SolarWinds hackers continue to attack IT supply chain firms

Nobelium, a threat actor believed to be behind last year’s massive SolarWinds breach, is still targeting technology firms integral to the global IT supply chain. Since May 2021, the group has attacked 140 managed service providers (MSPs) and cloud service providers and managed to compromise at least 14 of them.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Microsoft’s corporate vice president Tom Burt wrote in the company blog.

During the three months between 1 July and 19 October 2021, Microsoft said it had seen Nobelium make 22,868 attack attempts against 609 MSP customers, with “a success rate in the low single digits.”

“By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” Burt said.

According to Microsoft, in the recent campaign the attackers have not attempted to exploit vulnerabilities in software but rather used a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to obtain credentials and gain privileged access.

“Microsoft assesses that organizations, such as cloud service providers and other technology organizations who manage services on behalf of downstream customers, will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods, from credential access to targeted social engineering via legitimate business processes and procedures,” Microsoft said.

The Windows maker has also published technical guidance to help organizations protect themselves against Nobelium’s attacks.
