Microsoft Says Russian Hackers Again Target Global Supply Chain
WASHINGTON — Microsoft announced Monday that the same hackers who tapped into U.S. government computers in the 2020 SolarWinds cyberattack continue to attack the global supply chain but with a slightly revamped strategy.
This time, the Russia-backed group Microsoft calls Nobelium is piggybacking onto the software of cloud service reseller companies in an apparent attempt to break into their customers’ information technology systems.
Microsoft said in a statement that Nobelium secretly inserts spying software into the resellers’ systems to “more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”
Microsoft officials do not yet have an assessment of how much damage Nobelium has done.
“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” Microsoft vice president Tom Burt said in a blog post.
Resellers act as intermediaries in computer system distribution by purchasing software or hardware from manufacturers or wholesalers, selling it to customers and managing their accounts. The customers necessarily put a high degree of trust in their services.
Microsoft said that since May, it has notified more than 140 companies that they were targets of the Nobelium attacks. Fourteen of them are likely to have had their systems hacked.
The latest attack bears similarities to the 2020 SolarWinds attack for the way it embeds spyware into what appears to be legitimate software products.
The SolarWinds attack found a weakness in a popular cybersecurity program that allowed it to spy on government and corporate computers globally.
In the United States, the U.S. departments of Treasury, Commerce and Homeland Security all reported being hacked. Internationally, the victims included the North Atlantic Treaty Organization, the European Parliament, the United Kingdom’s Defense Ministry and pharmaceutical giant AstraZeneca.
So far, the U.S. government is downplaying the importance of the attack Microsoft announced Monday, describing it as a routine password spray and phishing attack.
However, Microsoft indicated it might be more serious. The company has notified more than 600 of its customers that it recorded 22,868 Nobelium attacks on their systems.
Although their success rate is small, Microsoft described the attack as the largest it had seen from a single country in years. Microsoft also left no doubt the Russian government was suspected.
“Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” the Microsoft blog post said.
The U.S. government blamed Russia’s SVR foreign intelligence agency for the SolarWinds attack. Its apparent motive was to help Russia gain global supply chain secrets that could give it an economic advantage using other organizations’ technology.
The Microsoft announcement adds another chapter to increasing friction between the United States and Russia over cyberattacks.
President Joe Biden has personally warned Russian President Vladimir Putin to stop the attacks but State Department officials say they see no evidence he has made an effort.
Biden warned Putin after the May 2021 Colonial Pipeline ransomware attack on the pipeline that carries gas and jet fuel from Houston to the Southeastern United States. The Russian hackers demanded $4.4 million in bitcoin before they would release their block on the oil company’s software.
Colonial Pipeline paid the ransom but the pipeline was shut down for five days.
Tom can be reached at [email protected].
