Security experts have been sharing advice and guidance after newly published intelligence linked a spate of attempted cyber attacks against targets in the IT channel to Nobelium, the Kremlin-backed advanced persistent threat (APT) group that perpetrated the 2020 SolarWinds cyber attack.
On Sunday 24 October, Microsoft’s Tom Burt, corporate vice-president of customer security and trust, published new insight into the volume of malicious activity observed being conducted by Nobelium.
Burt said the group continued to try to replicate the approach it used in the SolarWinds incident by targeting organisations within the global IT supply chain, but it has now moved from suppliers on to channel resellers and managed service providers (MSPs), particularly those specialising in cloud services.
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers,” said Burt.
“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium.
“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful.”
Burt went on to disclose that between 1 July and 19 October 2021, Microsoft informed 609 customers of a total of 22,868 attempted attacks, a very small percentage of which were successful. By comparison, between 1 July 2018 and 1 July 2019, it made 20,500 customer notifications about attacks from all nation-state actors it observed.
Most of these attacks have not attempted to exploit software flaws or vulnerabilities, but rather tried-and-tested techniques such as password spraying and phishing to obtain valid credentials.
Burt said this indicated the Russian state was trying to gain long-term and systemic access to the technology supply chain to conduct surveillance of its targets.
However, Alicia Townsend, a technology evangelist at identity specialists OneLogin, said that despite the high volume of attacks, the fact that the success rate was so low was cause for some cautious celebration, even though Microsoft did not reveal precisely how the attacks were stopped.
“Since the means of attack is through password spraying and phishing, we should be able to assume that these organisations have implemented some basic defences, such as security training for their employees and requiring multifactor authentication when users log on,” said Townsend.
Townsend was not alone in this view. Others also spoke of the importance of safeguarding privileged identities to guard against both Nobelium-linked intrusions and other attackers. Among them was Danny Lopez, CEO of file security specialist Glasswall.
“To prevent these attackers from gaining privileged access and wreaking havoc, organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems,” he said.
“It is vital to control privileged access and to monitor those that enjoy administrator privilege. Ensuring that multifactor authentication is enforced, wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius and, in most cases, defeat the data breach.”
Lopez also said Microsoft’s revelations reinforced the case for zero-trust security approaches. “Recent attacks and these new attempts reveal that the traditional castle-and-moat approach to network security leaves organisations exposed – zero-trust security sees the world differently,” he said.
“No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held among multiple cloud providers, it is crucial to strengthen all processes relating to access verification. Without a zero-trust approach, organisations run the risk of attackers like Nobelium having free rein across a network once they are inside.”
And there is good reason to get the basics right, as Cybereason Government president Sam Curry pointed out. Curry said that in the case of a reseller, the consequences of compromise were much worse, going beyond mere financial injury to encompass a business’s entire reputation.
“Those with the privilege of managing or servicing customers downstream have a responsibility that increases exponentially to do things right,” said Curry. “Security isn’t just a differentiator for them, it’s a necessity. Managing customers is a privilege, not a right, and it can be lost if resellers don’t get this right now.”
Questions of responsibility
But Saket Modi, co-founder and CEO of Safe Security, said it was not necessarily the case that a breached IT reseller or MSP should carry the can for a supply chain attack. He argued that there was a degree of responsibility that must fall on the user as well.
“Today in a provider/customer relationship, customers delegate unrestricted administrative rights to the provider to allow seamless management of customers’ tenants,” said Modi. “Most often, customers follow traditional and qualitative risk management assessments before onboarding a third party. Nobelium’s ongoing supply chain attacks show the importance of closing loopholes to trusted relationships that cause downstream impacts.
“Nobelium has been successful because organisations lack a single, enterprise-wide and real-time cyber security view of what and where their vulnerabilities lie across people, technology and third-party (supply chain).
“To effectively manage third-party security risks today, organisations need to go beyond a questionnaire and outside in approach only, and have a cohesive inside-out, real-time risk analysis of third parties to get a better understanding of their risk posture and critical vulnerabilities.”
While ransomware attacks by financially motivated cyber criminals who splash their earnings on Italian supercars may appear more glamorous, supply chain attacks are now emerging as the bigger threat because they can so easily be weaponised to perform much deeper, long-lasting intrusions, as Arctic Wolf’s field chief technology officer, Ian McShane, pointed out.
“Supply chain hygiene deserves just as much planning and forethought [as ransomware],” said McShane. “Specific to this revelation around Nobelium, a concerning trend that we are seeing in cyber security is the continuing availability and accessibility of sophisticated nation-state-developed exploits to e-crime groups, thus spreading with a far bigger radius.
“What is concerning about this supply chain incident and the reporting from Microsoft is that the vulnerabilities spreading downstream to MSPs and IT providers can result in latent threats for years to come, and without significant focus on uncovering and remediating the impacted systems, we may see a number of threat actors – nation states or e-crime groups – exploit those vulnerabilities.”