SolarWinds attacker on the move: Russia's Nobelium crew has trebled attacks targeting MSPs, cloud resellers, says Microsoft

Phishing and password spraying on the up

Russia's Nobelium group – fingered as being a Russian state actor by both the United States and Britain – has massively ramped up phishing and password spraying attempts against managed service providers (MSPs) and cloud resellers, Microsoft's security arm has warned.

The Windows maker said the group's targeted attacks against "resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers" had trebled over the past three months.

Nobelium has been identified by Microsoft and others as the organisation behind the infamous SolarWinds supply chain compromise, and is linked to Russia's foreign intelligence service, the SVR. In infosec circles the SVR-backed group is also known as APT29.

In the period from 1 July to 19 October this year, Microsoft said it had seen Nobelium make 22,868 attack attempts against MSP customers, contrasting that figure with 20,500 attacks "over the past three years." Redmond said 609 customers were targeted in the latest burst of activity from the Russian state actor "with a success rate in the low single digits."

"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government," wrote Microsoft corporate veep Tom Burt.

Phishing, as Reg readers know well, is the art of sending malicious emails either to compromise the victim's device (gaining a foothold from which to target their organisation's network) or to trick them into handing over their login credentials for some portal or service that can be abused to the same end. Password spraying is a form of brute-forcing login portals: rather than hammering one account with many guesses, which trips the lockout threshold, the attacker tries a handful of common passwords against a long list of accounts, so each account sees only one or two failures and the noise is spread thinly across the user base. The group's reliance on credential guessing suggests enabling multi-factor authentication is more important than ever before.
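Because a spray is wide and shallow, it shows up in sign-in logs as one source address failing against many distinct accounts while staying under the per-account lockout threshold, which is the opposite shape to a brute force against a single account. The following is an added example, not code from Microsoft or The Register, that runs that detection over a constructed sign-in log; the account names, IPs and events are made up for illustration, and the thresholds (a 15-minute window, at least five accounts, no more than three failures per account) are assumed starting points to be tuned against your own lockout policy. It also records any account that later succeeded from the spraying address, the "low single digits" success the article mentions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in log (hypothetical accounts, documentation IPs,
# not real telemetry). Each line: ISO timestamp, account, source IP, FAIL/OK.
#   203.0.113.7  sprays a couple of passwords across many accounts, stays under
#                a typical lockout threshold on each, and lands one success.
#   198.51.100.9 hammers a single account: a brute force, not a spray.
#   192.0.2.5    is a legitimate user who mistypes once and then signs in.
SAMPLE_SIGNINS = """\
2021-10-01T08:00:01Z alice@example.com 203.0.113.7 FAIL
2021-10-01T08:00:09Z bob@example.com 203.0.113.7 FAIL
2021-10-01T08:00:17Z carol@example.com 203.0.113.7 FAIL
2021-10-01T08:00:26Z dave@example.com 203.0.113.7 FAIL
2021-10-01T08:00:34Z erin@example.com 203.0.113.7 FAIL
2021-10-01T08:00:41Z frank@example.com 203.0.113.7 FAIL
2021-10-01T08:00:50Z grace@example.com 203.0.113.7 FAIL
2021-10-01T08:00:58Z heidi@example.com 203.0.113.7 FAIL
2021-10-01T08:12:03Z alice@example.com 203.0.113.7 FAIL
2021-10-01T08:12:11Z bob@example.com 203.0.113.7 FAIL
2021-10-01T08:12:20Z dave@example.com 203.0.113.7 OK
2021-10-01T08:30:00Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:30:10Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:30:20Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:30:30Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:30:40Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:30:50Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:31:00Z bob@example.com 198.51.100.9 FAIL
2021-10-01T08:31:10Z bob@example.com 198.51.100.9 FAIL
2021-10-01T09:00:00Z carol@example.com 192.0.2.5 FAIL
2021-10-01T09:00:20Z carol@example.com 192.0.2.5 OK
""".splitlines()


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    account: str
    source_ip: str
    success: bool


@dataclass(frozen=True)
class SprayFinding:
    source_ip: str
    window_start: datetime
    window_end: datetime
    accounts_targeted: int
    failures: int
    max_failures_per_account: int
    compromised: tuple  # accounts that succeeded from this IP after the spray began


def parse_signin(line: str) -> SignIn:
    ts, account, ip, result = line.split()
    return SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  account.lower(), ip, result == "OK")


def detect_password_spray(lines, window=timedelta(minutes=15),
                          min_accounts=5, max_per_account=3):
    """Flag source IPs whose failures inside `window` touch at least
    `min_accounts` distinct accounts while no single account sees more than
    `max_per_account` failures. Breadth-over-depth is the spray signature;
    a single-account brute force has depth but no breadth and is not reported."""
    by_ip = defaultdict(list)
    for s in sorted(map(parse_signin, lines), key=lambda s: s.ts):
        by_ip[s.source_ip].append(s)

    findings = []
    for ip, events in by_ip.items():
        fails = [e for e in events if not e.success]
        i = 0
        while i < len(fails):
            # Grow the window from failure i as far as `window` allows.
            j = i
            while j + 1 < len(fails) and fails[j + 1].ts - fails[i].ts <= window:
                j += 1
            per_account = Counter(e.account for e in fails[i:j + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                start = fails[i].ts
                compromised = tuple(sorted({e.account for e in events
                                            if e.success and e.ts >= start}))
                findings.append(SprayFinding(ip, start, fails[j].ts,
                                             len(per_account), j - i + 1,
                                             max(per_account.values()), compromised))
                i = j + 1  # skip past this burst so it is reported once
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f"{f.source_ip}: {f.accounts_targeted} accounts, {f.failures} failures "
              f"{f.window_start:%H:%M:%S}-{f.window_end:%H:%M:%S}, "
              f"max {f.max_failures_per_account} per account, "
              f"compromised={f.compromised}")
```

Note that the brute-force address in the sample is deliberately not reported: eight failures on one account is exactly what an account-lockout policy already catches, whereas the spray never exceeds two failures on any account and would sail under that policy. The thresholds should be set just below whatever lockout rule the tenant enforces, since that is the ceiling a careful sprayer will stay under.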

It also helps if authentication works as designed and doesn't lock the legitimate owner out altogether when they notice someone else attempting to log into their account, as one Microsoft user recently found.

In the SolarWinds compromise, APT29 gained access to the build environment for the network monitoring company's Orion product in late 2019. Over a period of almost a year, the Russian digital spies patiently worked their way through SolarWinds, waiting months between steps to check for any sign of detection. The attack was only noticed in December 2020, by infosec firm FireEye, itself a SolarWinds customer.

"Russia does not conduct offensive operations in the cyber domain," said an implausible statement published by Russia's US embassy in December 2020, long before the attack was attributed to the SVR. English-language statements from Russian political figures are usually intended to confuse and mislead Western audiences, the best guide to the country's government's intentions being its actions rather than its words.

To that end, British and American cybersecurity agencies spent summer 2021 cheerfully publishing details of the SVR's changing tactics, techniques, and procedures as the agency seemingly tried to hide its tracks following public attribution of the SolarWinds hack. Even the private sector got in on the SVR-busting act.

Back on the SVR's home turf, Kaspersky recently attributed a new malware strain to the spies, naming it Tomiris. Microsoft itself warned in September of a malicious SVR tool targeting Active Directory credentials and token-decryption certificates.

All of which goes to show, you can't be too careful these days. Hostile countries' threat actors are targeting you and your organisation, no matter how low-value or uninteresting you think you are. ®

Biting the hand that feeds IT © 1998–2021