Russia-linked Nobelium APT targets orgs in the global IT supply chain

Russia-linked Nobelium APT group has breached at least 14 managed service providers (MSPs) and cloud service providers since May 2021.

The SolarWinds security breach was not isolated, Russia-linked Nobelium APT group has targeted140 managed service providers (MSPs) and cloud service providers and successfully breached 14 of them since May 2021.

The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that conducted supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

The recent large scale campaign uncovered by Microsoft aimed at the service providers was uncovered by Microsoft researchers, in order to avoid detection, threat actors repetitively changed tactics and used a broad range of hacking tools and malware.

“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.” states Microsoft.

Attackers did not leverage exploits for vulnerabilities in the target organizations, but rather they used well-known techniques, like password spray and spear-phishing.

The campaign confirms that Russia-linked threat actors are trying to gain long-term, systematic access to multiple points in the technology supply chain to carry out cyberespionage activities. 

Microsoft researchers spotted the campaign in its early stages, between July 1 and October 19 the IT giant informed 609 customers that they had been attacked 22,868 times by Nobelium. The number of attacks is very high, by comparison, prior to July 1, 2021, the company had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

The company is still investigating these attacks, anyway the company believes that there was a very low rate of success between July and October.

Microsoft also released technical guidance that can allow organizations to protect themselves against hacking attempts that are part of the latest Nobelium’s campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]