Microsoft researchers said that the attackers behind the SolarWinds intrusion targeted at least 140 technology service providers - and successfully compromised 14 - in an ongoing campaign that started in May.
The threat group, which is known as Nobelium or APT29 and is affiliated with the Russian SVR, has previously targeted organizations integral to the global IT supply chain. Now, the group is attacking a different part of the supply chain, said Microsoft: Resellers and technology service providers across the U.S. and Europe, which assist end users in deploying, customizing and managing cloud services and other technologies.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft on Sunday.
Instead of exploiting software vulnerabilities, attackers behind this campaign utilized well-known tactics like password spraying and phishing to steal legitimate credentials and gain privileged access, said Microsoft. The aim here is to move laterally across impacted cloud environments in order to then gain access to downstream government and think tank customers, enabling further attacks.
Nobelium’s targeting of these “trusted relationships” between technology providers and their customers has become a staple for the actor. In this attack, the group targeted delegated administrative privileges, which allows admins to delegate administrative responsibilities - such as adding users or domains, or resetting passwords - to partners. Delegated administrative privileges are infrequently audited for approved use, and oftentimes they are not disabled by a service provider or downstream customer once use has ended, making them a lucrative target for cybercriminals.
“They use password spraying and spearphishing, but their most innovative activity has been focusing on supply chain attacks, whether that is abusing the access or resellers, or subverting software updates," John Hultquist, VP of intelligence analysis with Mandiant, said.
“Microsoft assesses that organizations... will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures."
Microsoft researchers have been tracking Nobelium’s activities and tools for months. In September, for instance, they uncovered a backdoor called FoggyWeb being used by the group to target Microsoft Entra ID Federation Services (AD FS) servers, access and exfiltrate the server’s configuration database, and maintain persistence on machines. And in June, they said that Nobelium targeted government agencies and IT companies and was able to compromise the machine of a Microsoft customer support agent who had access to customer account data.
On Sunday, Microsoft said that the more recent attacks are part of a larger wave of Nobelium activities over the summer, with 609 Microsoft customers being attacked 22,868 times by the actor between July 1 and Oct. 19, with a success rate in “the low single digits.” To put that into context, Microsoft said that in the three years prior to July 1, customers were notified of attacks 20,500 times - by all nation-state actors, as opposed to only Nobelium.
The SolarWinds attack, where malware was installed in SolarWinds software updates that were pushed out to 18,000 companies and government entities, put supply chain attacks on the forefront as a top concern this year. This most recent IT supply chain attack “highlighted the need for administrators to adopt strict account security practices and take additional measures to secure their environments,” said Microsoft.
Microsoft has security requirements for its cloud service provider partners to help defend against these attacks, which include the use of multi-factor authentication and conditional access policies; the adoption of Microsoft’s Secure Application Model Framework introduced in August, used for authenticating cloud solution provider partners; and the auditing of security operations. Microsoft also recommends partners remove delegated administrative privileges when not in use. The company is introducing a new reporting tool in November that will help partners identify all active delegated administrative privilege connections and remove any unused ones. For end-user organizations, Microsoft recommends reviewing and minimizing access privileges, enabling multi-factor authentication and auditing logs and configurations.
“Microsoft assesses that organizations, such as cloud service providers and other technology organizations who manage services on behalf of downstream customers, will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures,” the company said.