponsored hackers and the success rate is about 32%, while in the previous 12 months it was at 21%.

In these attacks, they have used well-known techniques, like password spray and phishing, by executing these attacks they managed to steal legitimate credentials and gain privileged access.

Security activities of Microsoft

Here are the improvements that are done by Mircosoft to protect and secure their ecosystem:-

  • In September 2020, to access Partner Center and to use delegated administrative privilege (DAP) to manage a customer environment Microsoft rolled out MFA.
  • On October 15, to strengthen security controls Microsoft launched a program to provide two years of an Azure Active Directory Premium plan for free.
  • To help organizations identify and respond to these attacks promptly Microsoft has added detections in its security tools like Microsoft Cloud App Security (MCAS), M365 Defender, Azure Defender, and Azure Sentinel.
  • To provide privileged access to resellers Microsoft currently steering new and more granular features for organizations.
  • To enable partners and customers to control and audit their delegated privileged accounts and remove unnecessary authority, Microsoft added new security mechanisms to its monitoring system.
  • Microsoft is also working closely with its partners to assess and remove unnecessary privileges and access.

Nobelium in their recent attacks did not exploit any software vulnerabilities, unlike last year’s campaign, as this time they resorted to the techniques like phishing and Password Spraying to steal credentials.

However, a technical guide that describes how Nobelium tries to move laterally through networks to reach intermediate customers has been already published by Microsoft, and it has also informed all the affected vendors as well.

Looking for Best WAF Solutions for your web applications environment?? Register for Free WAF webinar & explore the experts thoughts and Choose the Best one.. Very limited seats available.. grab it here at ProPhaze.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here