By SecureWorld News Team
Tue | Oct 26, 2021 | 3:01 AM PDT

When I attended the Women in CyberSecurity (WiCyS) annual conference in September, the SolarWinds cyberattack was the elephant in almost every room.

At one point, a presenter said matter-of-factly that SolarWinds was "the one we all knew about" and declined to analyze the headline-making cyber incident further, because it had crossed into mainstream knowledge. It was understood the attack left many in cybersecurity with a looming feeling of dread, exhaustion, and burnout, and a sense of urgency around ramping up defenses.

From recent findings by Microsoft, it looks like there is no better time to ready our organizations than now. The suspected Russian APT (Advanced Persistent Threat) behind the SolarWinds incident is attempting to warm up strategic social engineering techniques to breach IT supply chain firms around the world in an effort to breathe life into similar cyberattacks.  

The malicious hacking group, referred to as Nobelium or Cozy Bear, wants to cause further chaos in global supply chains and has targeted Microsoft's technology resellers and software clients more than 22,000 times in six months with a high success rate, according to Microsoft.

Microsoft leadership comments on Nobelium's disruption efforts

Tom Burt, Corporate Vice President of Customer Security and Trust, wrote about the details on the Microsoft On the Issues blog.

"Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain.

This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.

We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers." 

Since May 2021, Microsoft has been monitoring Nobelium, and Burt says more than 600 clients were attacked 22,868 times "with a success rate in the single digits." Burt says the focus of the attack was on using techniques to steal credentials. 

"The attacks we've observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access."

He also commended the first steps from the U.S. White House and encouraged information sharing to battle against the cybercrime and espionage operations.

"While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we've seen between industry and government in the past two years, have put us all in a much better position to defend against them."

In an effort to give partners and other organizations a leg up, Microsoft also released the technical details on its blog. 

"Today, we are also releasing technical guidance that can help organizations protect themselves against the latest Nobelium activity we've observed as the actor has honed its techniques as well as guidance for partners."

Responses to the analysis of Nobelium's methods 

One of the hallmarks of Cozy Bear's attack framework is how long they can go undetected. According to Jake Williams, CTO and Co-Founder of BreachQuest: 

"Nobelium is a truly persistent adversary. Often organizations fail to fully remediate incidents, leaving the threat actor access to the network after the remediation is considered complete. Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt.

This is not a DIY project for most organizations and will likely require professional assistance to be successful due to the variety of tools and tradecraft used."

Troy Gill, Senior Manager of Threat Intelligence at Zix, also remarked on the level of sophistication of these attacks. Gill said:

"These attacks underscore how threat actors continue to misuse legitimate services to help their campaigns evade detection. Traditional email security solutions will not protect them against these sophisticated attacks. In response, organizations need to upgrade their email security posture with a solution that's capable of scanning incoming correspondence for campaign patterns, malware signatures, IP addresses, and other threat behaviors. This analysis should occur in real time so that legitimate correspondence can reach its intended destination without delay." 

Oliver Tavakoli, CTO at Vectra, discussed how Russian hackers hope to achieve their goals:

"It's unsurprising that the Russian SVR continues to remain active as the mission of gathering intelligence never goes out of style. These new attacks, which focus on infiltrating service providers and leveraging the trust that is placed on them by their customers, present new challenges as the signals left behind by each attack span multiple organizations. The attacks do share some of the hallmarks of the SolarWinds hack in leveraging the interconnected nature of on-premise, cloud identity, SaaS application, and public cloud footprints and hopscotching through these as necessary to achieve an end goal."

Russian nation-state hackers focus on PSYOP and disruption tactics

In a partnership between the Associated Press-NORC Center for Public Affairs Research and Pearson Institute, a survey found nearly three-quarters of participants saw Russia as the biggest threat in cybersecurity. 

Over the past weeks, tensions have come to a head between the U.S. technology industry and potential nation-state hackers from the top cyber threats to our economy: Russia and China.

Tom Burt also went into detail about what he suspects. 

"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government.

While we are sharing details here about the most recent activity by Nobelium, the Microsoft Digital Defense Report, published earlier this month, highlights continued attacks from other nation-state actors and cybercriminals. In line with these attacks, we are notifying our customers when they are targeted or compromised by those actors."

Eric Botts, Director of Global Cybersecurity Program at St. Thomas University in Houston, recently spoke at the SecureWorld Texas virtual conference. His presentation gave our audience insight into the vulnerabilities the U.S. is facing with Russia-backed nation-state hackers.

"Russia has learned that a fundamental weakness can be exploited in this manner. Our vulnerabilities often include our information institutions—which are vulnerable to disinformation and they have compromised on the political side—and supply chain disruption on the economic side," Botts said. 

Botts also discussed in depth how Russia uses tactics he calls psychological operations, or PSYOP, to prey on one of our nation's biggest weaknesses: the current political division and the economic distress caused by disrupting the nation's supply chain.

"Russia is very active in the area of disinformation, what I call psychological operations, or PSYOP. I believe they view that… the divisions in our [the United States'] society is our chief vulnerability to be exploited. Now, having said that, they are very active in looking at our defense, intelligence, and our defense industry, looking at technologies that we're developing, because right now, on the cyber side, the United States and Russia are probably the most advanced countries in developing the best technology."

Russia's leader is also no stranger to espionage.

"Given that Russian President Vladimir Putin cut his teeth as a KGB officer, he is well-schooled and at home in the world of espionage and sabotage.... That's what he knows, and that's what he's good at. It plays to Russia's advantage, because they do not have the economic power to compete with the United States and our NATO allies."

The ultimate goal of Russia is to stir up uncertainty and use that to prop their nation up, according to Botts.

"In my view, the goal is to degrade the U.S. as a global competitor, to create uncertainty among our partners and allies, and as to the stability of the U.S. and whether or not we can be relied upon as a global leader. These actions are not to bring Russia up or to elevate Russia, but to bring the United States down so that Russia gains power relative to that of the United States."

Now a lingering question: what will happen next in this cyber arms race? 
