Russian nation-state actor behind SolarWinds cyberattack at it again: Microsoft
The same actors behind the SolarWinds breach that infiltrated nine U.S. government agencies are attempting to do the same thing to the global supply chain, researchers from Microsoft have concluded.
Russian nation-state actor Nobelium is targeting the cloud service and technology providers “that customize, deploy and manage” services for customers, Microsoft said.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” the report said.
The original intrusion involved software from SolarWinds, which makes IT management tools, that had been adulterated, or “Trojanized,” with a vulnerability that hackers could exploit to steal information, manipulate systems or plant trap doors and other exploits for future use.
The hack even compromised former acting Homeland Security Secretary Chad Wolf’s emails, according to three sources familiar with the situation.
Microsoft said that, starting in May 2021, it notified 140 resellers and technology service providers that had been targeted by Nobelium, 14 of which were compromised.
Microsoft said these attacks are part of a larger pattern of the group’s activities: between July 1 and October 19, it informed 609 customers that they had been targeted by Nobelium.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft said.
The alleged activity also comes as President Joe Biden has put Russia on notice that these types of cyberattacks will not be tolerated.
The White House on Monday declined to explicitly confirm the allegation by Microsoft that the same actors behind the SolarWinds breach were now attacking the global supply chain.
But when asked about it by ABC News, White House principal deputy press secretary Karine Jean-Pierre did not dispute the Microsoft account. She even repeated some of what the company alleged, but referred questions about the details to the company — and more broadly said the U.S. was “aggressively using our authorities to protect the nation from cyberthreats.”
“Broadly speaking,” she said, “the federal government is aggressively using our authorities to protect the nation from cyberthreats, including helping the private sector defend itself through increased intelligence sharing, innovative partnership to deploy cybersecurity technologies, bilateral and multilateral diplomacy and measures we do not speak about publicly for national security reasons.”
Javed Ali, the former director of counterterrorism at the National Security Council, told ABC News this campaign is a continuation of Russia’s aggressive cyber operations “using state-backed security services.”
“This operation also raises a host of questions about the limits of the Biden administration’s approach to Russia, which seems to include a combination of carrots and sticks to prevent, punish, and deter similar attacks,” Ali said.
The Biden administration has taken several steps in an attempt to mitigate cyberattacks, such as executive orders strengthening cooperation on cybersecurity with the public sector and sanctions against Russian government officials or the criminal groups responsible for cyberattacks.
“Critics of this approach will say the Russian government continues to operate with impunity in cyberspace and that the United States has not imposed the right level of costs to deter future activity,” said Ali, who was also a senior FBI and DHS official. “Whether the Biden administration is willing to escalate to even more aggressive measures remains to be seen given other geopolitical risks and concerns with Russian activity.”
Jean-Pierre, the White House spokesperson, seemed to downplay the alleged Russian flouting of Biden’s actions.
“According to Microsoft, the activities described were unsophisticated password spray and phishing attempts for the purpose of surveillance that cybersecurity experts say are attempted every day by Russia and other foreign governments and have been for years,” she said. “You can prevent these attempts if the cloud service providers implement baseline cybersecurity practices, including multi-factor authentication.”
ABC News reached out to the Russian embassy for comment but did not receive an immediate response.
ABC News’ Ben Gittleson contributed to this report.