Picture: REUTERS/CHARLES PLATIAU

The hackers behind the notorious SolarWinds cyberattack are engaged in a new campaign to compromise global networks by targeting the tech supply chain, including resellers and providers of cloud technology, according to Microsoft.

Microsoft attributes the co-ordinated attack, which was first observed in May, to a group called Nobelium, the same state-sponsored Russian hackers who used sophisticated intrusion techniques in 2020 to infect customers of Texas-based software company SolarWinds with malware. More than 140 technology service providers and resellers have been notified as recent targets of the hackers and 14 of them are believed to have been compromised, Microsoft said in a blog on Monday.

Nobelium was also behind an attack on IT companies, governments, think-tanks and financial service entities earlier this year that spanned 36 countries, Microsoft announced in June.

Microsoft’s disclosure comes amid an effort by the Biden administration to curb cyberattacks, particularly ransomware, after a series of particularly disruptive hacks, including one on Colonial Pipeline in May that squeezed fuel supplies along the East Coast. In ransomware attacks, hackers encrypt a victim’s files and then demand payment to unlock them. Many of the most notorious ransomware gangs have ties to Russia, which has been accused of providing them with safe haven.

Russian state-sponsored hackers, meanwhile, have for years engaged in espionage and attacks, including hacks of Democratic Party officials ahead of the 2016 presidential election. In the case of SolarWinds, Russian hackers installed malware in updates to popular SolarWinds’ software, creating a digital backdoor for the hackers to launch further attacks.

In all, nine US agencies and 100 companies were targeted for further infiltration. In April, the US imposed sanctions against 32 entities and individuals and six Russian companies for alleged misconduct including the SolarWinds attack. 

In June, US President Joe Biden said he gave Russian President Vladimir Putin a list of 16 critical sectors that shouldn’t be hacked to deter a cyber-response from the US government, but the attacks have continued. The Kremlin, for its part, has repeatedly denied responsibility for any hacking attacks.

The attacks described in the Microsoft blog were unsophisticated operations attempted daily by Russia and other foreign governments. The attackers weren’t attempting to exploit any flaws or vulnerabilities in software but instead using “well-known” techniques to steal credentials, the blog said.

Between July and October, “we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” Microsoft corporate vice-president of customer security and trust Tom Burt wrote. 

The company said that activity was another indicator that “Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain, and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government.”

Charles Carmakal, senior vice-president at the cybersecurity firm Mandiant, which has also tracked the Russian hackers, said that similar to the SolarWinds attack, “The targets of this intrusion activity appear to ultimately be government organisations and other organisations that deal in matters of interest to Russia.”

Carmakal said the technique used by the hackers is exceedingly difficult to detect and investigate. “We know for sure we aren’t seeing everything,” he said.

The White House, which issued an executive order in May urging the private sector to bolster its cyberdefences, said it was increasing its intelligence sharing and other measures to protect against cyberthreats.

Bloomberg News. More stories like this are available on bloomberg.com
