The Nobelium hacking group allegedly compromised a Microsoft support agent’s computer and attacked some of Microsoft’s customers with brute-force attacks, according to a report dated 25 June 2021. In a terse statement published late on a Friday afternoon, Microsoft said that the nation-state hackers behind the SolarWinds supply chain attack had compromised the agent’s computer and used that access to launch targeted attacks against company customers.
The hackers also compromised three entities using password-spraying and brute-force techniques, which gain access to accounts by bombarding login servers with large numbers of password guesses. Apart from those three undisclosed entities, the password-spraying campaign was “mostly unsuccessful.” Microsoft has since notified all targets, regardless of whether the attacks against them succeeded.
Microsoft discovered the threats during its investigation into Nobelium, a sophisticated hacking group that used SolarWinds software updates and other means to compromise networks belonging to nine US government agencies and 100 private organizations. According to the US federal government, Nobelium is part of the Russian government’s Federal Security Service.
“In the course of our investigation into this ongoing activity, we also found information-stealing malware on a machine belonging to one of our customer service representatives who had access to basic account information for a small number of our customers,” Microsoft said in a post.
“In some cases, the actor used this information to launch highly targeted attacks as part of a broader campaign.” As reported by Reuters, Microsoft published the breach disclosure after one of the news outlet’s reporters inquired about the notification it had sent to targeted or hacked customers. The infection of the worker’s computer was revealed in the fourth paragraph of the five-paragraph post.
Reuters reported that the infected agent had access to billing contact information and the services customers had paid for. In a statement, Microsoft advised affected customers to use caution when communicating with their billing contacts and to consider changing their usernames and email addresses and barring old usernames from logging in.
The SolarWinds supply chain attack took place in December: Nobelium hackers breached the Austin, Texas-based company, gained access to its software-build system, and pushed malicious updates to 18,000 SolarWinds customers. Asked about the attack on Microsoft, SolarWinds representatives said in an email that neither the company nor its customers were affected in any way.
Nobelium didn’t compromise its targets only through the SolarWinds supply chain attack. Malwarebytes, a provider of anti-malware software, said it was also infected by Nobelium, but via a different vector, which it did not specify. Similarly, Microsoft and email provider Mimecast have said that they were also hacked by Nobelium, which used the compromises to attack the companies’ clients or partners.
According to Microsoft, 57 percent of the password-spraying activity focused on IT companies, 20 percent on government organizations, and the rest on nongovernmental organizations, think tanks, and financial services. Approximately 45 percent of the activity focused on American interests, 10 percent targeted UK customers, and smaller shares were aimed at Germany and Canada. A total of 36 countries were targeted.
According to Reuters, Microsoft’s spokesman said Friday’s breach was not a continuation of Nobelium’s earlier successful attack on Microsoft. The company has not provided key details, including how long the agent’s computer was compromised or whether the compromised machine was a Microsoft-managed device on a Microsoft network or a contractor’s device on a home network.
The disclosure on Friday came as a shock to many security analysts. “I mean, Jesus, if Microsoft can’t keep their own kit clear of viruses, how is the rest of the corporate world supposed to?” said Kenn White, an independent security researcher.