article featured image


Nobelium, the hacking group behind the massive cyber-espionage activity exploiting the SolarWinds platform recently initiated another cyberattack operation targeting a Microsoft customer support agent. 

The Microsoft Threat Intelligence Center has disclosed in a blog post published last week that it’s tracking new activity from the hacking group known as Nobelium.

The company stated that the threat actor managed to access a customer-service agent’s account and used it in an attempt to hack Microsoft customers.

Before the SolarWinds attack, the prolific hacker group, which Microsoft refers to as Nobelium and is believed to be run by Russia’s Foreign Intelligence Service, or SVR, was more widely known for spear-phishing campaigns.

Microsoft said in a blog post that while its investigation into methods and strategies is in progress, they have noticed that the attackers tried to access its corporate networks by using password spray and brute-force attacks.

According to the tech company, the recent incidents were for the most part unsuccessful, and the majority of those targeted were not successfully compromised.

It also added that the organization knows three entities that were compromised during the Nobelium cyberattack.

This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.

The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada.  In all, 36 countries were targeted.


Threat Actors Managed to Gain Access To Microsoft Support Tools

As part of their investigation into the incident, they also noticed information-stealing software on a device belonging to one of the organization’s customer support agents with access to basic account information for a small number of our customers.

The attacker used this information in targeted phishing attacks against Microsoft customers.

According to BleepingComputer, Microsoft made these attacks public after Reuters came by an email sent to impacted customers alerting them that the threat actors accessed information about their Microsoft Services subscriptions.

A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions.


A Closer Look Into The Nobelium’s Latest Attacks

The hacking group (or APT29, or Cozy Bear) is best known for the SolarWinds supply chain attack that provided hackers with access into as many as 18,000 government entities and Fortune 500 companies, as to at least nine federal agencies and more than 100 companies were exposed to the breach.

Some of the compromised US organizations were Microsoft, FireEye, Cisco, Malwarebytes, Mimecast, and various US government agencies.

At the end of May, Microsoft revealed it has discovered a wide-scale malicious email campaign operated by Nobelium after the Russian-backed group managed to take control of the account used by USAID on the Constant Contact email marketing platform.

Microsoft has reacted immediately by removing the access and securing the compromised device. All customers that were compromised or targeted were being contacted through its nation-state notification process.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *