Microsoft stated that Nobelium, the Russian-backed threat group responsible for the SolarWinds hack, has attacked 140 managed service providers (MSPs) and cloud service providers since May. Tom Burt, Corporate Vice President at Microsoft, stated that 14 of the 140 MSPs were successfully breached. In addition, more than 600 Microsoft customers were attacked, although with a low success rate. The Russian hackers use a diverse set of tools to carry out these attacks including tactics ranging from malware, password sprays, and token theft to API abuse and spear phishing. Nobelium is the hacking division of the Russian Foreign Intelligence Services and is also tracked as APT29, Cozy Bear, and The Dukes. The group continues to carryout aggressive espionage campaigns to gain long term access to systems and steal information.
Analyst Notes
Microsoft recommends that MSPs and cloud service providers, other technology organizations with elevated privileges for customer systems, and all downstream customers of these organizations review and implement the actions in the link below to help mitigate and remediate the recent NOBELIUM activity.
https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
https://www.bleepingcomputer.com/news/microsoft/microsoft-russian-svr-hacked-at-least-14-it-supply-chain-firms-since-may/
