Mega-distie SYNNEX attacked and Microsoft cloud accounts it tends tampered
Republican National Committee said to be a victim, with Cozy Bear in the frame for the attack
Updated Technology distributor SYNNEX has admitted that its systems and Microsoft accounts it tends have been attacked, after the National Committee of the US Republican Party (RNC) named it as the source of a recent security incident.
Bloomberg on Tuesday reported that APT 29, aka Cozy Bear, last week attacked the RNC which, as the organising entity of the US Republican Party, holds all sorts of interesting and sensitive data. Cozy Bear was also named as the entity behind the supply chain attack on SolarWinds
In response to the Bloomberg report, the RNC quickly named mega-distributor SYNNEX as the source of the breach, said no data was accessed, and that it has worked with Microsoft to get the situation is under control.
SYNNEX ’fessed up to its involvement, in a statement that admits “it is aware of a few instances where outside actors have attempted to gain access, through SYNNEX, to customer applications within the Microsoft cloud environment.”
- Here's what Russia's SVR spy agency does when it breaks into your network, says US CISA infosec agency
- It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US
- FYI Russia is totally hacking the West's labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies
The nature of the RNC’s activities and hint of Cozy Bear’s involvement mean this incident is potentially another online skirmish between the USA and Russia. US President Biden recently told his Russian counterpart Vladimir Putin to stop his compatriots using digital weaponry — a call that Putin rebuffed by saying that his nation is the real victim. Biden said he “made it clear that we will not tolerate attempts to violate our democratic sovereignty or destabilize our democratic elections, and we would respond”. It remains to be seen if this incident is deemed worthy of response.
SYNNEX distances itself from Kaseya
SYNNEX’s statement is also notable for stating: “These actions could potentially be in connection with the recent cybersecurity attacks of Managed Service Providers, or MSPs” — almost certainly a reference to recent troubles at Kaseya and SolarWinds.
The statement adds: “While SYNNEX provides many services as part of its overall IT distribution business, including supporting Microsoft cloud applications, it is not an MSP in the context mentioned in recent media.”
And indeed, it is not. But like all distributors, SYNNEX has in recent years tried to grow beyond the box-moving and licence-slinging business, and, in its word, “stems design and integration services for the technology industry to a wide range of enterprises.”
Those offerings can include overseeing cloud accounts for customers — either by managing licences or with more substantial hands-on consultancy.
And just like MSPs, or the likes of Kaseya and SolarWinds, SYNNEX and other distributors are therefore potentially a gateway to attack numerous other entities.
If Cozy Bear and other miscreants have started attacking disties, that is therefore very scary indeed. Doubly so to SYNNEX, which is currently working its way through a merger with rival distie Tech Data. Once that transaction concludes, the combined company will be the planet’s largest tech distributor and an even tastier target.
Note, too, that SYNNEX’s statement says it’s aware of “a few instances” of concern. The RNC may therefore not be the only client to feel the rancid breath of Cozy Bear wafting uncomfortably close. ®
Updated to add at 0848 UTC on July 7, 2021
Michael Urban, president of worldwide technology solutions distribution at SYNNEX, told The Reg in a statement: “This morning, we responded to media reports over the weekend that referred to SYNNEX in reference to the Kaseya attack. We do not have a relationship with Kaseya and do not use its systems. We are conducting a thorough review of a few instances in which outside actors have attempted to gain access, through SYNNEX, to customer applications within the Microsoft cloud environment. These instances did not involve ransomware."