The rise of cyber-attacks – Enter Nobelium – Warns Microsoft 

I remember when I first read the SolarWinds article and wrote about it here; it took me by surprise that a simple mistake with a password could have caused so much havoc. The Nobelium group has been on the radar for quite a while since the SolarWinds attack. The group also ended up breaching some of Microsoft's own infrastructure [Reference]. Now Microsoft says that the Russian-backed threat group (Nobelium) is still targeting the IT supply chain: since May this year it has gone after more than 140 resellers and technology service providers, including managed service providers (MSPs) and cloud service providers.

This campaign shows Nobelium's approach of compromising a great many targets by breaching their respective service providers. The group has been prominent since its attack on SolarWinds last year and has kept up a wave of attacks, underlining its interest in the supply chain via the "compromise-one-to-compromise-many" approach, as Bleeping Computer put it. The tools deployed by this group are diverse and the toolkit is constantly evolving. Its tactics, techniques and procedures range from custom malware to password spraying, token theft and API abuse, and spear-phishing. Password spraying and phishing are used to steal legitimate credentials, which are then used to abuse the delegated administrative privileges a provider holds over its customers' tenants. The main targets of these new attacks are resellers and technology service providers that deploy and manage cloud services and similar technology for their customers. Microsoft has notified the impacted targets and added detections to its threat intelligence products so that such intrusions can also be spotted in the future.
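Of the techniques listed above, password spraying is the one a defender can catch directly in sign-in logs: the attacker tries one or two common passwords against many accounts, keeping the per-account failure count below the lockout threshold, so a per-account lockout rule never fires. The detection therefore has to pivot on the source rather than the account. The block below is an added example (not Microsoft's detection logic and not code from the original post) that runs that logic over a constructed set of sign-in events; the field names (`ts`, `user`, `src_ip`, `result`) and the thresholds are this example's own assumptions, to be mapped onto whatever sign-in log schema you actually have.

```python
"""Password-spray detection over sign-in events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data. Field names are this example's
# own assumption; map them to your identity provider's sign-in log schema.
SAMPLE_EVENTS = [
    # One source, six accounts, one failure each, slow: a spray below lockout limits
    {"ts": "2021-07-01T08:00:00", "user": "alice", "src_ip": "203.0.113.10", "result": "failure"},
    {"ts": "2021-07-01T08:02:00", "user": "bob",   "src_ip": "203.0.113.10", "result": "failure"},
    {"ts": "2021-07-01T08:04:00", "user": "carol", "src_ip": "203.0.113.10", "result": "failure"},
    {"ts": "2021-07-01T08:06:00", "user": "dave",  "src_ip": "203.0.113.10", "result": "failure"},
    {"ts": "2021-07-01T08:08:00", "user": "erin",  "src_ip": "203.0.113.10", "result": "failure"},
    {"ts": "2021-07-01T08:10:00", "user": "frank", "src_ip": "203.0.113.10", "result": "failure"},
    # The sprayed password worked for one account: the event we most want to surface
    {"ts": "2021-07-01T08:12:00", "user": "frank", "src_ip": "203.0.113.10", "result": "success"},
    # Brute force against a single account: many failures, one user. Not a spray.
    *[{"ts": f"2021-07-01T08:0{i}:30", "user": "bob", "src_ip": "198.51.100.7", "result": "failure"}
      for i in range(8)],
    # Benign typo followed by a successful login
    {"ts": "2021-07-01T09:00:00", "user": "alice", "src_ip": "192.0.2.5", "result": "failure"},
    {"ts": "2021-07-01T09:01:00", "user": "alice", "src_ip": "192.0.2.5", "result": "success"},
]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs that fail against many distinct accounts, few tries each, in a window.

    A per-account lockout rule misses this pattern by design; the pivot is the source.
    Returns one finding per source IP with the widest spray window seen, plus any
    accounts that the same source then logged into successfully.
    """
    failures = defaultdict(list)   # src_ip -> failed sign-ins
    successes = defaultdict(list)  # src_ip -> successful sign-ins
    for e in events:
        rec = dict(e, ts=datetime.fromisoformat(e["ts"]))
        if rec["result"] == "failure":
            failures[rec["src_ip"]].append(rec)
        elif rec["result"] == "success":
            successes[rec["src_ip"]].append(rec)

    findings = []
    for src, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        best, start = None, 0
        # Sliding window over this source's failures, ordered by time
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for r in fails[start:end + 1]:
                per_user[r["user"]] += 1
            # Spray signature: many accounts, each hit only a few times
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    w_start, w_end = fails[start]["ts"], fails[end]["ts"]
                    succeeded = sorted({
                        r["user"] for r in successes[src]
                        if w_start <= r["ts"] <= w_end + window and r["user"] in per_user
                    })
                    best = {
                        "src_ip": src,
                        "distinct_users": len(per_user),
                        "window_start": w_start.isoformat(),
                        "window_end": w_end.isoformat(),
                        "succeeded": succeeded,  # sprayed accounts the source then got into
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f)
```

The brute-force source (eight failures on one account) is deliberately not flagged here; it is a different pattern with a different response, and an existing per-account lockout or failed-login rule already covers it. Tune `min_users` and `window` against your own baseline of distinct accounts per source, and treat any entry in `succeeded` as a confirmed credential compromise rather than a mere attempt.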


Tom Burt, Microsoft's Corporate Vice President for Customer Security and Trust, said the company has been working continuously to notify the companies and technology providers impacted by Nobelium. The disclosure follows a wave in which Microsoft observed more than 600 of its customers being attacked repeatedly between July and October, although with a meagre success rate. Those attempts are just a glimpse of the threat group's larger wave of activity since December 2020. In total Microsoft notified 609 impacted customers, who were attacked by Nobelium 22,868 times. Wow, that number says something. The only consolation is that the success rate was in the low single digits.

A quick brief on the Nobelium group, from what is available today: it is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, Cozy Bear and The Dukes. You can read more about APT29 here. If you check the MITRE ATT&CK page for the techniques employed by this group, the list is extensive. They are known to target high-profile organizations. Earlier this year, Microsoft detailed three Nobelium malware strains used for maintaining persistence on compromised networks: a command-and-control backdoor dubbed 'GoldMax', an HTTP tracer tool tracked as 'GoldFinder', and a persistence tool and malware dropper named 'Sibot'. [Reference]


Microsoft assesses that Nobelium's ultimate goal is to piggyback on the direct access that service providers have to their customers' IT systems, impersonating an organization's trusted technology partner to reach customer data. If anything, the attacks are yet another manifestation of Nobelium's oft-repeated tactic of abusing the trust relationships service providers enjoy to burrow into multiple victims of interest for intelligence gain.

Published by The Art of Cyber-Space

I am a security professional specializing in incident management and network security. With vivid experience in different industries, I love exploring various ideologies and share knowledge about the current threat landscape to instill more cybersecurity awareness.
