Microsoft says Russian group behind SolarWinds attack now targeting IT supply chain

Microsoft Corporate Vice President of Customer Security & Trust Tom Burt shared the “latest activity” the company has observed from Russian nation-state actor Nobelium. Burt, in a blog post, said Nobelium was identified by the U.S. government and others as being part of Russia’s foreign intelligence service, known as the SVR.


“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Burt wrote. “This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”

Burt added that Microsoft believes Nobelium “ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”

Microsoft said it began observing Nobelium’s latest activity in May 2021, and said it has been notifying “impacted partners and customers, while also developing new technical assistance and guidance for the reseller community.”

“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” Burt wrote. “We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”

Microsoft said it discovered the campaign “during its early stages,” and said it is sharing developments with cloud service resellers, technology providers, and customers so they can take “timely steps to help ensure Nobelium is not more successful.”

Microsoft said that the attacks on this sector of the global IT supply chain have been part of a “larger wave” of Nobelium activities over the summer.

Burt said that between July 1 and Oct. 19, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits.

“By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years,” Burt wrote.

Microsoft warned, however, that the activity is “another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling, now or in the future, targets of interest to the Russian government.”

Microsoft, detailing the attacks, explained that it does not appear to be an attempt to “exploit any flaw or vulnerability in software,” but rather the utilization of “well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access.” Microsoft said that the company “can now provide actionable information which can be used to defend against this new approach.”
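The report says the campaign relied on password spraying and phishing against legitimate credentials rather than on a software flaw. The following is an added example, not code from the article, from Microsoft or from any vendor named here, of how a defender might flag password-spray behaviour in authentication logs: one source failing against many distinct accounts with only a few attempts each, followed by any successful sign-in from that same source (a likely stolen credential). The log format, the thresholds and the sample events are assumptions constructed for illustration.

```python
"""Password-spray detection over a constructed sample of sign-in events.

Added example for illustration only. The log format, the IP addresses, the
usernames and the thresholds below are assumptions, not data from any
real incident.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<ISO timestamp> <user> <source_ip> <result>".
# 203.0.113.7 sprays one attempt each across six accounts and then logs in as grace.
# 198.51.100.9 hammers one account (brute force, not a spray).
# 192.0.2.5 is a user mistyping a password twice before succeeding.
SAMPLE_LOG = """\
2021-10-25T09:00:01Z alice 203.0.113.7 FAIL
2021-10-25T09:00:03Z bob 203.0.113.7 FAIL
2021-10-25T09:00:05Z carol 203.0.113.7 FAIL
2021-10-25T09:00:08Z dave 203.0.113.7 FAIL
2021-10-25T09:00:10Z erin 203.0.113.7 FAIL
2021-10-25T09:00:12Z frank 203.0.113.7 FAIL
2021-10-25T09:00:14Z grace 203.0.113.7 SUCCESS
2021-10-25T09:01:00Z admin 198.51.100.9 FAIL
2021-10-25T09:01:02Z admin 198.51.100.9 FAIL
2021-10-25T09:01:04Z admin 198.51.100.9 FAIL
2021-10-25T09:01:06Z admin 198.51.100.9 FAIL
2021-10-25T09:01:08Z admin 198.51.100.9 FAIL
2021-10-25T09:01:10Z admin 198.51.100.9 FAIL
2021-10-25T09:02:00Z grace 192.0.2.5 FAIL
2021-10-25T09:02:05Z grace 192.0.2.5 FAIL
2021-10-25T09:02:20Z grace 192.0.2.5 SUCCESS
2021-10-25T09:03:00Z alice 192.0.2.8 SUCCESS
"""


def parse(text):
    """Turn the assumed log format into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted users} for sources whose failures, inside any
    sliding window, hit at least `min_users` distinct accounts with no account
    tried more than `max_per_user` times. That shape (wide, shallow) is what
    distinguishes a spray from a single-account brute force or a user typo."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()  # chronological order so the window slides forward
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, user in fails[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = sorted({user for _, user in fails})
                break
    return flagged


def successful_logins_from(events, flagged):
    """Successful sign-ins from a flagged source: accounts to treat as likely
    compromised (reset credentials, revoke sessions, review MFA enrolment)."""
    hits = defaultdict(set)
    for _, user, ip, result in events:
        if result == "SUCCESS" and ip in flagged:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprays = detect_spray(evs)
    print("spray sources:", sprays)
    print("successful sign-ins from spray sources:", successful_logins_from(evs, sprays))
```

The thresholds are deliberately simple; in a real tenant the same logic would run against sign-in events from the identity provider, and the per-source grouping would usually be extended to cover rotating source addresses by keying on user-agent or ASN as well.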

Microsoft said it has been coordinating with others in the security community, and has been “working closely with government agencies in the U.S. and Europe.”

“While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Burt wrote.


Meanwhile, a senior administration official explained that the activities Microsoft described were “unsophisticated password spray and phishing attempts for the purpose of surveillance that cybersecurity experts say are attempted every day by Russia and other foreign governments and have been for years.”

The official said these types of attempts can be prevented if cloud service providers implement “baseline” cybersecurity practices, including multi-factor authentication, a measure that requires users to authenticate their accounts with more than a password.

“Broadly speaking, the federal government is aggressively using our authorities to protect the Nation from cyber threats, including helping the private sector defend itself through increased intelligence sharing, innovative partnerships to deploy cybersecurity technologies, bilateral and multilateral diplomacy, and measures we do not speak about publicly for national security reasons,” the official told Fox News.

Earlier this year, the Biden administration imposed sanctions on Russia for the SolarWinds computer hack, which began in 2020 when malicious code was snuck into updates to popular software that monitors the computer networks of businesses and governments. The malware, affecting a product made by the American company SolarWinds, gave elite hackers remote access to an organization’s networks so they could steal information.


Earlier this month, Biden hosted virtual meetings with more than 30 countries to “accelerate cooperation to counter ransomware,” but the White House did not extend the invitation to Russia, senior administration officials said. The officials noted that the United States and the Kremlin have a “separate channel” where they “actively” discuss the matter.

Officials said that the president established a U.S.-Russia experts group for the U.S. to engage “directly” on the issue of ransomware.

“We do look to the Russian government to address ransomware criminal activity coming from actors within Russia,” the official said, adding that the Biden administration has “also shared information with Russia regarding criminal ransomware activity being conducted from its territory.”

“We’ve seen some steps by the Russian government, and are looking to see follow-up actions, and broader international cooperation is an important line of effort, because these are transnational criminal organizations,” the official said, adding that they “leverage global infrastructure and money laundering networks to carry out their attacks.”

Biden, during his summit in Geneva with Russian President Vladimir Putin in June, raised the issue of ransomware. At the time, Biden said he told Putin that “certain critical infrastructure should be off limits to attack.” Biden said he gave a list of “16 specific entities defined as critical infrastructure,” saying it ranged from energy to water systems.

Putin, however, during his press conference after the meeting, denied that Russia was responsible for cyberattacks and instead claimed that most cyberattacks in the world were carried out from the U.S.

Also over the summer, the president signed a national security memo directing his administration to develop cybersecurity performance goals for critical infrastructure in the United States—entities like electricity utility companies, chemical plants, and nuclear reactors.

Meanwhile, the National Counterintelligence and Security Center last week announced it is prioritizing industry outreach efforts in U.S. technology sectors where the stakes are “potentially greatest” for U.S. economic and national security, warning of “nation-state threats” posed by China and Russia.


The NCSC warned that the Kremlin “is targeting U.S. advances through the employment of a variety of licit and illicit technology transfer mechanisms to support national-level efforts, including its military and intelligence programs.”

NCSC officials warned that Russia is also “increasingly looking to talent recruitment” and international scientific collaborations to “advance” its domestic research and development efforts. NCSC said, however, that “resource constraints” have forced the Kremlin to focus on “indigenous” research and development efforts, such as Russian military applications of artificial intelligence.

NCSC warned that Russia uses intelligence services, academics, joint ventures and business partnerships, talent recruitment, foreign investments, government to government agreements, and more to acquire U.S. technologies.

Fox Business’ Meghan Henney contributed to this report.