- Nobelium, the Russian nation-state threat actor behind the SolarWinds compromise, is targeting resellers and service providers that help customers manage, deploy and customize cloud services, Microsoft said in a Sunday blog post. The hackers did not exploit any vulnerabilities in its software but instead relied on password spraying and phishing to gain access, Microsoft said.
- The campaigns began in May and so far Microsoft identified at least 14 breaches, though the technology company did not provide details on how severe the breaches were. The attacks were "part of a larger wave of Nobelium activities this summer," Tom Burt, corporate VP, customer security and trust at Microsoft, wrote in the blog post.
- The company alerted 609 organizations that were targeted 22,868 times to get into systems between July 1 and Oct. 19, 2021, according to the blog post. In the last three years, Microsoft had notified customers about 20,500 access attempts made by nation-state actors.
Given the connections resellers and service providers have, the latest campaign suggests attackers were after data resellers possessed because it could grant attackers access to government emails, defense technologies or vaccine research, The New York Times reported. The government confirmed the activity, though the breach is considered routine espionage. A U.S. official described the campaign as particularly "unsophisticated," according to The Times.
For a cyberattack or data breach to be considered cyber espionage, the perpetrator has to have motive with specific data in mind. But cyber espionage exists in an international law gray area, because cyber espionage is technically legal, according to a 2017 paper by Brian Egan, partner at Skadden and former State Department adviser, and deputy assistant to President Barack Obama's National Security Council.
"Remote cyber operations involving computers or other networked devices located on another State's territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law," Egan wrote.
The recent Nobelium campaign builds on ongoing efforts by nation-state actors to gather intelligence and compromise corporate networks. "This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government," Burt said.
This is at least the second SVR-related campaign directed at Microsoft this year. In January, Microsoft confirmed the SolarWinds attackers accessed some of its source code, though no changes were made. In December, Microsoft President Brad Smith said the SolarWinds campaign was not "espionage as usual," as secondary targets were handpicked by the hackers.
Nobelium pursued Microsoft as one of its secondary targets following the initial SolarWinds hack. "We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," Burt said. "Fortunately, we have discovered this campaign during its early stages."
Currently, corporate espionage is not considered technically illegal by international law but given the escalation of supply chain-style attacks — particularly SolarWinds and the secondary targets — existing standards could change.
In the U.S., where the government relies heavily on the private sector for critical infrastructure protection, economically motivated cyber espionage is correlated to national security. In 2015, Obama and China agreed to restrict "economic" cyber espionage, as national security was at play.
While the current campaign Microsoft is facing is considered typical spying, if any breach is successful at Microsoft or other cloud providers, the companies would be the responsible parties, The Times said.
As showcased by the SolarWinds hack, supply chain attacks are changing. Attackers are widening their scope of potential victims, whether or not they decide to pursue them further. The government has limited ability to protect private industry networks, with the exception of effective information sharing.