Nobelium, the Russia-based threat actor behind the supply chain attack on SolarWinds, is targeting cloud service providers and IT services organizations in a large-scale and ongoing campaign designed to infiltrate systems belonging to downstream customers of these companies.
Since May, Nobelium has attacked at least 140 cloud service providers and compromised 14 of them, according to Microsoft, which has been tracking the campaign.
Once on a service provider's network, Nobelium has been targeting the privileged accounts that providers use to access and manage networks belonging to their downstream customers. It has used several tactics, including password spraying, phishing, token theft, and API abuse, to steal legitimate credentials for these accounts. The attackers have then used the privileged accounts to gain a foothold on systems belonging to targeted downstream customers of the service provider. Victims have included enterprise organizations, technology vendors, government entities, and think tanks, Microsoft says. Most of the organizations that have been targeted are based in the United States or countries across Europe.
The attacks on service providers — and resulting compromises — are not the result of product security vulnerabilities. Rather, they are the result of Nobelium actors taking advantage of any direct access that Internet and cloud service providers have to their customer systems, said Tom Burt, corporate vice president of customer security and trust at Microsoft, in a blog posted Sunday.
"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers," Burt wrote.
This latest Nobelium campaign is an example of attackers' growing focus on targets that provide them with means to compromise multiple organizations at the same time without having to break into each one separately. Examples of such targets include cloud service providers, managed service providers, software vendors, and other trusted entities in the technology supply chain, many of which have privileged access rights on networks belonging to their customers.
In the SolarWinds campaign, Nobelium broke into the company's software build environment and used its access to quietly embed malicious code into legitimate updates of SolarWinds' Orion network management product. That single intrusion gave the attacker a way to distribute malware to thousands of organizations, though it was interested in stealing data from only a small subset.
"This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers," Burt said.
In July, threat group REvil used a similar tactic by targeting a Kaseya server technology — which many managed service providers use — to distribute ransomware to thousands of their downstream customers.
For enterprise organizations, the main takeaway from such attacks is that supply chain threats extend well beyond just software vendors, says Jake Williams, co-founder and CTO at BreachQuest. IT service providers often have relatively poor security themselves while simultaneously having access to numerous customer networks, he adds.
"Every penetration security professional has horror stories about security at IT service providers," Williams says. "In one example, if I know the organization is serviced by a particular provider and the year the contract began, I know the domain admin password for the network."
A Persistent Adversary
Nobelium is a threat actor that the US government and others have formally identified as linked to Russia's foreign intelligence service, SVR. One of its missions is to collect information and conduct surveillance on organizations and entities thought to be of interest to the Russian government. Microsoft and others believe the group is trying to gain and maintain persistent access to a variety of entry points on the technology supply chain as part of this mission. Burt said that between July 1 and mid-October of 2021, Microsoft security researchers observed some 22,868 Nobelium attacks on organizations in the US and elsewhere. So far, Microsoft has informed 609 customers of being targets of these attacks, he said.
Williams describes Nobelium as a truly persistent adversary.
"Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt," Williams notes. "Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete."
Microsoft has recommended steps that organizations can take to reduce their exposure to attacks like Nobelium's that try to take advantage of the delegated administrative privileges that third parties often have on customer networks. The recommendations are different for service providers and for enterprise customers of these providers.
The recommendations for enterprise organizations include the need to review, audit, and limit third-party access privileges and delegated permissions on their network, the use of multifactor authentication and conditional access policies, and the need to audit and review logs and configurations. For service providers, Microsoft recommended they remove connections with delegated access privileges on customer networks when not in use. The company also urged service providers to review and audit security controls around connections with customer networks and to conduct a thorough investigation to verify if they had been breached in the current Nobelium campaign.
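As an added illustration of the "audit and review logs" recommendation above (example code written for this page, not Microsoft's tooling or guidance), the script below runs over constructed sign-in records and flags the two patterns the article describes: a password-spray burst against many accounts from one source, and successful sign-ins through a partner's delegated-access relationship that completed without MFA. The record fields (`user`, `ip`, `result`, `partner_tenant`, `mfa`) are an assumed format, not any real product's log schema.

```python
"""Triage constructed sign-in records for two risks the article names:
password spraying and delegated-admin (partner) sign-ins without MFA.
Field names are assumptions for this example, not a real product schema."""
import json
from collections import defaultdict

# Constructed sample records (not real telemetry). "partner_tenant" marks a
# sign-in that came through a service provider's delegated-access relationship.
SAMPLE_LOG = """
{"ts":"2021-10-20T08:00:01Z","user":"alice@corp.example","ip":"203.0.113.7","result":"failure","partner_tenant":null,"mfa":false}
{"ts":"2021-10-20T08:00:02Z","user":"bob@corp.example","ip":"203.0.113.7","result":"failure","partner_tenant":null,"mfa":false}
{"ts":"2021-10-20T08:00:03Z","user":"carol@corp.example","ip":"203.0.113.7","result":"failure","partner_tenant":null,"mfa":false}
{"ts":"2021-10-20T08:00:04Z","user":"dave@corp.example","ip":"203.0.113.7","result":"failure","partner_tenant":null,"mfa":false}
{"ts":"2021-10-20T08:00:05Z","user":"erin@corp.example","ip":"203.0.113.7","result":"success","partner_tenant":null,"mfa":false}
{"ts":"2021-10-20T09:15:00Z","user":"admin@msp.example","ip":"198.51.100.9","result":"success","partner_tenant":"msp.example","mfa":false}
{"ts":"2021-10-20T09:20:00Z","user":"admin@msp.example","ip":"198.51.100.9","result":"success","partner_tenant":"msp.example","mfa":true}
{"ts":"2021-10-20T10:00:00Z","user":"alice@corp.example","ip":"192.0.2.5","result":"failure","partner_tenant":null,"mfa":false}
"""

SPRAY_THRESHOLD = 4  # distinct accounts failing from one IP (tune per tenant)

def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_password_spray(records, threshold=SPRAY_THRESHOLD):
    """Return {source_ip: sorted distinct accounts} for IPs whose failed
    sign-ins touched at least `threshold` distinct accounts (spray pattern)."""
    failed = defaultdict(set)
    for r in records:
        if r["result"] == "failure":
            failed[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= threshold}

def find_partner_signins_without_mfa(records):
    """Successful sign-ins via a delegated partner relationship that did not
    satisfy MFA: the access path the guidance above says to restrict."""
    return [(r["ts"], r["user"], r["partner_tenant"]) for r in records
            if r["result"] == "success" and r["partner_tenant"] and not r["mfa"]]

def spray_success_after_failures(records, sprayers):
    """Accounts that succeeded from a spraying IP: likely compromised credentials."""
    return sorted({r["user"] for r in records if r["ip"] in sprayers and r["result"] == "success"})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    sprayers = find_password_spray(recs)
    print("spray sources:", sprayers)
    print("successes from spray sources:", spray_success_after_failures(recs, sprayers))
    print("partner sign-ins without MFA:", find_partner_signins_without_mfa(recs))
```

In practice the threshold and the partner-tenant allow-list would be tuned per tenant, and a partner sign-in without MFA should be treated as a policy violation rather than merely logged.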
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, says the recent activity demonstrates the significant risk to organizations when an APT group targets privileged accounts.
"Trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes," he says. "Compromising privileged accounts that have a high level of access enables threat actors to move through the cyber kill chain with little chance of being detected."
Given that many of the organizations impacted by Nobelium's activity are reportedly cloud and managed service providers, and considering the group's established ability to move laterally on compromised networks, it is possible that the scope of Nobelium's latest campaign could increase, he says.
ImmuniWeb founder Ilia Kolochenko recommends organizations implement a third-party risk management (TPRM) program that goes beyond the usual one-size-fits-all questionnaire for assessing vendor risk. He suggests organizations focus on drafting an adequate, proportional, and threat-aware vendor assessment process as part of their TPRM process.
"Reasonable contractual clauses, allocating the risks of data breaches and security incidents, can motivate vendors to maintain better security," he says.