The Nobelium APT group, the actor behind the well-known SolarWinds attack and widely reported to be linked to Russia's foreign intelligence service, has re-entered the threat landscape. This time its targets are technology resellers: the threat actors are trying to reach those resellers' downstream customers in a fresh supply chain attack.
Nobelium APT New Supply-Chain Attack: How It Works
According to Microsoft and Mandiant, the impact of this new campaign has so far been confined to Europe and North America. The group is not repeating the SolarWinds method of trojanizing legitimate code; this time no software vulnerability is exploited at all.
Here is how the new Nobelium APT attack works, according to ThreatPost:
- It relies on tried-and-true methods to infiltrate the networks of resellers;
- These methods include phishing, credential stuffing, token theft, and API abuse;
- Through them, the attackers gain access to the resellers' networks using legitimate credentials and the privileged access that comes with those credentials;
- They then land in and pivot through the reseller's network, since their real goal is the reseller's clients;
- Once network access is achieved, the threat actors pose as the legitimate company and exploit the reseller-customer relationship.
As Microsoft declared:
Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers. (…) The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access.
What Mandiant Said About It
Mandiant's CTO, Charles Carmakal, addressed the issue, saying that the company has observed the exploitation of the relationship between resellers and their customers, and that this campaign differs from the SolarWinds attack: instead of inserting compromised code into legitimate software, the threat actors rely on stolen identities and network access.
While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government.
He also added that some intrusions into on-premises and cloud environments were successful, and that Nobelium's current approach makes it difficult for targeted organizations to identify and begin investigating the attack, because privacy rules hinder collaboration and data sharing between companies.
Microsoft’s Position on This Topic
In its post of 24 October on this Nobelium supply chain attack, Microsoft said it has observed the Nobelium APT group attacking more than 140 technology service providers and resellers since May. The company did not say how many downstream customers were affected.
Microsoft also added that this Nobelium activity apparently indicates that Russia is trying to establish a surveillance capability through the supply chain.
Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems. This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.
Mitigation Measures
The SolarWinds attack gave the Nobelium APT group access to various US government agencies. The group achieved this by targeting an update for legitimate software: the update was hijacked and used to propagate malware.
Both companies, Mandiant and Microsoft, are continuing to investigate this new Nobelium APT campaign in collaboration with compromised organizations. Microsoft has also released technical guidance on the matter.
The mitigation measures presented there cover three areas:
- MFA should be used and conditional access policies enabled;
- The secure application model framework should be implemented;
- The “Activity Log” in the Partner Center should be reviewed as a matter of routine practice, with a focus on access restriction and the creation of high-privilege accounts.
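Detection logic for the password-spray step Microsoft describes above, as an added example that is not from the original article or Microsoft's guidance. The sign-in records, IP addresses, account names and the five-account threshold are constructed for illustration; the same sliding-window count can be run over exported sign-in logs:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry): (timestamp, source IP,
# account, result). One source IP fails against many distinct accounts in a short
# span and later succeeds for one of them; a second IP shows a normal mistyped
# password followed by a success for the same user.
SAMPLE_SIGNINS = [
    ("2021-10-24T08:00:05Z", "198.51.100.7", "alice@example.test", "failure"),
    ("2021-10-24T08:00:09Z", "198.51.100.7", "bob@example.test", "failure"),
    ("2021-10-24T08:00:14Z", "198.51.100.7", "carol@example.test", "failure"),
    ("2021-10-24T08:00:20Z", "198.51.100.7", "dave@example.test", "failure"),
    ("2021-10-24T08:00:26Z", "198.51.100.7", "erin@example.test", "failure"),
    ("2021-10-24T08:00:31Z", "198.51.100.7", "frank@example.test", "failure"),
    ("2021-10-24T08:20:40Z", "198.51.100.7", "dave@example.test", "success"),
    ("2021-10-24T08:05:00Z", "203.0.113.9", "alice@example.test", "failure"),
    ("2021-10-24T08:05:30Z", "203.0.113.9", "alice@example.test", "success"),
]

def parse(record):
    ts, ip, user, result = record
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_password_spray(records, window=timedelta(minutes=30), min_accounts=5):
    """Flag source IPs whose failed sign-ins hit >= min_accounts distinct accounts
    within `window` (a spray: few passwords, many users). For each flagged IP,
    also list accounts that later signed in successfully from it, since those
    are the credentials most likely to have been stolen."""
    events = sorted((parse(r) for r in records), key=lambda e: e[0])
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        (failures if result == "failure" else successes)[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        in_window = defaultdict(int)  # account -> failures inside the sliding window
        start = 0
        for ts, user in fails:
            in_window[user] += 1
            while fails[start][0] < ts - window:  # drop failures older than the window
                old = fails[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                spray_start = fails[start][0]
                findings[ip] = {
                    "accounts_tried": sorted({u for _, u in fails}),
                    "later_success": sorted({u for t, u in successes[ip] if t >= spray_start}),
                }
                break
    return findings
```

The threshold and window are deliberately conservative; in production, tune them against the tenant's baseline and correlate the `later_success` accounts with MFA and conditional access policy results.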