Last December the cybersecurity world was shaken by the SolarWinds hack, arguably the largest cybersecurity attack of its kind (at that time). And despite several other high profile attacks since then, the SolarWinds attack is still fresh in the cybersecurity community’s mind.
And now the Nobelium hacking group, the Russian cyber gang behind the SolarWinds attack, is at it again with a Microsoft supply chain attack.
According to Microsoft, the Nobelium hacker group has been targeting Microsoft and its partners since May 2021, trying to gain a foothold within Microsoft’s networks from which to launch attacks on Microsoft customers worldwide. Given that Microsoft is one of the largest IT suppliers in the world, that is the potential to affect a great many organisations across all sectors and of all sizes.
A Microsoft supply chain attack to end all attacks
According to the Microsoft Threat Intelligence Center (MSTIC), the Nobelium hacking group began targeting Microsoft, Microsoft resellers and Microsoft service providers in May 2021, aiming to compromise them in order to gain access to their downstream customers, including governments, think tanks, and large and small businesses.
Their tactic has been to launch a barrage of attacks, using a wide range of techniques, at a relentless pace. According to MSTIC, the Nobelium hacking group launched 22,868 attacks at 609 Microsoft and associated targets between 1st July and 19th October 2021. That’s an average of over 200 hack attempts a day. While just a handful of these attacks have been found to be successful so far, the potential impact of this campaign is vast.
This is not so surprising to anyone familiar with the Nobelium hacking group. They are reportedly sponsored by the Russian foreign intelligence service (SVR), which appears to have given them limitless resources in their quest to gain access to high-profile, national-level targets across the United States and Europe.
The Microsoft supply chain attack affects… everyone
You might wonder what Microsoft has to do with you (or us). Well, plenty.
Microsoft is one of the most ubiquitous suppliers in the world, and by targeting it, the Nobelium hacking group is implementing a compromise-one-to-compromise-many approach, aiming to gain access to every Microsoft customer it possibly can. No organisation is too small: Nobelium will maximise the damage it causes.
They have targeted a wide range of Microsoft partner organisations in order to exploit trusted supplier relationships, move laterally in cloud environments and gain access both upstream and downstream, with an eye to carrying out further attacks or eventually reaching specific targets. Whether an organisation is a target in its own right is irrelevant: if they can gain access, and stay there, the Nobelium hacking group will find some way to attack it.
And unlike the SolarWinds attack, where they could exploit a vulnerability, this time the Nobelium hacking group has tried to manufacture access points through a wide range of techniques. Just some of the techniques they have used include malware, password spraying, token theft, API abuse and spear phishing, all aimed at compromising user accounts and using them to gain access.
CyberSecurity as a Service – proactive defence against attack
By creating a Microsoft supply chain attack, the Nobelium hacking group is attacking one of the most far-reaching IT suppliers in the world. This means that no one is safe, and every organisation everywhere should be taking this as a sign to check its cyber security position and strengthen its defences now.
The wide range of techniques used in not just this Microsoft supply chain attack, but in every other wide-ranging attack, demonstrates just how important it is for organisations to have a comprehensive cybersecurity strategy in place that incorporates both prevention and monitoring tactics.
In the first instance, organisations must ensure that they have done everything they can to protect themselves against attack. Some of the key elements of a preventative approach include:
- Ensuring good identity and access management, such as limiting privileged account holders to the smallest number of users, regular checks and removal of out-of-date accounts, and effective password and multi-factor authentication controls.
- Providing training for staff to help them protect the organisation from password spraying or phishing attacks.
- Implementing endpoint protection on every internet-facing device, including servers, and every employee computer, and tying this in with antivirus and antimalware solutions and firewalls to prevent and detect intrusions.
Simply implementing preventative tactics and a few pieces of software is not enough. Cybersecurity never sleeps, and prevention activity must be backed up by continuous monitoring of the network to ensure that any attack is identified as quickly as possible. Cybersecurity teams must regularly check logs for unfamiliar activity or users, scan the network for vulnerabilities, apply patches, and more.
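As an added illustration of the log checks this paragraph describes (example code, not from the original article), the following Python script runs over constructed sign-in records and separates a password spray, one of the techniques named above, from a single-account brute force. The record layout, the thresholds and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2021-10-01T08:00:01Z 203.0.113.10 alice FAIL
2021-10-01T08:00:03Z 203.0.113.10 bob FAIL
2021-10-01T08:00:05Z 203.0.113.10 carol FAIL
2021-10-01T08:00:07Z 203.0.113.10 dave FAIL
2021-10-01T08:00:09Z 203.0.113.10 erin FAIL
2021-10-01T08:00:11Z 203.0.113.10 frank SUCCESS
2021-10-01T08:05:00Z 198.51.100.7 alice FAIL
2021-10-01T08:05:02Z 198.51.100.7 alice FAIL
2021-10-01T08:05:04Z 198.51.100.7 alice FAIL
2021-10-01T08:05:06Z 198.51.100.7 alice FAIL
2021-10-01T08:05:08Z 198.51.100.7 alice FAIL
2021-10-01T09:00:00Z 192.0.2.5 bob FAIL
2021-10-01T09:00:20Z 192.0.2.5 bob SUCCESS
"""

def parse_log(text):
    """Return (timestamp, source_ip, user, result) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def classify_sources(events, spray_min_users=5, brute_min_attempts=5):
    """Classify each source IP by the shape of its failed sign-ins: many
    distinct accounts from one source is a password spray, many failures
    against a single account is a brute force. Thresholds are assumptions
    chosen for the sample data, not a vendor default."""
    failed = defaultdict(list)    # ip -> usernames with a failed sign-in
    succeeded = defaultdict(set)  # ip -> usernames that signed in successfully
    for _, ip, user, result in events:
        if result == "FAIL":
            failed[ip].append(user)
        else:
            succeeded[ip].add(user)
    report = {}
    for ip, users in failed.items():
        distinct = set(users)
        if len(distinct) >= spray_min_users:
            verdict = "password_spray"
        elif len(users) >= brute_min_attempts and len(distinct) == 1:
            verdict = "brute_force"
        else:
            verdict = "benign"
        # A success from a flagged source is the account to review first.
        report[ip] = {"verdict": verdict, "failed_users": len(distinct),
                      "failures": len(users), "successes": sorted(succeeded[ip])}
    return report
```

Run `classify_sources(parse_log(SAMPLE_LOG))` to get one verdict per source; on real sign-in exports, replace `parse_log` with a parser for your log format and tune the thresholds to your user population.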
Maintaining current, effective cybersecurity defences requires a wide range of skills that many organisations simply don’t have access to. Those are precisely the organisations that hacker gangs like Nobelium are hoping to gain access to through their activity against Microsoft and other key supply chain suppliers. That’s where our CyberSecurity as a Service model comes in, with comprehensive support for organisations of all sizes.
Want to learn more about how we can help you? Contact us for more information now.