The Microsoft Security Response Center is tracking a new attack campaign in which Nobelium, a group connected to Russia, targets Microsoft customer support agents and uses its foothold to attempt further attacks.
Nobelium is the group to which Microsoft attributed the 2020 SolarWinds supply chain attack, and it has remained active since then. Last month, Nobelium launched a phishing attack after gaining access to the Constant Contact account of the United States Agency for International Development.
An investigation into Nobelium's recent activity revealed information-stealing malware on a machine belonging to a Microsoft customer support agent. The device had access to basic account information for a small number of customers. Attackers used the information, in some cases, to launch highly targeted attacks as part of a broader campaign. The access was removed and the device secured.
Microsoft says Nobelium's latest activity targeted specific customers, mostly IT companies (57%) and government (20%), along with non-governmental organizations, think tanks, and financial services. About 45% of attacks were focused on US interests, followed by 10% in the UK and smaller numbers in Germany and Canada. Microsoft reports that a total of 36 countries were targeted.
"This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date," officials found. All affected customers are being contacted.
Read the full MSRC blog post for more details.