In the recent past, the well-known company SolarWinds has been hit by a series of attacks and had newly discovered vulnerabilities exploited. This time, the hackers who breached SolarWinds appear to have infiltrated parts of Microsoft's infrastructure: it is reported that customer support tools were compromised. As another sign that the Russian hackers who attacked SolarWinds' network monitoring software to compromise large numbers of systems never actually went away, Microsoft said that the threat actor behind the malicious activity used password leaks and brute-force attacks to gain access to its customers' accounts. Microsoft says some of its customer support tools were accessed by the hacking group Nobelium, which was also behind the separate SolarWinds attack, after a Microsoft customer service agent's computer was compromised. [Reference]
Microsoft told Reuters that the agent had limited access and could see things such as which services customers used and their billing contact information. According to Microsoft, the hackers used the information gleaned from the tools to launch "highly targeted" attacks on specific Microsoft customers. The attack, Microsoft says, was part of a larger Nobelium campaign focused largely on IT companies and governments around the world. The company says it has reached out to the customers affected by the hacking group's use of the tools, and that Nobelium no longer has access to the customer support agent's device. The most recent wave of breaches is said to target IT companies in particular, followed by government agencies, non-governmental organizations, think tanks and financial services providers, with 45% of attacks in the US, Germany and Canada. [Reference]
A deep dive into the attack
Nobelium is the name assigned by Microsoft to the nation-state adversary responsible for the unprecedented SolarWinds supply chain attack that came to light last year. It is tracked by the wider cybersecurity community under the monikers APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity) and Iron Ritual (Secureworks). In addition, Microsoft said it detected information-stealing malware on a machine belonging to one of its customer support agents, who had access to basic account information for a small number of its customers. The stolen customer information was subsequently used "in some cases" to launch highly targeted attacks as part of a broader campaign, the company noted, adding that it moved quickly to secure the device. [Reference]
Investigation into the incident is still ongoing. The infected agent, Reuters said, could access billing contact information and the services the customers paid for, among other things. "Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in," the news service reported. The SolarWinds supply chain attack became known in December. After Nobelium hacked into the Austin, Texas-based company and took control of its software build system, it pushed malicious updates to around 18,000 SolarWinds customers. "The latest cyberattack reported by Microsoft does not affect our company or our customers in any way," a SolarWinds representative said in an email.
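The two account-access techniques the article attributes to Nobelium (password leaks and brute force) and the mitigation Microsoft recommended (barring old usernames from logging in) both leave traces in sign-in logs. The following is an added example, not code from the article, Microsoft or SolarWinds: a small analyser that flags a single source hammering one account (brute force), a single source trying many different accounts a few times each (password spraying, which evades per-account lockouts), and any attempt using a username that should already have been retired. The log format, the sample lines, the thresholds and the retired-user list are all constructed for illustration.

```python
"""Added example (not from the article, Microsoft or SolarWinds): a sign-in log
analyser for brute force, password spraying and retired-username attempts.
The log format and every sample line below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, one event per line: "timestamp user source_ip result"
SAMPLE_LOG = """\
2021-06-25T10:00:01 alice 203.0.113.5 FAIL
2021-06-25T10:00:03 alice 203.0.113.5 FAIL
2021-06-25T10:00:05 alice 203.0.113.5 FAIL
2021-06-25T10:00:07 alice 203.0.113.5 FAIL
2021-06-25T10:00:09 alice 203.0.113.5 FAIL
2021-06-25T10:00:11 alice 203.0.113.5 FAIL
2021-06-25T10:00:13 alice 203.0.113.5 SUCCESS
2021-06-25T11:00:00 bob 198.51.100.7 FAIL
2021-06-25T11:00:02 carol 198.51.100.7 FAIL
2021-06-25T11:00:04 dave 198.51.100.7 FAIL
2021-06-25T11:00:06 erin 198.51.100.7 FAIL
2021-06-25T11:00:08 frank 198.51.100.7 FAIL
2021-06-25T11:00:10 grace 198.51.100.7 SUCCESS
2021-06-25T12:00:00 billing-old 192.0.2.9 FAIL
2021-06-25T12:30:00 bob 192.0.2.20 SUCCESS
"""

# Hypothetical list of usernames retired after a billing-contact change.
RETIRED_USERS = {"billing-old"}

WINDOW = timedelta(minutes=10)   # sliding window for both detections
BRUTE_FORCE_FAILS = 5            # failures against one account from one IP
SPRAY_DISTINCT_USERS = 5         # distinct accounts tried from one IP


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_brute_force(events):
    """Return {(ip, user): max_failures} for (ip, user) pairs with at least
    BRUTE_FORCE_FAILS failed sign-ins inside one sliding WINDOW."""
    fails = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[(ip, user)].append(ts)
    hits = {}
    for key, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the window spans at most WINDOW.
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= BRUTE_FORCE_FAILS:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def detect_password_spray(events):
    """Return {ip: max_distinct_users} for IPs that try SPRAY_DISTINCT_USERS or
    more different accounts inside one WINDOW. Counting distinct accounts per
    source, not failures per account, is what catches low-and-slow spraying."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (first_ts, _) in enumerate(attempts):
            users = set()
            for ts, user in attempts[i:]:
                if ts - first_ts > WINDOW:
                    break
                users.add(user)
            if len(users) >= SPRAY_DISTINCT_USERS:
                hits[ip] = max(hits.get(ip, 0), len(users))
    return hits


def detect_retired_user_attempts(events, retired=RETIRED_USERS):
    """Return every attempt (failed or successful) that used a retired username;
    any such attempt means the old name was not actually barred, or is being probed."""
    return [(ts.isoformat(), user, ip, result)
            for ts, user, ip, result in events if user in retired]


def analyse(text):
    """Run all three detections over a log and return their findings."""
    events = parse_log(text)
    return {
        "brute_force": detect_brute_force(events),
        "password_spray": detect_password_spray(events),
        "retired_user_attempts": detect_retired_user_attempts(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG).items():
        print(name, finding)
```

On the constructed log this reports 203.0.113.5 brute-forcing alice (six failures, then a success worth investigating), 198.51.100.7 spraying six different accounts, and one attempt with the retired billing-old username. The thresholds are placeholders; in a real environment they would be tuned against the normal failure rate of the sign-in service.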
With the upcoming Windows 11, Microsoft has been talking a lot about the security features to be incorporated. Attacks like these go on to prove that the sky is the limit for such operations, and with the latest technology at their disposal, threat actors have undoubtedly stepped up their game with constant, sophisticated attacks. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation states seeking a variety of political ends, with these Nobelium attacks also targeting humanitarian and human rights organizations.
Article by Kaushik Sundararajan
I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of certain ideas from a different perspective.